Latest News

C-Suite Actively Flaunting InfoSec Rules, Bitdefender Research Reveals

March 2018


41% of security C-suiters deem their direct C-level colleagues as ‘infosec averse’, a higher percentage than any other business demographic. Is it ‘rules for some’, but not for all?

The individuals charged with running an organisation are actually the most likely to expose it to a major cyber attack, according to information security executives. More than two fifths (41 percent) of CISOs, CSOs and CIOs perceive their direct C-Suite colleagues as the most infosec averse, out of any other organisational demographic, according to brand new Bitdefender research. This paints a concerning picture at the top of UK businesses given the current global security landscape.

Associated reputational and financial fallout of a large-scale data breach were deemed the most undesirable by surveyed infosec executives. In fact, 42 percent of infosec executives are most concerned about a loss of customer/stakeholder trust, and more than a quarter (26 percent) worry about the company being fined by a supervisory authority, such as the Information Commissioner’s Office (ICO). These findings, and more, are revealed today in Bitdefender’s Small Gains, Big Wins Study. It explores, in detail, the pressures faced by CISOs, Chief Security Officers (CSOs) and Chief Information Officers (CIOs) and their attitudes to risk, speed and strategy when it comes to information security. The study takes into account the views and opinions of 250 CISOs, CSOs and CIOs in UK-based organisations of 500 or more employees.

Understanding where the risks lie

Facing an increasingly complex threat landscape, information security executives have had to take stock, and identify where the risks in their respective organisations’ lie. It turns out the C-Suite isn’t just a risk in isolation. A significant number of infosec executives (75 percent) deemed that management, from the board level down to junior department heads, were the most likely to flaunt data security rules. This is in sharp contrast to just 25 percent who thought day-to-day knowledge workers were likely the most infosec averse.

From a departmental perspective, those which are more likely to handle sensitive information were deemed at greater risk of a data breach. Two in every ten infosec executives (23 percent) cited Finance as the most vulnerable department, followed by Sales (17 percent).

“Our research found that nearly two thirds of CISOs are losing sleep at night about information security threats, but their direct C-Suite colleagues are the biggest culprits when it comes to bending the rules. Infosec execs need to be far tougher at conveying the real life repercussions of poor information security practices, from the board level downwards,” comments Liviu Arsene, Global Cybersecurity Analyst at Bitdefender.

A unanimous view on the importance of speed

To overcome the challenges, and pace of cyber security changes, infosec executives are taking a serious look at which small changes — centred on speed, as the swift identification and mitigation of cyber threats could end up being invaluable to an organisation, and affect a positive long term change.

Areas of the security stack where speed was deemed either critically, or very, important by infosec executives was centred around endpoint security, detection and response (75 percent), closely followed by anti-exploit/memory protection (74 percent). Infosec tools such as these can serve as a vital layer of defence whilst infosec teams rush to patch software in the event of a global exploit being discovered. Just over half of infosec executives seem confident their organisation could patch corporate devices against a discovered vulnerability within 24 hours (51 percent), however, that still leaves 49 percent who would take 25 hours and upward — which is why adequate endpoint security is so vital.

Small gains, big wins

One specific, and reoccuring, example of a small change infosec executives have enacted has been to increase end-user awareness to the variety of different attack vectors which are currently being exploited by cyber criminals. Examples given by CISOs range from training programmes teaching employees what to look out for, right through to a more ‘shock tactics’ approach, where IT conducts mock-phishing and social engineering attacks on employees to reinforce the consequences of infosec negligence.

“Information security is an ever-evolving and changing process, with advancements in technology not only increasing the threat landscape, but also the protective tools available. A balanced approach to data security, encompassing not only best-in-class infosec solutions, but also surrounding yourself with the right security response team is key for effectively mitigating threats,” concludes Arsene.