In an increasingly digitised and interconnected world, it is crucial that organisations are protected by robust and resilient cybersecurity defences.
Our survey, however, shows that Danish organisations lack comprehensive and consistent implementation of baseline cybersecurity measures.
What does the survey show?
Our survey reveals notable differences across the sectors when it comes to adoption of baseline cybersecurity measures, such as incident response plans, self-defence plans, cyber hygiene and cyber awareness training.
On average, 57% of the Danish organisations have fully implemented a self-defence plan. Meanwhile, only 46% have an incident response plan fully implemented, while 48% conduct regular awareness training. Cyber hygiene is fully implemented in 43% of the organisations.
Sector deep dive
On average, 15% of the organisations in the CGS, FS and ERS have all four cyber measures fully implemented. In the FS, only 9% of the participating organisations indicate that they have all four measures fully implemented, which is approximately half the share seen in the three other sectors.
On average, we see that more than one-third of the organisations do not have a proper self-defence plan fully implemented. As for incident response plans, the PS is doing better than the other three. Further, across all four sectors, we see sporadic implementation of cyber awareness and good cyber hygiene.
To start on a positive note, our survey indicates that, on average, almost half of the participating Danish organisations have implemented the baseline cybersecurity measures either in full or in part. Combined with increased leadership involvement in cyber and increased threat awareness, this is a positive sign.
It is, however, still alarming that most organisations are lagging behind when it comes to having all four of these baseline security measures fully implemented. Measures implemented only in part may not get these organisations through a major security incident.
Our survey shows that, on average, less than one-sixth of the organisations have all four baseline cybersecurity measures fully implemented. This is surprising given the positive self-evaluations, in which 66% rated their own level of cybersecurity as 7 or higher. This supports our earlier observation that these organisations may be over-estimating their cybersecurity capabilities.
We see that 46% of the businesses in the CGS and FS have either no cyber self-defence plan in place or only a partial one. This is approximately 10 percentage points more than in the two other sectors, which is at odds with the fact that the CGS and FS had the highest average self-evaluation scores.
Further, it is of concern that 41% of the organisations in the CGS and 30% of the organisations in the ERS directly state that they do not have an incident response plan fully implemented. A good and tested incident response plan is what an organisation falls back on once its cyber defences have been breached; not having prepared for such a scenario should not be acceptable.
The CGS has the highest share of respondents, 62%, indicating that regular cyber awareness training is either implemented only in part or not at all. Again, this supports the observation that organisations in this sector may be over-estimating their cyber defences, as educating their employees, the first line of defence, on how to stay safe in cyberspace is an essential part of cyber resilience.
Lastly, our survey indicates that the percentage of organisations that have only partly implemented good cyber hygiene is roughly the same as the percentage that have it fully implemented. This may be due to a lack of understanding of what cyber hygiene entails, but it may also reflect how hard it is to reach a state where vulnerabilities are regularly identified and mitigated, especially in legacy environments.
The bigger picture
Strategic self-defence plan
An operational and strategic plan to defend an organisation against cyber threats starts with a detailed threat assessment: weighing the likelihood of each threat materialising and its potential impact, and conducting analyses and penetration tests in order to map and expose the organisation's vulnerabilities. As a next step, security efforts must be prioritised, a budget drawn up, and the strategically most important actions to be taken before, during and after a cyberattack identified and operationalised.
Many major organisations and businesses are lagging behind technologically, and older systems pose a significant security risk. Structured and frequent cyber hygiene, including user and access control, timely updates of software and hardware, and a requirement to regularly change passwords, significantly raises the level of cybersecurity, and often it costs nothing but time. Note that on the last point, current guidance such as NIST SP 800-63B advises against forcing users to change passwords on a fixed schedule; passwords should instead be changed when there is evidence of compromise, screened against lists of known-breached passwords, and backed by multi-factor authentication.
Incident response plan
A good incident response plan outlines several plausible incident scenarios together with the detailed steps that need to be taken to contain and mitigate each one. The plan must clearly identify the key roles and responsibilities needed to respond to a cyber incident, including who has the authority to take systems offline and to engage external parties. It then needs to be tested, through tabletop exercises, war gaming and red-team exercises, with the lessons learned fed back into the plan. Additionally, the incident response plan needs to align with the organisation's other contingency plans in case of major incidents.
The Centre for Cybersecurity (CFCS) of Denmark estimates that "unconscious insiders" are involved in up to half of the recorded security incidents, which underlines the importance of conducting awareness training frequently. Organisations that are furthest ahead in this area use gamification or in-your-face, real-time awareness training, such as immediate feedback when an employee clicks a link in a simulated phishing email, to increase the effect of the training.