thbangkok – stock.adobe.com
Findings from a survey of CISOs, IT leaders and staffers reveal how experiencing a cyber incident may take a larger-than-thought toll on employee retention
Published: 24 Oct 2022 14:00
Experiencing a cyber attack can be so discombobulating for ordinary employees that over half of office workers say they would reconsider working for a company that had recently fallen victim to an incident, with only a third saying they would be unphased. This is according to a study of office workers, C-suite executives and business leaders, and chief information security officers (CISOs) produced for security stack management specialist Encore.
Of further concern was a disconnect highlighted in the report data between how many business leaders and CISOs knew they had experienced an incident in the past 12 months (57%), and how many regular office workers believed they had experienced one (39%).
This disparity suggests that a significant number of business leaders are either failing to be open and transparent with their workforce, or are potentially even covering up security breaches. Encore said that with such high numbers of staffers “on the precipice of jumping ship” during the pandemic-induced Great Resignation, organisations could ill afford to give them any reason to quit. Being breached is one thing, the report noted, but keeping people in the dark about it is something else entirely.
“The immediate financial cost of a cyber attack remains the number one concern for businesses. But security teams are learning that there is a long tail to these breaches, with employees at risk of losing faith in their company, its ethics and values and its overarching responsibilities to the general public,” said Brendan Kotze, CEO and co-founder of Encore.
“In a competitive market, this is a stark warning to businesses across the world. Keeping your staff in the dark about cyber risk is a fundamental error, not to mention the additional impact of delayed disclosure to customers.”
The report, The true cost of cyber – What hides below the tip of the iceberg?, found that business leaders were still rather more concerned with the direct financial cost of an incident, with 54% of that group citing recovery costs as the biggest impact, while 41% cited the potential long-term reputational impacts, fearing an exodus of business partners and/or customers in the wake of a cyber attack.
In spite of the high numbers of business leaders and CISOs at organisations which had suffered some kind of breach, the overwhelming majority (92%) still believed that their organisations were secure at any moment.
As such, said Kotze, there would seem to be a need for a shift in mindsets at the organisational level. He recommended business leaders in particular begin to treat cyber security incidents and employee and customer data protection as a “fundamental” part of normal business operations and not just an external function.
“There is a very real problem of security feeding a false sense of confidence,” said Kotze. “This is a risk that must be addressed through data and reporting. All too often, we see C-level executives treat their security investments as a sure way of securing their business against persistent and motivated attackers. Security or being ‘cyber safe’ is not something you can measure at a single point in time – it needs to be an ongoing effort.
“Being able to instil confidence in a wide range of stakeholders, from clients to investors to staff, is fundamental to the modern business. Trust is the bedrock of success and should be the same for security as it is as a business enabler.
“If all companies prepare and respond to threats as if their existence, or at least a very substantial part of it, is at risk, our chances of blocking or swiftly responding to attacks is considerably higher. Cyber security is no longer enough; we need to channel cyber safety to build resilience and establish trust both internally and externally,” he said.
Read more on Data breach incident management and recovery
What to look for when taking out a cyber insurance policy
By: Cliff Saran
Australian CISOs least prepared for cyber attacks
By: Aaron Tan
How India organisations can mitigate cyber threats
When to pull the plug on an ecommerce site