Dive Brief:
- Fewer than two out of five CFOs and CEOs (38%) worldwide believe that their companies’ cybersecurity adequately shields more than 75% of their operations, Accenture said, noting that roughly half of top executives identified low funding and weak accountability as obstacles to protection.
- “Security teams really struggle to help project what things they are able to do and what things they are not able to do and how that connects back to corporate strategy and how the business operates,” according to Ryan LaSalle, leader for Accenture Security in North America. Chief Information Security Officers (CISOs) generally are more confident than other top executives in their companies’ defenses against hackers.
- Companies last year raised their cybersecurity spending to 15% of their information technology budgets while facing 270 cyberattacks on average, a 31% surge compared with 2020, Accenture said while describing results of a survey. Nearly half (49%) of CFOs and CEOs said that siloed responsibilities undermine cybersecurity.
Dive Insight:
CFOs and their C-suite colleagues faced a record onslaught of cybercrime last year and, during the past several months, have had to adjust to federal efforts to strengthen cybersecurity.
Ransomware, “business email compromise” schemes and the criminal use of cryptocurrency were the leading causes of internet crime complaints to the FBI last year, pushing up reported abuses 7% compared with 2020 to a record 847,376. Potential losses exceeded $6.9 billion, the FBI said in a report.
The widespread shift to remote work and schooling after the start of the pandemic in 2020 “expanded the remote attack surface and left network defenders struggling to keep pace with routine software patching,” according to the FBI.
The average ransomware payment surged 78% last year to $541,000, fueled in part by the rapid spread of ransomware-as-a-service (RaaS) business models that reduce barriers to entry for cyber extortionists, Palo Alto Networks said.
Ransomware criminals last year targeted companies in the Americas in 60% of their attacks and demanded on average $2.2 million from their victims, a 144% increase compared with 2020, Palo Alto Networks said.
U.S. companies were the No. 1 target of ransomware hackers last year, facing 421 million attempted breaches, an increase of 98% compared with 2020, the Senate Committee on Homeland Security and Government Affairs said in a report.
The Biden administration has sought to strengthen cybersecurity in both the public and private sectors, instituting a “zero trust” approach in the federal government and partnering with private electric, natural gas and water companies to improve threat detection.
The Securities and Exchange Commission (SEC) in March proposed tougher, more detailed rules for cybersecurity disclosure, including deeper company reports on cyberattacks and regular filings on cyber-risk management, governance and strategy. Companies would need to report breaches within four days.
“Consistent, comparable and decision-useful” disclosure standards “would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting,” SEC Chair Gary Gensler said before the commission approved the proposal. The period for public comment on the rule ended May 9.
Under the proposed SEC rules, companies would need to update reports on previously disclosed breaches.
Companies would also be required to describe how they manage cybersecurity risks, “including whether the registrant considers cybersecurity as part of its business strategy, financial planning and capital allocation,” the SEC said. They would need to disclose the board’s role in cybersecurity oversight, and the role of management in containing risks.
Some companies make the mistake of believing that regulatory compliance will ensure adequate cybersecurity, LaSalle said in an interview. Instead, they need to integrate cybersecurity into all facets of business strategy, including initiatives such as mergers and product innovation.
Accenture determined in its global survey of 500 CFOs and CEOs and 4,244 CISOs that only 5% of companies have adequately aligned cybersecurity with business strategy.
“Many organizations set their budgets to what they’re required to do for compliance,” he said. “They’re not really thinking about the performance of their business, they’re not really thinking about what the threat actors are trying to do.”
Yet “there’s a big gulf between threat actor talent and motivation, and what the regulators are asking you to cover,” LaSalle said.