Many of those leaders underestimate the capabilities of their attackers and the damage they can cause.
Leaders remain unaware that while technology advances in the modern workplace improve productivity and convenience, they also increase vulnerabilities to cyberattacks. Those changes include social collaboration, expanded use of mobile devices, storage of information in the cloud, digitizing sensitive information and moving to smart grid technologies.
The cyber threats confronting modern businesses are many and varied, and the survey found that too many of them are enabled by insufficient attention to risk. Among the more obvious risks are supply chains, both the hardware and software supply chain supporting IT and the more traditional supply of parts and services.
"In today's interconnected ecosystem, both of these supply chain avenues are often direct freeways to compromise company assets," the survey said, noting that many vendors and business partners "can have lower — even nonexistent — cybersecurity policies and practices," than the enterprises they serve.
Dave Burg said it is not necessarily that suppliers don't care about security, but that they may not have the same resources that their client enterprises do.
"The threat actors know this and are targeting the small and medium-sized organizations in order to exploit the weaker target as a means to get to the ultimate target," he said.
Getting suppliers to comply with privacy policies can also be a problem, especially in industries like financial services, health care and the Payment Card Industry (PCI), where the protection of personally identifiable information (PII) is crucial.
"Yet fewer than one-third of all industry respondents to PwC's 2013 Global State of Information Security Survey required third parties to comply with privacy policies," the survey reported.
Randy Trzeciak, technical manager of the Insider Threat Center at CERT, said it can be very challenging for an enterprise to get suppliers to match its security needs since many times there needs to be an integration of very disparate systems.
"You need to communicate your expectations," he said. "You need to write them into service level agreements prior to signing anything. And you need due diligence as well. You should be able to go out and inspect those suppliers if needed."
The threat is just as high, and the potential damage even higher, from more direct insiders — employees. As the survey noted, those with malicious intent already have access, they know what the company "crown jewels" are and they often know where they are.
Mitigating that threat requires both technical and nontechnical means. Trzeciak said CERT promotes "trust but verify" — trusting workers to support the organization, but limiting each worker's access to what they need to do their jobs. He said CERT has a Common Sense Guide to Mitigating Insider Threats on its website that offers 19 practices enterprises can use to detect and prevent insider threats.