Light at the end of the cyber crime tunnel?3 min read

15/Jul/2019

Companies worldwide expect to boost their cyber security investments by 34% in the next fiscal year, after raising them by 17% the previous year, according to a new study covering 467 firms in several industries across 17 countries. About 12% of companies surveyed plan to bolster their cyber security investments by over 50%.

These increases come in the face of growing annual losses from cyber attacks. For those companies surveyed this averaged $4.7 million (£3.8 million) in the last fiscal year. More than one in 10 firms lost over $10 million (£7.9 million). That average loss equates to 0.114% of revenue across all of the firms surveyed. Losses are more severe for mid-sized companies than for large and very large companies, which have already taken greater action to secure their businesses.

Many executives believe that their cyber security investments are paying off. Firms report a decline in the impact from untrained staff, social engineers, and unsophisticated hackers over the last nine months.

ESI ThoughtLab’s survey shows that the impact of cyber attacks from malware, phishing, and mobile phone apps also decreased over that period. Yet the escalation in overall reported cyber losses highlights that cyber security is an ever-evolving struggle, as hackers target not just individual companies but whole industries, searching for any vulnerability.

Although the impact from certain types of attacks has fallen, the survey shows a rise in others, such as incursions through company supply chains and ecosystems.

“This is an example of what we call the ‘balloon effect’ in cyber security, where squeezing down on risks in one place causes others to appear elsewhere,” said Lou Celi, ESI ThoughtLab’s CEO. “Thanks to improved cyber security, companies are more effectively mitigating risks from unintentional and less sophisticated threat actors, but more advanced adversaries are still finding a way in.”

The research shows that to combat evolving risks, companies need to take a proactive, multi-layered defense / defence, approach. Firms are responding by allocating the biggest share of their budgets to technology, while seeking the right balance between investments in people and process. They are also focusing more on risk identification to address emerging vulnerabilities and are investing more in resilience to ensure they can respond quickly to successful attacks.

Other calls to action from the study include:
• Make sure you are investing enough in cyber security. Some industries, such as media and consumer markets, are allocating less and may be more exposed to cyber risks.
• Think of cyber security like any other existential threat to your business. The risks are not just about privacy, liability, and stealing data; they also can create huge operational risks if business is interrupted and can have reputational impacts that can hurt market positions.
• Pay attention to risks from partners and your supply chain. As firms draw on ecosystems of third parties to drive digital transformation, they increase their vulnerabilities to cyber risks.
• Be aware that legal and regulatory risks are also rising substantially. Companies that do not comply with new standards face hefty penalties and legal consequences.
• Implement rigorous incident training. To do so, put key stakeholders through a strong scenario exercise to prepare them for events when they occur, and to plan on how to respond quickly.
• Measure your full losses, costs, and returns. When hit by a successful cyber attack, you need to understand all of your costs – direct and indirect, tangible and intangible.

Survey methodology

As part of a global research initiative titled “The Cybersecurity Imperative”, ESI ThoughtLab and WSJ Pro Cybersecurity carried out the survey in the spring of 2019. This survey is a follow-up to a more comprehensive survey of 1,300 companies conducted in autumn 2018. The latest survey was developed to track how executives’ investments, plans, and perspectives have changed over the last nine months.

The Cybersecurity Imperative programme was conducted with a coalition of leading organisations with expertise across the cyber security space, including Baker McKenzie, CyberCube, HP, KnowBe4, Opus, Protiviti, the Security Industry Association, and Willis Towers Watson.

Download an executive summary of the results via the link.

United Kingdom

contact@cynation.com

+44 020 3190 5000

PopHub Leicester Square
41 Whitcomb Street
London WC2H 7DT

The Netherlands

contact@cynation.com

Oude Udenseweg 29
5405 PD Uden
The Netherlands

Newsletter Signup

%d bloggers like this: