NTT Security 2019 Risk:Value report asks why organizations are at a standstill with cybersecurity despite recognizing the scale of cyber threats

Wednesday, June 26, 2019

Benelux lags behind whereas India is the best performing in the world for cybersecurity.

New report highlights lack of cybersecurity investment, poor knowledge of compliance issues and continued failure to secure critical data.


Global organizations have stalled in their progress towards cybersecurity best practice and are facing paralysis as cybercriminals become more advanced. This is the conclusion drawn from the findings of the 2019 Risk:Value report – ‘Destination standstill. Are you asleep at the wheel?’ – from NTT Security, the specialized security company and center of excellence in security for NTT Group.

Examining the attitudes of 2,256 non-IT decision makers - 101 in Benelux - to risk and the value of security to the business , NTT Security’s fifth annual Risk:Value report researches C-level executives and other senior decision makers across 20 countries in the Americas, Asia Pacific and Europe, and from across multiple industry sectors.

This year’s findings show that organizations are aware of the risks posed by cyber threats, with cybersecurity and data theft listed in three of the top five business risks. In fact, only the risk of an ‘economic or financial crisis’ beats their concerns over ‘cyber attacks on the organization’ to the top spot. The majority of respondents - 84% at global level and 77% in Benelux - believe that strong cybersecurity will help their business; while 88% and 80% respectively believe cybersecurity has a big role to play in society.

For each organization in the research for the last two years, NTT Security analyzed the responses for good and bad practice in cybersecurity, with good practice awarded positive scores and bad practice awarded negative scores. The results show a worrying lack of progress: in 2019 as in 2018, the average score was just +3, meaning that there is nearly as much bad practice as good practice. In the Benelux, Belgium (+1) and Netherlands (0) are below the global rate.  

Businesses in India, a new country to the research, are now the best performing in the world for cybersecurity, ahead of the USA and the UK. The performance of organizations in France, Germany and Singapore has worsened in the last year, as has the performance of the financial services, telecommunications, chemicals, pharmaceuticals, oil and gas and private healthcare sectors, placing doubt on the robustness of critical national infrastructure.

Where are Benelux businesses failing to make progress with cybersecurity?

  • Fewer than half of the Benelux respondents this year consider all of their ‘critical data’ to be ‘completely secure’ - 45% compared to exactly the same figure in 2018.
  • Over a third of respondents reveal that they would rather pay a ransom to a hacker than be fined for failing to meet data protection regulations ; the same proportion would rather pay a hacker than invest more in security – the same figure as 2018, again showing a lack of progression.
  • Although 81% of respondents feel that complying with regulations is important, 1 in 10 do not know which regulations their organization is subject to.
  • Only 24% believe they are subject to GDPR, a year on from the deadline for compliance, despite it affecting all organizations that have operations or customers in any European Union member state.
  • Security budgets are failing to keep up with increasing cyber risk, with only a minimal increase in the percentage of IT budgets attributed to security (14% this year). The percentage of the operations budget attributed to security has fallen since 2018, to 15%.
  • Benelux organizations are still failing to be proactive when it comes to internal polices and processes. 50% have a formal information security policy in place. Less than a half (43%) have an incident response plan, a rise of 1% over 2018.
  • 40 percent believe cybersecurity “is the IT department’s problem and not the wider business”.
  • The percentage of businesses still lacking skills/resources increases : 48 percent compared to 44 percent in 2018; suggesting Benelux businesses need more assistance from third party security providers.

Cost and time spent recovering from a security breach

The 2019 Risk:Value report also reveals that unlike global average, Benelux respondents believe that the time spent on recovering a breach decrease compared to last year : 57 days (- 6 days) for Benelux and 66 days (+ 9 days) at global scale. However, the estimated revenue loss in percentage terms is up year-on-year – 12.7 percent in 2019, compared to 10.3 percent in 2018 and 9.9 percent in 2017.

The cost of recovering from a breach, according to the report, remains high at almost €900,00 on average for the Benelux businesses and €1 million worldwide. Notably in the Nordics, costs are predicted to be much higher, with Norway at €1.6 million and Sweden in first place with expected recovery costs for a business suffering a breach of €2.7 million, more than double the global average. Oil & Gas takes top spot across industry sectors, expecting to spend €2 million on recovery efforts.

“This year’s Risk:Value report shows that companies have come to a standstill on their journey to cybersecurity preparedness,” comments Charles Bovy, Director MSS PreSales EMEA & Regional Lead Benelux at NTT Security. “The world around them is changing, with the integration of new technology and digital transformation projects changing the way we do business, but cybercriminals are taking advantage of this paralysis and, because of this, data breaches will continue to make headlines.

“It’s clear that decision-makers see security as an enabler; something that can help the business and society in general. But while awareness of the risks is high, organizations still lack the ability, or perhaps the will, to manage them effectively. We are still seeing low responses for areas like internal security policies and incident response plans, as well as a lack of knowledge about regulations that affect companies – all underpinned by the expectation that when something goes wrong it’s the fault of the IT department. The design and execution of cybersecurity strategies must improve or business risk will escalate for the organizations concerned.”




Notes for editors:

For further information on NTT Security’s 2019 Risk:Value‘Destination standstill. Are you asleep at the wheel?’ report and to download a copy, visit:

For a PDF of the 2019 Risk:Value report or a copy of the global infographic, images or further information/stats, please contact: [email protected].

Methodology for the NTT Security Risk:Value 2019 report

Commissioned by NTT Security, the 2019 Risk:Value report research was conducted by Jigsaw Research in February and March 2019. A total of 2,256 senior non-IT business decision makers were interviewed online in the US, Japan, UK, Germany, Austria, Switzerland, France, Belgium, Netherlands, Luxembourg, Spain, Italy, Sweden, Norway, Hong Kong, Singapore, India, Australia, Brazil and Chile. Job functions included business development, strategy, finance, sales, operations, production, HR and marketing. Predominantly, organizations had more than 500 employees and had activities in one of 17 sectors.

NTT Security’s assessment of good and bad practice in cybersecurity is on a scale of -41 to +27, which reflects the many factors organizations need to focus on in order to improve their security posture.

About Jigsaw Research

Jigsaw Research is an international strategic insight agency, with an exclusively senior team. They focus on building an authentic understanding of how and why people behave the way they do, using research techniques that explore both conscious and non-conscious behavior.

About NTT Security

NTT Security is the specialized security company and the center of excellence in security for NTT Group.  With embedded security, we enable NTT Group companies (Dimension Data, NTT Communications and NTT DATA) to deliver resilient business solutions for clients’ digital transformation needs.  NTT Security has multiple SOCs, seven R&D centers, over 1,500 security experts and handles hundreds of thousands of security incidents annually across six continents.

NTT Security ensures that resources are used effectively by delivering the right mix of Managed Security Services, Security Consulting Services and Security Technology for NTT Group companies – making best use of local resources and leveraging our global capabilities.  NTT Security is part of the NTT Group (Nippon Telegraph and Telephone Corporation), one of the largest ICT companies in the world. Visit to learn more about NTT Security or visit