According to the respondents, the cyber threat has increased. However, many also report an unchanged threat level, which might be explained by the sector’s relatively high level of cybersecurity maturity.
What does the survey show?
Three out of four respondents in the survey think that the cyber threat against their business has increased or increased significantly over the last two years. The remaining respondents report an unchanged threat level. Nobody perceives the cyber threat to have decreased.
The businesses in the survey were asked about their perception of the development in the cyber threat level during COVID-19 (the survey was conducted in August 2020). Thirty-four percent indicate that the threat has increased during this period, and 66% indicate that the level has stayed the same. Again, nobody perceives the threat to have decreased.
Q: How has the cyber threat against your organisation in your view developed…
Most of the respondents perceive the cyber threat to have increased over the last couple of years. However, compared to other sectors that have been investigated as part of Deloitte’s Cyber Surveys (the consumer sector, the public sector and the energy, resources and industrials sector), the financial sector has a high proportion of respondents indicating that the threat level has remained unchanged over the last two years.
It is important to be aware of the distinction between the actual cyber threat level and the perceived cyber threat level. As this is a survey, the numbers reflect the perceived level. This could partly explain why a relatively large proportion of the businesses in the financial sector see the threat level as unchanged. Compared to the other sectors, the financial sector has a high cybersecurity maturity level in general, having been “in the game” and at risk of cyber-attacks for many years – people have always been after a financial gain. Thus, being exposed to cyber threats is a given for businesses in the financial sector, and they have learned to live with it. They are more aware, so it does not feel like an increase.
However, the shape of the threat against the financial sector has developed over the years. Today, it is not only about obtaining a financial gain from financial businesses. Sometimes, the sole purpose of the attack is destruction.
The bigger picture
Understanding the threat landscape
A business should not only be aware of the general cyber threat landscape and threat level, but also have deeper insights into the specific threats that the business is facing. This involves assessing which assets need to be further protected and knowing about the potential attackers’ motivations and modus operandi. Every business should map its most valuable assets, i.e. its “crown jewels”, define its most crucial business priorities and investigate what vulnerabilities and threats are associated with the existing systems and technologies. They should also have a clear understanding as to why somebody might target them and to what purpose.
“Sensing” a cyber-attack
Companies have historically invested in detecting cyber-attacks. Such detection is based on a combination of technology, processes and people. Recent cyber-attacks have shown that this does not suffice. For example, the NotPetya attack in 2017 was able to wipe out half of the affected companies’ critical assets in less than two hours. Today, it is also important to sense which attack vectors are more important for your business, e.g. through threat intelligence, threat assessments and crown-jewel identification, and to regularly ensure that you are cyber resilient and protecting your crown jewels.