Survey finds that cyber security budgets are up; with additional investments being made in risk identification and resilience
- Published: Friday, 12 July 2019 07:29
Companies worldwide expect to boost their cyber security investments by 34 percent in the next fiscal year, after raising them by 17 percent the previous year, according to a new study covering 467 firms across industries and based in 17 countries. About 12 percent of companies surveyed plan to bolster their cyber security investments by over 50 percent.
These increases come in the face of growing annual losses from cyber attacks, which for companies surveyed averaged $4.7 million in the last fiscal year—with more than one in ten firms losing over $10 million. That average loss equates to 0.114 percent of revenue across all firms surveyed. Losses are more severe for mid-sized companies than for large and very large companies, which have already taken greater action to secure their businesses.
Many executives believe that their cyber security investments are paying off. Firms report a decline in the impact from untrained staff, social engineers, and unsophisticated hackers over the last nine months.
ESI ThoughtLab’s survey shows that the impact of cyber attacks from malware, phishing, and mobile phone apps also decreased over that period. Yet the escalation in overall reported cyber losses highlights that cyber security is an ever-evolving struggle, as hackers target not just individual companies but whole industries, searching for any vulnerability.
Although the impact from certain types of attacks has fallen, the survey shows a rise in others, such as incursions through company supply chains and ecosystems.
“This is an example of what we call the ‘balloon effect’ in cyber security, where squeezing down on risks in one place causes others to appear elsewhere,” said Lou Celi, ESI ThoughtLab’s chief executive officer. “Thanks to improved cyber security, companies are more effectively mitigating risks from unintentional and less sophisticated threat actors, but more advanced adversaries are still finding a way in.”
The research shows that to combat evolving risks, companies need to take a proactive, multi-layered defense / defence, approach. Firms are responding by allocating the biggest share of their budgets to technology, while seeking the right balance between investments in people and process. They are also focusing more on risk identification to address emerging vulnerabilities and are investing more in resilience to ensure they can respond quickly to successful attacks.
Other calls to action from the study include:
- Make sure you are investing enough in cyber security. Some industries, such as media and consumer markets, are allocating less and may be more exposed to cyber risks.
- Think of cyber security like any other existential threat to your business. The risks are not just about privacy, liability, and stealing data; they also can create huge operational risks if business is interrupted and can have reputational impacts that can hurt market positions.
- Pay attention to risks from partners and your supply chain. As firms draw on ecosystems of third parties to drive digital transformation, they increase their vulnerabilities to cyber risks.
- Be aware that legal and regulatory risks are also rising substantially. Companies that do not comply with new standards face hefty penalties and legal consequences.
- Implement rigorous incident training. To do so, put key stakeholders through a strong scenario exercise to prepare them for events when they occur, and to plan on how to respond quickly.
- Measure your full losses, costs, and returns. When hit by a successful cyber attack, you need to understand all your costs—direct and indirect, tangible and intangible.
ESI ThoughtLab and WSJ Pro Cybersecurity carried out the survey in the spring of 2019 as part of a global research initiative titled The Cybersecurity Imperative. This survey is a follow-up to a more comprehensive survey of 1,300 companies conducted in the fall of 2018. The latest survey was developed to track how executives’ investments, plans, and perspectives have changed over the last nine months.
The Cybersecurity Imperative program was conducted with a coalition of leading organizations with expertise across the cyber security space, including Baker McKenzie, CyberCube, HP, KnowBe4, Opus, Protiviti, the Security Industry Association, and Willis Towers Watson.