Boards are getting more involved in cybersecurity, but is it enough?
Forty-five percent of 10,000 CEOs, CFOs, CIOs and other executives PwC polled said that their boards participated in corporate cybersecurity strategy, up from 42 percent when PwC conducted a similar survey for 2014, according to David Burg, PwC's global cybersecurity practice leader. But given the glut of cybersecurity attacks, Burg says the numbers are lower than they should be. "It is surprising that this number isn't north of 75 percent," says Burg, who published the data in a new report. "In a world of connected business ecosystems, you're only as strong as your weakest link."
Emphasis on protecting corporate assets has risen dramatically in the wake of high-profile breaches at Target, Home Depot and other organizations. A major, targeted attack on Sony Pictures proved terrifying for many companies -- and heightened board-level interest -- as the attackers released embarrassing emails. Moreover, the frequency of attacks is accelerating: PwC survey respondents reported a 38 percent uptick in cyber-assaults from 2014. The result has business leaders and their boards rethinking their cybersecurity practices, including spending $77 billion on corresponding tools and processes this year. That number will more than double to $170 billion by 2020, according to Gartner research.
Emerging digital technologies, including IP address-enabled devices under the Internet of Things banner, will widen the attack surface, forcing corporate boards to step up their participation in threat mitigation, Burg says. Some boards are influencing technology selection, process implementation and budgets. For example, board participation in technology spending grew 7 percent, to 37 percent from 2014 to 2015, which he views as partially responsible for the 24 percent boost in security tools. Reviews of privacy and security risks also grew 7 percent, to 32 percent from 25 percent a year ago.
Meanwhile, with or without the board’s involvement, companies are taking several measures to better protect themselves beyond such obvious options as strong encryption.
Cloud services as a trusted security measure: Companies are investing heavily in cloud tools for data protection, privacy, network security, identity and access management, real-time monitoring and analytics, and advanced authentication. Sixty-nine percent of those surveyed say they were using a cloud-based security service, and 56 percent cited real-time monitoring and analytics as their preferred line of defense.
Advanced authentication: Many banks and credit card providers support Apple's Touch ID technology, allowing consumers to access their mobile application by pressing a finger to the iPhone's fingerprint scanner. USAA, a financial services and insurance firm that caters to military veterans and service members, uses facial and voice recognition and fingerprint scanning for customer access to its mobile apps. Starwood Hotels & Resorts allows preregistered hotel guests to bypass the check-in desk and tap their smartphone or Apple Watch to unlock hotel room doors. Ninety-one percent of companies say they are using some form of advanced authentication to replace traditional password credentials.
Security frameworks: Security frameworks, such as ISO 27001 and the U.S. National Institute of Standards and Technology Cybersecurity Framework, are gaining acceptance among organizations seeking to establish a foundation on which to mitigate risks. Such frameworks help companies identify and prioritize risks, gauge the maturity of their cybersecurity practices and better communicate. The Canadian Imperial Bank of Commerce has developed a scorecard based on framework controls that it uses to measure the maturity of its security program, according to the PwC report. Burg says 91 percent of organizations have adopted a security framework to hedge against risks.
Strength in numbers: Most companies -- 56 percent of those surveyed -- are partnering with one another, sharing threat intelligence as a collective defense. Most organizations say such collaboration allows them to share and receive more actionable information from industry peers, as well as from Information Sharing and Analysis Centers (ISACs). Burg says information sharing got a boost earlier this year when President Barack Obama signed an executive order that encourages collaboration among public and private organizations through Information Sharing and Analysis Organizations (ISAOs), designed to be more flexible than ISACs.
"ISAOs will fill certain gaps that current groups do not address and ultimately play a valuable role in contributing to a national cybersecurity immune system," says Burg. He says PwC is currently working with stakeholders from the White House, industry and academia to improve the ISAOs.