Cybersecurity capabilities of corporates are worrying, finds Accenture benchmark
As digitalisation continues across a range of sectors, information from businesses and private individuals is increasingly being compromised by lax security. To understand the capabilities of some of the world's largest companies, Accenture developed a global and cross-industry benchmark.
Cybersecurity remains a thorn in the side of many organisations and private individuals, as business secrets and sensitive personal information continues to be stolen and leveraged for criminal, nefarious and inappropriate ends.
While digitalisation creates cost benefits to the operations of organisations, they do come with additional ‘hidden’ cost posts that many companies are not aware of, or are ignore to cut costs. The negative externalities associated with digital technology – here cybercrime – are not without consequence however, with consumers and organisations finding themselves out of pocket, and in some instances, out of business.
To better understand how some of the world’s largest organisations, those with revenues above $1 billion, are dealing with threats to themselves and their customers and clients, Accenture surveyed 2,000 senior security executives to better understand their respective capabilities.
As part of the research the firm developed 33 distinct capabilities benchmark and measured the performance of participating businesses in each capability. These capabilities cover everything from cyber response readiness to governance and leadership, and are based on the firm’s own methodology.
The study found that few organisations are rated highly competent by the firm in almost all capabilities, at 4%. Around 16% are competent in more than 21 capabilities. The largest segment, 30% of the surveyed companies, are highly competent in 0-6 of the capabilities, while 21% are capable in 6-10 capabilities.
The research notes that a number of areas, which are integral to a strong defensive posture, have low uptake among respondents, ‘identification of high-value assets and business processes’ and ‘cybersecurity investments for key assets’, for instance, have 27% and 29% respectively with high competence. Business also face issues from an ‘ability to ensure stakeholder involvement’, with cyber security teams often side-lined as a cost post that the leadership doesn’t understand the real need for engaging, creating poor integration.
The research also sought to understand the different levels of performance across industry segments, as a % share of high-performance security capabilities.
Communications organisations come first, with a high-performance score in 45% of the 33 categories, followed by banking & capital markets, on 44%. High technology comes in third, on 44%, followed by consumer products, 39%, and insurance, 38%.
The life sciences industry is the poorest performer, with 19% of the 33 categories scored with high-performance, followed by energy, which had an average score of 27%.
The research also looked at the performances of businesses across a number of countries, to better understand how different regions are rising to technology threats. The UK and France come out on top, each scoring an average 44% on high-performance in the 33 categories. Brazil takes the third spot, with a score of 42%, while Japan and the US round off the top five on 40% and 37% respectively.
The research found that the UK is particularly strong in the ‘communication of cyber incidents’, at 55%, ‘cooperation during crisis management with third-parties’, at 52% and ‘measuring and reporting cybersecurity’, at 50%. While France performs well in ‘identification of high-value assets and business processes’, 40%, and ‘business-relevant threat monitoring’, at 44%.
Spain, Australia and Germany are the poorest performers, on 22%, 26% and 26% respectively. Spanish businesses surveyed underperformed in all categories on average.
Kelly Bissell, Managing Director of Accenture Security says about the report, “A new approach is clearly needed. One that protects the organisation from the inside out and across the entire industry value chain – from the wellhead to the oil pump. And the start of this must be a new, more comprehensive definition of what constitutes cybersecurity success based on impact to the business.”