Stories of cyber attacks on corporations and their leaders are becoming all too commonplace, but Accenture’s third State of Cyber Resilience study suggests there is still a long way to go before industry gets to grips with cybersecurity. The report reveals that while investment in cybersecurity (or cybersecurity technology at least) is growing, fewer than 1 in 5 organizations are effectively preventing cyberattacks. What’s more, they’re also failing to respond quickly enough to the attacks they face, so the impact of them is much greater than it should be.
The findings emerged from a survey of over 4,600 cybersecurity professionals from across the world. The survey attempted to understand just how big a priority cybersecurity was for organizations, along with the effectiveness of their strategies to deal with cyberattacks, while also understanding the impact of any investments they were making in this area.
The head of the pack
From analyzing the data, the researchers were able to identify a number of companies who were clearly ahead of their peers in terms of their cybersecurity performance. This group, which consisted of around 17% of the organizations assessed, were able to achieve significantly better results from their investment than their peers. These cybersecurity leaders were consistently stopping more attacks, and doing so faster, which in turn enabled them to fix any breaches faster and therefore reduce their subsequent impact on the business.
The scale of their advantage was considerable, with nearly 90% of this group able to detect a breach in less than a day, compared to just over 20% of the remaining organizations. Similarly, when they were breached, practically all of the leaders were able to fix it in less than 15 days, whereas around two-thirds of the remaining organizations took longer than 16 days to fix the breach. Indeed, over a half of the remaining organizations took longer than a month to do so!
“When a cyberattack prevents a pharmaceutical company from manufacturing drugs or a ship from docking at port — those are the kinds of crippling business impacts we’re most concerned about helping our clients avoid,” Accenture say. “If investments in technology don’t hit the mark when it comes to defending against cyberattacks, C-suite executives are not only jeopardizing their operations and finances but their brands and reputations as well.”
Among the remainder of the organizations assessed, there was a group of approximately 74% of businesses, who were average in their approach to cybersecurity, which left a small group of around 9% lagging far behind the rest.
Putting their money where their mouth is
The cybersecurity leaders were able to perform so strongly in large part because they invested more in cybersecurity. They had established capabilities and were often trying to sustain this high level of excellence. Those companies performing at a lower level were somewhat behind, and therefore much of their investment was in early-stage projects, with a focus on piloting new concepts and scaling up new capabilities.
There was also a strong sense that cybersecurity leaders were investing in skills as well as technology. The survey revealed that more advanced companies were around three times as likely to provide employees with advanced training on how to effectively use security tools and generally behave in a secure way than the other organizations.
This had a profound impact on results, with leading organizations three times less likely to have large scale breaches (defined as having over half a million customer records exposed) than their peers during the last 12 months. Indeed, among the typical organization, there was nearly a 50% chance of such a breach occurring each year.
Looking at the ecosystem
Equally interesting was the suggestion that the best organizations are increasingly looking outside of their own systems with their cybersecurity efforts. They appreciate that in our connected world with highly complex supply chains that operate on a just-in-time basis, it’s important to secure the ecosystem of vendors and partners.
This is a clear area of weakness for organizations, with just 60% reporting that they were working across their ecosystem to ensure vendors, partners and other stakeholders were secure. The vulnerability this ecosystem provides was emphasized by the finding that approximately 40% of all cyber breaches came via the ecosystem itself.
It seems that the complexity of supply chains is only going to intensify, so adopting a systemic approach to cybersecurity is essential, but there remains clear evidence that many organizations are neglecting their duty in doing this well enough. In a connected world, systems are only as secure as their weakest point, so it’s vital that organizations look throughout their ecosystem for vulnerabilities and work collectively to protect the network.
Despite cybersecurity being highlighted as one of the top 10 risks faced by society today in their Global Risks Report published in January, it’s clear that many organizations are not investing sufficiently in either technology or talent to mitigate that risk. Accenture reminds us that there are organizations leading the way that can show us both what’s possible, and how we can better secure our own organizations. Now is the time for the laggards to act.