Although the number of cyberattacks is rising sharply, most large companies are not well prepared to thwart them, according to new research from Accenture.
Based on a survey of more than 4,700 executives globally, Accenture’s State of Cybersecurity Resilience 2021 study found that more than half (55%) of large companies are not effectively stopping cyberattacks, finding and fixing breaches quickly, or reducing the impact of breaches.
The study explores the extent to which organisations prioritise security, the effectiveness of current security efforts, and how their security investments are performing.
Staying one step ahead of cyber attacks
Four in five respondents (81%) believe that “staying ahead of attackers is a constant battle and the cost is unsustainable”, up from 69% in last year’s survey. At the same time, while 82% of survey respondents increased their cybersecurity spending this past year, the number of successful breaches (which include unauthorised access to data, applications, services, networks or devices) jumped 31% over the previous year, to 270 per company, on average.
“From run-of-the-mill cybercriminals to sophisticated nation-state actors, cyber adversaries are getting more resourceful at finding new ways to carry out their attacks,” said Kelly Bissell, who leads Accenture Security globally. “Our analysis reveals that organisations too often focus solely on business outcomes at the expense of cybersecurity, creating greater risk. While getting the balance right isn’t easy, those who have a clear view of the threat landscape and a strong alignment on business priorities and outcomes achieve greater levels of cyber resilience.”
Aligning cyber resilience with the business strategy
The report highlights the need to extend cybersecurity efforts beyond a company’s own walls to its entire ecosystem, noting that indirect attacks (i.e., successful breaches of an organisation through the supply chain) continue to grow. For instance, despite two-thirds (67%) of organisations believing that their ecosystem is secure, indirect attacks accounted for 61% of all cyberattacks this past year, up from 44% the prior year.
Additionally, the research identified a small group of companies that not only excel at cyber resilience, but also align with the business strategy to achieve better business outcomes and return on cybersecurity investments. Compared with other organisations, these “Cyber Champions,” as Accenture refers to them, are far more likely to:
- strike a balance between cybersecurity and business objectives;
- report to the CEO and board of directors and demonstrate a far closer relationship with the business and CFO;
- consult often with CEOs and CFOs when developing their organisation’s cybersecurity strategy;
- protect their organisation from loss of data;
- embed security into their cloud initiatives; and
- measure the maturity of their cybersecurity programme at least annually.
“Spending more on cybersecurity without being closely aligned to the business doesn’t make your organisation safer,” said Jacky Fox, group technology officer at Accenture Security. “When it comes to managing cyber risks, organisations can’t afford to lean one way or the other. To achieve sustained and measurable cyber resilience, chief information security officers need to move away from security-focused silos so they can collaborate with the right executives in their organisation to gain a 360-degree view of the business risks and priorities.”