UK organisations are failing to make progress towards strong cyber security and “facing paralysis” as cyber criminals become more advanced. These are the stark conclusions drawn from the findings of the 2019 Risk:Value Report – ‘Destination Standstill. Are You Asleep at the Wheel?’ – issued by NTT Security.
Examining the attitudes of 2,256 non-IT decision-makers to risk and the value of security to the business, NTT Security’s annual Risk:Value Report focuses on C-Suite executives and other senior decision-makers across 20 countries in the Americas, Asia Pacific and Europe (including the UK) and from across multiple industry sectors.
UK respondents are aware of the risks posed by cyber threats, with over half (54%) ranking cyber attacks on their organisation among the top three issues that could affect their business in the next 12 months – second only to ‘economic or financial crisis’ (56%).
While organisations globally rank ‘loss of company data’ in third place, 44% of UK respondents believe that cyber attacks on critical infrastructure pose a far greater threat. Among the components of Critical National Infrastructure (CNI) seen as most vulnerable, telecoms, energy and electricity networks take first, second and third place respectively.
Almost all (90%) respondents in the UK believe that strong cyber security is important to their business over the next 12 months, compared to 78% who say the same about ‘growing revenue and profit’. 93% believe cyber security has a big role to play in society.
According to the report, strong cyber security allows UK organisations to ‘ensure the integrity of their data’ (58%) and ‘ensure only the right people have access’ to this data (56%), while around half say it ‘helps to protect the brand’.
Good and bad practice
For each organisation in the research for the last two years, NTT Security has analysed the responses for good and bad practice in cyber security, with good practice awarded positive scores and bad practice awarded negative scores. The results show a worrying lack of progress globally.
In 2019, as in 2018, the average score was just +3, meaning that there is nearly as much bad practice as good practice. 32% of businesses score less than zero (i.e. they exhibit more bad practice than good practice).
Businesses in India, a new country to the research, are now the best-performing in the world for cyber security, ahead of the UK. The performance of organisations in France, Germany and Singapore has worsened in the last year, as has the performance of the financial services, telecommunications, chemicals, pharmaceuticals, oil and gas and private healthcare sectors, in turn placing doubt on the robustness of CNI.
Where are organisations stalling?
Where, then, are organisations appearing to stall when it comes to cyber security best practice?
Paying cyber criminals
One third (33%) of UK respondents say that they would rather pay a ransom to a hacker than invest more in security because it would be cheaper. That is a significant rise of 12% over 2018’s Risk:Value Report. In addition, 34% said they would rather pay a ransom to a hacker than be handed a fine for non-compliance with data regulations.
Budgets
Security budgets in the UK are potentially failing to keep up with increasing cyber risk. The percentage of IT budget attributed to security (15%) is in line with the global average, while the percentage of operations budget spent on security has fallen by around 1% since last year to 16.5% in 2019.
General Data Protection Regulation (GDPR) compliance
Just 30% globally believe they are subject to the GDPR a year on from the compliance deadline, despite it affecting all organisations that have operations or customers in any European Union Member State. The UK figure is a more respectable 48%, but still behind Spain (55%) and Italy (50%).
Internal security policies
Businesses are still failing to be proactive internally. At a global level, 58% have a formal information security policy in place, just 1% up on last year. While the UK shows an impressive 70% with a policy in place, this is down from last year’s 77%. Less than half (47%) of respondents, however, say that their employees are fully aware of such a policy.
Incident response plans
In 2019, 60% of UK organisations have an incident response plan in place in the event of a security breach. This represents a 3% drop on last year. However, it is still above the global average of 52% and among the highest figures across all 20 countries.
Blaming IT
Some 44% of UK respondents believe cyber security “is the IT Department’s problem and not that of the wider business”, which is in line with the global average of 45%. Swedish organisations are the most likely to blame IT (60%), while those in Brazil are the least likely (28%) to do so.
Time and money spent on breach recovery
The 2019 Risk:Value Report reveals that the estimated time needed to recover from a cyber breach continues to rise year on year, with UK respondents estimating that recovery will take 93 days on average. The UK figure has nearly doubled from last year’s estimate of 47 days, and the UK is now among the highest figures globally, having been among the lowest in 2018.
The cost of recovering from a breach is estimated at $1.2 million in the UK, matching the global average. Notably, in the Nordics the predicted costs are much higher, with Norway at $1.8 million and Sweden in first place with expected recovery costs of $3 million for a business suffering a breach. Oil and gas is the industry sector expecting to spend the most on recovery efforts, to the tune of $2.3 million.
The estimated loss in revenue following a breach, expressed as a percentage, is also up year on year in the UK – 12.9%, up from 9.7% in 2018 – and in line with the global average of 12.7%.
Commenting on the 2019 Risk:Value Report’s findings, Azeem Aleem (vice-president of consulting at NTT Security) explained to Risk Xtra: “The Risk:Value Report is an interesting barometer based on responses from those sitting outside of the IT function. It’s often very revealing. What’s clear is that the world around those individuals is changing, and changing fast, with the introduction of new regulations, the integration of new technologies and fast-paced digital transformation projects changing the way in which we work. What’s concerning, though, is that organisations seem to have come to a standstill in their journey to cyber security Best Practice. It’s particularly worrying to see UK businesses falling behind in some critical areas like incident response planning.”
Aleem went on to state: “Decision-makers clearly see security as an enabler. Something that can help the business and society in general, but while awareness of cyber risks is high, organisations still lack the ability, or perhaps the will, to manage them effectively. The execution of cyber security strategies must improve or business risk will escalate for the organisations concerned.”
*For a copy of NTT Security’s 2019 Risk:Value Report and other Risk:Value resources visit: https://www.nttsecurity.com/riskvalue2019-uk