Today, data breaches are becoming more severe, yet many organizations around the world still assume they will never suffer one. They choose to take a reactive approach instead of being proactive. In fact, one third of companies would rather pay a hacker’s ransom than invest in information security.
Findings from our new Risk:Value Report show that, despite the rise in data breaches and increasingly sophisticated attack types, respondents are still making the same mistakes, failing to make progress in crucial areas such as cybersecurity awareness and preparedness. The question is: how does the US fare in all of this?
Despite an indicated lack of data security awareness and preparedness amongst organizations across the globe, US companies stand out as some of the most confident with regard to cybersecurity, with 46% claiming that they have never suffered a breach and do not expect to suffer one (compared to 33% globally). Conversely, the share of respondents who do not know whether they have been breached, but anticipate that they will be, was relatively low. Since proving whether or not a company has been attacked is particularly difficult, the number of organizations claiming not to have been breached is high, and likely unrealistic.
When it comes to the impact of a breach, decision makers in the US prioritize what a data breach will do to their image, closely followed by financial loss:
- 58% of respondents are concerned about loss of customer confidence (compared to 56% globally)
- 54% worry about the damage to their company’s reputation (compared to 52% globally)
- 43% of companies highlighted financial loss as a concern (compared to 40% globally)
Interestingly, our report indicates that companies are still failing to fully secure critical data, despite recent mandates such as the EU’s General Data Protection Regulation (GDPR) now in effect. Perhaps reflective of the substantially larger budgets allocated by US companies, American-based organizations bucked this trend with 61% of respondents claiming to have secured critical data, whereas fewer than 48% globally claim to have done so.
One of the most significant findings coming out of this report is that senior management seems distracted when it comes to security. Executives are not stepping up to the plate to claim responsibility for the cybersecurity role that is critical to the growth and future of their business.
According to the report, there is no clear consensus on who is responsible for day-to-day security, with 27% of US respondents saying the CEO is responsible, compared to 20% for the CISO and 18% for the CIO (20%, 19%, and 22% respectively across the globe).
A lack of clear leadership at board level, combined with a tendency to hand off responsibility for information security entirely to the IT department, creates the perfect conditions for a severe data breach. Now is the time for organizations to invest in cybersecurity and take proactive ownership of their data before attackers try to take it away.