Why Your Company Could Be Wrong About Cyber Risks

Everyone is worried about the threat of cyberattacks to their business. But the people you’d expect to understand the threat best don’t seem to be on the same page as those calling the plays on digital defense.

According to BAE Systems (BAESY), those in the C-Suite, including chief technology and chief information officers, often don’t agree with their leading decision-making colleagues in IT on what the biggest threats are, how much a hack could cost their company—and worst of all, they can’t even agree who’s responsible for stopping a cyberattack.

The cognitive dissonance doesn’t end there. Although many companies accept in principle that sharing relevant information with cybersecurity firms could help them fend off hackers more effectively, 38% of bosses still refuse to under any circumstances.

BAE polled more than 1,000 C-Suite and decision-making IT people at Fortune 500 companies across eight countries for its 2017 Cyber Defense Monitor, and found that over one-third (35%) of C-Suiters thought their staff were ultimately responsible for stopping cyberattacks. Meanwhile, half of the IT decision-makers said it was the responsibility of the board—a gap in understanding that can be exploited by hackers.

The IT specialists also put the average cost of a successful cyberattack at around 70% higher than their bosses’ estimate ($19.2 million versus $11.6 million), a disparity that suggests they are either more alarmist than the C-Suite, or have a more complete and granular understanding of all the ways that it can disrupt a business.

Board executives, who almost by definition spend more time facing the customer and investors directly, were more inclined to fret about the theft of customer information or personal data (as in the hacks of Yahoo (YHOO) that now threaten to derail its takeover by Verizon (VZ)) or sensitive corporate information (as with Sony Pictures Entertainment (SNE)). By contrast, IT executives had a broader range of concerns, notably including just keeping operations ticking over.

Another sign that top-level managers may be listening more to the media than to their own experts was that C-suiters were more inclined to view amateur hackers as the most likely attackers, while IT managers were decidedly of the view that professionals (a group that includes state-sponsored operations out of countries like China or Russia) were the biggest threat.

One bright spot to note, said Adrian Nish, head of BAE’s threat intelligence team, is that terrorism, by contrast, hardly figures when it comes to cyberwarfare.

“It is a justifiable concern, because the impact may be huge, but it’s not something we see on a day-to-day basis,” Nish said.

The much more clear and present danger, it would seem, is the gap in perceptions regarding the source, nature, and risks of today’s threat.

“The biggest positive change any organization can make,” the BAE report summed up, “is not necessarily to buy the latest and greatest security product, but to improve its own internal communications.”