Report: More than half of organizations do not effectively defend against cyberattacks
Accenture’s State of Cyber Resilience study also revealed key traits of cyber resilient leaders. The report found an average of 270 attacks per year per company.
More than half (55%) of large companies are not effectively stopping cyberattacks, finding and fixing breaches quickly or reducing the impact of breaches, according to a new research study from Accenture.
Accenture’s State of Cybersecurity Resilience 2021 study explored the extent to which organizations prioritize security, the effectiveness of current security efforts and how their security investments are performing. The pandemic served as “a breeding ground for new attacks,” according to the study, which was based on a survey of more than 4,700 executives globally.
There were on average 270 attacks per company over the year, an increase of 31% compared with 2020, the Accenture study said.
“From run-of-the-mill cybercriminals to sophisticated nation-state actors, cyber adversaries are getting more resourceful at finding new ways to carry out their attacks,” said Kelly Bissell, who leads Accenture Security globally, in a statement. “Our analysis reveals that organizations too often focus solely on business outcomes at the expense of cybersecurity, creating greater risk.”
While getting the balance right isn’t easy, Bissell added, people who have a clear view of the threat landscape and a strong alignment on business priorities and outcomes achieve greater levels of cyber resilience.
Battling cyberattackers remains a challenge
The study also revealed that four in five respondents (81%) believe that “staying ahead of attackers is a constant battle, and the cost is unsustainable,” an increase from 69% in last year’s survey.
At the same time, while 82% of survey respondents said they increased their cybersecurity spending this past year, the number of successful breaches—which include unauthorized access to data, applications, services, networks or devices—jumped 31% over the previous year, to 270 per company, on average.
The report highlights the need to extend cybersecurity efforts beyond a company’s own walls to its entire ecosystem, noting that indirect attacks, such as successful breaches to an organization through the supply chain, continue to grow. For instance, despite two-thirds (67%) of organizations saying they believed that their ecosystem is secure, indirect attacks accounted for 61% of all cyberattacks this past year, up from 44% the prior year, according to the study.
How to become a “cyber champion”
Additionally, the research identified a small group of companies that Accenture said not only excel at cyber resilience but also align with the business strategy to achieve better business outcomes and return on cybersecurity investments. Compared with other organizations, these so-called “cyber champions” are far more likely to:
- strike a balance between cybersecurity and business objectives
- report to the CEO and board of directors and demonstrate a far closer relationship with the business and CFO
- consult often with CEOs and CFOs when developing their organization’s cybersecurity strategy
- protect their organization from loss of data
- embed security into their cloud initiatives
- measure the maturity of their cybersecurity program at least annually.
Organizations stand to reduce the cost of breaches by 48% to 71% if they increase their performance to cyber champion levels, the study said.
There are three measures executives can take to make their organizations more like cyber champions: give CISOs a seat at the top table, be threat-centric and business-aligned, and get the most out of a secure cloud, according to the study.
Spending more on cybersecurity without being closely aligned to the business doesn’t make an organization safer, noted Jacky Fox, group technology officer at Accenture Security. “When it comes to managing cyber risks, organizations can’t afford to lean one way or the other.”
To achieve sustained and measurable cyber resilience, CISOs “need to move away from security-focused silos so they can collaborate with the right executives in their organizations to gain a 360-degree view of the business risks and priorities,” Fox said.
Accenture Research surveyed 4,744 executives representing companies with annual revenues of at least $1 billion in 23 industries and 18 countries across North and South America, Europe and Asia Pacific. To define four levels of cyber resilience, the firm said it conducted an analysis on a sample subset of 3,455 organizations, with cyber champions accounting for 5% of those. The study was fielded from March to April 2021.