Cybersecurity capabilities of corporates are worrying, finds Accenture benchmark

03 March 2017

As digitalisation continues across a range of sectors, information from businesses and private individuals is increasingly being compromised by lax security. To understand the capabilities of some of the world's largest companies, Accenture developed a global and cross-industry benchmark.

Cybersecurity remains a thorn in the side of many organisations and private individuals, as business secrets and sensitive personal information continue to be stolen and leveraged for criminal, nefarious and inappropriate ends.

While digitalisation brings cost benefits to the operations of organisations, it also comes with additional ‘hidden’ costs that many companies are not aware of, or choose to ignore in order to cut costs. The negative externalities of digital technology, in this case cybercrime, are not without consequence, however, with consumers and organisations finding themselves out of pocket and, in some instances, out of business.

Defining performance levels for cybersecurity capabilities

To better understand how some of the world’s largest organisations, those with revenues above $1 billion, are dealing with threats to themselves and their customers and clients, Accenture surveyed 2,000 senior security executives about their respective capabilities.

As part of the research the firm developed a benchmark of 33 distinct capabilities and measured the performance of participating businesses in each capability. These capabilities cover everything from cyber response readiness to governance and leadership, and are based on the firm’s own methodology.

Proportion of respondents in each range of cybersecurity capabilities rated highly competent

The study found that few organisations, just 4%, are rated highly competent by the firm in almost all capabilities. Around 16% are competent in more than 21 capabilities. The largest segment, 30% of the surveyed companies, are highly competent in 0-6 of the capabilities, while 21% are capable in 6-10 capabilities.

The research notes that a number of areas which are integral to a strong defensive posture have low uptake among respondents: ‘identification of high-value assets and business processes’ and ‘cybersecurity investments for key assets’, for instance, have 27% and 29% of respondents respectively rated as highly competent. Businesses also face issues with their ‘ability to ensure stakeholder involvement’, with cybersecurity teams often side-lined as a cost centre whose need for engagement the leadership does not fully understand, resulting in poor integration.

Security index score by industry

The research also sought to understand the different levels of performance across industry segments, measured as the percentage share of the 33 capabilities in which an industry performs highly.

Communications organisations come first, with a high-performance score in 45% of the 33 categories, followed by banking & capital markets, on 44%. High technology comes in third, also on 44%, followed by consumer products, on 39%, and insurance, on 38%.

The life sciences industry is the poorest performer, with only 19% of the 33 categories scored as high-performance, followed by energy, which had an average score of 27%.

Security Index Score by Country

The research also looked at the performances of businesses across a number of countries, to better understand how different regions are rising to technology threats. The UK and France come out on top, each scoring an average 44% on high-performance in the 33 categories. Brazil takes the third spot, with a score of 42%, while Japan and the US round off the top five on 40% and 37% respectively.

The research found that the UK is particularly strong in the ‘communication of cyber incidents’, at 55%, ‘cooperation during crisis management with third-parties’, at 52%, and ‘measuring and reporting cybersecurity’, at 50%, while France performs well in ‘identification of high-value assets and business processes’, at 40%, and ‘business-relevant threat monitoring’, at 44%.

Spain, Australia and Germany are the poorest performers, on 22%, 26% and 26% respectively. Spanish businesses surveyed underperformed in all categories on average.

Kelly Bissell, Managing Director of Accenture Security says about the report, “A new approach is clearly needed. One that protects the organisation from the inside out and across the entire industry value chain – from the wellhead to the oil pump. And the start of this must be a new, more comprehensive definition of what constitutes cybersecurity success based on impact to the business.”



Boards of top UK firms must do more on cyber-awareness

06 March 2019

A new report released by the UK Government has found that UK businesses need to do more to build awareness within their firms if they are to fend off cyber-attackers. The study found that an all-time high of 72% of businesses now see cyber-threats as a top risk, but just under half of UK boards do not have a comprehensive understanding of the critical assets at risk from cyber-attacks.

