Most companies are confident in their ability to protect the enterprise. But that confidence does not match reality.
A recent global Accenture Security survey of 2,000 executives from 12 industries across 15 countries revealed a dangerous disconnect: even though 75 percent of respondents reported being “confident” in their cybersecurity strategies, and 70 percent said their organizations have completely embedded cybersecurity into their culture, one out of every three focused and targeted cyber breach attempts is successful.¹
In fact, our survey revealed that:²
- The average organization faces 106 targeted cyber attacks per year
- Two to three effective attacks occur per month
- The greatest security impact comes from internal breaches made by malicious insiders
- Only 65 percent of effective breaches are identified by internal security, while employees, law enforcement and “ethical” hackers (so-called “white hats”) find most of the rest
As you can see, the failure rate in preventing security breaches is alarmingly high. And the problem only gets worse when you consider the length of time required to detect the breaches, with a majority of respondents indicating it can take months.
Part of the challenge is prioritizing where to focus resources to effectively protect the organization:³
- More than 50 percent of respondents stated that internal breaches made by malicious insiders have the greatest impact.
- Two of three respondents said they lack confidence in their organizations’ abilities to monitor internally for security breaches.
Yet, the majority of respondents continue to focus on external security issues, and many companies remain unsure of their ability to manage the internal threats with the greatest cybersecurity impact. Security teams admit they lack the tools to detect breaches.
In addition, many companies appear to be too reliant on compliance, in part because it seems more tangible and measurable. Many cybersecurity departments measure performance based on compliance objectives as opposed to mitigating negative business impacts. But while compliance frameworks and programs help define security foundations, they don’t always reflect real-world dynamics, and cybersecurity compliance alone will not protect a company from breaches.
Further, many companies invest ineffectively in cybersecurity:⁴
- Between 44 and 54 percent would spend extra budget on more of the same things they are doing now
- Only 28 percent would invest in mitigating financial losses
- Only 17 percent would invest in cybersecurity training
And finally, while three of four respondents reported confidence in cybersecurity, only 37 percent claimed to be confident in their organization’s ability to monitor for breaches, and 36 percent said the same about minimizing disruptions.⁵
In short, perceptions of cybersecurity clearly do not match reality. Organizations should rethink and rework their approaches to security threats if they want to survive in this contradictory and increasingly risky landscape.
In my next post, I will take a closer look at what steps companies can take to overcome the threats to cybersecurity.
In the meantime, I invite you to download the full Building Confidence—Facing the Cybersecurity Conundrum report.
- “Building Confidence – Facing the Cybersecurity Conundrum,” Accenture, 2017. Access at: https://www.accenture.com/us-en/insight-building-confidence-facing-cybersecurity-conundrum