Organizations recognize the scale of cyber risk but lack the countermeasures needed to build resilience.
The research found that cyber-attacks (43 percent), data loss or theft (37 percent), and critical infrastructure attacks (35 percent), especially those targeting telecoms and energy networks, most concern respondents. The survey respondents said that these risks will pose a greater threat to their company over the next 12 months than trade barriers and other important global issues such as economic, crime, and policy failures.
Thankfully, corporate awareness of the need for beefed-up cybersecurity is growing. Eighty-four percent and 85 percent of businesses, respectively, said good information security and data integrity protection were just as important as business continuity and even more important than growth in sales. Nine out of ten respondents said good cybersecurity is a blessing for their organization.
Cybersecurity Policies and Incident Response Plans Missing
Nevertheless, several companies are struggling to maintain even basic security standards. Just 58 percent have a structured security policy, but only 48 percent of those say their employees know what’s in it, indicating that only 28 percent of companies have security policies that their employees clearly understand. Companies also fall short on incident response preparation, which outlines what stakeholders should do in the event of a security incident. Just 52 percent of respondents have a strategy like this. While this is 3 percent higher than in 2018, just 57 percent of client respondents with a policy know what’s inside it.
Despite Increasing Cyber Risks, Security Budgets Remain Flat
In addition to their planning shortfalls, companies are not keeping up with rising IT dependency and uncertainties. On average, 15 percent of IT budgets are allocated to security, but since last year, the share of operating budgets assigned to security has dropped to 16 percent. This is alarming, particularly as the attack surface has grown exponentially because of the emerging Internet of Things (IoT) and connected operational technology (think Industry 4.0).
Organizations in Germany (14 percent) and Switzerland (12 percent) allocate the lowest percentage of their IT budgets to security. Security spending is lowest in the construction and manufacturing industries, which allocate 13 percent of their IT budgets. The emergence of potentially devastating threats to the operating infrastructure commonly used in the manufacturing sector is deeply disturbing considering the scanty resources dedicated to combating those risks.
One-Third of Companies Would Rather Pay Ransom
One remarkable finding from the NTT study is the incredible number of companies willing to pay a ransom. One-third said they would rather pay a ransom to an attacker than invest in cybersecurity. They said it’s “cheaper.” This logic is both risky and misguided, as it allows the bad guys to come back, maybe with even greater demands than at first.
A similar percentage of respondents said they would rather pay the ransom than be fined for non-compliance, which indicates a concern about the implications of non-compliance and a lack of confidence in some organizations in their ability to address critical regulatory issues and execute a comprehensive incident response plan. This situation is concerning as cybercriminals become more advanced by the day. In reality, cybercrime is undergoing an industrialization wave, with large-scale syndicates creating a thriving underground economy expected to yield more than a whopping $1.5 trillion in annual revenues.
Leaders Think Cybersecurity Is an IT Task
Poor coordination of security measures could be due to subpar or misinformed senior management. The NTT survey revealed that 84 percent of respondents agreed that cybersecurity should be a boardroom issue, but only 72 percent said it actually was one. One in four (23 percent) said someone in their company (such as a CISO) controlled their organization’s day-to-day security, but only 13 percent said that such individuals had ultimate responsibility for cybersecurity.
Nearly half (45 percent) of all respondents, and 57 percent of respondents at C-level, said cyber risk is an issue for the IT department. That illustrates the disturbing distance that often exists between cybersecurity and the C-suite. Over the past two years, little has changed, although a single successful attack can have major financial and legal implications. Intelligent business executives need to develop a different corporate mindset to overcome the risks in the digital strategy of their company.
Conclusion
Cybersecurity is a prime concern for business leaders. Rightly so, because there has never been greater reliance on IT uptime and resilience. Nevertheless, corporate boards need to move beyond recognition and rhetoric and into practice to reduce their organization’s risk exposure and ensure long-term success.
More stringent regulatory frameworks and higher infringement fines are raising awareness of cyber risk and the organization-wide need for enforcement. But they also need to encourage a transition in corporate governance. Solutions that might have worked in the analog days (such as simply putting protection under IT) are no longer sufficient, particularly when revenues and profits from digital operations and brand reputation are at stake. Practically any board decision in the digital era would impact the cyber-risk posture of the company. Cybersecurity should, therefore, be a recurrent item on board agendas and should be constantly reassessed in terms of the wider risk context.