ESI ThoughtLab has partnered with the Wall Street Journal, the Security Industry Association and other industry coalition members to release cybersecurity analysis and benchmarks covering 1,300 companies.
SILVER SPRING, Md. – A comprehensive study about cybersecurity from leading research firm ESI ThoughtLab, together with research partner the Wall Street Journal’s WSJ Pro Cybersecurity and a cross-industry coalition made up of the Security Industry Association (SIA) and other organizations, including Baker McKenzie, CyberCube, HP Inc., KnowBe4, Opus, Protiviti and Willis Towers Watson, shows that digital transformation is exposing companies to higher and more costly cyber risks. According to a global benchmarking study of 1,300 companies, those whose cybersecurity practices do not keep pace with their digital transformation initiatives are more likely to see $1 million or more in losses from cyberattacks.
The research shows that cyber risks rise dramatically as companies embrace new technologies, adopt open platforms and tap ecosystems of partners and suppliers. While firms now report the biggest impacts from malware (81%), phishing (64%) and ransomware (63%), within two years they expect massive growth in attacks through partners, customers and vendors (+247%), supply chains (+146%), denial of service (+144%), apps (+85%) and embedded systems (+84%).
Surveyed companies see high risks from external threat actors, such as unsophisticated hackers (cited by 59 percent of firms), cybercriminals (57%) and social engineers (44%), but the greatest threat lies with untrained general staff (87%). Another 57 percent of firms see data sharing with partners and vendors as their main IT vulnerability. Nonetheless, only 17 percent of companies have made significant progress in training staff and partners on cybersecurity awareness.
“Companies need to make sure that their cybersecurity programs keep pace with their digital transformation efforts,” said Lou Celi, CEO of ESI ThoughtLab and director of the study. “Cybersecurity should not be an afterthought. It needs to be integrated into the fabric of an organization’s growth strategy.”
To Win the Arms Race With Hackers, Companies Are Boosting Their Cybersecurity Investments
To cope with rising cyber risks, surveyed companies are increasing their cybersecurity investment 7 percent this year and 14 percent next year. The biggest upsurge will come from platform companies, which are hiking their spending 59 percent this year and 64 percent next year. On average, companies with revenue between $250 million and $1 billion will spend $2.9 million on cybersecurity next year; those with revenue of $1-5 billion will spend $5.7 million, those with $5-20 billion $10.7 million, and those with more than $20 billion $16.8 million.
Next year, these firms plan to allocate 39.3 percent of their cybersecurity budgets to technology, 30.7 percent to process and 30 percent to people. Companies now use a variety of technologies to improve cybersecurity, such as multi-factor authentication (90%), blockchain (68%), the Internet of Things (62%) and artificial intelligence (44%). Over the next two years, they plan to greatly expand their use of behavioral analytics (+1,735%), smart grid technologies (+831%), deception technology (+684%) and hardware security and resilience (+114%).
“As validated by SIA’s just-released 2019 Security Megatrends – highlighting the top factors influencing both short- and long-term change in the global security industry – security companies see cybersecurity as the dominant trend shaping the industry,” said SIA’s CEO, Don Erickson. “Having these clear benchmarks around cybersecurity not only facilitates the advancement of cybersecurity within our members’ own organizations, but it also allows the overall industry to deliver appropriate solutions for their customers.”
Cybersecurity Is Still a Work in Progress
ESI ThoughtLab scored the surveyed companies on their progress against each function of the National Institute of Standards and Technology's Cybersecurity Framework, then segmented these firms into three stages of cybersecurity maturity: beginners, intermediates and leaders. The results reveal that companies have a long way to go: only 20 percent of companies are leaders, while 31 percent are beginners and 49 percent are intermediates. Interestingly, technology firms have the lowest maturity scores, although platform companies have the highest. Financial services and insurance firms also tend to be further along the maturity curve than average.
According to the study, companies have made more progress on risk prevention than on resilience. Over the next year, firms will continue to allocate the largest share of their investment to the Protect function (26.5%), but will direct more to Respond (19.2%) and Recover (18.1%) to increase resilience as attacks rise.
Cybersecurity maturity also varies by country: companies in the study with the highest maturity scores are based in the United States (107.2), South Korea (104.7), Japan (102.6), France (101.9) and Australia (101.3). Most of the lowest-scoring companies were headquartered in emerging markets, including Brazil (88.6), Argentina (93.6) and India (93.7), although companies in Germany (97.3) and Switzerland (96.3) also had relatively low scores.
The Returns on Cybersecurity Maturity
The study shows that as corporate cybersecurity programs mature, the probability of costly cyberattacks declines. Cybersecurity beginners have a 21.1% probability of suffering cyberattacks that generate over $1 million in losses, versus 16.1% for intermediates and 15.6% for leaders. The cost of cyberattacks also decreases as cybersecurity matures: losses for beginners are 0.039 percent of revenue ($3.9 million for a $10 billion company), compared with 0.012 percent of revenue for leaders ($1.2 million for a $10 billion company). However, these costs, and the number of successful attacks, are harder to measure for beginners because their detection capabilities are inadequate, so beginners' true losses are likely understated.
Despite better monitoring methods and metrics, most companies still do not know the return on their cybersecurity investments. One stumbling block is that firms often do not measure indirect costs, such as productivity loss, reputational damage and opportunity costs, which can hurt the bottom line. Another is the difficulty of gauging risk probabilities and the failure to account for the upside of cybersecurity in improving productivity (cited by 35% of companies), profitability (22%), corporate reputation (18%), competitive positioning (16.2%) and customer engagement (11%).
“While cybersecurity will always be more of an art than a science,” says Celi, “companies need to do a better job of measuring their full direct and indirect cost-benefits to understand where to invest to secure their digital future. This study is a major step in that direction.”
About the Research Program
The Cybersecurity Imperative is a research program based on a global survey of 1,300 organizations across industries and regions, research input from a high-level advisory panel, in-depth interviews with CISOs and leading experts, and rigorous benchmarking analysis. The research was conducted in the second quarter of 2018 by ESI ThoughtLab and research partner WSJ Pro Cybersecurity in conjunction with a diverse coalition of sponsors, including SIA, Baker McKenzie, CyberCube, HP Inc., KnowBe4, Opus, Protiviti and Willis Towers Watson.
About Our Research Team
ESI ThoughtLab is the thought leadership arm of Econsult Solutions Inc., an economic consultancy. The think tank offers evidence-based analysis to help business and government leaders understand and respond to economic, industry and technological shifts around the world. Its team of economists and thought leaders excels at creating decision support that combines visionary thinking, analytical excellence and multi-format content.
WSJ Pro Cybersecurity is designed to help executives monitor the ever-changing landscape of cybersecurity through a business lens. Our dedicated team delivers unique, actionable insight on the wide-ranging challenges of cybercrime risk.
SIA (securityindustry.org) is the leading trade association for global security solution providers, with nearly 900 innovative member companies representing thousands of security leaders and experts who shape the future of the security industry. SIA protects and advances its members’ interests by advocating pro-industry policies and legislation at the federal and state levels, creating open industry standards that enable integration, advancing industry professionalism through education and training, opening global market opportunities and collaborating with other like-minded organizations. As a proud sponsor of ISC Events expos and conferences, SIA ensures its members have access to top-level buyers and influencers, as well as unparalleled learning and network opportunities. SIA also enhances the position of its members in the security marketplace through SIA Government Summit, which brings together private industry with government decision makers, and SNG, the security industry’s top executive conference for peer-to-peer networking.