Digital technology has revolutionised modern business, with a rate of innovation present in many companies that arguably eclipses that of the industrial revolution. The huge opportunities presented by technology mean that many firms have rushed to digitalise their offerings; but while this means they are able to take advantage of the latest trends, it has also opened innumerable doors for cyber-criminals looking to use technology to loot corporations from across the globe.

Illustrating the extent to which cyber-crime has boomed in the last decade, in the final quarter of 2018 a study commissioned by Bromium and presented by Dr. Michael McGuire at RSA found that the cyber-crime economy has grown to an estimated $1.5 trillion annually. That is only a conservative estimate, but that conservative figure alone is so large that if it constituted a national GDP, instead of a collection of digital frauds, it would be the world’s 13th largest economy.

Amid this state of play, it is easy to see why cyber-security has become one of the key watchwords of any board room in the 21st century. The cyber-security consulting segment has boomed, with the world’s 10 largest operators in the segment bringing in more than $11 billion in related fees, as businesses tap external expertise to help find areas where they can improve their defences. As noted by a new UK Government report, the legacy of this spike in consulting activity is that almost all UK businesses now have a cyber-security strategy, with only 4% admitting otherwise.

Cyber threats are increasingly seen as high risk in comparison to other risks that businesses face

This comes at the end of a sea-change in attitudes toward cyber-security over the last five years. According to the 2018 FTSE 350 Cyber Governance Health Check, in 2013 the largest group of businesses, 38%, felt cyber-threats represented a low operational risk, compared to just 25% who saw them as a very high group risk. Now, the two opinions have seen a dramatic reversal, with only 6% seeing cyber-security as a low threat, compared to a huge 72% of businesses which see it as a very high risk. Considering the high-profile hacks that occurred in the interim, this is perhaps not that surprising.

However, while cyber-awareness in general is at an all-time high, this is where the positive news ends. According to the study, while the vast majority of firms in the UK have a cyber-security plan in place, only 46% have a dedicated budget to enact that strategy. Should their financial positions change rapidly in the near future, something increasingly likely with the prospect of a No Deal Brexit still looming over the horizon, then that plan could fall by the wayside, with the funding shortfall exposing firms to even greater financial damage.

The study, released by the Department for Digital, Culture, Media & Sport (DCMS) in March 2019, was undertaken in partnership with Winning Moves and with support from EY, KPMG, PwC and Deloitte, who worked with their FTSE 350 clients to participate in the survey. The study also found that while most businesses have incident response plans, most are not testing them: 95% of FTSE 350 businesses have an incident response plan, but a mere 57% test their crisis incident response plans regularly. With companies facing the consistently evolving threat of cyber-attacks, that could leave major chinks in their armour undiscovered until it is too late.

Board understanding of business-critical assets

Similarly, many firms also seem oblivious to the threat posed by their wider supply chains, which, if left unchecked, provide hackers with a blank cheque to access company data. A majority of boards do not recognise supply chain risks beyond the first tier, as 77% of FTSE 350 businesses told researchers they did not recognise the risks associated with businesses in the supply chain with whom they have no direct contact.

Meanwhile, almost half of UK boards do not understand the critical assets at risk from cyber-attacks. 54% of businesses in 2018 rated the board’s understanding of critical information, data assets and systems as comprehensive, and of those, only 12% said understanding was the best it could be. This compares to 43% of boards in 2017 and 32% in 2015/16 stating they had a clear understanding, suggesting that key progress is being made, but also that there is a great deal of room for improvement.

Commenting on the findings, Digital Minister Margot James said, “We know that companies are well aware of the risks, but more needs to be done by boards to make sure that they don’t fall victim to a cyber-attack. This report shows that we still have a long way to go but I am also encouraged to see that some improvements are being made. Cyber-security should never be an add-on for businesses and I would urge all executives to work with the National Cyber Security Centre and take up the government’s advice and training that’s available.”