As the Internet of Things (IoT) grows and cyberthreats become more sophisticated and prevalent, it’s more important than ever for security companies to understand the cybersecurity landscape and have strong cybersecurity postures. The security industry is recognizing the urgency of this issue, too – in the Security Industry Association’s (SIA’s) research to forecast the 2019 Security Megatrends, cybersecurity was identified as the standout trend shaping the security industry. Industry leaders said that cybersecurity’s impact on physical security solutions was the top trend they expected to face in 2019 – by nearly 30 percentage points.
In an effort to strengthen the industry’s cybersecurity understanding and preparedness, this National Cybersecurity Awareness Month, SIA sponsored a groundbreaking global study from ESI ThoughtLab and WSJ Pro Cybersecurity that analyzes and benchmarks the cybersecurity practices and initiatives of 1,300 companies. The report shares insights on cybersecurity best practices, performance metrics and calls to action to help companies address the complex, evolving cyber risk landscape.
Here are some of the top takeaways for today’s security companies:
Digital Innovation Presents Cyber Risks and Backlash
As companies embrace new technologies, adopt open platforms and tap supplier and partner ecosystems, they face heightened cyber risks. Companies noted several key threats they are seeing now and expect in the near future:
- Firms report their biggest current threats are malware (81%), phishing (64%) and ransomware (63%).
- Companies expect substantial growth over the next two years in cyberattacks through partners, customers and vendors (247% growth), supply chains (146%), denial of service (144%), apps (85%) and embedded systems (84%).
Further, those companies that do not keep their cybersecurity practices on pace with their digital transformation initiatives are more likely to face $1 million+ in losses from cyberattacks. Digital leaders in the early stages of cybersecurity management have a 27-percent chance of facing major attacks – 10 percent higher than for digital leaders whose cybersecurity systems are advanced.
Cybersecurity Investments Are Growing and Varied
Companies are addressing cyber risks by considering their cybersecurity investments.
- Overall, firms increased their cybersecurity investments by 7 percent over the last year, with plans to boost their investment by 13 percent next year.
- Investments vary by company type (energy/utility leaders plan to increase spending by 20 percent, compared to only 1 percent for manufacturing companies), size (firms with revenue under $5 billion will raise spending at almost triple the average of 13 percent) and location (companies in South Korea, Mexico and Australia will increase investment by more than double the average).
- Next year, companies will designate 39 percent of cybersecurity budgets to technology, with 31 percent going to process and 30 percent to people. While technologies like multi-factor authentication (90%), blockchain (68%) and IoT (62%) are commonly used, growth is expected in the use of technologies like behavioral analytics (18-fold), smart grid technologies (nine-fold) and deception technology (seven-fold) over the next two years.
- Companies are investing more in threat prevention and detection than they are in cyber resilience. Next year, firms are expected to increase investment in protection to 26 percent, but they will also allocate more to response (19%) and recovery (18%) and less than before to identification (18%) and detection (18%).
Cybersecurity Maturity Helps Mitigate Threats
As companies’ cybersecurity systems mature, the probability of them facing costly cyberattacks decreases; where a cybersecurity beginner has a 21-percent chance of facing a cyberattack generating $1 million or more, the probability drops to 16 percent for intermediate companies and 16 percent for leaders.
Costs of cyberattacks also decrease significantly with cybersecurity maturity: for example, a company with $10 billion in revenue would face an average of $3.9 million in costs if it were a beginner, but if it were a leader, the costs would average $1.2 million.
As Companies Address Cyberthreats, They’re Changing Their Staffing Practices
Companies are reorganizing to enhance their cybersecurity postures – and changing their practices as they move up the maturity curve, too.
- Chief information security officers are more likely to be given primary cybersecurity responsibility at companies that are cybersecurity leaders (37%) than they are at beginner companies (20%). Beginner companies and those with less than $1 billion in revenue are more likely to give the board primary responsibility.
- As companies become more mature in their cybersecurity programs, the ratio of cybersecurity staff to technology staff decreases – this drop is due to both a decreasing need for specialists as firms install automated cybersecurity systems and leverage advanced technology like robotics and artificial intelligence, along with increased reliance on partners and suppliers and outsourcing of cybersecurity efforts.
“Having these clear benchmarks around cybersecurity not only facilitates the advancement of cybersecurity within our members’ own organizations, but it also allows the overall industry to deliver appropriate solutions for their customers,” says Don Erickson, SIA’s CEO and one of Security’s 2018 Most Influential People in Security.