There is a strong consensus among Danish businesses in the ER&I sectors that the cyber threat has been growing, and that Covid-19 has distorted the threat landscape and added fuel to the fire. Now, organisations need to take action or risk falling victim to inevitable attacks.
But are they ready?
The past few years have seen Danish ER&I businesses facing an increase in the frequency and intensity of phishing and ransomware attacks. This development builds on the general trend of cyber threat escalation that we have seen during the same period. The question is: Can the cyber defences implemented by the businesses surveyed keep up with the growing cyber threat?
What does the survey show?
79% of respondents have experienced an increase or a significant increase in the cyber threat during the past two years. 21% believe the threat has stayed the same. None believe in a decrease. In addition, 34% of respondents believe Covid-19 has resulted in an increased cyber threat to their businesses.
The most popular pre-emptive measure taken by the surveyed businesses is a self-defence plan. 86% have completely or partly introduced such a measure. However, it is worth noting that 62% of the surveyed businesses do not operate with a fully actionable response plan in case of an attack.
Q: How has the cyber threat against your organization in your view developed…
It is highly surprising that 37% of Danish ER&I businesses do not have a self-defence plan ready in case of an attack. With the cyber threat increasing critically, we can only appeal to all businesses to prepare themselves as soon as possible.
While it is positive to see that a large majority perceive the threat level to have increased during the past two years, the fact that 21% of the respondents have not noticed a change in the threat level during that time, and that 66% have not experienced an increase during Covid-19, indicates that it is necessary to revisit the cyber threat assessment for some Danish businesses in the ER&I sectors.
According to Deloitte's cyber experts, building a resilient cyber defence begins with a detailed threat assessment, weighing the likelihood of different threats and embedding prioritised security measures in a proportionate response. Altogether, this should form the strategy used throughout the organisation.
Based on the survey, it can be concluded that some Danish ER&I businesses retain a mismatch between threat level and cyber defence, thereby perpetuating a potent security risk. In the effort to stay secure during a time of heightened threat, it is crucial to free up the needed resources and create access to sufficient data. This provides the insight needed to build a realistic understanding of how the threat landscape is evolving. Not having a realistic understanding of such developments renders mitigation of the threat nearly impossible.
Q: Which of the following is implemented in your organization in order to improve your cyber and information security?
The bigger picture
Getting priorities straight
Danish ER&I businesses should not only be aware of the general threat landscape but also have deep insights into the specific threats that the organisation faces. And the effort should not stop there. A comprehensive strategy mapping the organisation's most valuable assets and vulnerabilities should be put in place in order to get priorities straight in the event of an attack.
A good incident response plan outlines several plausible incident scenarios combined with detailed descriptions of the steps that need to be taken in order to mitigate the threat. The plan must clearly identify key roles and responsibilities necessary to respond to a cyber incident. It then needs to be tested through red team exercises and war gaming. Additionally, the incident response plan needs to align with other contingency plans in case of major incidents.