NTT Security 2019 Risk:Value report asks why organizations are at a standstill with cybersecurity despite recognizing the scale of cyber threats

26 June 2019

New report highlights lack of cybersecurity investment, poor knowledge of compliance issues and continued failure to secure critical data

India now the best performing in the world for cybersecurity ahead of the USA and UK

Global organizations have stalled in their progress towards cybersecurity best practice and are facing paralysis as cybercriminals become more advanced. This is the conclusion drawn from the findings of the 2019 Risk:Value report – ‘Destination standstill. Are you asleep at the wheel?’ – from NTT Security, the specialized security company and center of excellence in security for NTT Group.

Examining the attitudes of 2,256 non-IT decision makers to risk and the value of security to the business, NTT Security’s fifth annual Risk:Value report researches C-level executives and other senior decision makers across 20 countries in the Americas, Asia Pacific and Europe, and from across multiple industry sectors.

This year’s findings show that organizations are aware of the risks posed by cyber threats, with cybersecurity and data theft listed in three of the top five business risks. In fact, only the risk of an ‘economic or financial crisis’ beats their concerns over ‘cyber attacks on the organization’ to the top spot. The vast majority of respondents (84 percent) believe that strong cybersecurity will help their business; while 88 percent believe cybersecurity has a big role to play in society.

For each organization in the research for the last two years, NTT Security analyzed the responses for good and bad practice in cybersecurity, with good practice awarded positive scores and bad practice awarded negative scores. The results show a worrying lack of progress: in 2019 as in 2018, the average score was just +3, meaning that there is nearly as much bad practice as good practice. Thirty-two percent of businesses score less than zero: that is, they are exhibiting more bad practice than good practice.
Businesses in India, a new country to the research, are now the best performing in the world for cybersecurity, ahead of the USA and the UK. The performance of organizations in France, Germany and Singapore has worsened in the last year, as has the performance of the financial services, telecommunications, chemicals, pharmaceuticals, oil and gas and private healthcare sectors, placing doubt on the robustness of critical national infrastructure.

Where are businesses failing to make progress with cybersecurity?

•  Fewer than half of the respondents this year consider all of their ‘critical data’ to be ‘completely secure’ – 48 percent compared to exactly the same figure in 2018.
•  Over a third (36 percent) of respondents reveal that they would rather pay a ransom to a hacker than be fined for failing to meet data protection regulations. A third of respondents would rather pay a hacker than invest more in security – the same figure as 2018, again showing a lack of progression.
•  Although 83 percent of respondents feel that complying with regulations is important, 1 in 7 do not know which regulations their organization is subject to.
•  Only 30 percent believe they are subject to GDPR, a year on from the deadline for compliance, despite it affecting all organizations that have operations or customers in any European Union member state.
•  Security budgets are failing to keep up with increasing cyber risk, with only a minimal increase in the percentage of IT budgets attributed to security (15 per cent this year). The percentage of the operations budget attributed to security has fallen since 2018, to 16 percent.
•  Organizations are still failing to be proactive when it comes to internal polices and processes. Fifty-eight percent have a formal information security policy in place, just 1 percent higher than last year. Just over half (52 percent) have an incident response plan, a rise of 3 percent over 2018.
•  Around half believe cybersecurity “is the IT department’s problem and not the wider business”.
•  The percentage of businesses still lacking skills/resources remains static year on year, suggesting businesses need more assistance from third party security providers.


Cost and time spent recovering from a security breach

The 2019 Risk:Value report also reveals that the time spent on recovering from a breach continues to rise year on year, with an expected recovery time of 66 days, a like-for-like increase of nine days over 2018. The estimated revenue loss in percentage terms is also up year-on-year – 12.7 percent in 2019, compared to 10.3 percent in 2018 and 9.9 percent in 2017.

The cost of recovering from a breach, according to the report, remains high at $1.2 million, on average. Notably in the Nordics, costs are predicted to be much higher, with Norway at $1.8 million and Sweden in first place with expected recovery costs for a business suffering a breach of $3 million, more than double the global average. Oil & Gas takes top spot across industry sectors, expecting to spend $2.3 million on recovery efforts.

“This year’s Risk:Value report shows that companies have come to a standstill on their journey to cybersecurity preparedness,” comments Garry Sidaway, SVP Security Strategy & Alliances at NTT Security. “The world around them is changing, with the integration of new technology and digital transformation projects changing the way we do business, but cybercriminals are taking advantage of this paralysis and, because of this, data breaches will continue to make headlines.

“It’s clear that decision-makers see security as an enabler; something that can help the business and society in general. But while awareness of the risks is high, organizations still lack the ability, or perhaps the will, to manage them effectively. We are still seeing low responses for areas like internal security policies and incident response plans, as well as a lack of knowledge about regulations that affect companies – all underpinned by the expectation that when something goes wrong it’s the fault of the IT department. The design and execution of cybersecurity strategies must improve or business risk will escalate for the organizations concerned.”

~ Ends ~

Notes for editors:

For further information on NTT Security’s 2019 Risk:Value – ‘Destination standstill. Are you asleep at the wheel?’ report and to download a copy, visit: https://www.nttsecurity.com/riskvalue2019
For a PDF of the 2019 Risk:Value report or a copy of the global infographic, images or further information/stats, please contact: [email protected].


Methodology for the NTT Security Risk:Value 2019 report

Commissioned by NTT Security, the 2019 Risk:Value report research was conducted by Jigsaw Research in February and March 2019. A total of 2,256 senior non-IT business decision makers were interviewed online in the US, Japan, UK, Germany, Austria, Switzerland, France, Belgium, Netherlands, Luxembourg, Spain, Italy, Sweden, Norway, Hong Kong, Singapore, India, Australia, Brazil and Chile. Job functions included business development, strategy, finance, sales, operations, production, HR and marketing. Predominantly, organizations had more than 500 employees and had activities in one of 17 sectors.

NTT Security’s assessment of good and bad practice in cybersecurity is on a scale of -41 to +27, which reflects the many factors organizations need to focus on in order to improve their security posture.


About Jigsaw Research

Jigsaw Research is an international strategic insight agency, with an exclusively senior team. They focus on building an authentic understanding of how and why people behave the way they do, using research techniques that explore both conscious and non-conscious behavior.


About NTT Security

NTT Security is the specialized security company and the center of excellence in security for NTT Group.  With embedded security, we enable NTT Group companies (Dimension Data, NTT Communications and NTT DATA) to deliver resilient business solutions for clients’ digital transformation needs.  NTT Security has multiple SOCs, seven R&D centers, over 1,500 security experts and handles hundreds of thousands of security incidents annually across six continents.

NTT Security ensures that resources are used effectively by delivering the right mix of Managed Security Services, Security Consulting Services and Security Technology for NTT Group companies – making best use of local resources and leveraging our global capabilities.  NTT Security is part of the NTT Group (Nippon Telegraph and Telephone Corporation), one of the largest ICT companies in the world. Visit nttsecurity.com to learn more about NTT Security or visit www.ntt.co.jp/index_e.html