Deloitte surveys: businesses have a false sense of cybersecurity caused by positive self-evaluation of their capabilities and the lack of basic defense efforts

20 October 2021

Approximately three quarters of businesses in the financial and consumer sectors have a false sense of cybersecurity caused by the positive self-evaluation of their capabilities and their lack of basic defense efforts, according to the latest editions of the Deloitte Cyber Surveys for the financial and consumer sectors. More than 70% of respondents ranked their cybersecurity level as seven or higher on a maturity scale from zero to ten, yet only 9% of companies in the financial sector said that they have implemented all four baseline cybersecurity measures, consisting of response plans, self-defense plans, cyber awareness training and cyber hygiene. Also, only four out of ten of the surveyed consumer businesses have a cyber defense strategy, with basic defense efforts being implemented in full or in part.

Operating with a false sense of cyber defense represents a risk for businesses, considering that over 70% of the respondents from the financial (72%), consumer (72%) and energy, resources and industrials (79%) sectors perceive an increase in the level of cyber threats in the last two years, the studies highlight. Additionally, compared to the other sectors (consumer 24%, energy, resources and industrials 21%), the financial sector (28%) has a higher proportion of respondents indicating that the threat level has remained unchanged over the last two years; the financial sector has been exposed to cyber threats for longer than the others, which explains its more mature understanding of the cyber threat landscape.

The survey shows that phishing/malware is considered the biggest cyber risk in the financial sector, as indicated by half of the respondents. The second biggest risk is represented by technical vulnerabilities in applications and infrastructure, and the third one is data leakage/data integrity. As for the energy, resources and industrials businesses, the lack of security in the supply chain is ranked as the highest threat by 63% of respondents. This is a trend also seen in the consumer sector.

“During the last two years, malware and phishing activities reached the top three most frequent threats in the European Union, as 71% of the organizations and companies have faced malware activities and the rate of phishing fraud rose by 667% in just one month during the COVID-19 pandemic, according to public data. In a growing cyber threat landscape, companies should really consider complex exercises, not relying only on penetration testing or vulnerability scanning. Among the additional efforts that the banking industry should contemplate are the Threat Intelligence-Based Ethical Red-teaming European Union (TIBER-EU) framework published by the European Central Bank, which aims to organize testing similar to a real attack - involving Red Teaming, based on prior Threat Intelligence assessments, and Blue or Purple Teaming exercises -, joint cyber exercises, involving new cyber-physical systems, and integrated technical and strategic elements, enabling companies to practice the entire chain of command in simulating a large-scale cyber incident,” stated Andrei Ionescu, Partner-in-Charge, Consulting and Risk Advisory, Deloitte Romania.

The studies also show the way in which the leadership of the businesses in the financial, consumer and energy, resources and industrials sectors prioritize cybersecurity topics. The top management teams in the financial sector are more focused on such aspects than those in other sectors, the studies emphasize, as 42% of the respondents indicate that cybersecurity is on the leadership agenda monthly or more frequently, compared to 37% of the respondents in the consumer sector and only 30% of the businesses in energy, resources & industrials.

Deloitte’s Cyber Risk Advisory team in Romania specializes in cyber strategy, security controls, detecting and managing cyber threats, vulnerability assessments, penetration testing, source code review, red-team testing (TIBER-EU), incident management processes and technologies. In addition, the team provides internationally recognized trainings through Deloitte Academy. Deloitte is also an official Authorized Training Center (ATC) for EC-Council in Romania and is one of the very few private sector organizations invited to participate in the annual NATO Cyber Coalition and Romania National Cyber Drill Exercises as part of the offensive teams.

In 2021, Deloitte was ranked no. 1 in security consulting services by market share by revenue by Gartner for the tenth year in a row, and was named a leader in European Cybersecurity Consulting Providers according to Forrester's report.

Deloitte provides worldwide audit, consulting, legal, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500 companies through a globally connected network of member firms in more than 150 countries and territories, bringing world-class capabilities, insights, and high-quality service to address clients' most complex business challenges. Deloitte's goal is to make an impact that matters through its more than 345,000 professionals.

Deloitte Romania is one of the leading professional services organizations in the country providing, in cooperation with Reff & Associates | Deloitte Legal, services in audit, tax, legal, consulting, financial advisory, risk advisory, business processes as well as technology services and other related services, through over 2,600 professionals.