Companies’ cybersecurity – 5th edition of CESIN’s annual barometer

Image source: TheDigitalArtist via Pixabay

Every year, the Club of Experts in Information and Digital Security (CESIN) publishes its barometer of companies’ cybersecurity in order to better understand the perception and concrete reality of cybersecurity and its issues within CESIN member companies.

Last January, CESIN unveiled the results of its OpinionWay survey, carried out from the 2nd of December 2019 to the 7th of January 2020 among its 253 members, Chief Information Security Officers (CISOs) of major French groups.

Cyberattacks: Fewer companies affected but still heavily impacted

First of all, the study highlights a positive figure: a decline in the number of companies that suffered at least one cyberattack in 2019, i.e. 65% of the companies surveyed compared to 80% in 2018 (note, however, that this difference is qualified by the fact that a definition of "cyberattack" was added to the survey conducted in January 2020).

On the other hand, the impact of these cyberattacks remains significant, since 57% of them had business consequences such as disruption of production (27%), website unavailability (17%) and revenue loss (9%).

The companies affected suffered 4 types of cyberattack on average over 12 months. Among attack vectors, phishing remains the most frequent, with 79% of companies affected in 2019, followed by CEO fraud (the "fake president" scam) (47%), exploitation of a vulnerability (43%) and fraudulent login attempts (40%).

The main consequences of these attacks are identity theft (35%), malware infection (34%), personal data theft (26%), ransomware infection (25%) and denial of service (19%).

Cloud, IoT and AI, issues of concern

With digital transformation, Cloud use is widespread within companies: 89% of the companies surveyed store their data in a Cloud, including 55% in public Clouds.

This massive use of the Cloud still represents a high risk, due to a lack of control over the hosting provider’s subcontracting chain (for 50% of CISOs), the difficulty of conducting audits (46%) and the lack of control over employees’ use of the Cloud (46%). For 91% of respondents, the tools implemented by Cloud hosting providers are not sufficient to secure the data stored there, and specific additional tools or measures are necessary.

Connected objects are also a growing concern, increasing the attack surface and creating new types of threats. The CISOs surveyed are concerned about the security flaws present in these devices (43%) and the uncertainty in assessing the potential risks (28%).

The study also shows that the AI embedded at the heart of cybersecurity solutions has yet to prove its worth, since 53% of CISOs do not trust it.

An awareness of cyber-risks

To prevent the risk of attacks, companies implement an average of a dozen protection solutions, in addition to antivirus and firewalls. These include the email security gateway (85%), the VPN/SSL gateway (85%), proxy and URL filtering (83%), and multi-factor authentication; the latter, adopted by 72% of companies, has increased by 13% compared to 2018.

More aware of cyber risks, 91% of the companies surveyed are implementing a cyber-resilience program alongside their protection solutions, or are considering doing so; that is 12 points higher than last year.

Awareness of cyber risks is also reflected in the steady increase over the last three years in the number of companies having subscribed to cyber-insurance (60%).

Despite this, only 4 out of 10 companies say they are prepared in case of a large-scale cyberattack.

Employee awareness

In addition to the external threat, employees’ negligence is the most common cyber risk for 43% of companies.

Shadow IT, i.e. the deployment and use of applications and services beyond the control of IT teams, is mentioned by 98% of the CISOs surveyed and remains a significant threat to be dealt with.

Yet even though employees are aware of cyber risks (according to 74% of respondents), only half of them comply with the recommendations, according to CISOs.

Issues for the future of cybersecurity

Governance is the first issue mentioned by CISOs (70%) for the future of cybersecurity, followed by users’ training and awareness raising on cybersecurity issues (57%).

Increasing the budget is another major issue for 50% of respondents. The proportion of the IT budget allocated to cybersecurity has increased in companies compared to last year; 62% of them plan to increase it further in the next 12 months, and 83% want to acquire new technical solutions.

In terms of human resources, one out of two companies (51%) would like to increase the number of staff dedicated to cybersecurity, but 90% face a shortage of Information Systems Security profiles, leading to recruitment difficulties.

Cybersecurity overview – CESIN’s barometer


CESIN (the Club of Experts in Information and Digital Security) has just published the fourth edition of its annual barometer, carried out with OpinionWay among its 174 members, 84% of whom are CISOs (Chief Information Security Officers) of large French companies. This annual study helps to better define the perception and reality of cybersecurity and its issues within CESIN member companies.

The most common cyberattacks and their impacts

Over the last twelve months, although the number of attacks tends to stabilize, 80% of the companies surveyed have been the victim of at least one cyberattack, and the consequences for the business (production stoppage, website unavailability, revenue loss…) are greater than in 2017.

Each year, companies face five kinds of cyberattack on average.

Among the attacks suffered, phishing is the most frequent, with 73% of companies affected, followed by the “Fake President” fraud, with 50% of respondents affected, then, in third position, ransomware and malware infection.

Regarding cyber risks, Shadow IT is the most frequently encountered: 64% of the CISOs surveyed consider it a threat to be dealt with. Indeed, the deployment and use of non-approved, often free, applications can escape the control of the IT department.

Cloud and IoT: the impact of digital transformation on information systems security

For 98% of companies, digital transformation has a real impact on the security of information systems and data and widens the attack surface, particularly through the extensive use of the Cloud: 87% of companies use it, and 52% of those store their data in public Clouds.

This use of the Cloud represents a significant risk because of the lack of control over the hosting provider’s access to the company’s data (by administrators or others), over the subcontracting chain used by the hosting provider, or even over data that is not deleted. For 89% of CISOs, these issues require security tools complementary to those offered by the service provider in order to secure the data stored in the Cloud.

Concerning IoT (Internet of Things), the race for innovation and the increasingly common use of connected devices give rise to new cybersecurity threats, notably due to security flaws in these devices.

Cyber resilience still to be developed

To face these cyber risks, CISOs deploy many technical solutions.

However, despite all these solutions, CISOs are less confident than last year in their company’s capacity to face these cyber risks, and fewer than one in two consider that their company is prepared to manage a large-scale cyberattack. And yet only 12% have implemented a real cyber-resilience program; it is in progress for 33%, and 34% are planning to implement one.

Three essentially human issues for the future of cybersecurity

  • User awareness

According to 61% of the CISOs surveyed, the main issue for the future of cybersecurity is training and raising users’ awareness of cybersecurity issues. According to the respondents, “even if employees are aware, they are still not involved enough and do not necessarily follow the recommendations. Significant educational work remains.”

  • Cybersecurity governance

For 60% of respondents, cybersecurity governance needs to be placed at the right level. Although GDPR compliance has made companies aware of data protection issues, confidence in the executive committee’s ability to take cybersecurity issues into account remains uneven across business sectors.

  • Human resources

The shortage of information systems security profiles, observed by 91% of CISOs, is a real challenge for companies, while 50% of them plan to increase the workforce allocated to cybersecurity.