Fourth Consecutive Year for Increased Spending on Cybersecurity

According to a new survey by Chicago-based BDO USA (FY17 net revenue of $1.4 billion), more than three-quarters (79%) of public company directors report that their board is more involved with cybersecurity than it was 12 months ago, and a similar percentage (78%) say they have increased company investments during the past year to defend against cyber-attacks. The average budget expansion is 19%.

This is the fourth consecutive year that board members have reported increases in time and dollars invested in cybersecurity. Despite this positive progress, the survey also found that businesses continue to resist sharing information on cyber-attacks with entities outside of their company. Just one-quarter (25%) are sharing information gleaned from cyber-attacks with external entities – a practice that needs to become more prevalent for the safety of critical infrastructure and national security.

“The annual survey has documented the continued ascension of cybersecurity in corporate boardrooms, as directors are being briefed more often and are responding with increased budgets to address this critical area. This year’s study also indicates that boards are aware of the expanding threat of ransomware and most of their businesses are proactively addressing this risk,” says Gregory Garrett, leader of international cybersecurity. “The survey also reveals a significant vulnerability – the continued failure of companies to share information they have gathered from cyber-attacks. Sharing information gleaned from cyber-attacks is a key to defeating hackers, yet just one-quarter of directors say their company is sharing information externally. This behavior needs to change.”

Almost one in five (18%) board members indicate that their company experienced a cyber-breach during the past two years, a percentage very similar to the previous two years (22%). A majority (61%) of corporate directors say their company has a cyber-breach/incident response plan in place, compared to 16% who do not have a plan.

Lack of Sharing on Cyber-Attacks
Sharing information gleaned from cyber-attacks is key to defeating hackers and the U.S. government has consistently communicated how businesses can contact relevant federal agencies about cyber incidents they experience. Unfortunately, when asked whether they share information they gather from cyber-attacks, only one-quarter (25%) of directors say they share the information externally.

Of those sharing information on their cyber-attacks, the vast majority (86%) share with government agencies (FBI, Department of Homeland Security) and close to half (47%) share with Information Sharing & Analysis Centers. Very few (8%) share with competitors.

SOC for Cybersecurity
Earlier this year, the AICPA introduced a Cybersecurity Risk Management Framework also known as “SOC for Cybersecurity” – that provides companies with a proactive approach for designing a risk management program and communicating about its effectiveness. When asked about this initiative, just 40% of directors are familiar with it.

For the full survey report go to 2017 BDO Cyber Governance Survey.