Every year, the Club of Experts in Information and Digital Security (CESIN) publishes its barometer of companies’ cybersecurity in order to better understand the perception and concrete reality of cybersecurity and its issues within CESIN member companies.
Last January, CESIN unveiled the results of its OpinionWay survey, carried out from the 2nd of December 2019 to the 7th of January 2020 among its 253 members, Chief Information Security Officer (CISO) of major French groups.
Cyberattacks: Fewer companies affected but still heavily impacted
First of all, the study highlights a positive figure: the decline in the number of companies that suffered at least one cyberattack in 2019, i.e. 65% of the companies surveyed compared to 80% in 2018 (note, however, that this difference in results is nuanced by the addition of the definition of cyberattack in the survey conducted in January 2020).
On the other hand, the impact of these cyberattacks remains significant since 57% of these attacks have consequences on business such as disruption of production (27%), website unavailability (17%) and revenue loss (9%).
The targeted companies were the targets of 4 types of cyberattacks on average in 12 months. Among the attacks vectors, phishing remains the most frequent attack with 79% of companies affected in 2019, followed by the scam on the President (47%), the exploitation of a vulnerability (43%) and fraudulent login attempts (40%).
The main consequences of these attacks are identity theft (35%), malware infection (34%), personal data theft (26%), ransomware infection (25%) and denial of service (19%).
Cloud, IoT and AI, issues of concern
With the digital transformation, the use of the Cloud is important within companies: 89% of companies surveyed store their data in a Cloud, including 55% in public Clouds.
A massive use of the Cloud which still represents a high risk due to a lack of control over the hosting provider’s subcontracting chain (for 50% of CISOs), the difficulty of conducting audits (46%) and the lack of control over the use of the Cloud by employees (46%). For 91% of respondents, the tools implemented by Cloud hosting providers are not sufficient to secure the data stored, and specific additional tools or measures are necessary.
Connected objects are also a growing concern, increasing the attack surface and creating new types of threats. The CISOs surveyed are concerned about the security breaches present in this equipment (43%) and the uncertainty in the assessment of potential risks (28%).
The study also shows that the embedded AI at the heart of cybersecurity solutions has yet to prove its worth since 53% of CISOs do not trust it.
An awareness of cyber-risks
To prevent the risk of attacks, companies implement an average of a dozen protection solutions, in addition to antivirus and firewalls. Among them, the mail security gateway (85%), the VPN/SSL gateway (85%), proxy and URL filtering (83%), and multi-factor authentication. The latter, adopted by 72% of companies, has increased by 13% compared to 2018.
More aware of cyber risks, 91% of the companies surveyed are implementing a cyber-resilience program in parallel with protection solutions or are considering doing so, that’s 12 points higher than last year.
Awareness of cyber risks is also reflected in the steady increase over the last three years in the number of companies having subscribed to cyber-insurance (60%).
Despite this, only 4 out of 10 companies say they are prepared in case of a large-scale cyberattack.
In addition to the external threat, for 43% of companies, employees’ negligence is the most common cyber risk.
Shadow IT, i.e. the deployment and use of applications and services beyond the control of IT teams, is mentioned by 98% of the CISOs surveyed and remains a significant threat to be dealt with.
Yet even though they are aware of cyber risks (according to 74% of respondents), only half of employees comply with the recommendations, according to CISOs.
Issues for the future of cybersecurity
Governance is the first issue mentioned by CISOs (70%) for the future of cybersecurity, followed by users’ training and awareness raising on cybersecurity issues (57%).
Increasing the budget is another major issue for 50% of respondents. The proportion of the IT budget allocated to cybersecurity has increased in companies compared to last year. 62% of them plan to increase it further in the next 12 months and 83% want to acquire new technical solutions.
In terms of human resources, one out of two companies (51%) would like to increase the number of staff dedicated to cybersecurity, but 90% face a shortage of Information Systems Security profiles, leading to recruitment difficulties.