Results of a new survey of IT decision makers (ITDMs) should make for disturbing reading for CEOs in the light of the WannaCry ransomware attack.

Although, as the top-ranking execs provided much of the information themselves, maybe they know all about it.

A headline finding is that three quarters of CEOs admit to using software programmes and applications that have not been approved by their IT department, thus putting critical data at risk.

At the same time 63% of them state that losing this data would destroy their business.

The survey polled 801 IT decision makers (ITDMs), including CSOs, CTOs, CISOs and CIOs as well as 404 business decision makers (BDMs), including at least 137 CEOs, in the US, UK and Germany, according to Code 42.

It’s entitled the CTRL-Z (or Undo) survey, reminding managers of a command they may want to make in future, and was commissioned by Code 42, a US software company providing endpoint protection, and carried out by Sapio Research, a UK research consultancy.

Another finding is that 50 percent of all corporate data in the typical enterprise is held on laptops and desktops, instead of in a data centre or centralised servers.

In the U.S., this rises to as much as 60 percent. Simultaneously, the significance of this data to the productivity and security of the business is well understood at the top of the organisation, with 63 percent of CEOs stating that losing this data would destroy their business. But awareness of the risk is doing little to change adherence to proper security practices, says Code 42.

And to underline the conscious risk taking that is going on, the report reveals that 75% of CEOs and more than 52% of BDMs admit they use applications/programmes that are not approved by their IT department.

Yet 91% of CEOs and 83% of BDMs acknowledge that their behaviours could be considered a security risk to their organisation, but say they use the programmes to ensure productivity.

The survey found the majority of ITDMs do have laptop (86%) and server backup (95%) in place, but at least 13% and 8%, respectively, have not tested their laptop or server backup programmes.

“If an enterprise-wide failure, such as a widespread and devastating ransomware attack, took place today the questions would be: ‘Is your IT team prepared to get you back up and running?’ and, ‘How long would you take to be productive again, considering the amount of data held on laptops and desktops?’” said Rick Orloff, VP and CSO at Code 42.

“Modern enterprises are fighting an internal battle between the need for productivity and the need for security—both of which are being scrutinised all the way to the CEO,” he said. “By using unauthorised programmes and applications, business leadership is challenging the very security strategies they demanded be put in place. This makes it clear that a prevention-based approach to security is not sufficient; recovery must be at the core of your strategy.”

Increasingly, experts are commenting that endpoint protection has to be reinforced with faster responses for when the ‘inevitable’ breach occurs.