Invest in security or pay the hackers?

A third of business decision makers in Benelux would rather pay hacker’s ransom than invest more in security, NTT Security Risk:Value report reveals estimated $1.58m to recover from a data breach is one of the highest figures globally, while damage to brand and reputation and loss of customer confidence are leading concerns.

One third (34 per cent) of senior business decision makers in Benelux agree that their organization would consider paying a ransom demand from a hacker rather than invest more in information security because it is cheaper. This is in line with the global figure of 33 per cent across 12 countries. The findings from the 2018 Risk:Value Report, commissioned by NTT Security, the specialized security company of NTT Group, show that a further 15 per cent of respondents in the Benelux region are not sure if they would pay or not, suggesting that only around half would proactively invest in their information security.

Examining business attitudes to risk and the value of information security to organisations, NTT Security’s annual Risk:Value Report surveys C-level executives and other decision makers from non-IT functions in countries across Europe, the US and APAC and from multiple industry sectors.

 The growth in ransomware, identified in NTT Security’s Global Threat Intelligence Report (GTIR) in April, suggests these findings are cause for concern. According to the GTIR, ransomware attacks surged by 350 per cent in 2017, accounting for 29 per cent of all attacks in EMEA – and 7 per cent of malware attacks worldwide.

Are confidence levels unrealistic?

Almost two-thirds (62 per cent) of respondents in Benelux countries say they are kept fully to up to date by the IT security team about data attacks, potential threats and compliance issues relating to their business.

However, nearly half (44 per cent) say they have never suffered a breach and do not expect to. Apart from the US (46 per cent) this is significantly more than any other country and well ahead of the global average (33 per cent) suggesting that levels of confidence are unrealistic given the current global threat environment. More realistically, 18 per cent do expect to suffer a breach, while a quarter admits they have already suffered one.

Impact of a breach

Looking at how their organization would be affected by a security breach, respondents in Benelux are most concerned about damage to corporate brand and reputation (52 per cent) and loss of customer confidence (49 per cent), followed by direct financial loss (31 per cent), loss of shareholder value/share price (29 per cent) and loss of investment (28 per cent). Nearly a third (30 per cent) also admit that a breach could lead either to Board members being forced to resign/lose their job or other staff losses.

Estimated loss from a breach in terms of revenue is 9.6 per cent (compared to the global average of 10.29 per cent, up from 2017’s 9.95 per cent). Executives in Europe are more optimistic, expecting lower revenue losses than those in the US or APAC.

Respondents in Benelux estimate that it would cost $1.58m to recover from a security breach, above the global average of $1.52m, and one of the highest figures globally. Benelux respondents also believe it would take around 63 days to recover, compared to 57 days globally – again one of the highest estimates when it comes to recovery times.

Whose responsibility is security?

According to 2018 Risk:Value, there is no clear consensus on who is responsible for day to day security, however in Benelux, senior business decision makers firmly place responsibility within the IT department, with 23 per cent pointing to the CIO, 23 per cent to the CISO and 13 per cent to the IT Director. Just 15 per cent believe security as the job of the CEO (compared to 22 per cent at a global level).

When it comes to having regular boardroom discussions about security, 70 per cent of respondents agree that preventing a security attack should be a regular item on the Board’s agenda, although a fifth actually disagree with this idea. Yet just over half (58 per cent) admit it is and 10 per cent don’t know if it is regular agenda item.

How prepared are organizations in Benelux?

Less than half (45 per cent) of respondents in the Benelux region have a full information security policy in place, but 28 per cent are in the process of implementing one and one in ten are currently designing one. Asked if this same policy had been actively communicated to everyone within the business, just two thirds (67 per cent) say it has, well below the global figure of 81 per cent, and the second lowest figure across all 12 countries. As a result, just over a quarter (27 per cent) of employees are “fully aware” of it.

In terms of incident response planning, Benelux again falls below the global average (49 per cent) at 42 per cent when it comes to having an incident response plan, although a third of respondents say they are in the process of implementing one. Shockingly, just 28 per cent of business decision makers are “fully aware” of what their incident response plan includes, the lowest figure across all 12 countries measured by some margin and almost half the global average (51 per cent). Almost a fifth (20 per cent) are not aware of it at all.

“We’re witnessing high levels of confidence among our senior respondents in this year’s report, with almost half claiming they have never experienced a data breach or expect to,” comments Kai Grunwitz, Senior VP EMEA, NTT Security. “But we also have this worrying figure that more than a third of respondents in Benelux (and globally) would rather pay a hacker’s ransom than invest more in their security because it would be cheaper to do so.

“While it’s encouraging that many organisations are prepared to take a long-term, proactive stance, there are still signs that many are still prepared to take a short-term, reactive approach to security in order to drive down costs. However, the reputational and financial damage organizations fear facing are likely to become a reality as executives attempt to cut corners and rebuff proactive security as a business-critical investment.”

For further information on NTT Security’s 2018 Risk:Value report and to download a copy, click right below: