Here’s a transcript of the podcast for your convenience.
Hello. My name is Kai Grunwitz, and I’m Senior VP EMEA at NTT Security. In this Help Net Security podcast, I will be talking about the NTT Security 2018 Risk:Value Report, our annual global report that surveys 1800 senior business decision makers in 12 countries to examine business attitudes to risk and the value of information security to the business.
Companies work on the digital transformation, but a lot of experts highlight that it’s also a battle for survival. Companies have to adapt or they will fail in the future and disappear. The speed of change and the required agility is unparalleled.
Cybersecurity is at the center of this storm that modern companies have to handle. No one wants to drive an insecure car and hit a wall. It is all about trust, and trust is a very fragile thing. No surprise that nearly 80 percent of the attendees of a strategy day around digital transformation have highlighted that they expect massive security challenges on their journey. So, cybersecurity is a core component of the digital transformation, and we must implement an agile and proactive security layer supporting the requirements of the digital age. It is not digital transformation or cybersecurity; it’s all about security culture and a security-by-design approach.
Please let me highlight in this context some interesting and partly shocking findings from our Risk:Value Report. First of all, respondents seem to be overconfident about not being breached. While data breaches are becoming more severe, we see multiple companies assuming they will never suffer one.
Around half of the respondents claimed that their organization has not been affected by any data breach so far. Of these, a third do not even expect to suffer a breach at all. 12 percent are not sure if they have been breached, an average driven up by 22 percent in the UK who do not know if they have suffered a breach or not. Quite often companies do not know how to detect breaches early enough at all. They don’t have the tools, the experience, or the resources to implement a proactive threat detection solution.
This overconfidence can result in a massive risk for a digital transformation if a company is hit by a cyber-attack in the middle of an implementation of a digital strategy – unprepared because the risk was underestimated.
The second item to cover is the impact of a breach. The cost of recovery continues to rise. Let me be so bold as to state that breaches can always happen. What is the biggest concern of decision makers? Decision makers are concerned about what a data breach will do to their image, with more than half concerned about loss of customer confidence and damage to reputation. Considering the dependency on reputation of the new leading-edge solutions around blockchain, IoT, artificial intelligence or autonomous cars, no surprise. You don’t want to lose ground compared to your competitors. Lost trust is always hard to recover.
In addition, the estimated cost of recovery has increased to 1.5 million, up approximately 15 percent year over year. That means companies have to invest much more to mitigate the consequences of a breach. This also includes investments in forensics, tools, and other things. One more reason to move towards a proactive mode, and stop the fire before it spreads.
On a positive note, senior managers also expect it would take only 57 days to recover from a breach, which is a massive decline year over year, coming down from 74 days. So, companies expect they are better prepared to handle the consequences of a data breach.
The third item is ransomware. It was really a big surprise to see the number of respondents willing to wait for a ransom demand to arrive before tackling cybersecurity investments. These organizations will be among the most likely to fall victim to cyber-attacks, and may find out that ransoms aren’t an option, or that criminals do not honor them. The hard fact is that a third (33 percent) of global business decision makers say that their organization would try to cut costs by paying a ransom demand from a hacker, rather than invest in information security. This is worrying, given the growth in ransomware we saw in the previous year.
In NTT Security’s recent Global Threat Intelligence Report, our global threat team showed that ransomware attacks surged by 350 percent in 2017, and accounted for 29 percent of all malware attacks in EMEA. Only half of the respondents would prefer to invest in IT security rather than taking a proactive and then a reactive cybersecurity approach. This is absolutely in line with our real-life experience, where we see many companies only half prepared for a ransomware attack, even after WannaCry, Petya, and others, and even missing basic protection and incident response ideas.
The fourth item, and an interesting one as well, is who owns cybersecurity at the most senior level. There’s no clear consensus on who is responsible for day-to-day security. Is it the CIO, the CEO, the CISO? No single role is stepping up to the plate. But one area of consensus is the need for a regular boardroom discussion about security. 81 percent of respondents agree that preventing a security attack should be a regular item on the boardroom’s agenda, a significant increase year over year, and we see a strong increase in cybersecurity already being part of the boardroom agenda.
We are heading in the right direction. The awareness is there, considering the relevance of cybersecurity for the digital transformation. It is an absolute must, and we see that senior management is heading in the right direction.
The last item to be highlighted is how well companies are prepared. How good is the security readiness? Businesses are still failing when it comes to their information security policies. More than half, exactly 57 percent, claim to have a policy in place, slightly up from last year, and most say it’s communicated internally very well. On the other hand, only 39 percent consider the employees to be fully aware of it. There’s a clear disconnect in this area. Organizations are also failing to progress incident response plans. Less than half say that they have implemented a plan, with a further 30 percent in the process of implementing an incident response plan.
Comparing that with the numbers from the previous year, we see only an increase of 1 percent in companies who have finished a response plan since our last survey. Here we see a massive gap between the requirements, including the compliance requirements coming together with GDPR, and the business reality.
This year’s Risk:Value Report suggests that many companies are falling into the trap of making the same mistakes when it comes to communicating their security policies internally and progressing response plans in the event of a breach.
Many are still stuck in a reactive mindset when it comes to security, reinforced by the fact that more than a third would rather pay a ransom demand than invest in cybersecurity. Digging deeper into this research shows some brighter spots and some considerably darker ones. However, the digital transformation is not allowing us to get overconfident or reactive. We have to do our homework, work on the security basics, and build a security layer the future business can build on, securing the digital journey.
Please feel free to download a copy of the report on our website, where you’ll also find further information about managed and consulting services. Thank you for listening.