Like their global peers, Danish companies and public sector organisations find themselves in a cyber-everywhere world where digital innovation is happening continually.
We live in a hyper-connected world where core business processes are interconnected; for most organisations, boundaries are becoming less defined as complex supply chains potentially open the way for a whole new set of cyber threats.
Today, the question is not whether you will be targeted, but when, to what degree, and with what consequences. In this year’s Danish cyber survey, 6 per cent of cyber security leaders said that in the last 12 months their organisation had experienced not just a ‘successful’ cyberattack, but one with a material impact on the organisation.
Figure 1. Most recent successful cyberattack
When has your company/organisation last experienced a successful cyberattack that has affected your company/organisation significantly?
For almost all the respondents who experienced such an attack, one of the biggest impacts was disruption of operations. Many also mentioned recovery costs, while others pointed to impacts such as loss of revenue, legal costs, layoffs, reputational loss, or changes in leadership following an incident.
Despite the negative impact that cyberattacks can have, 76 per cent of the cyber security leaders did not know the size of their organisation’s cyber security budget relative to its annual revenue. For the majority of the 20 per cent of respondents who were aware, it did not exceed one per cent.
Cyberattacks on other organisations are a trigger for action
According to our survey, witnessing cyberattacks on other organisations and the damage such attacks cause is one of the critical triggers for action. In fact, the survey found that cyberattacks on other organisations are the number one trigger for starting to invest in cyber security, with proactive detection and monitoring as number two.
The main trigger points to start investing in cyber security
Regulation is the third most common trigger for initiating investments in cyber security, a clear sign that the increased scrutiny by regulators is starting to manifest itself as organisations prepare for a safer digital future.
The regulatory complexity is further discussed in Deloitte’s recent interview with Danish member of the European Parliament and NIS2 advocate, Morten Løkkegaard. He also serves as the vice chair of the Special Committee on foreign interference in all democratic processes in the European Union, including disinformation (INGE 2). According to him, given the unprecedented level of cyber threat that mixes security policy, geopolitics and international crime, we have only seen the beginning of cyber regulation. He also discusses how the European Union has a deep recognition that security is no longer a private matter for companies and individual states, but a collective responsibility that must be solved through the common institutions.
You can see the full interview here.
The perception of cyber security maturity remains high vs. the reality
When asked how they would rate the level of cyber security in their organisation (on a scale of 0 to 10, with 10 being ‘ideal’), 7 was the most common answer for companies with more than 500 employees, while companies with between 200 and 500 employees scored themselves even higher, with 8 out of 10 as the most common answer. However, the fundamentals of cyber security still remain to be improved, causing a discrepancy between the current perception and the reality of successful security implementation within their organisations (see figure 5).
Figure 2. Rating level of cyber security
Imagine a company/organisation where cyber security is deeply rooted, a strategy is defined and key initiatives are implemented, with a clear contingency plan outlined. On a scale from 0 to 10, how close do you believe that your company/organisation is to that ideal? 10 matches that ideal, and 0 doesn't match at all.
The main reasons given for the lack of security enhancements were a lack of internal resources (49 per cent), a lack of time (38 per cent) and top management not giving it priority (27 per cent).
Figure 3. Reasons for not reaching the ideal cyber security level
Which of the following are reasons why your company/organisation hasn't reached the ideal level yet?
The lack of resources, time or top management attention, however, is not preventing Danish organisations from having high ambitions: 28 per cent of respondents expected to reach an ideal security level within the next year, and another 21 per cent within the next 1-3 years.
However, 43 per cent stated that they would never achieve the ‘ideal’. Their comments show that this is due to the continual and increasing sophistication of cyber criminals and their methods over time. Cyber security is therefore an area needing constant development, and cyber threats are a moving target because attackers keep developing their tactics.
Figure 4. Expectation of reaching an ideal level of cyber security
You answered that your company/organisation hasn't reached the ideal level of cyber security. When do you expect to reach a cyber security level that matches the ideal level?
Basic cyber security measures are still missing
We asked respondents whether their organisations have implemented what we consider to be the four basic cyber security initiatives: regular awareness training; an incident response plan; an operational and strategic plan; and basic cyber hygiene (such as basic software maintenance, user management, password safety and a security-centric mind-set).
Looking at incident response planning – a vital tool for responding to cyberattacks and minimising the damage from a successful attack – only 64 per cent of the respondents said that their organisation has fully implemented such a plan. What is more, the frequency with which the incident response plan is tested seems to vary greatly: 20 per cent said at least quarterly, 18 per cent said bi-annually, and 45 per cent said annually or less often. 13 per cent said that their organisation’s incident response plan is never tested, and four per cent did not know the frequency of testing, indicating that the maturity of how such processes are tested and improved upon varies considerably from organisation to organisation.
Figure 5. Test of incident response plan
How often is your company's/organisation's incident response plan tested?
68 per cent of respondents could answer ‘yes’ to regular awareness training, 57 per cent to having a full operational and strategic plan, and 54 per cent said that their organisation has a fully implemented procedure for improving the organisation’s cyber hygiene. This indicates that organisations are still in the process of developing and implementing an overall strategy and processes for cyber security, although the result also shows that cyber security is being recognised as an important risk.
Figure 6. Implementation of measures to improve cyber security
Has your company/organisation implemented any of the following to increase the cyber security?
The size of the company or organisation seems to influence the level of implementation of these different measures. Larger companies tend to be ahead in the process of implementing different cyber security tools. For example, 81 per cent of the organisations with over 500 employees have regular awareness training compared to 60 per cent of the organisations with between 200 and 500 employees. One factor still points to the low priority given to cyber security awareness training as part of the security hygiene of organisations with fewer employees.
Figure 7. Implementations of measures to improve cyber security: Size of company/organisation
Has your company/organisation implemented any of the following to increase cyber security?
In conclusion, only 31 per cent of respondents answered “yes” to all four initiatives. In light of the relatively high self-scoring of maturity, this could very well point to a generic discrepancy between the perception of one’s own maturity and the actual implementation of cyber security measures in the organisation.
Figure 8. Implementations of all four measures
Has your company/organisation implemented any of the following to increase cyber security?