Print.IT Reseller - issue 54

01732 759725 16 CYBERSECURITY Working with research agency Vanson Bourne, NTT Security interviewed 1,800 global business decision makers to understand their cybersecurity stance. The study found that respondents are still making the same mistakes, failing to make any progress in crucial areas such as cybersecurity awareness and preparedness. Many organisations are still stuck in a reactive mindset when it comes to security. NTT Security was surprised at the number of respondents willing to wait for a ransom demand to arrive before tackling cybersecurity investment – one-third of companies reported that they would rather pay a hacker’s ransom than invest in information security. The UK was a little more sensible than the global average, with fewer respondents prepared to prioritise ransoms over long-term investment. Nevertheless, just over one in five UK respondents (21 per cent) were still willing to focus on ransomware payments rather than cybersecurity investments in an attempt to save money These organisations will be among the most likely to fall victim to cyber- attacks and may find that ransoms aren’t an option, or that criminals do not honour them. In cybersecurity, NTT Security warns prevention is better than cure, and advises companies to follow both the spirit and the letter of regulatory guidelines, paying attention to how they evaluate risk and prepare for the time when hackers come calling. Secure critical data Despite the fact that regulators are now enforcing the GDPR, only one in three respondents globally believe that it affects them and almost half (48 per cent) of companies are still failing to fully secure critical data. One thing has improved. Companies are starting to take control of their data as cloud computing best practices mature. Respondents are also keeping data close to home as there is a strong NTT Security’s Risk:Value 2018 Report reveals companies still don’t have a firm grip on information security issues Prevention is better than cure tendency for an organisation to store its data within its national borders. Only one per cent of respondents currently use a third-party managed security services provider. But more than one in three plan to. Of those, 18 per cent cite a lack of skills as the main reason, Data breach-related concerns Across the board, companies were most concerned about what a data breach would do to their image, with 56 per cent concerned about the loss of customer confidence and 52 per cent fretting about damage to brand and reputation. These data breach-related concerns correlate closely with companies’ broader fears. One in four (25 per cent) saw losing market share to competitors as their biggest threat. The UK stood out for its concern over the effect of data breaches on company image. 73 per cent of UK respondents worried about the impact on customer confidence following an information security incident, compared to the 56 per cent global average. 69 per cent of UK organisations fretted about brand damage, compared to 52 per cent globally. The economic impacts of a data breach ranked a clear second after image, but even here financial fallout worried some companies more than others. Direct financial losses ranked highest, with 40 per cent of companies highlighting it as a concern. Indirect losses, such as the impact of regulatory penalties and loss of share price, were less of a concern. 31 per cent of companies felt that they would be affected by financial penalties, and 29 per cent said that they would be affected by loss of shareholder value. The effect of a breach on revenue has risen only slightly after a downward turn between 2015 and 2017, with the average revenue drop forecast at 10.29 per cent. European countries were more optimistic overall, anticipating lower revenue losses than the US and APAC respondents. Cost of recovery While the predicted effect of a data breach on revenues appeared mostly static, the cost of recovery was deemed to be of greater concern. However, almost one in four respondents were unable to predict the recovery cost, suggesting a lack of risk analysis in data breach planning. On average, respondents questioned for the 2018 Risk:Value Report anticipated a 57 day recovery time if targeted by a data breach. Companies are over-confident about their level of vulnerability. Overall, almost half of all business decision-makers said that they had not been affected by data breaches, with more than one in five (22 per cent) UK companies stating that they didn’t know whether they had suffered from a breach or not. According to NTT Security, this assumption is worryingly high, given how difficult it is to prove with certainty that a company has not been breached. Another concern is the one in three respondents who say that they do not expect to suffer from a breach. www.nttsecurity.com One thing has improved. Companies are starting to take control of their data as cloud computing best practices mature 33% would try to cut costs by paying a ransom demand from a hacker rather than invest in information security The financial losses from a breach are less important than the damage an attack would do to an organization’s reputation: The estimated loss in terms of revenue is 10.29% on average, up from 9.95% in 2017 The estimated cost of recovery has increased to $1.5m , up from $1.3m in 2017 Respondents anticipate it would take 57 days to recover, down from 74 days in 2017 WHO’S RESPONSIBLE ANYWAY? There is no clear consensus on who is responsible for day-to-day security: 22% say the CIO is responsible, compared to 20% for the CEO and 19% for the CISO 81% agree that preventing a security attack should be a regular item on the board’s agenda, up from 73% in 2017 Only 61% admit security is regularly discussed, a marginal rise from 56% in 2017 PREVENTION IS BETTER THAN CURE Some organizations are taking a long-term, proactive stance but there are signs that many are still prepared to take a short-term, reactive approach to security in order to drive down costs. In yber ecurity as in edicine, prevention is better than cure. NTT S curity advises companies to follow both the spirit and the letter of regulatory guidelines, paying attention to how they evaluate risk and prepare for the time when hackers come calling. The report and details of the research methodology can be downloaded at: www.nttsecurity.com/risk-value-2018 22 % 81 % 61 % 10.29 % $1.5 m 57 days www.nttsecurity.com | ©2018 NTT Security 2018 Risk:Value Report Examining business attitudes to risk and the value of informatio security, NTT Security’s annual Risk:Value Report surveys C-level executives and other decision makers in non-IT functions from 12 countries in Europe, the US and APAC across multiple industry sectors. The report highlights that many organizations are still making the same mistakes, failing to make any progre s in crucial areas such as cybersecurity awareness and preparedness. RANSOM DEMANDS vs. INVESTING IN SECURITY One third ( 33% ) would try to cut costs by paying a ransom demand fr m hacker rather than invest in information security 16% re not sure if they would pay a ran om or not Just over half are prepared to invest in securit and take a less reactive approach to the protecti n of their organization 33 % 16 %