Cloudflare research shows that just 29% of European organisations say they are well prepared for future cyberattacks. It’s a chilling statistic. While small organisations have the least confidence in their ability to protect themselves, medium to large organisations are not much more confident.
The details are in a new report entitled Shielding the Future: Europe’s Cyber Threat Landscape Report (content gated). It surveyed more than 4,000 European security professionals from 13 countries and various industries.
While the UK came out as the most attacked country (48%), Spain and Sweden were close behind at 47%. Commenting on the findings, Christian Reilly, Field CTO EMEA at Cloudflare, said: “Thousands of UK business leaders are bracing themselves for growing cybersecurity threats that they feel ill-equipped to deal with.
“With incidents on the rise in both volume and frequency, preparation is key. Businesses that have previously faced attacks are seemingly on their guard, but industries that have not yet encountered such an incident are shockingly underprepared. Just because businesses have been lucky enough to avoid an attack so far, it doesn’t make them immune in the future.”
What do we learn from this research?
Some of this report’s findings are to be expected. It tracks similar results from other reports over the last year. However, some numbers are concerning.
- 72% reported at least one attack in the last year
- 84% of those that were breached say that the frequency of incidents is up in the last 12 months. Whether the volume of attacks caused the breach is unclear
- Organisations that are breached once get breached several times. Over 43% of businesses were attacked more than 10 times in 2023, with 3% suffering more than 100 attacks
- The financial impact is severe. 63% lost at least €940,000, while 25% lost more than €1.88 million.
- The rise in remote and hybrid working is blamed for creating an environment where attacks are more likely
- Mid-sized organisations (42%) are more likely than large (40%) and small (34%) organisations to get breached
- 64% believe a cybersecurity incident will occur in the next 12 months
The worries over being unprepared
One of the more concerning findings in this report is the lack of preparedness of security teams. The report didn’t offer any reason for this, which is disappointing. Had there been some qualitative follow-up, it is likely that some real insight could have been derived from this.
The report did find that:
- Italy (21%) was the least prepared country. The report also shows that Germany (24%) and Czechia (24%) were also unprepared. The big surprise here is that number from Germany. Given the compliance legislation that successive German governments have put in place around cybersecurity and data protection, this number stands out.
- Healthcare (18%) and education (19%) were singled out as the worst-prepared industries. This is surprising, as both are under significant and sustained attacks. It will be interesting to see if this changes in the next year.
- Only 25% of small businesses claim to be well prepared. However, medium (27%) and large (32%) organisations fare little better.
A complex but familiar cybersecurity landscape
Cyberattacks continue to evolve, but at the same time, the types of attacks continue to be the things we know. Perhaps the biggest shift is the overlay of multiple attacks to either overwhelm defences or to distract.
An interesting finding from this report is that 53% of respondents believe attackers are trying to install spyware. Surprisingly, this was higher than those seeing financial gain (48%) and the installation of malware (48%).
Phishing (59%), web attacks (58%) and DDoS attacks (37%) are among the most commonly experienced attacks. However, when it comes to the top three threats, phishing (37%) comes in lower than malware (57%) and ransomware and spyware (40%).
Investment in cybersecurity and updating infrastructure
Organisations continue to invest heavily in cybersecurity with sharp rises in cybersecurity budgets. However, questions are being asked about why investment does not reflect an improved security stance.
One commonly accepted reason is the volume of tools and the challenge of tool sprawl and integration. To address that, 48% are consolidating and simplifying their cybersecurity estate. There is also a push to modernise applications (47%) to improve cybersecurity and to remove older and more vulnerable technologies.
One of the key changes over the last year has been the modernisation of networks. This is not just about segmentation to harden the internal network and reduce lateral movement but also to address hybrid cloud environments. The report found that 42% ranked network modernisation as an important initiative, yet only 24% allocated additional budget. That means others are taking the budget from elsewhere.
Cyber intruders are inside the network for longer, or are they?
The dwell time is the time attackers are inside a network before detection. 62% believe this has increased in the last year, and 15% say it has increased significantly. It is yet more evidence of ineffective processes, tools and security.
However, it is worth looking at what this report says about dwell time. Most reports put dwell time at months, although the last couple of years have seen that drop to weeks. This report turns that on its head. 57% of respondents said the average dwell time is 24 hours or less, while 37% put it at 1-3 days. A small minority, 3%, said it averages more than a week.
Interestingly, the report plays down dwell time in favour of resolution times. The majority of respondents (52%) are now resolving incidents within six hours. Half of those saying they respond faster say technology investment, playbooks and better talent contributed.
They also cited security culture as a factor in the improved response time. However, the report doesn’t provide any insight into what changed in security culture. Was it better training for users and IT teams? How many of these respondents have adopted Human Risk Management or Security Posture Management solutions?
The report also lists barriers to shortening cybersecurity incident response times. The top four issues are all about how an organisation coordinates its response to an incident. It suggests that more needs to be done at higher levels of organisations to set out the rules for response and to enforce those rules.
Enterprise Times: What does this mean?
This is one of those good, bad and stating the obvious reports. There are some interesting takeaways, not least in how organisations look forward and deal with incidents. It is equally worrisome that key industries are unprepared, although Germany seems like an anomaly and deserves further investigation.
That need for further investigation is also a missed opportunity. Like most reports, this is all about quantitative research and collating numbers from responses. However, several missed opportunities for qualitative research could have yielded powerful insights that would have made this a must-read report.