C-suite executives today are more likely to “throw money” at cybersecurity problems instead of leading the charge on finding actionable solutions, according to the results of a recent study.

The survey by Trend Micro, a global data and cybersecurity firm in Tokyo, which collected input from 5,321 IT and business decision makers from companies with a staff of 250 or more across 26 countries, found that 42% of companies are spending their IT budget on risk mitigation. The majority are spending money to tackle problems as they arise, failing to establish any set protocol to mitigate repeat issues.

Dale Denham, MAS+, PPAI’s president and CEO, who has a technology background, says the increased funding has helped to better position companies, but their work lies in improving current systems. “The real challenge comes when processes need to change to be secure,” he says. “When a process change might negatively impact the sales or efficient operations of a firm, cybersecurity often becomes secondary to efficiency or sales growth.”

Results of the survey suggest that IT professionals feel they are left alone to handle cybersecurity matters without much direction from C-suite executives. Half of IT leaders (50%) and 38% of business decision makers said they believe the C-suite truly understands cybersecurity risks; of those who disagreed, 26% said it’s because executives don’t try hard enough and 20% said they aren’t interested in understanding. Nearly half of all respondents (49%) also said that cyber risks are still being treated as IT problems rather than as a business risk.

Denham explains that despite the increased funding for cybersecurity and staff, it’s an area that will never be “finished,” which is why it should remain in focus. “Keeping the balance of ‘secure enough’ is difficult for even the best IT leader—as if there is ever a breach, the IT leader is on the hook. Unfortunately, even when an IT leader is willing to discuss what is ‘secure enough,’ the complexity becomes very difficult for a non-IT leader to fully understand what it really takes to find balance.”

More than six in 10 respondents (62%) think it’ll take a cybersecurity breach for C-suite executives to take notice and be more proactive. The same percentage (62%) agreed that it would help ease the process if there was a way to better report on and explain cybersecurity risks.

Eva Chen, CEO of Trend Micro, said in a statement that executives aren’t attending to cybersecurity issues as they should, because they are overwhelmed. “Vulnerabilities used to go months or even years before being exploited after their discovery. Now it can be hours or even sooner.” Chen added, “More executives than ever understand that they have a responsibility to be informed, but they often feel overwhelmed by how rapidly the cybersecurity landscape evolves. IT leaders need to communicate with their board in such a way that they understand where the organization’s risk is and how they can best manage it.”

The conditions are nearly the opposite of what they were over the last few years, when a common complaint from IT departments was a lack of staff and funding. With the funding and staff now in place, professionals say the gain has come with executives’ dismissiveness and unwillingness to engage in cybersecurity issues. The lack of direction from upper management is also trickling down to the staff: less than half (46%) of respondents said they are familiar with concepts such as “cyber risk management,” though 66% believe it has the highest cost impact of any business risk.

Mike Pfeiffer, VP of technology for American Solutions for Business, a distributor in Glenwood, Minnesota, and incoming chair of PPAI’s Technology Committee, suggests that companies start building awareness around cybersecurity through training. “Establishing a clear cybersecurity strategy and providing timely education to executives in business terms, rather than technical, can be a great start. For example, knowing that MFA (multi-factor authentication) on email accounts can reduce account takeover attacks by 99.9% is good. Explaining that 93% of data breaches start with a simple phishing message leading to takeover helps provide context for why account security is so key.”

Pfeiffer says that when cyberattacks draw national and even international coverage, it presents companies with the opportunity to educate all staff, from top to bottom, on why and how the attack happened and how it relates to their business. “When cybersecurity events hit the news, such as the recent Log4j or SolarWinds vulnerabilities, preparing an impact statement for executives, employees and customers can help explain what can be a very technical complexity with business terms, on potential exposure and any impact to the company as a result of the announced vulnerability in the news.”

Paul Elfstrom, PPAI’s director of IT, suggests a few ways that companies can involve their entire staff in cybersecurity training. “Every employee in an organization should have some level of responsibility when it comes to cybersecurity. If you think about all the communication flowing in and out of an organization by means of email, phone, text, chat, websites, etc., any can be exploited, and your employees are right on the front lines.” He adds, “If your employees are aware of the different types of threats and red flags to watch for, they become part of your cybersecurity solution. This is where security awareness training comes into play as well. So, it’s important that cybersecurity is part of a company’s culture to elevate its importance and effectiveness.”

Denham says that executives themselves can take a prioritized approach to cybersecurity by identifying their greatest risks first and working back from there. “Buying software to prevent attacks is helpful, but there are so many significant risks that cannot be avoided by even the most expensive software that executives should be requiring detailed reporting of risks, priorities and severity, as well as requiring monthly updates on progress towards addressing the risks.”

To educate staff, Pfeiffer recommends beginning with regularly scheduled cybersecurity awareness training that communicates material clearly for use across all departments. “At American Solutions for Business, we require all employees, especially our board and C-suite, to watch our monthly Cyber Minute. The Cyber Minute is a five-minute video sharing our nascent information on current attacks or the highest-priority challenges we are seeing this month. We provide real-world examples of what to look for and how to protect yourself and [ASB].” To ensure all staff participate in Cyber Minute, Pfeiffer says that if staff miss three consecutive months, they are locked out of their accounts until they are current.