Business leaders don't understand cyber risks, making investment difficult to secure

Only 30 per cent told CA Veracode that they had heard of the Equifax breach

The drive to develop new software quickly is outpacing the urgency of security, a report by CA Veracode has found, as business leaders don't understand cyber risks.

While software development budgets have increased to support digital transformation - by as much as 50 per cent over the last three years, according to some respondents - that has not translated to heightened investments in or awareness of security.

Only half of the respondents to Veracode's 'Securing the Digital Economy' survey (1,000 respondents across the USA, UK and Germany) fully understood the risks that vulnerable software represented to their business. 25 per cent didn't understand any of the common threats, including ransomware, phishing or malicious insider activity; and a third said that they had no plans to improve their defences over the next 12 months.

Awareness of major attacks is low

This lack of understanding could be because business leaders tend to pay less attention to cyber breaches or their underlying causes. Fewer than 20 per cent said that they were aware of the Heartbleed vulnerability, and fewer than a third were aware of the Equifax breach, despite it being highly publicised this year.

In spite of the job losses and legal ramifications, only five per cent said that Equifax had caused them to rethink their cyber strategy, and a similar figure was seen for WannaCry (although awareness was slightly higher in Britain). In total, just 33 per cent had adjusted their security plan after an attack on another company.

"Many business leaders have yet to fully grasp the most common cyber threats to their business," said CA Veracode CTO Chris Wysopal, "nor are they keeping up with some of the most catastrophic cyber events of our time. We need to bridge this disconnect between business leaders and the cybersecurity threat: without greater awareness of the threats and what is needed to defend against them, their company could easily be the next headline."

Personal risk is a motivator

Although business leaders are confident in their IT departments' ability to protect their company, persuading board members to pay attention is difficult. This is especially important as digital transformation projects often result in a larger threat surface.

Personal accountability is the most likely factor to make executives act on security concerns; more than a third of respondents said the personal risk to executives outstripped compliance as a driver for board members.

38 per cent and 35 per cent of business leaders recommended emphasising the potential brand damage and job losses, respectively, that could result from a data breach, as a way to engage the board on cyber security. Only 29 per cent thought that speaking about regulations like the GDPR would have the same effect. However, discussing potential fines and loss of capital was said to be the most effective way of talking to the board about security.