62% of board members view their organisation as unprepared to cope with a cyberattack in the next year despite 78% thinking they have invested adequately in cybersecurity
Proofpoint, Inc., a leading cybersecurity and compliance company, and Cybersecurity at MIT Sloan (CAMS), an interdisciplinary research consortium, today released their Cybersecurity: The 2022 Board Perspective report, which examines how boards of directors perceive their key challenges and risks. The report covers three key areas: the cyber threats and risks boards face, their level of preparedness to combat those threats, and their alignment with CISOs, measured against the CISO sentiments Proofpoint uncovered in its 2022 Voice of the CISO report.
While cybersecurity is dominant on boardroom agendas, there is a clear disconnect between board members and their CISOs. Globally, 69% of board members and 51% of CISOs say they see eye-to-eye with each other. In Singapore, however, alignment is significantly lower than in the other 11 countries surveyed: Singapore ranks 10th of 12 for the share of board members who feel aligned with their CISO, while just 44% of Singaporean CISOs feel aligned with their board.
One way the misalignment between boards and CISOs shows up is in what each perceives as the biggest cybersecurity threat to their organisation. Only 56% of Singaporean board members believe human error is their biggest cyber vulnerability, despite the World Economic Forum finding that human error leads to 95% of all cybersecurity incidents. Additionally, while board members globally are most concerned with business email compromise (41%), insider threats rank second to last (28%) among their concerns. This contrasts with the concerns of global CISOs, who rank insider threats, whether malicious, accidental, or negligent, as the most important (31%).
And CISOs are right to be concerned. According to Proofpoint’s 2022 Cost of the Insider report released earlier this year, insider threats are one of the most prominent vulnerabilities, with incidents having increased 44% in the past two years. More than half of the incidents (56%) experienced by the organisations represented in that research were due to negligence, and the average annual cost of remediating them was US$6.6 million.
“It is encouraging to see that cybersecurity is finally a focus of conversations across boardrooms. However, our report shows that boards still have a long way to go in understanding the threat landscape and preparing their organisations for material cyberattacks,” said Lucia Milică, vice president and global resident CISO at Proofpoint. “One of the ways boards can boost preparedness is by getting on the same page with their CISOs. The board-CISO relationship is instrumental in protecting people and data, and each side must strive toward more effective communication and collaborative effort to ensure organisational success.”
A disconnect in the board-CISO relationship could contribute to weakened defences against cyberattacks. While 78% of board members in Singapore think they have invested adequately in cybersecurity, 70% discuss cybersecurity at least monthly, and 68% feel their board understands their organisation’s systemic risk, these efforts appear insufficient: 62% still view their organisation as unprepared to cope with a cyberattack in the next 12 months.
“Board members play a key role in their organisations’ cybersecurity culture and cybersecurity posture. Board members have fiduciary and oversight responsibility for their organisations; therefore, they must understand the cybersecurity threats their organisations face and the strategy their organisations take to be cyber resilient,” said Dr. Keri Pearlson, executive director at Cybersecurity at MIT Sloan (CAMS). “Board members need to look for ways to make CISOs their strategic partners. With cybersecurity risk front and centre on boardroom agendas, a better alignment of CISOs’ and boards’ cybersecurity priorities will only serve to improve their organisations’ protection and resilience.”
The Cybersecurity: The 2022 Board Perspective report examines global, third-party survey responses from 600 board members at organisations with 5,000 or more employees from different industries. In August 2022, 50 board directors were interviewed in each market across 12 countries: the U.S., Canada, the UK, France, Germany, Italy, Spain, Australia, Singapore, Japan, Brazil, and Mexico.
Key Singapore findings include:
- The boardroom and CISOs are aligned when evaluating the risk posed by today’s sophisticated cybercriminals: 66% of Singaporean board members believe that their organisation is at risk of material cyberattack in the next 12 months, compared to 64% of CISOs.
- Board members and CISOs have different concerns about the threats they face: board members in Singapore ranked email fraud/business email compromise (BEC) and ransomware as their top two concerns (36%). CISOs ranked Distributed Denial of Service (DDoS) and cloud account compromise as their top two concerns.
- Awareness and funding do not translate into preparedness: although 68% of Singaporean respondents feel their board understands their organisation’s systemic risk, 78% think they have invested adequately in cybersecurity, 66% believe their data is adequately protected, and 70% discuss cybersecurity at least monthly, these efforts appear insufficient—62% still view their organisation as unprepared to cope with a cyberattack in the next 12 months.
- Board members disagree with CISOs about the most important consequences of a cyber incident: reputational damage is at the top of the list of concerns for boards in Singapore (40%), followed closely by internal data becoming public (38%). These concerns are in sharp contrast with those of Singaporean CISOs, who are more worried about significant downtime, disruption of operations, and loss of current customers.
- High employee awareness doesn’t protect against human error: although 74% of those surveyed believe their employees understand their role in protecting the organisation against threats, 56% of Singaporean board members believe human error is their biggest cyber vulnerability.
- The relationship between boards and CISOs has room for improvement: there is a sharp variance in perspective between Singaporean board members and CISOs: while 59% of board members report seeing eye-to-eye with their CISO, only 44% of CISOs feel the same.
- Boards are warming up to regulatory oversight: 84% of Singaporean respondents to the survey agree that organisations should be required to report a material cyberattack to regulators within a reasonable timeframe, and only 4% disagree.