The need has never been stronger for an organisation-wide, security-first culture, supported by a robust incident response plan and a coherent, well enforced security policy. But companies are failing to make progress towards this – and in some cases are going backwards.
NTT Security analysed all the organisations surveyed, across global markets, awarding positive scores for good cybersecurity practice and negative scores for bad. In both 2019 and 2018 the average score was just +3, meaning that there is nearly as much bad practice as good practice. One third of businesses score less than zero: exhibiting more bad practice than good practice.
The ‘stalling’ of cybersecurity progress is not down to a failure to recognise the scale of cyber risk, or the need to address it.
Cybersecurity threats are top of the agenda for UK business leaders, with cyberattacks, data loss or theft, and attacks on critical infrastructure cited as three of the top five business risks they face. Only ‘economic or financial crisis’ was a greater concern. The picture is the same across almost all markets – including Australia, Germany, France, India, Spain and the US.
Business leaders are also aware of the benefits of implementing strong cybersecurity measures, with 84% believing this will help their business, and 88% believing cybersecurity has a positive role to play in society at large.
So why are organisations’ security postures no better than they were a year ago?
Lack of policy. Only 70% of UK businesses have a formal security policy in place, down 7% from 2018, and of those only 48% say their employees are fully aware of it. The problem is even more acute in the rest of Europe, with only Spain coming close to the UK (67% have a formal security policy). This drops to 48% in Switzerland and 44% in the Netherlands.
Incident response plans are in place at 60% of UK companies; this is higher than the global figure of just over half, and well ahead of companies in the Netherlands, Germany and Austria.
Inadequate investment. Budgets are failing to keep up with growing demands on teams: the share of operations spend dedicated to security has fallen by around one percentage point to 16.5%, and security accounts for 15% of IT spend. Organisations in Germany and Switzerland are spending the least on security, at 14% and 12% of IT budget respectively.
Shortage of skills. Businesses still don’t have adequate skills and resources to cope with security threats, with almost half of UK companies admitting this is the case. Globally, the issue is most acute in Singapore (59%), which may in part be due to a competitive jobs market and the country’s increasing attractiveness to cybercriminals.
Insufficient knowledge of regulation. The regulatory landscape has changed in the last few years, but many businesses are not keeping pace. While four in five feel that compliance is important, 13% do not know which regulations they are subject to. More than half in the UK do not believe their company is affected by GDPR. Worryingly, awareness is even lower in a number of European countries, including Benelux (24%), Switzerland (32%), Germany and Austria (36%) and France (37%).
Fear over non-compliance is leading many businesses to consider paying ransoms to hackers: a third of UK executives would rather pay up than invest more in security, up 12% from 2018.
At the root of this cybersecurity paralysis is a lack of strategic leadership.
Passing the buck
Nearly half of UK business leaders believe that cybersecurity “is the IT department’s problem”, and nothing to do with the wider business. This rises to more than half in Switzerland, Sweden and Norway.
Cybersecurity really matters to business leaders. They see it as an enabler, and they’re aware of the risks and the need to manage them – but appear to lack the ability, or perhaps the will, to do so. As a result, many businesses are falling behind cyber criminals as the capabilities of their adversaries advance.
Organisations must act now to address their weak cybersecurity links. Security needs to be a strategic priority – discussed regularly at board level, and integrated into and monitored as part of the overall business risk programme.
Effective cybersecurity policies and incident response plans need to be implemented, communicated to all stakeholders, and tested and regularly reviewed. This requires a comprehensive understanding of the regulations and compliance obligations that apply.
Finally, organisations must plan for change. Threats evolve, and new skills and resources will be needed to combat them. The integration of new technology and digital transformation projects is expanding the threat surface, and hacking campaigns are causing more damage. Unless the design and execution of cybersecurity strategies improves, business risk will continue to escalate.