ESI ThoughtLab

Cybersecurity benchmarking study released

Wednesday, October 17, 2018

A new benchmarking study of the cybersecurity practices and initiatives of global organizations provides insight into the cyber landscape today and over the next few years. The study, called The Cybersecurity Imperative, was produced in partnership with ESI ThoughtLab and WSJ Pro Cybersecurity and is sponsored by the Security Industry Association (SIA) and several other partners.

“As validated by SIA’s just-released 2019 Security Megatrends—highlighting the top factors influencing both short- and long-term change in the global security industry—security companies see cybersecurity as the dominant trend shaping the industry,” SIA CEO Don Erickson said in an email announcing the study. “Having these clear benchmarks around cybersecurity not only facilitates the advancement of cybersecurity within your own organizations, but it also allows firms like yours to deliver appropriate solutions to your customers.”

One key finding in the study is that digital transformation is exposing companies to higher and more costly cyber risks. For example, those whose cybersecurity practices do not keep pace with their digital transformation initiatives are more likely to see $1 million or more in losses from cyberattacks. The research showed that cyber risks rise dramatically as companies embrace new technologies, adopt open platforms and tap ecosystems of partners and suppliers.

“Companies need to make sure that their cybersecurity programs keep pace with their digital transformation effort,” Lou Celi, CEO of ESI ThoughtLab and director of the study, said in the announcement. “Cybersecurity should not be an afterthought. It needs to be integrated into the fabric of an organization’s growth strategy.”

According to the study, there will be an increase in cyber-threat vectors by 2020, including:
•    Attacks through partners, customers and vendors (247% growth)
•    Supply chains (+146%)
•    Denial of service (+144%)
•    Apps (+85%)
•    Embedded systems (84%)

Surveyed companies see high risks from external threat actors, such as unsophisticated hackers (cited by 59% of firms), cybercriminals (57%) and social engineers (44%), but the greatest threat lies with untrained general staff (87%). Another 57 percent of firms see data sharing with partners and vendors as their main IT vulnerability. Nonetheless, only 17 percent of companies have made significant progress in training staff and partners on cybersecurity awareness.

The study also cites the leading cyber-threat vectors in 2018, which are:
•    Malware (81%)
•    Phishing (64%)
•    Ransomware (63%)
•    Viruses (62%)
•    Attacks from apps (62%)

Another key finding is that companies are boosting their cybersecurity investments. To cope with rising cyber risks, surveyed companies are increasing their cybersecurity investment by 7 percent this year and 14 percent next year. The biggest upsurge will come from platform companies, which are hiking their spending 59 percent this year and 64 percent next year. On average, companies with revenue between $250 million and $1 billion will spend $2.9 million next year; those with $1-5 billion, $5.7 million; those with $5-20 billion, $10.7 million; and those with $20 billion or more, $16.8 million.

According to the study, companies now use a variety of technologies to improve cybersecurity, such as multi-factor authentication (90%), blockchain (68%), Internet of Things (62%) and artificial intelligence (AI) (44%).

Security Systems News’ Class of 2017 “20 under 40” winner Ryan Fritts, CISO, ADT, said, “We are using AI in our access and entitlement management to analyze the behaviors of end-users and determine whether or not their behaviors are risky.”

Over the next two years, studied firms indicated they plan to greatly expand the use of the following technology solutions:
•    Behavioral analytics (+1,735%)
•    Smart grid technologies (+831%)
•    Deception technology (+684%)
•    Hardware security and resilience (+114%)

The study also found that as corporate cybersecurity systems mature, the probability of costly cyberattacks declines. Cybersecurity beginners have a 21.1-percent probability of cyberattacks generating over $1 million in losses versus 16.1 percent for intermediates and 15.6 percent for leaders.

“Security is a holistic discipline. You need to manage both physical and cyber risks,” Joseph Gittens, SIA director of standards and Cybersecurity Imperative study advisor, said in a prepared statement. “You could have the best physical security ever—guards, gates, guns and surveillance—but if someone can access your network from the comfort of their living room, it’s not doing anything. The reverse is true as well. You could have a ton of cybersecurity but fail to lock down your physical space.”