Persistently low engagement on the part of the IT/C-suite is exposing organisations and businesses to unacceptable levels of cyber-risk, and may negatively impact investments, a new report finds.

ransomware attacks

The report, published by Trend Micro, found that almost all (90%) of IT and business leaders surveyed expressed fears about the current security landscape, with ransomware attacks causing the greatest concern.

Despite widespread anxiety over spiralling threats, the study found that only around half (57%) of responding IT teams discuss cyber-risks with the C-suite at least weekly.

Fortunately, current investment in cyber initiatives is not critically low. Just under half (42%) of respondents claimed their organisation is spending most on cyberattacks to mitigate business risk.

This was the most popular answer logged in the report, above more typical projects like digital transformation and workforce transformation. Around half (49%) said they have recently increased investments to mitigate the risks of ransomware attacks and security breaches.

However, low C-suite engagement combined with increased investment suggests a tendency to throw money at the problem rather than develop an understanding of the cybersecurity challenges and invest appropriately.

This approach may undermine more effective strategies and risk greater financial loss. Less than half of respondents claimed concepts like “cyber-risk” and “cyber-risk management” were known extensively in their organisation.

Most (77%) said they wanted to hold more people in the organisation responsible for managing and mitigating these risks, which would help to drive an enterprise-wide culture of “security by design.” The largest group of respondents (38%) favoured holding CEOs responsible. Other non-IT roles cited by respondents included CFOs (28%) and CMOs (22%).

Eva Chen, CEO of Trend Micro, said:

“Vulnerabilities used to go months or even years before being exploited after their discovery. Now it can be hours, or even sooner. More executives than ever understand that they have a responsibility to be informed, but they often feel overwhelmed by how rapidly the cybersecurity landscape evolves.

“IT leaders need to communicate with their board in such a way that they can understand where the organisation’s risk is and how they can best manage it,” Chen added.

The study follows on from previous Trend Micro research that exposed a worrying cybersecurity disconnect between business chiefs and IT leaders – a gulf perpetuated by self-censorship from cyber experts and a lack of clarity over who is ultimately responsible for dealing with corporate cyber risk.