NTT Security 2019 Risk:Value Report Asks Why Organizations Are at a Standstill with Cybersecurity Despite Recognizing the Scale of Cyber Threats

New report highlights lack of cybersecurity investment, poor knowledge of compliance issues and continued failure to secure critical data

India now the best performing in the world for cybersecurity ahead of the USA and UK 

LONDON – June 26, 2019 – Global organizations have stalled in their progress towards cybersecurity best practice and are facing paralysis as cybercriminals become more advanced. This is the conclusion drawn from the findings of the 2019 Risk:Value report – ‘Destination standstill. Are you asleep at the wheel?’ – from NTT Security, the specialized security company and center of excellence in security for NTT Group.

Examining the attitudes of 2,256 non-IT decision makers to risk and the value of security to the business, NTT Security’s fifth annual Risk:Value report researches C-level executives and other senior decision makers across 20 countries in the Americas, Asia Pacific and Europe, and from across multiple industry sectors.

This year’s findings show that organizations are aware of the risks posed by cyber threats, with cybersecurity and data theft listed in three of the top five business risks. In fact, only the risk of an ‘economic or financial crisis’ beats their concerns over ‘cyber attacks on the organization’ to the top spot. The vast majority of respondents (84 percent) believe that strong cybersecurity will help their business; while 88 percent believe cybersecurity has a big role to play in society.

For each organization in the research for the last two years, NTT Security analyzed the responses for good and bad practice in cybersecurity, with good practice awarded positive scores and bad practice awarded negative scores. The results show a worrying lack of progress: in 2019 as in 2018, the average score was just +3, meaning that there is nearly as much bad practice as good practice. Thirty-two percent of businesses score less than zero: that is, they are exhibiting more bad practice than good practice.

Businesses in India, a new country to the research, are now the best performing in the world for cybersecurity, ahead of the USA and the UK. The performance of organizations in France, Germany and Singapore has worsened in the last year, as has the performance of the financial services, telecommunications, chemicals, pharmaceuticals, oil and gas and private healthcare sectors, placing doubt on the robustness of critical national infrastructure.

Where are businesses failing to make progress with cybersecurity?

• Fewer than half of the respondents this year consider all of their ‘critical data’ to be ‘completely secure’ – 48 percent compared to exactly the same figure in 2018.
• Over a third (36 percent) of respondents reveal that they would rather pay a ransom to a hacker than be fined for failing to meet data protection regulations. A third of respondents would rather pay a hacker than invest more in security – the same figure as 2018, again showing a lack of progression.
• Although 83 percent of respondents feel that complying with regulations is important, 1 in 7 do not know which regulations their organization is subject to.
• Only 30 percent believe they are subject to GDPR, a year on from the deadline for compliance, despite it affecting all organizations that have operations or customers in any European Union member state.
• Security budgets are failing to keep up with increasing cyber risk, with only a minimal increase in the percentage of IT budgets attributed to security (15 per cent this year). The percentage of the operations budget attributed to security has fallen since 2018, to 16 percent.
• Organizations are still failing to be proactive when it comes to internal polices and processes. Fifty-eight percent have a formal information security policy in place, just 1 percent higher than last year. Just over half (52 percent) have an incident response plan, a rise of 3 percent over 2018.
• Around half believe cybersecurity “is the IT department’s problem and not the wider business”.
• The percentage of businesses still lacking skills/resources remains static year on year, suggesting businesses need more assistance from third party security providers.

Cost and time spent recovering from a security breach

The 2019 Risk:Value report also reveals that the time spent on recovering from a breach continues to rise year on year, with an expected recovery time of 66 days, a like-for-like increase of nine days over 2018. The estimated revenue loss in percentage terms is also up year-on-year – 12.7 percent in 2019, compared to 10.3 percent in 2018 and 9.9 percent in 2017.

The cost of recovering from a breach, according to the report, remains high at $1.2 million, on average. Notably in the Nordics, costs are predicted to be much higher, with Norway at $1.8 million and Sweden in first place with expected recovery costs for a business suffering a breach of $3 million, more than double the global average. Oil & Gas takes top spot across industry sectors, expecting to spend $2.3 million on recovery efforts.

“This year’s Risk:Value report shows that companies have come to a standstill on their journey to cybersecurity preparedness,” comments Garry Sidaway, SVP Security Strategy & Alliances at NTT Security. “The world around them is changing, with the integration of new technology and digital transformation projects changing the way we do business, but cybercriminals are taking advantage of this paralysis and, because of this, data breaches will continue to make headlines.

“It’s clear that decision-makers see security as an enabler; something that can help the business and society in general. But while awareness of the risks is high, organizations still lack the ability, or perhaps the will, to manage them effectively. We are still seeing low responses for areas like internal security policies and incident response plans, as well as a lack of knowledge about regulations that affect companies – all underpinned by the expectation that when something goes wrong it’s the fault of the IT department. The design and execution of cybersecurity strategies must improve or business risk will escalate for the organizations concerned.”

To learn more and download the report, visit the NTT Security website.