But new data from Fox Rothschild indicates that a surprising number of corporate directors still aren’t trained to prevent such attacks. The new survey, released Wednesday, revealed that while 68 percent of respondents’ companies train employees on cybersecurity issues, and one-third train employees to prevent data breaches, only 14 percent train directors in these areas.
“Just because you have initials or a title following your name doesn’t mean you are less vulnerable,” said Elizabeth Litten, Fox Rothschild’s privacy and data security practice co-chair. “You might be more vulnerable to phishing attempts targeting large quantities of data. I think that’s a big mistake.”
Some 52 percent of respondents said executive and board awareness of cybersecurity issues was more important for company privacy than general employee awareness. But this sentiment didn’t seem to translate into actually keeping the board informed. Of the 53 survey respondents— CLOs, GCs and other in-house counsel at large companies— 27 percent never report to their directors on cybersecurity and data privacy.
“[Executives] should be asking the basic questions on a regular basis, to whoever is handling their IT issues, rather than just assuming, ‘Well I’ve delegated this downstream and I don’t have to worry about it,’” Litten said.
While more than half of executives reported their companies are at a high or very high risk for an attack and 75 percent have recently been impacted by phishing, 53 percent said they don’t have adequate cybersecurity and data privacy budgets to deal with a breach.
Two-thirds of the respondents spend less than 10 percent of their IT budgets on programs related to cybersecurity. That’s a figure that Mark McCreary, Fox Rothschild’s chief privacy officer and co-chair of its privacy and data security practice called the “bare minimum,” as the report notes the average cost of a data breach hovers near $6 million.
“Any company not dedicating at least 20 percent of their budget toward security on a baseline year, not an odd year, is making a mistake,” McCreary said. “It’s not ‘you buy something one year and you’re done.’ The tactics change, the ability to fight [breaches] changes.”