NTT Security’s Risk:Value 2018 Report reveals companies still don’t have a firm grip on information security issues
Working with research agency Vanson Bourne, NTT Security interviewed 1,800 global business decision makers to understand their cybersecurity stance. The study found that respondents are still making the same mistakes, failing to make any progress in crucial areas such as cybersecurity awareness and preparedness.
Many organisations are still stuck in a reactive mindset when it comes to security. NTT Security was surprised at the number of respondents willing to wait for a ransom demand to arrive before tackling cybersecurity investment – one-third of companies reported that they would rather pay a hacker’s ransom than invest in information security.
The UK was a little more sensible than the global average, with fewer respondents prepared to prioritise ransoms over long-term investment. Nevertheless, just over one in five UK respondents (21 per cent) were still willing to focus on ransomware payments rather than cybersecurity investments in an attempt to save money.
These organisations will be among the most likely to fall victim to cyber-attacks and may find that ransoms aren’t an option, or that criminals do not honour them. In cybersecurity, NTT Security warns prevention is better than cure, and advises companies to follow both the spirit and the letter of regulatory guidelines, paying attention to how they evaluate risk and prepare for the time when hackers come calling.
Secure critical data
Despite the fact that regulators are now enforcing the GDPR, only one in three respondents globally believe that it affects them and almost half (48 per cent) of companies are still failing to fully secure critical data.
One thing has improved. Companies are starting to take control of their data as cloud computing best practices mature. Respondents are also keeping data close to home as there is a strong tendency for an organisation to store its data within its national borders.
Only one per cent of respondents currently use a third-party managed security services provider. But more than one in three plan to. Of those, 18 per cent cite a lack of skills as the main reason,
Data breach-related concerns
Across the board, companies were most concerned about what a data breach would do to their image, with 56 per cent concerned about the loss of customer confidence and 52 per cent fretting about damage to brand and reputation. These data breach-related concerns correlate closely with companies’ broader fears. One in four (25 per cent) saw losing market share to competitors as their biggest threat.
The UK stood out for its concern over the effect of data breaches on company image. 73 per cent of UK respondents worried about the impact on customer confidence following an information security incident, compared to the 56 per cent global average. 69 per cent of UK organisations fretted about brand damage, compared to 52 per cent globally.
The economic impacts of a data breach ranked a clear second after image, but even here financial fallout worried some companies more than others. Direct financial losses ranked highest, with 40 per cent of companies highlighting it as a concern. Indirect losses, such as the impact of regulatory penalties and loss of share price, were less of a concern. 31 per cent of companies felt that they would be affected by financial penalties, and 29 per cent said that they would be affected by loss of shareholder value.
The effect of a breach on revenue has risen only slightly after a downward turn between 2015 and 2017, with the average revenue drop forecast at 10.29 per cent. European countries were more optimistic overall, anticipating lower revenue losses than the US and APAC respondents.
Cost of recovery
While the predicted effect of a data breach on revenues appeared mostly static, the cost of recovery was deemed to be of greater concern. However, almost one in four respondents were unable to predict the recovery cost, suggesting a lack of risk analysis in data breach planning. On average, respondents questioned for the 2018 Risk:Value Report anticipated a 57-day recovery time if targeted by a data breach.
Companies are over-confident about their level of vulnerability. Overall, almost half of all business decision-makers said that they had not been affected by data breaches, with more than one in five (22 per cent) UK companies stating that they didn’t know whether they had suffered from a breach or not.
According to NTT Security, this assumption is worryingly high, given how difficult it is to prove with certainty that a company has not been breached. Another concern is the one in three respondents who say that they do not expect to suffer from a breach.