IMA Pulse


By Raef Lawson, Ph.D., CMA, CSCA, CFA, CPA, CAE
September 18, 2015



The findings of a recent IMA® survey of senior finance professionals support the fact that cybersecurity is a massive problem that companies need to address more vigorously. Only 30% of survey respondents believe their companies haven’t experienced any breaches (that they know of). Of the 54% who reported some type of breach within the last year (16% were unsure), 41% had one or two breaches, and 13% reported three or more breaches.




With daily headlines about hackers’ sophisticated attacks to gain access to IT systems and steal personal information, it isn’t surprising that “hackers” was the number one source of cybersecurity breaches (78%). A distant second was “employees” (12%).


By far, the most often cited threat or vulnerability is malware (e.g., computer viruses, worms and Trojan horses, or other malicious software), reported by 68% of respondents. Other serious threats include:

  • Unauthorized access of data (30%).
  • Outdated information security controls (21%).
  • Employees’ laptops (21%).
  • Cyberattacks to steal intellectual property (18%).




We asked respondents what their companies are doing to address the increasing threat to cybersecurity information, such as requiring training, employing cybersecurity professionals, and improving response time when breaches occur.


Frequent employee cybersecurity awareness training is vital for deterring cyberattacks:

  • Only 33% say their companies provide training for all employees.
  • 58% do not provide any training.
  • The rest were unsure.


Cybersecurity professionals are important for detecting and reporting cyberattacks. Of the companies that have cybersecurity professionals, 35% say the professionals report to the Chief Financial Officer, 28% say they report to the Chief Information Officer, and a few respondents say their companies outsource the function.

  • 44% say they have no cybersecurity professionals employed.
  • 37% say that cybersecurity professionals make up 2% or less of their companies’ employees.
  • Only 11% say they plan to hire more cybersecurity professionals in the near future.


A short response time is critical when a breach occurs in order to minimize the damage to companies:

  • 18% say their IT department initiates an investigation within 10 minutes of the breach.
  • 28% say that they responded within four hours.
  • 19% say it takes a day or longer.




This study indicates that many companies need to do more to reduce the risk of cybersecurity breaches. With a million new malware threats created each day, it isn’t a matter of if a breach will occur for any given company but when and how damaging. A proactive approach to securing company data, especially private customer data, is warranted. The challenge will be making it easier for the government and businesses to share information about cyberthreats that will boost security while also protecting individuals’ right to privacy.

Raef Lawson, Ph.D., CMA, CSCA, CFA, CPA, CAE, is professor-in-residence and vice president of research and policy at IMA. You can reach him at (201) 474-1532 or