NTT Security has published its 2018 Risk:Value Report (registration required). It is the first edition since regulators began enforcing GDPR and since NTT Security published its Global Threat Intelligence Report (GTIR) in April.
The results show that the reality of cyber security is still not hitting home in the boardroom. The findings range from denial about ever being the victim of a data breach to a willingness to pay off ransomware attackers. Responsibility for cyber security is treated almost as a poisoned chalice that nobody wants to hold. That may be driven by the fact that there are still real gaps when it comes to investing in cyber security.
In addition, the majority of organisations are still not taking GDPR seriously. The legislation was adopted two years ago and has now come into force, with regulators beginning to enforce it. Despite this, two-thirds of respondents globally believe that the legislation does not affect their business. An even bigger surprise is that fewer than half of European respondents felt it applied to them.
Kai Grunwitz, Senior VP EMEA, NTT Security, commented: “We’re seeing almost unprecedented levels of confidence among our respondents to this year’s report, with almost half claiming they have never experienced a data breach. Some might call it naivety, and it perhaps suggests that many decision makers within organisations are simply not close enough to the action and are looking at one of the most serious issues within business today with an idealistic rather than realistic view.
“This is reinforced by that worrying statistic that more than a third globally would rather pay a ransom demand than invest in their cybersecurity, especially given the big hike in ransomware detections and headline-grabbing incidents like WannaCry. While it’s encouraging that many organisations are prepared to take a long-term, proactive stance, there are still signs that many are still prepared to take a short-term, reactive approach to security in order to drive down costs.”
Who is responsible for cyber security?
The lack of leadership inside organisations when it comes to cyber security makes life easier for attackers. It means there is no coherent security policy or stance. In addition, with no one individual or group having visibility across the entire security landscape, there will always be exploitable gaps.
One of the reasons for the lack of leadership is that cyber security is still not high enough up the agenda for the main board. This is not a new problem. Despite the value of IT systems to an organisation, IT has always been a second-class citizen at board level. Cyber security is seen as a subset of IT rather than as a business-threatening issue, so the C-Suite does not want to take responsibility for it.
Hand in hand with this is the feeling among many directors that they are somehow exempt from cyber security policies and rules. That makes them relatively easy targets for attackers who use phishing and similar techniques against them. NTT Security recently updated its Management Hacks security education to include social media attacks against directors.
When asked who should be responsible for cyber security, respondents couldn’t agree. 22% felt it was the CIO, 20% the CEO and only 19% pointed the finger at the CISO.
Data breach impacts still not focused on the customer
Data breaches are a fact of life. This is not just about hackers breaching cyber defences and making off with unencrypted customer data. For the majority of businesses, according to the report, there is more risk of an insider stealing data than of an external attacker. Those breaches could be an engineer leaving with intellectual property or a salesperson taking customer lists to a new job.
Whatever the cause, 41% of respondents claim their organisation has never suffered a data breach, and 31% believe it will never happen. That is not just a shocking level of complacency but outright denial of reality.
For those willing to consider that a breach may happen, the concern is not how it affects the customer. Instead, it is all about the organisation’s reputation. 56% were concerned that a breach could lead to a loss of customer confidence and 25% worried it could lead to a loss of market share. Both of these would have a direct impact on the bottom line, which was also a major concern. Surprisingly, even given the draconian penalties that GDPR brings, the prospect of a regulatory fine ranked lower.
Ransomware defences still not adequate
The GTIR showed that ransomware continues to grow unchecked. Europe was the region most affected by ransomware, which accounted for 29% of all attacks in EMEA in 2017. One might expect this to lead companies to beef up their defences against ransomware. That is not just about buying in solutions but about improving the way backups and security processes work, so that encrypted data can be restored without paying.
It seems that rather than fully invest in proper cyber security, one-third of respondents would simply pay off a ransomware attacker. This is a risky approach. An increasing number of the attacks seen in 2017 were badly crafted, which meant that data could not be recovered even after the decryption key had been bought. In addition, once an attacker has been paid, they are quick to leave messages on Dark Web sites recording who paid and how much. This encourages other attackers to target the same company.
The money paid to an attacker is often more than would be required to invest in better processes and solutions. Organisations that pay are simply throwing money away.
What does this mean?
Another day, another report, and more evidence that cyber security is still struggling to be taken seriously. The problem for most of the C-Suite is that they just don’t understand cyber security. When they look at investment to solve problems across the rest of the business, they are able to create investment plans with an expected ROI. Cyber security is an evolving problem that is seen as a money pit: no matter how much they invest, it keeps coming back for more.
This is not helped by the lack of leadership and the denial that this report, like many others, shows. Anyone who believes they will never suffer a data breach is only fooling themselves. The problem is that many think of a breach as coming from outside and therefore completely ignore the malicious insider. They also overlook the undertrained employee who clicks on a phishing link and is infected with malware.
There is nothing in this report to feel good about, and that should send shock waves through all the companies who responded to it. The report may be titled Prevention Is Better Than Cure, but judging by its contents, you can’t prevent something you don’t believe exists. The C-Suite has become the cyber security equivalent of Flat Earthers.