54% of office workers would reconsider working for a company that had recently experienced a cyber breach, according to a study by Encore.
An independent study of 100 C-level executives, 100 chief information security officers (CISOs) and 500 office workers in the US and the UK, conducted by Censuswide, sought to uncover the gap that remains between boards and security teams when it comes to addressing cyber demands.
33% of staff said they would be ‘completely unfazed’ if their employer suffered a cyber break-in.
57% of C-level executives polled said they have been breached in the last 12 months alone. Most office workers, however, were unaware, with only 39% believing their organization had been the victim of a successful cyber breach.
“The immediate financial cost of a cyber-attack remains the number one concern for businesses,” said Brendan Kotze, CEO at Encore. “But security teams are learning that there is a long tail to these breaches, with employees at risk of losing faith in their company, its ethics and values and its overarching responsibilities to the general public. In a competitive market, this is a stark warning to businesses across the world. Keeping your staff in the dark about cyber risk is a fundamental error, not to mention the additional impact of delayed disclosure to customers.”
41% of C-level executives polled named reputational damage as one of the biggest costs to their business following a cyber-attack, with 34% agreeing that loss of clientele or their trust was a significant cost.
Despite many admitting to suffering a cyber breach in the last year, 92% of CISOs and C-level executives polled believe their business is secure at any given moment. Kotze believes that a mindset shift is needed at an organizational level, treating cyber incidents and the security of employee and customer data as a fundamental part of normal business operations, not a function that sits on the outside, looking in.
“There is a very real problem of security feeding a false sense of confidence,” he continues. “This is a risk that must be addressed through data and reporting. All too often, we see C-level executives treat their security investments as a sure way of securing their business against persistent and motivated attackers. Security or being ‘cybersafe’ is not something you can measure at a single point in time – it needs to be an ongoing effort.”
Kotze concludes: “Being able to instil confidence in a wide range of stakeholders, from clients to investors to staff, is fundamental to the modern business. Trust is the bedrock of success and should be the same for security as it is as a business enabler. If all companies prepare and respond to threats as if their existence (or at least a very substantial part of it) is at risk, our chances of blocking or swiftly responding to attacks are considerably higher. Cybersecurity is no longer enough; we need to channel cyber safety to build resilience and establish trust both internally and externally.”