“Why aren’t the leaders of large companies devoting more energy to cybersecurity issues?”

Not a week goes by without a large-scale cyberattack, with paralyzed organizations, ransom demands, and data leaks. Computer security has taken center stage, and the government has just announced a plan to help SMEs and mid-sized companies (ETI) protect themselves. But beware: the largest companies are exposed to this risk as well. Our research shows that their leaders are struggling to tackle the subject head-on.

Within supervisory boards, these cybersecurity issues are most often placed at the end of the agenda, dealt with quickly, and marginalized, even though the potential damage may prove considerable (“Framing Dialogues on Cyber-Resilience on Boards”, by Sven-Volker Rehm, Laura Georg Schaffner and Lakshmi Goel, International Conference on Information Systems (ICIS) Proceedings, no. 10, 2021).

Lack of transparency

Large corporations, for their part, inform their shareholders poorly. The CAC40 firms, in particular, devote very little space to the subject in their annual reports. Two-thirds of the companies we studied treat the issue generically, without specifying their own risk exposure or their policy.


Only 10% of them provide key data, such as insurance coverage in the event of an incident (“Cyber Risk Disclosure: How Transparent Are CAC40 Companies in Their Annual Reports?”, by Laura Georg Schaffner, Elodie Behnam and Jessie Pallud, Association Information et Management (AIM) Proceedings, 2021). This lack of transparency on a critical issue raises questions, even if one imagines that some of the data is sensitive.

Additional research conducted in Germany on DAX 30 companies between 2005 and 2018 has also highlighted the lack of reaction from executive boards after major security incidents (“Corporate Management Boards’ Information Security Orientation”, by Laura Georg Schaffner and Enrico Prinz, Journal of Management and Governance, 2022).


Only a quarter of these firms carried out reorganizations, and most often to strengthen compliance rather than cybersecurity itself: in other words, not to guard against attacks, but to better manage the legal risk those attacks could create after the fact.

They don’t speak the same language

Why don’t the leaders of large companies devote more energy to these questions, which have become vital for organizations? The crucial point, in our opinion, is the poor quality of their communication with IT managers.
