Some Enterprises Still Have No Plan Against Cyber Threats 

NEW YORK — A new report shows that despite the fact that nearly all enterprises have faced a cyber threat, some still don’t have a cyber defense plan in place.

The report, “2021 Future of Cyber Survey” by Deloitte, focuses on cybersecurity at enterprises in the U.S. and makes comparisons to cybersecurity practices at non-U.S. enterprises, according to the global consulting firm.

The report was released last month by Deloitte.

Widespread breaches and the defenseless

For instance, nearly all U.S. executives (98%) reported that their organizations experienced at least one cyber event in the past year, compared to a slightly lower rate of 84% by non-U.S. executives.

The COVID-19 pandemic disruption also led to increased cyber threats to U.S. executives’ organizations (86%) at a considerably higher rate than non-U.S. executives experienced (63%). 

Yet, 14% of U.S. executives said their organizations have no cyber threat defense plans, a rate more than double that of non-U.S. executives (6%).

Cyber threat fallout and obstacles

The biggest fallout U.S. execs reported from cyber incidents or breaches at their organizations during the past year include operational disruption (28%), share price drop (24%), leadership change (23%), intellectual property theft (22%), and loss of customer trust (22%).

Increases in data management, perimeter, and complexities (38%), inability to match rapid technology changes (35%), and a need for better prioritization of cyber risk across the enterprise (31%) all pose obstacles to U.S. executives’ organization-wide cybersecurity management programs.

“No CISO or CSO ever wants to tell organizational stakeholders that efforts to manage cyber risk aren’t keeping up with the speed of digital transformations made or bad actors’ improving tactics,” said Deborah Golden, leader and principal, Deloitte Risk & Financial Advisory Cyber and Strategic Risk, Deloitte & Touche. 

“Aggressive organizational digital transformations and continued remote work for some seem to be shining more of a spotlight on the human side of cyber events — both the cyber talent gap and the potential risk well-meaning employees can pose. We see leading organizations turning to advanced technologies to help bridge those gaps.”

See more: Cybersecurity Market

Key findings from “2021 Future of Cyber Survey”

Talent gap

• Competition for cyber talent remains fierce, particularly in the U.S., as 31% of U.S. executives say their organizations are often unable to recruit and retain cyber talent — a rate nearly twice what non-U.S. executives (16%) experience

Enemy within

• The cyber threat U.S. executives say they are most concerned about isn’t phishing, malware or ransomware (27%) — it’s unintended actions of well-meaning employees (28%)
• Yet, 15% of U.S. executives say their organizations have no way to detect or mitigate employee cyber risk indicators 
• 44% say their organizations rely on leadership to monitor employee behaviors and cyber risk indicators
• Just 41% say their organizations leverage automated behavior analytic tools to help detect potential risk indicators among employees.

Trust

• Zero-trust adoption continues to gain momentum. The prioritization of zero trust by U.S. executives as they work to transform their organizations’ security capabilities is second only to cyber and technical resilience building, whereas zero trust is not near as high a priority (ranked No. 7) by non-U.S. respondents
• Balancing business needs with customer trust has room for improvement in the U.S. Data protection (53% U.S. executives; 43% non-U.S. executives) and data privacy (41% U.S. executives; 42% non-U.S. executives) are top-ranked security projects for executives globally 
• Despite loss of customer trust resulting from a cyber event ranking high with 22% of U.S. executives and 16% non-U.S. executives, 19% of U.S. execs say that their marketing organizations balance the need for customer data collection with engendering customer trust “very well,” compared to 60% of non-U.S. execs who say the same

Internal visibility

• Cyber is top of mind for U.S. CEOs and boards. U.S. executives share that their organizations see CISOs reporting direct to CEOs (42%), CTOs (19%) or CIOs (16%)
• Nearly all (96%) report that cybersecurity is on the board’s agenda more than once per year — most frequently occurring quarterly (49%) or monthly (30%) 
• Outside the U.S., execs are less likely to see CISOs reporting to CEOs (30%), and cyber appears on the board’s agenda more than annually by most non-U.S. executives (88%), if most frequently occurring quarterly (50%) or biannually (20%)

Risk and response

• When leaders make decisions on cybersecurity investments, U.S. executives are most likely to do so by leveraging risk quantification tools to discern ROI (45%), compared to non-U.S. executives who are most likely to use cyber maturity assessments to guide those decisions (42%)
• Risk analysis and threat modeling for new and existing app security is conducted at least monthly by 59% of U.S. executives’ organizations, compared to 36% of non-U.S. executives’ organizations
• DevSecOps has been adopted fully (43% of U.S. executives; 40% of non-U.S. executives) or partially adopted (49% of U.S. executives; 51% of non-U.S. executives) in most respondents’ organizations
• To address data destruction attacks that aim to indefinitely disrupt business, U.S. executives are most likely to turn to their organization’s disaster recovery (DR) and business continuity (BC) solutions to address such events (43%). Non-U.S. executives are most likely to rely on specific back-up or DR solutions or BC plans for data destruction events

Cloud

• Cloud environment visibility around workloads and applications protection was the top cloud security concern for all executives polled (34% U.S. executives; 27% non-U.S. executives)
• The groups diverged on secondary cloud security concerns as U.S. executives listed consistency of application changes (25%) second, compared to non-U.S. executives listing compliance (19%) as second-ranked concern

See more: Incident Response Market 2021

Report methodology

As part of a global Deloitte Touche Tohmatsu Limited survey, 577 C-suite executives around the world — 159 from the U.S. — were polled online from June 6, 2021 to Aug. 24, 2021 about their organizations’ cybersecurity programs. 

Participating U.S. respondents held CEO (25%), chief information security officer, or CISO (23%), CFO (21%), CIO (15%), CMO (13%), or other C-suite positions (3%). 

U.S. respondents’ organizations had annual revenues of $500 million to less than $5 billion (37%), more than $5 billion to less than $30 billion (53%), or more than $30 billion (10%). 

See more: Top Cloud Security Companies & Solutions