Chief executive officers should bear the brunt of responsibility if a business suffers a data breach, according to a new survey of IT security professionals that also found many believe their firms are not taking adequate steps to protect themselves from such losses.
The research, conducted by Websense at this year's e-Crime Congress event, found seven out of ten respondents stated the CEO should be held ultimately responsible for any data loss incidents.
Just 13 per cent pointed the finger primarily at the chief security officer, while nine per cent placed the blame on the rest of the board. Only five per cent said the fault lies with the IT departments, while four per cent stated it should fall on the employee directly responsible for the breach.
The study also found many security professionals believe their company is not taking the threat of data breaches seriously enough. While cyber security is an item on boardrooms' agendas, 45 per cent said it is not afforded a high enough priority.
However, awareness of the issue is rising, at least in part as a result of the frequent data breaches that now make headlines.
Three-quarters of security professionals feel this coverage has helped their firm create a strong case for improving the budget, focus and resources they devote to cyber threats. Only 15 per cent believe that the headlines have hindered this, as they make companies feel powerless to protect against these attacks.
Developing a stronger focus on security matters will be increasingly important as new technology innovations present additional opportunities for attackers. For instance, the survey found 93 per cent of respondents said the rise of the Internet of Things will make organisations more vulnerable to data theft.
Trends such as greater mobility may also present challenges. Some 77 per cent of security professionals stated employees at their enterprise would connect to an unsecure Wi-Fi network to respond to an urgent request from a company executive, while nearly one in three (30 per cent) admitted they would do so themselves.
Neil Thacker, information security and strategy officer at Websense, commented that organisations have a tough challenge ahead to deal with the deluge of data originating from the Internet of Things, as well as a shortage of information security skills.
"The more we talk about the issues and share the common techniques used to breach organisations and abuse, steal or damage data, the better," he said, adding: "Implementing a data theft prevention control that provides a data-centric approach to security, alongside building a culture of security accountability across the business through collaboration, is essential to keep data protected."
A key part of this will be the defences businesses put in place. Innovations from Encode, supported by IBM QRadar, provide a comprehensive solution for this, covering all the features organisations need to stay safe.
Such tools will be vital, as security professionals agree there should be legal consequences for firms that experience serious data breaches.
Almost all respondents (98 per cent) said the law should step in with punishments such as fines (65 per cent), mandatory disclosure rules (68 per cent) and compensation for consumers affected (55 per cent). Some 16 per cent even called for senior executives to face prison in the most extreme cases.