NTT Report: “Cyber attacks ranked as top business issue across next 12 months”

UK organisations are failing to make progress towards strong cyber security and “facing paralysis” as cyber criminals become more advanced. These are the stark conclusions drawn from the findings of the 2019 Risk:Value Report – ‘Destination Standstill. Are You Asleep at the Wheel?’ – issued by NTT Security.

Examining the attitudes of 2,256 non-IT decision-makers to risk and the value of security to the business, NTT Security’s annual Risk:Value Report focuses on C-Suite executives and other senior decision-makers across 20 countries in the Americas, Asia Pacific and Europe (including the UK) and from across multiple industry sectors.

UK respondents are aware of the risks posed by cyber threats, with over half (54%) ranking cyber attacks on their organisation as one of the Top Three issues that could affect businesses in the next 12 months – second only to ‘economic or financial crisis’ (56%).

While global organisations rank ‘loss of company data’ in third place, in the UK, 44% believe that cyber attacks on critical infrastructure pose a far greater threat. Of the most vulnerable components of Critical National Infrastructure (CNI), telecoms, energy and electricity networks take first, second and third place.

Almost all (90%) respondents in the UK believe that strong cyber security is important to their business over the next 12 months, compared to 78% who say the same about ‘growing revenue and profit’. 93% believe cyber security has a big role to play in society.

According to the report, strong cyber security allows UK organisations to ‘ensure the integrity of their data’ (58%) and ‘ensure only the right people have access’ to this data (56%), while around half say it ‘helps to protect the brand’.

Good and bad practice

For each organisation in the research for the last two years, NTT Security has analysed the responses for good and bad practice in cyber security, with good practice awarded positive scores and bad practice awarded negative scores. The results show a worrying lack of progress globally.

In 2019 as in 2018, the average score was just +3, meaning that there’s nearly as much bad practice as good practice. 32% of businesses score less than zero (ie they’re exhibiting more bad practice than good practice).

Businesses in India, a new country to the research, are now the best-performing in the world for cyber security, ahead of the UK. The performance of organisations in France, Germany and Singapore has worsened in the last year, as has the performance of the financial services, telecommunications, chemicals, pharmaceuticals, oil and gas and private healthcare sectors, in turn placing doubt on the robustness of CNI.

Where are organisations stalling?

Where, then, are organisations appearing to stall when it comes to cyber security Best Practice?

Paying cyber criminals One third (33%) of UK respondents say that they would rather pay a ransom to a hacker than invest more in security because it would be cheaper. That’s a significant rise of 12% over 2018’s Risk:Value Report. In addition, 34% said they would rather pay a ransom to a hacker than be handed a fine for non-compliance with data regulations

Budgets Security budgets in the UK are potentially failing to keep up with increasing cyber risk, with the percentage of IT budget attributed to security (15%) in line with the global average. The percentage of operations budget spent on security has fallen by around 1% since last year to 16.5% in 2019

General Data Protection Regulation (GDPR) compliance Just 30% globally believe they are subject to the GDPR a year on from the deadline, despite it affecting all organisations that have operations or customers in any European Union Member State. The UK is a more respectable 48%, but still behind Spain (55%) and Italy (50%)

Internal security policies Businesses are still failing to be proactive internally. At a global level, 58% have a formal information security policy in place. That’s just 1% up over last year. While the UK shows an impressive 70% with a policy in place, this is down on last year’s 77%. Less than half (47%) of respondents, however, admit that their employees are fully aware of such a policy

Incident response plans In 2019, 60% of UK organisations have an incident response plan in place in the event of a security breach. This represents a 3% drop on last year. However, this is still above the global average of 52% and among the highest figures across all 20 countries

Blaming IT Around half (44%) of UK respondents believe cyber security “is the IT Department’s problem and not that of the wider business” (which is in line with the global average of 45%). While Swedish organisations are most likely to blame IT (60%), Brazil is least likely (28%) to do so.

Time and money spent on breach recovery

The 2019 Risk:Value Report reveals that the time spent on recovering from a cyber breach continues to rise year on year, with UK respondents estimating that it will take 93 days on average to recover. The  UK figure is a significant rise of nearly double over last year’s estimated 47 days. The UK now ranks as one of the highest figures globally when it was one of the lowest in 2018.

The cost of recovering from a breach is estimated to be $1.2 million in the UK, matching the global average. Notably in the Nordics, costs are predicted to be much higher, with Norway at $1.8 million and Sweden in first place with expected recovery costs for a business suffering a breach of $3 million. Oil and gas is the industry sector having to spend the most on recovery efforts (to the tune of $2.3 million).

The estimated loss in revenue in percentage terms is up year on year in the UK – 12.9%, up from 9.7% in 2018 – and in line with the global average of 12.7%.

Azeem Aleem

Azeem Aleem

Commenting on the 2019 Risk:Value Report’s findings, Azeem Aleem (vice-president of consulting at NTT Security) explained to Risk Xtra: “The Risk:Value Report is an interesting barometer based on responses from those sitting outside of the IT function. It’s often very revealing. What’s clear is that the world around those individuals is changing, and changing fast, with the introduction of new regulations, the integration of new technologies and fast-paced digital transformation projects changing the way in which we work. What’s concerning, though, is that organisations seem to have come to a standstill in their journey to cyber security Best Practice. It’s particularly worrying to see UK businesses falling behind in some critical areas like incident response planning.”

Aleem went on to state: “Decision-makers clearly see security as an enabler. Something that can help the business and society in general, but while awareness of cyber risks is high, organisations still lack the ability, or perhaps the will, to manage them effectively. The execution of cyber security strategies must improve or business risk will escalate for the organisations concerned.”

*For a copy of NTT Security’s 2019 Risk:Value Report and other Risk:Value resources visit:

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts