Almost two-thirds of C-suite executives report daily or weekly cyberattacks: Accenture

Nearly two-thirds (63%) of C-suite executives report that their companies experience “significant” cyberattacks daily or weekly, but only 25% of them say their organization always incorporate measures in the design of their company’s technology and operating models to make them more resilient, according to a new survey from Accenture.

Business resilience in the face of cyber risk, released this week, surveyed 959 C-suite executives – predominantly CEOs, chief information officers, chief technology officers and chief operating officers – via phone and online in a number of industries, including insurance, banking and capital markets, Accenture, a global management consulting, technology services and outsourcing company said in a press release.

Despite the finding that only one-quarter of those surveyed always incorporate design measures to make them more resilient, 88% believe that their cyber defence strategy is “robust, understood and fully functional.” Nearly as many (86%) measure their organization’s resilience to determine what improvements are needed. [click image below to enlarge]

However, only 9% of executives said their company proactively runs inward-directed attacks and intentional failures to test their systems on a continuous basis. About half (53%) of those surveyed said their company has a continuity plan that they refresh as needed. Just 49% map and prioritize security, operational and failure scenarios and even fewer (45%) have produced threat models to existing and planned business operations to enable rapid responses to an attack or system failure, the release noted. In addition, only 38% of the executives said their companies had thoroughly documented the relationships between their technology and operational assets to identify resilience risks and dependencies in their organization.

“Given the prevalence of cyberattacks on today’s companies and government organizations, the only question for most is when a cyberattack will occur, not if it will occur,” said Brian Walker, managing director, Accenture Technology Strategy, in the release. “While savvy executives know where their weak spots are, and work across the C-suite to prepare accordingly, testing systems, planning for various scenarios, and producing response and continuity plans that guide quick actions when a breach occurs, the data clearly shows that companies by and large have more work to do.” [click image below to enlarge]

According to the report, successful enterprises recognize that responsibility for resilience and agility does not just fall to the CIO, chief information security officer (CISO) or chief risk officer. On average, the research found that companies have two executives in the C-suite who are responsible for continuously monitoring and improving their business resilience. In fact, 19% of the represented companies had a “dedicated resilience officer.”

“To enable and protect the company, CEOs should work closely with their CIO, CISO and others across their leadership team as well as their board of directors, to make decisions about investments, and advance their business continuity efforts,” said Walker. “They cannot prevent an attack or failure, but they can mitigate the damage it can cause by taking steps to make their business more resilient, agile and fault-tolerant.”

To that end, the report suggests that companies:

• Create a digital ecosystem that enables them to team with other enterprises, augment their digital capabilities and access innovative technologies that reside outside the enterprise to strengthen their organization’s security posture and effectiveness;

• Manage digitally to deliver multi-speed business and IT capabilities in real-time by simplifying the IT architecture and addressing the business’s evolving digital requirements in a dynamic environment; and

• Institutionalize resilience by making it part of the operating model, ingrained from the outset into objectives, strategies, processes, technologies and organizational culture including fostering open communication with boards on governance practices and enterprise risk management.