Data breaches cost Australian companies an average of $2.72 million during 2012, according to research firm Ponemon. Photo: Reuters
Company boards and executives are being urged to actively investigate the risks posed by online attacks and data theft to their intellectual property, as regulations surrounding security breaches begin to tighten.
Security experts and industry bodies have warned that boards are not talking to their heads of security and technology often enough to be on top of potential risks, while others have accused some companies of being willingly blind to the potential of data theft.
Jason Clark, head of security at software firm Websense, and a former head of security at The New York Times, said many of the executives and boards he spoke to each year failed to properly grasp the risk that online attacks could pose to corporate property.
"Sixty per cent of [chief security officers] I talk to are actually only talking to the CEOs and board once a year," he said.
"It should be a much more frequent conversation; quarterly, if not monthly with the CEO. And it should be around the business risks, the threat models and how we are measuring ourselves to each of the stages of the attack to our threats."
He said that while many chief executives acknowledged their concern about the risk of online attack, many were confident they were safe.
As a result, many company decisions on security risk were based off bad habits or vendor marketing, he said.
Data breaches cost Australian companies an average of $2.72 million during 2012, according to research firm Ponemon.
Concern over lack of board and executive oversight of information security in organisations was followed by the Australian Institute of Company Directors, which last month issued calls for boards and directors to gain "sufficient IT literacy to critically examine information about IT and, if needed, know what further information should be requested" from executives.
YOU DON'T KNOW WHAT YOU'VE GOT 'TIL IT'S GONE
But Gail Pemberton, a director on several boards including PayPal Australia, said many companies remained unaware of their risk until they became affected.
Ms Pemberton is a former chief information officer of Macquarie Bank and divisional chief executive at BNP Paribas.
"It's when it first happens that companies become really aware of the risks they're carrying and take action," she said.
The warnings come as the federal government explores a proposal that would force companies to publicly disclose security breaches that lead to personal information being stolen or publicised.
Sign up for CIO Asia eNewsletters.