This article was updated at 1443 on 02 April 2016.
In the largest study of its kind, commissioned by the NASDAQ, 90% of corporate executives surveyed said that they cannot read a cybersecurity report and are not prepared to handle a major attack. More distressing is that 40% of executives don’t feel responsible for the repercussions of a hack.
These two statistics are indicative of why legislators at all levels are creating new legislation.
Louis Modano, CIO of the NASDAQ, was interviewed (video available here) and he did not pull any punches. He said the frequency and severity of attacks have gone up dramatically in the last couple of years and the sophistication of the attackers has also gone up, but what has not gone up is the education of executives across all industries regarding the cyber threat. Dave Damato, CSO of Tanium, who conducted the survey for the NASDAQ, was equally blunt and said companies were sticking their heads in the sand. He also pointed out that there are no standard metrics for measuring a company’s cybersecurity performance, unlike in the financial space – there is no equivalent of ROI or net profit. Louis also said something that I have been saying for a long time – this is not a technology problem; this is a cultural or mindset problem that everyone needs to deal with.
As consumers, those statistics should confirm our worst fears – that the companies that we give our data to are not ready to protect it and don’t feel responsible for it being breached.
What this means is that the CIO or CISO or some mid-level manager is responsible for trying to take care of security in an organization that neither understands it nor feels responsible for it.
According to the Center for Strategic and International Studies, a D.C.-based think tank, losses due to cybercrime are inching up to half a trillion dollars a year worldwide.
If you wondered why the hackers are winning, this certainly offers some insight.
It also means that consumers need to beware and vote with their feet.
Recently, a friend was going to open an account at a bank and when he asked whether they offered two-factor login (a password plus a one-time PIN), the banker said no. My friend was just about to walk out the door and open the account at a different bank when he called me. I did a quick bit of research and discovered that they did offer two-factor login – the banker did not even know what security services his own bank offered.
Information for this post came from CNBC.