Deep Instinct has released the results from new research highlighting the role that executive leadership teams play in their organizations’ cyber resilience. The independent survey was conducted by Sapio Research and engaged over 200 CEOs, senior financial, and IT security decision-makers working at mid to large enterprises in the UK. The findings highlight a disconnect in how senior management teams collaborate and determine the risks and impact on their operations when hit by a cyber attack.
CFOs are struggling to play their part in the risk assessment of cyber attacks on the financial health of their organizations, with only 12 percent of CFOs actively involved in the process. This exclusion has caused confidence to plummet amongst financial leaders, with only 14 percent of CFOs stating that their business is well-prepared and could withstand a cyber attack. This implies a significant perception disconnect compared with the 63 percent of CEOs who feel they are well-prepared.
Additionally, there is a large gap between CFO’s estimates of ransomware demands and the reality of ransomware payments. Despite respondents saying they would only pay, on average, a ransom of around £760,000, the reality is that those survey respondents that did pay ransoms paid more than £3 million, four times higher than predicted. Moreover, for those that paid ransom demands, only 32 percent were able to recover their data – showing that positive outcomes are far from certain even when cooperating with bad actors.
The research also revealed that ‘studious financial planning’ is essential to gain a clear picture of the monetary risks that come from cyber attacks. Only 38 percent of respondents cited that they are confident in placing a monetary value on the data within their organization, as well as calculating the potential impact of its loss. Worse, 48 percent gave answers that reveal a lack of accurate assessments, or no assessments at all.
According to Heather Bellini, Chief Financial Officer at Deep Instinct, “Cyber criminals and organizations usually have a common goal – financial reward – and each day a new ransomware attack hits the headlines one of the first questions amongst executives is, ‘how much is it going to cost to get back the data?’ It is vital for organizations to take the task of quantifying the financial risk of cyber attacks seriously and ensure it is accurate, otherwise they can fall into the trap of having a false sense of security and being blasé when it comes to the true cost.”
She continues, “This is why it is so important that all senior and strategic roles within the business have an active and equal responsibility in ensuring their business is resilient and well prepared. We talk in the industry about breaking down siloes and cyber security no longer being the sole remit of the IT team, but this isn’t translating into meaningful action. Until this changes, organizations will continue to be counting the costs of breaches and lining the pockets of cyber criminals.”
Ransomware impacts on business continuity
It should come as no surprise that ransomware attacks have a significant impact on business continuity. Nearly two-thirds (61 percent) of all respondents admitted their business has been hit by a ransomware attack, with 56 percent paying the ransom. In 29 percent of the cases where a ransom was paid, the CEO made the decision while the CFO made the decision in just 14 percent of situations.
The quantitative survey was conducted among 201 senior financial and senior IT security decision makers in companies with more than 250 employees in the UK. The interviews were conducted online by Sapio Research in April and May 2022 using an email invitation and an online survey.
The qualitative research was conducted through eight in-depth interviews (IDIs) with CFOs, CROs, and senior risk and financial roles. The interviews lasted up to 45 minutes.