With rising consumer demands and expectations, consumer businesses rely more on innovative technologies to help retain customer loyalty, surpass consumer expectations and create competitive advantages in an ever-increasing digital world.
As investments in new technology grow, so does the potential attack-surface, enabling cyber criminals to exploit weaknesses. This calls for a significant focus on cybersecurity, but our survey indicates that there is a general lack of basic cyber defence efforts among the surveyed consumer businesses.
What does the survey show?
The survey indicates that only about four out of ten of the surveyed consumer businesses have a cyber defence in which the basic defence efforts are implemented in full or in part. These basic efforts are response plans, self-defence plans, cyber hygiene and cyber awareness training. 46% of the respondents state that they do not have a self-defence plan in place, or only partly have one. Approximately half of the surveyed consumer businesses do not perform cyber hygiene practices, or only partly do so. 53% of the respondents do not have a response plan in place that can be used if the business is attacked, or only partly have one. Finally, 62% replied that they do not conduct regular awareness training, or only do so to some degree.
Only 16% of the respondents that have ranked their cyber defence seven or higher have fully implemented all four cyber defence efforts.
Based on the respondents’ positive self-evaluations, one would assume that the majority have fully implemented the basic set of cyber defence efforts. Our survey, however, shows that only 16% of the respondents ranking themselves seven or higher have fully implemented all four basic defence efforts. This supports the argument that several businesses may be operating with a false sense of confidence in their cyber defence.
According to Deloitte’s cyber experts, cyber hygiene and awareness training are fundamental and elementary initiatives that are crucial to any organisation’s cyber resiliency. Also, it is a necessity to have both a strategic plan and an operational plan for how you should defend yourself against the threats you are facing. If you do not have a response plan that tells you how to act when a cyber-attack strikes you, you are not as resilient as you might feel you are. Ideally, such plans need to be in writing, and you need to test them frequently to make sure that you are ready for when – not if – your organisation is hit by a cyber-attack.
Based on the findings of the survey, it therefore seems fair to conclude that there are bright spots in Danish consumer businesses when it comes to cybersecurity, but also considerable room for improvement. Fortunately, there is plenty of low-hanging fruit that can be harvested relatively easily to strengthen the consumer businesses’ cyber defence and resilience. For instance, many organisations simply need to operationalise the knowledge, plans or procedures that already exist within the organisation but have not yet been written down or systematised.
The broader picture
Strategic self-defence plan
An operational and a strategic plan for defending an organisation against cyber threats start with a detailed threat assessment that weighs the likelihood of each threat materialising, combined with analyses and penetration tests that map and expose the organisation’s vulnerabilities. As a next step, security efforts must be prioritised, a budget has to be drawn up, and the strategically most important actions before, during and after an attack need to be identified and operationalised.
Several major organisations are lagging behind technologically, and older systems pose a significant security risk. Structured and frequent cyber hygiene, including user control, updates of software and hardware and a requirement to regularly change passwords, significantly increases security, and often it does not cost anything but time.
Incident response plan
A good incident response plan outlines several plausible incident scenarios combined with an overview of the detailed steps that need to be taken in order to mitigate the threat. The plan must clearly identify key roles and responsibilities necessary to respond to a cyber incident. It then needs to be tested through red team exercises and war gaming. Additionally, the incident response plan needs to align with other contingency plans in the case of major incidents.
The Centre for Cybersecurity (CFCS) of Denmark estimates that “unconscious insiders” are involved in up to half of the security incidents recorded, which underlines the importance of conducting awareness training frequently. Organisations that are furthest ahead in this area utilise gamification or in-your-face, real-time awareness training to increase the effect of the training.