Organizations are ‘facing paralysis’ as cyber threats advance, claims report
- Published: Thursday, 27 June 2019 08:12
Global organizations have stalled in their progress towards cyber security best practice and are facing paralysis as cyber criminals become more advanced. This is the conclusion drawn from the findings of the 2019 Risk:Value report – ‘Destination standstill. Are you asleep at the wheel?’ – from NTT Security.
Examining the attitudes of 2,256 non-IT decision makers to risk and the value of security to the business, NTT Security’s fifth annual Risk:Value report researches C-level executives and other senior decision makers across 20 countries in the Americas, Asia Pacific and Europe, and from across multiple industry sectors.
This year’s findings show that organizations are aware of the risks posed by cyber threats, with cyber security and data theft listed in three of the top five business risks. In fact, only the risk of an ‘economic or financial crisis’ beats their concerns over ‘cyber attacks on the organization’ to the top spot. The vast majority of respondents (84 percent) believe that strong cyber security will help their business; while 88 percent believe cyber security has a big role to play in society.
For each organization in the research for the last two years, NTT Security analyzed the responses for good and bad practice in cyber security, with good practice awarded positive scores and bad practice awarded negative scores. The results show a worrying lack of progress: in 2019 as in 2018, the average score was just +3, meaning that there is nearly as much bad practice as good practice. Thirty-two percent of businesses score less than zero: that is, they are exhibiting more bad practice than good practice.
Businesses in India are the best performing in the world for cyber security. The performance of organizations in France, Germany and Singapore has worsened in the last year, as has the performance of the financial services, telecommunications, chemicals, pharmaceuticals, oil and gas and private healthcare sectors, placing doubt on the robustness of critical national infrastructure.
Where are businesses failing to make progress with cyber security?
- Fewer than half (48 percent) of the respondents this year consider all of their ‘critical data’ to be ‘completely secure’ – exactly the same figure as in 2018.
- Over a third (36 percent) of respondents reveal that they would rather pay a ransom to a hacker than be fined for failing to meet data protection regulations. A third of respondents would rather pay a hacker than invest more in security – the same figure as 2018, again showing a lack of progression.
- Although 83 percent of respondents feel that complying with regulations is important, 1 in 7 do not know which regulations their organization is subject to.
- Only 30 percent believe they are subject to GDPR, a year on from the deadline for compliance, despite it affecting all organizations that have operations or customers in any European Union member state.
- Security budgets are failing to keep up with increasing cyber risk, with only a minimal increase in the percentage of IT budgets attributed to security (15 percent this year). The percentage of the operations budget attributed to security has fallen since 2018, to 16 percent.
- Organizations are still failing to be proactive when it comes to internal policies and processes. 58 percent have a formal information security policy in place, just 1 percent higher than last year. Just over half (52 percent) have an incident response plan, a rise of 3 percent over 2018.
- Around half believe that cyber security “is the IT department’s problem and not the wider business”.
- The percentage of businesses still lacking skills/resources remains static year on year, suggesting businesses need more assistance from third-party security providers.
The cost and time spent recovering from a security breach
The 2019 Risk:Value report also reveals that the time spent on recovering from a breach continues to rise year on year, with an expected recovery time of 66 days, a like-for-like increase of nine days over 2018. The estimated revenue loss in percentage terms is also up year-on-year: 12.7 percent in 2019, compared to 10.3 percent in 2018 and 9.9 percent in 2017.
The cost of recovering from a breach, according to the report, remains high at $1.2 million, on average. Notably in the Nordics, costs are predicted to be much higher, with Norway at $1.8 million and Sweden in first place with expected recovery costs for a business suffering a breach of $3 million, more than double the global average. Oil & Gas takes top spot across industry sectors, expecting to spend $2.3 million on recovery efforts.
“This year’s Risk:Value report shows that companies have come to a standstill on their journey to cyber security preparedness,” comments Garry Sidaway, SVP Security Strategy & Alliances at NTT Security. “It’s clear that decision-makers see security as an enabler; something that can help the business and society in general. But while awareness of the risks is high, organizations still lack the ability, or perhaps the will, to manage them effectively. We are still seeing low responses for areas like internal security policies and incident response plans, as well as a lack of knowledge about regulations that affect companies – all underpinned by the expectation that when something goes wrong it’s the fault of the IT department. The design and execution of cyber security strategies must improve or business risk will escalate for the organizations concerned.”