Boardroom executives and IT decision makers are at odds in their approach to defending against cyber threats, according to new research published by cyber defence experts, BAE Systems.
The research shows board directors and IT leaders believe each other are responsible for managing the response to a cyber-attack, and that board level directors estimate the cost of a successful attack to be dramatically lower than their IT colleagues – with a disparity of S$16.5m in Singapore.
These latest findings reveal that cyber-security is the most significant business challenge to over three quarters (76%) of C-Suite respondents in Singapore.
Additionally, 77% of IT Decision Makers anticipate they will be targeted by a cyber-attack in the next 12 months, with the majority of both groups reporting they expect the frequency and severity of attacks to increase (67% C-Suite and 78% ITDM).
Therefore, it has never been more important for businesses to understand the nature of the threat and how to combat it. In line with this, half (48%) of boardroom respondents plan to devote more time and resource to cyber security.
“This research confirms the importance that business leaders place on cyber security in their organisations. However, it also shows an interesting disparity between the views of C-Suite respondents and those of IT Decision Makers.
“Each group’s understanding of the nature of cyber threats, and of the way they translate into business and technological risks, can be very different,” says Alex Taverner, BAE Systems Commercial Head of Cyber in the Asia-Pacific.
“With successful cyber-attacks regularly making headline news, our findings make it clear that boardrooms and IT teams recognise the risks but need to concentrate on bridging the intelligence gap to build a robust defence against this growing threat.
“The disconnect in opinions between board level respondents and IT Decision Makers when it comes to potential threats, accountability and responsibility creates gaps for attackers to exploit. While the Singapore government is stepping up its efforts to create a resilient and trusted cyber environment with the launch of the Cybersecurity Strategy, organisations still need to plan ahead for successful incidents and ensure that the boardroom and IT teams are working collaboratively to narrow gaps in understanding, intelligence and responsibility.”
Who is to blame for a breach?
The report also reveals that 66% of C-Suite respondents say their IT teams and staff more broadly are responsible in the event of a breach, whereas 39% of ITDMs think this is the case. Similarly, over half of ITDMs (57%) think senior management and leaders should shoulder the blame, compared to less than a quarter (24%) of C-Suite respondents.
Singaporean IT Decision Makers believe the cost of a successful cyber attack on their business to be around S$27.1m compared to an estimation of just S$10.6m from board level directors in the same country.
In Singapore, between 11 and 13 per cent of a company’s IT budget is spent on cyber security and defence (C-Suite 11% and ITDM 13%). And around half of respondents plan to increase their allocation of time and resources on cyber security in the coming year (48% C-Suite and 45% ITDM).
Both groups believe the number and severity of attacks will increase over the coming year with 81% of board respondents and 80% of IT teams predicting an increase in the number of attacks, and 67% and 78% respectively predicting an increase in the severity of attacks. And yet, 67% of Board members and 76% of IT teams are confident they are well-equipped to defend against a cyber attack.
While 81% of IT teams report that their spend on cyber security is part of a comprehensive strategy, only one-third of the board (29%) believe this to be the case – the lowest among all countries – with 48% believing the investment is more ad hoc.
Twice as many C-Suite executives think that human error will enable a cyber attack than ITDMs (62% vs 30%), indicating the C-Suite have lower confidence in the cyber savviness of their people.
“Perhaps most worryingly for Singapore, only two per cent of IT Decision makers are confident their company has the skills they need to deal with a cyber attack,” says Gundeep Sandhu, Asia-Pacific Head of Cyber Solutions in the Asia-Pacific.
“This is an area where industry and Government must work together to close the skills gap and lift Singapore’s cyber security capability and capacity. There is an opportunity for Singapore to take a leadership role in the region in this respect, and last year’s Memorandum of Collaboration signing between the Cyber Security Agency of Singapore and BAE Systems was one step towards that.”