Being the chief executive has its
privileges. And one of them may be a blissful ignorance of your
company's data breach risks.
According to a study to be released Tuesday by the privacy-focused Ponemon
Institute, companies' chief executives tend to value cybersecurity just as highly as--if
not more highly than--their executive colleagues. But compared to lower-level
execs, CEOs also tend to underestimate the frequency of cyberthreats their
organization faces.
The survey, which was funded by cybersecurity firm Ounce Labs, asked 213
senior executives about their perceptions of data breach risks. Among those
respondents, just 17% of CEOs said their company faced attempts by
cybercriminals to steal data at least once every hour, compared with 33% of
other executives. By contrast, nearly 50% of CEOs said their company experienced
an attack "rarely"--less than once a week--while only 32% of other
executives reported the same frequency of cyberthreats.
That disconnect, says Ponemon founder and lead researcher Larry Ponemon,
isn't a matter of CEOs not valuing cybersecurity. On the contrary, about 77% of
chief execs said that preventing cyber attacks and insider data theft was
"important or very important" compared with just 51% of other respondents.
But Ponemon says that CEOs' staffs may not tell them the full extent of a
company's data risks. "Even in the most transparent of companies, there's a bit
of hesitance to give the CEO a report of vulnerabilities or even small
breaches," says Ponemon. "We don't know how much filtering of bad news happens
that keeps CEOs from hearing some of the darker secrets."
There's plenty of evidence to support the views of the survey's more paranoid
respondents. Cybersecurity firms, such as Finland's F-Secure, detect more than
20,000 new variations of malicious software churned out by hackers every day. In
fact, the rate of publicly known data breaches has been steadily rising for
years, with 646 breaches recorded in 2008, a 46% increase over 2007, according
to the Identity Theft Resource Center.
In January, Princeton, N.J.-based payment processor Heartland Payment
Systems revealed that it had been the victim of a cybercriminal
operation that had gained access to as many as 100 million credit card
numbers, potentially the largest data breach of all time.
Despite that sort of high-profile hack, the CEOs interviewed in
Ponemon's survey seemed especially unconcerned about cybercrime as a
source of data breaches. While 31% named stolen PCs or thumb drives as a
source of data loss, only 3% cited malicious hackers as the top threat
for their company's data security--about a fifth as many as the
lower-level employees who cited cybercriminals as the most important threat.