NTT Security Risk:Value Report reveals U.S. businesses show confidence in security posture amid global results indicating a lack of preparedness

Tuesday, June 5, 2018

Low levels of proactive measures and awareness indicate long road ahead for enterprise and data security professionals

June 5, 2018 – Omaha, Neb. – Despite an indicated lack of data security awareness and preparedness amongst organizations across the globe, U.S. companies stand out as some of the most confident with regard to cybersecurity. Recent findings from the latest Risk:Value report, commissioned by NTT Security, the specialized security company of NTT Group, show how far organizations have come, as well as the long road ahead for cybersecurity, as one-third of global business decision-makers reported they would rather pay a hacker’s ransom demand than invest in information security to cut costs.

The findings are particularly concerning, given the growth in ransomware, as identified in NTT Security’s Global Threat Intelligence Report (GTIR) published in April. According to the GTIR, ransomware attacks surged by 350 percent in 2017, accounting for seven percent of all malware attacks worldwide.

“We’re witnessing almost unprecedented levels of confidence among our respondents in this year’s report, with almost half claiming they have never experienced a data breach,” said Khiro Mishra, Chief Executive Officer of the Americas at NTT Security. “While this high level of confidence is positive, it is still extremely important that organizations take proactive steps to thwart possible cybersecurity attacks and be prepared for the realistic threat, this could happen to them.”

U.S. confidence levels are high amid rising costs of a data breach

U.S. organizations appear to be the most confident in their levels of security globally, with 46 percent claiming to have never been breached, and stating they do not expect to be. Conversely, the number of respondents who did not know if they’d been breached, but anticipate one, was relatively low. Since proving whether or not a company has been attacked is particularly difficult, the number of organizations claiming to have not been breached is high, and likely unrealistic. 

When it comes to the impact of a breach, respondents prioritized what a data breach will do to their image, shortly followed by financial loss:

56 percent of respondents are concerned about loss of customer confidence
52 percent worry about the damage to their company’s reputation
40 percent of companies highlighted financial loss as a concern

The estimated loss in terms of revenue is 10.29 percent on average, up from 2017’s 9.95 percent, although executives in Europe are more optimistic, expecting lower revenue losses than those in the U.S. or APAC. The estimated cost of recovery has increased to $1.5m, up from $1.3m in 2017 and $900k in 2015. However, respondents anticipate it would take just 57 days to recover, down from 74 days in 2017.

“While it’s encouraging that many organizations are prepared to take a long-term, proactive stance, there are still signs that many choose to take a short-term, reactive approach to security in order to drive down costs,” said Mishra. “However, the reputational and financial damage organizations fear facing are likely to become a reality as executives attempt to cut corners and rebuff proactive security as a business-critical investment.”

U.S. organizations prove to be biggest investors of data security

Respondents this year estimate that the operations department spent more of its budget on security (17.84 percent on average) than the IT department (14.32 percent on average) – for the second year in a row. In fact, IT spent less of its budget on security this year than in 2017 (14.58 percent).
However, operations in the U.S. stood out as a particularly big spender on cybersecurity, allocating 21.26 percent of the budget to it, surpassing the global average.

The NTT Security Risk:Value report also shows that 48 percent of companies are still failing to fully secure critical data, despite recent mandates such as the European Union’s General Data Protection Regulation (GDPR) now in effect. Perhaps reflective of the substantially larger budgets allocated by U.S. companies, American-based organizations also bucked this trend with 61 percent of respondents claiming to have secured critical data, whereas fewer than 48 percent globally claim to have done so.

Additionally, when it comes to taking advantage of cyber insurance the U.S. takes the lead yet again. Only 38 percent of global respondents have a dedicated cyber insurance policy – down from last year’s 40 percent – whereas a staggering 54 percent of U.S. organizations have one in place.

Whose responsibility is it anyway?

According to the 2018 Risk:Value report, there is no clear consensus on who is responsible for day-to-day security, with 22 percent of respondents saying the CIO is responsible, compared to 20 percent for the CEO and 19 percent for the CISO. This suggests that no single role is stepping up to the plate.

One area of consensus, however, is the need for regular boardroom discussions about security, with 81 percent of respondents agreeing that preventing a security attack should be a regular item on the Board’s agenda, up from 73 percent last year. But only 61 percent admit it is, a marginal increase from 56 percent in 2017.

Examining business attitudes toward risk and the value of information security, NTT Security’s annual Risk:Value report surveys C-level executives and other decision makers from non-IT functions in 12 countries across Europe, the U.S. and APAC, across multiple industry sectors.

For further information on NTT Security’s 2018 Risk:Value report and to download a copy, visit: https://www.nttsecurity.com/en-us/risk-value-2018