Organizations are ‘facing paralysis’ as cyber threats advance, claims report

Published: Thursday, 27 June 2019 08:12

Global organizations have stalled in their progress towards cyber security best practice and are facing paralysis as cyber criminals become more advanced. This is the conclusion drawn from the findings of the 2019 Risk:Value report – ‘Destination standstill. Are you asleep at the wheel?’ – from NTT Security.

Examining the attitudes of 2,256 non-IT decision makers to risk and the value of security to the business, NTT Security’s fifth annual Risk:Value report researches C-level executives and other senior decision makers across 20 countries in the Americas, Asia Pacific and Europe, and from across multiple industry sectors.

This year’s findings show that organizations are aware of the risks posed by cyber threats, with cyber security and data theft listed in three of the top five business risks. In fact, only the risk of an ‘economic or financial crisis’ beats their concerns over ‘cyber attacks on the organization’ to the top spot. The vast majority of respondents (84 percent) believe that strong cyber security will help their business; while 88 percent believe cyber security has a big role to play in society.

For each organization in the research for the last two years, NTT Security analyzed the responses for good and bad practice in cyber security, with good practice awarded positive scores and bad practice awarded negative scores. The results show a worrying lack of progress: in 2019 as in 2018, the average score was just +3, meaning that there is nearly as much bad practice as good practice. Thirty-two percent of businesses score less than zero: that is, they are exhibiting more bad practice than good practice.

Businesses in India are the best performing in the world for cyber security. The performance of organizations in France, Germany and Singapore has worsened in the last year, as has the performance of the financial services, telecommunications, chemicals, pharmaceuticals, oil and gas and private healthcare sectors, placing doubt on the robustness of critical national infrastructure.

Where are businesses failing to make progress with cyber security?

The cost and time spent recovering from a security breach

The 2019 Risk:Value report also reveals that the time spent on recovering from a breach continues to rise year on year, with an expected recovery time of 66 days, a like-for-like increase of nine days over 2018. The estimated revenue loss in percentage terms is also up year-on-year: 12.7 percent in 2019, compared to 10.3 percent in 2018 and 9.9 percent in 2017.

The cost of recovering from a breach, according to the report, remains high at $1.2 million, on average. Notably in the Nordics, costs are predicted to be much higher, with Norway at $1.8 million and Sweden in first place with expected recovery costs for a business suffering a breach of $3 million, more than double the global average. Oil & Gas takes top spot across industry sectors, expecting to spend $2.3 million on recovery efforts.

“This year’s Risk:Value report shows that companies have come to a standstill on their journey to cyber security preparedness,” comments Garry Sidaway, SVP Security Strategy & Alliances at NTT Security. “It’s clear that decision-makers see security as an enabler; something that can help the business and society in general. But while awareness of the risks is high, organizations still lack the ability, or perhaps the will, to manage them effectively. We are still seeing low responses for areas like internal security policies and incident response plans, as well as a lack of knowledge about regulations that affect companies – all underpinned by the expectation that when something goes wrong it’s the fault of the IT department. The design and execution of cyber security strategies must improve or business risk will escalate for the organizations concerned.”

More details.