C-suite unprepared for NotPetya and other extinction-level cyberattacks
Many executives either don't know what their company's cyber defense is, lack budget, or spend too much time analyzing rather than taking action.
In a new poll of 2,800 cyber security practitioners and C-suite executives, 65% cite destructive cyber attacks like NotPetya as a top cyber security concern. The poll was conducted during the Deloitte webinar, "Is Business Ready for an Extinction-level Event?"
Most respondents said that destructive malware and ransomware negatively impacts business operations, the ability of executives to do their jobs, the organization's reputation, and stakeholder relationships.
[The findings don't] completely surprise me," said Pete Renneker, a principal in Deloitte Cyber. "It is interesting to see the variety of responses in the 'How concerned is your organization?' question. We are seeing this movement up the risk radar as it refers to this threat. Right now, we're seeing a lot of activity around ransomware and there's a financial motive. The more concerning threat is a bad actor whose motive is not financial gain but is societal destruction."
To counter the rise of ransomware and destructive malware, 36% respondents said they are using both technical solutions and business continuity planning. An equal number said they did not know of their organizations plans or defenses, and 8.5% said they have neither technical solutions nor business continuity plans in place.
The biggest reason for a lack of defenses and recovery options, cited by 26% of respondents, was not enough budget. Lack of awareness and "paralysis by analysis" was holding back 26% of respondents. "Ownership confusion" was hampering the efforts of 7.5% to defend the organization. And just over 11% are still deciding if they want to buy or build a solution.
Of those respondents who are actively working to defend against these attacks, "a comprehensive approach to cyber resilience" (27%) and "stronger cyber defense and detection" (19%) were cited as the two main ways they are improving their defenses. "Increased executive awareness" (12%), "improved cyber incident response" (11.5%), and "an isolated recovery environment" (7%), rounded out the remaining responses.
"A lot of firms have great resiliency as far as business continuity," said Benjamin Romero, a consulting manager in the digital security division of the risk consultancy Crowe. "They have hot sites that are geographically dispersed and they test multiple times a year. And the attitude is, 'This is good and that it will take care of everything.' But what is missed is what happens if that resiliency backfires and you are sending [recovery] data that is corrupted? How do you recover from that? For many firms, that means starting from scratch. So it's really an attitude issue that is now being resolved and I don't think that it's too difficult to overcome."