According to a new survey by BDO USA, 79% of public company directors report that their board is more involved with cybersecurity than it was 12 months ago and 78% say they have increased company investments during the past year to defend against cyber-attacks, with an average budget expansion of 19 percent.
This is the fourth consecutive year that board members have reported increases in time and dollars invested in cybersecurity. Despite this positive progress, the survey also found that businesses continue to resist sharing information on cyber-attacks with entities outside of their company. Just one-quarter are sharing information gleaned from cyber-attacks with external entities – a practice that needs to become more prevalent for the safety of critical infrastructure and national security.
“The survey also reveals a significant vulnerability – the continued failure of companies to share information they have gathered from cyber-attacks. Sharing information gleaned from cyber-attacks is a key to defeating hackers, yet just one-quarter of directors say their company is sharing information externally. This behavior needs to change,” said Gregory Garrett, Leader of International Cybersecurity at BDO USA.
Almost one in five (18%) board members indicate that their company experienced a data breach during the past two years, a percentage very similar to the previous two years (22%).
A majority (61%) of corporate directors say their company has a cyber-breach/incident response plan in place, compared to 16% who do not have a plan and close to 23% who are not sure whether they have such a plan. Those with plans is approximately the same percentage as a year ago (63%), but a major improvement from 2015 when 45% of directors reported having them.
79% of public company board members report that their board is more involved with cybersecurity than it was 12 months ago. The vast majority of directors (91%) are briefed on cybersecurity at least once a year – this includes 28% that are briefed quarterly and better than one-fifth that are briefed twice a year (21%). The balance are briefed annually (36%) or more often than quarterly (6%).
Surprisingly, nine percent of board members say they are still not briefed at all on cybersecurity. However, during the four years of the survey, the percentage of directors reporting no cybersecurity briefings has dropped consistently.
Lack of sharing
Sharing information gleaned from cyber-attacks is key to defeating hackers and the U.S. government has consistently communicated how businesses can contact relevant federal agencies about cyber incidents they experience.
Unfortunately, when asked whether they share information they gather from cyber-attacks, only 25% of directors – virtually unchanged from 2016 (27%) – say they share the information externally. A similar proportion (24%) say they do not share the information with anyone and 51% aren’t sure whether they do or not.
Of those sharing information on their cyber-attacks, the vast majority (86%) share with government agencies (FBI, Dept. of Homeland Security) and 47% share with ISAC (Information Sharing & Analysis Centers). Very few (8%) share with competitors.