Report: Nearly Half of Board Members Feel Unprepared for Cyberattacks

Proofpoint Inc., a cybersecurity and compliance company, and Cybersecurity at MIT Sloan (CAMS), an interdisciplinary research consortium, released their Cybersecurity: The 2022 Board Perspective report that explores board of directors’ perceptions about challenges and risks.

Cybersecurity is dominant on their agendas, as 77 percent of participants agree cybersecurity is a top priority for their boards, and 76 percent discuss the topic at least monthly. Consequently, 75 percent believe their boards clearly understand the systemic risks their organizations face and 76 percent assert they’ve made adequate investments in cybersecurity.

But this optimism may be misplaced. The report found nearly two-thirds of board members believe their organization is at risk of material cyber-attack in the next 12 months. Almost half feel their organization is unprepared to cope with a targeted attack. And only two-thirds of board members view human error as their biggest cyber vulnerability, despite the World Economic Forum finding this risk leads to 95 percent of all cybersecurity incidents.

The Cybersecurity: The 2022 Board Perspective report examines global, third-party survey responses from 600 board members at organizations with 5,000 or more employees from different industries. In August 2022, 50 board directors were interviewed in each market across 12 countries: Australia, Brazil, Canada, France, Germany, Italy, Japan, Mexico, Singapore, Spain, the United Kingdom and the United States.

The report explores three key areas:

  • The cyber threats and risks boards face
  • Their level of preparedness to combat those threats
  • Their alignment with CISOs based on the CISO sentiments

Proofpoint found a disconnect between the two sides in cyber risks, consequences, and threats.

“It is encouraging to see that cybersecurity is finally a focus of conversations across boardrooms. However, our report shows that boards still have a long way to go in understanding the threat landscape and preparing their organizations for material cyberattacks,” said Lucia Milică, vice president and global resident CISO at Proofpoint. “One of the ways boards can boost preparedness is by getting on the same page with their CISOs. The board-CISO relationship is instrumental in protecting people and data, and each side must strive toward more effective communication and collaborative effort to ensure organizational success.”

Key global findings include:

  • There is a disconnect between the boardroom and CISOs when evaluating the risk posed by today’s sophisticated cybercriminals: 65 percent of board members believe their organization is at risk of material cyberattack in the next 12 months, compared to 48 percent of CISOs.
  • Board members and CISOs have similar concerns about the threats they face: Board members ranked email fraud/business email compromise (BEC) as their top concern (41 percent), followed by cloud account compromise (37 percent), and ransomware (32 percent). While email fraud/BEC and cloud account compromise are also among top concerns for CISOs, they view insiders as their top threat, whereas board members rate insiders as a lower concern.
  • Awareness and funding do not translate into preparedness: although 75 percent of those surveyed feel their board understands their organization’s systemic risk, 76 percent think they have invested adequately in cybersecurity, 75 percent believe their data is adequately protected, and 76 percent discuss cybersecurity at least monthly, these efforts appear insufficient — 47 percent still view their organization as unprepared to cope with a cyberattack in the next 12 months.
  • Board members disagree with CISOs about the most important consequences of a cyber incident: internal data becoming public is at the top of the list of concerns for boards (37 percent), followed closely by reputational damage (34 percent) and revenue loss (33 percent). These concerns are in sharp contrast with those of CISOs, who are more worried about significant downtime, disruption of operations, and impact on business valuations.
  • High employee awareness doesn’t protect against human error: although 76 percent of those surveyed believe their employees understand their role in protecting the organization against threats, 67 percent of board members believe human error is their biggest cyber vulnerability.
  • The relationship between boards and CISOs has room for improvement: there is a sharp variance in perspective between board members and CISOs: while 69 percent of board members report seeing eye-to-eye with their CISO, only 51 percent of CISOs feel the same.
  • Boards are warming up to regulatory oversight: 80 percent of respondents to the survey agree that organizations should be required to report a material cyber attack to regulators within a reasonable timeframe and only 6 percent disagree.

“Board members play a key role in their organization’s cybersecurity culture and cybersecurity posture. Board members have fiduciary and oversight responsibility for their organizations; therefore, they must understand the cybersecurity threats their organizations face and the strategy their organizations take to be cyber resilient,” said Dr. Keri Pearlson, executive director at Cybersecurity at MIT Sloan (CAMS). “Board members need to look for ways to make CISOs their strategic partners. With cybersecurity risk front and center on boardroom agendas, a better alignment of CISOs’ and boards’ cybersecurity priorities will only serve to improve their organizations’ protection and resilience.”

To download the Cybersecurity: The 2022 Board Perspective report, visit:

https://www.proofpoint.com/us/resources/white-papers/board-perspective-report

More information is available at www.proofpoint.com or at cams.mit.edu.