Cybersecurity threats are right at the top of the agenda for business leaders, NTT Security’s 2019 Risk:Value research indicates. Cyber attacks (43%), data loss or theft (37%), and attacks on critical infrastructure (35%) – particularly telecoms and energy networks – are the biggest issues for businesses after the economy.
However, amid confusion around responsibility, many senior managers think that cybersecurity is just a problem for the IT department. Senior managers remain concerned about the impact of security incidents, particularly as the time to recover has increased markedly year-on-year. In 2019, the NTT Security Risk:Value Index, measuring cybersecurity good practice, remains at +3, showing no progress since 2018
Security budgets are failing to keep up with increasing cyber risk, it says, with only a minimal increase in the percentage of IT budgets attributed to security (15% this year). The percentage of the operations budget attributed to security has fallen since 2018, to 16%. This is concerning because of the growing threat surface exposed to hostile activity through the greater use of the internet of things and connected operational equipment.
The static nature of cybersecurity spending indicates that companies are lacking resources to address cyber risk. This is backed up by the fact that 43% of organizations lack the necessary skills and resources in house to cope with the number of cybersecurity threats.
Over a third of organizations reveal that they would rather pay a ransom to a hacker than be fined for failing to meet data protection regulations. The cost of a cybersecurity breach has increased in 2019 to 12.7% of annual revenue.
Some 2,256 organizations in 17 sectors across 20 countries were surveyed in the USA, Japan, UK, Germany, Austria, Switzerland, France, Belgium, Netherlands, Luxembourg, Spain, Italy, Sweden, Norway, Hong Kong, Singapore, India, Australia, Brazil and Chile. Most organizations had at least 500 employees, and 43% of companies had locations in multiple regions.
NTT Security analysed the responses of each organization from the research for the last two years, scoring them on good (positive score) and bad (negative score) cybersecurity practices. Alarmingly no progress has been made since 2018: the score remains at just +3, on a scale of -41 to +27. 32 percent of businesses scored a negative value, meaning they are exhibiting more bad practice than good practice.
More than four in five organizations (83 percent) feel that compliance is important, but one in seven (13 percent) do not know which regulations their organization is subject to. Only 30 percent of companies think they are affected by GDPR; actually, it affects all organizations that have operations or customers in any European Union member state.
Overall, fewer than half (48%) of all organizations say that all their critical data is secure. A smaller proportion (45%) have secured all of their organization’s data. Some countries are really struggling on this issue: the figure for securing critical data falls to just 41% in Germany and 34% in Singapore.
