A study of CEOs recently released by KPMG revealed some alarming trends about cybersecurity preparedness.
The report, entitled Global CEO Outlook 2015, included information garnered from over a thousand CEOs of companies with at least $500M in revenue in ten major economies around the world. While the executives generally expressed confidence about their respective businesses' abilities to flourish over the next three years, about two thirds of CEOs expressed some level of concern regarding their firms' ability to keep their offerings as "relevant" three years from now as they are today, and almost three quarters of the CEOs expressed concern about keeping current with new technologies in a rapidly changing world.
Scarier, however, was what the CEOs said about the risk of a crippling cyber attack to their businesses: A whopping 50%--half the CEOs polled--indicated that their firms are either not prepared, or only partially prepared, to deal with a major cyber event. At the same time, however, only one fifth of the CEOs considered information-security risk to be at the top of their list of business concerns. This combination--from the firms that are, generally speaking, among the best financially equipped to deal with cyber-risk--clearly illustrates that serious cybersecurity challenges remain severely unaddressed; it should not shock anyone if major firms continue to suffer significant breaches in the not-so-distant future.
I discussed the report with Malcolm Marshall, Global Head of Cyber Security at KPMG, who noted that part of the problem is that cyber-risk remains erratic--it is far more difficult to quantify than most other risks, and it is much harder to know when one is truly adequately prepared to address cyber-attacks. It is far easier to anticipate what the likely magnitude of damage will be from a flood, for example, than from a cyber-breach.
Another interesting statistic that Marshall discussed with me is that American CEOs (making up about a third of the CEOs polled) were generally much more confident of their respective businesses' abilities to fight off cyberattacks than were their peers in Europe and Asia, with 87% of CEOs in the USA expressing that their operations were ready to address major cyber incidents. While I suspect that some of these folks may be overconfident--how many times have organizations that thought that they were secure been successfully breached?--this sentiment clearly distinguishes the USA from the rest of the world. Of course, while 87% might sound like our country is well prepared, a situation in which 13% of CEOs believe that their firms are not prepared to withstand a cyber-attack is hardly ideal. Can you imagine if 13% of businesses with over $500M in revenue were suddenly breached?
In any case, why do American CEOs think their firms are more secure?
Is it because American firms are actually better prepared? Because the American media seems to discuss cybersecurity far more than media elsewhere, and, as a result, American executives have taken more action than their counterparts? Because the USA is societally more tech-industry focused than many other Western nations? Because American firms often house far more credit card information and other sensitive data than foreign firms (due to the size of our nation's economy), and, therefore, CEOs know that their businesses make more attractive targets for criminals than do their counterparts overseas? Because healthcare information is in the hands of numerous private businesses rather than held by the government and a small number of highly regulated entities?
There are many factors at play--and it is hard to know how much each one weighs in the equation.
One thing is certain, however: hackers will be targeting businesses--and firms that are unprepared will likely pay a hefty price.
To learn what you can do to protect your business, please see my recent article: 13 Tips to Achieve Great Cybersecurity Without Spending a Fortune.
To read the KPMG study, please visit: www.kpmg.com/CEOoutlook.
Please feel free to discuss this article with me. I'm on Twitter at @JosephSteinberg.