As the number of cyberattacks increases (crime, hacktivism, state) – even more so in a shaken geopolitical context – organisations must speed up their digital transformation. They must ask, what is the current state of security within the various sectors? and what are the strengths and weaknesses of large organisations when it comes to cybersecurity?
To answer such questions, Wavestone has conducted a detailed benchmark based on a field assessment of more than 180 security measures – relative to the requirements of the international NIST CSF Framework & ISO 27001/2 standards. Over the past 3 years, data from over 75 organisations, accounting for over 3 million users, has been aggregated and analysed. The results demonstrate that large organisations still have a long way to go, with an overall maturity score of only 46%.
At 46%, the cyber maturity of large organisations is below average
Although an overall level of maturity of only 46%, the study still reveals disparities between sectors. The Finance sector stands out, with 54.4% maturity. Which, can be explained by the substantial and historic investments made in cyber, all be it, stimulated by regulations. The energy sector is second (51.8%), followed by the industrial sector (44.8%) which is lagging behind, as it undetakes its digital transformation. This is followed by services (42.5%) and finally the public sector (36.9%). The latter, although well aware of cyber risks, is struggling to secure the necessary funding.
Organisations covered by critical infrastructures’ security regulations (NIS/LPM) stand out as more mature (55.4% VS 43.3%).
Faced with the risks of a ransomware attack, 30% of organisations are at risk
Thanks to its CERT-Wavestone incident response team, Wavestone manages numerous cyber-attacks on behalf of its clients. In the study, the main vulnerabilities exploited by cybercriminals have been mapped and a specific maturity assessment was conducted on this basis. From this, it appears that:
- 30% of organisations continue to be highly prone to the risk of ransomware attacks. This phenomenon mostly affects services and the public sectors, although certain financial or industrial players are not immune.
- Extremely large organisations (CAC40 type) are more difficult targets, as they display a higher level of maturity (55%).
Shortage of talent remains the issue...
As on a global scale, cybersecurity in the UK is faced with a constant shortage of talent: 10,000 positions are open, but unfilled. Large organisations are attempting to reverse the curve by increasingly strengthening their teams. It is to be noted that there are large differences depending on the sectors’ digital maturity.
As far as headcount is concerned, organisations display less than 1 person dedicated to cybersecurity for every 1,500 employees. This scant figure is insufficient to face current challenges and highlights the sectoral disparities.
... as well as dedicated financial investments
Of the overall IT budget of organisations, only 6.1% is dedicated to security. At first glance, this number may seem insufficient, but we notice a steep rise to 13% when organisations were faced with a cyber incident.
Gérôme BILLOIS, Partner in charge of Wavestone’s cybersecurity activity adds that “the materialisation of a crisis enables a high degree of mobilisation from executives, and activates the mechanisms for high levels of investment“.
From a sectoral point of view, those who invest the most are the industrial (7%) and public services (6.6%). In contrast, the finance (5.8%), energy (5.5%) and services’ (4%) sectors remain shyer. However, it should be mentioned that finance has heavily invested in previous years, and has IT budgets unrivaled by other business sectors.
Many other challenges for organisations
- Regarding the strategic axes of cybersecurity, maturity on detection and reaction to attacks has matched the level of effort put on protection (with 46%, 45% and 47% respectively). This is due to massive investments in these areas in recent years. However, the ability to reconstruct in the wake of an attack remains a complex issue to address (40% of maturity).
- Regarding protection technologies, the majority of organisations have succeeded in widely deploying the most effective solutions: EDRs (advanced computer and server protection tool) and multi-factor authentication (MFA). On average, 51% of organisations have an EDR tool deployed at 67%; and 61% of organisations have deployed an MFA at 63%. But plenty remains to be done on Active Directory security (only 24% of cyber teams analyse incidents at their cyber center) and resilience (only 17% of organisations have fully tested their IT recovery plan).
- For the industrial sector, the biggest issue still consists in securing industrial information systems (35% of maturity). Legacy systems were conceived without by-default security and are now becoming increasingly open and interconnected. As such, initial efforts have been made. For instance, setting up a governance (50%) and engaging isolation processes (66%), but they are often difficult to complete. In addition, these perimeters are still barely monitored (22%).
- Due to the volume of assets involved, the most difficult challenges of today remain in application and data security, and surprisingly cloud security. Where, poor practices are still in force pertaining to application and data security. For instance, more than 42% of the organisations allow administrators access to the cloud with a simple login / password.
“Instinctively, we believe that the cloud is secure. This can be true when using providers’ services, but many securing measures remain the responsibility of organisations… and are unfortunately often forgotten! This is a major issue for the security of new applications“, says Gérôme BILLOIS.
Methodology
Maturity levels were measured against international standards (NIST CSF / ISO 27001/2) during assignments carried out by Wavestone consultants, mostly in the form of declarative interviews with security managers of evaluated organisations. The sample, dated March 1, 2021, includes more than 75 organisations (2/3 of which have more than 10,000 employees and 15 CAC40 groups). It represents more than 3 million employees in France. The data from these individual assessments was consolidated and analysed by Wavestone’s teams of specialists.