India leads the way in cybersecurity

Failure to progress over the last year sees UK businesses falling behind in cyber incident response planning and cyber breach recovery times, handing the top spot to India -- now the best performing in the world for cybersecurity, according to a industry report. Performance in organisations in France, Germany and Singapore has also worsened in the last year, as have the financial services, telecommunications, chemicals, pharmaceuticals, oil and gas and private healthcare sectors.

These are the findings of NTT’s latest annual Security Risk:Value report, which brings together the views of over 2,000 C-level executives and other senior decision makers across 20 countries in the Americas, Asia-Pacific and Europe, from across multiple industry sectors.

NTT analysts say UK respondents are aware of the risks posed by cyber threats, with over half ranking cyber attacks on their organisation as one of the top three issues that could affect businesses in the next 12 months – second only to economic or financial crisis. While global organisations rank loss of company data in third place, in the UK, 44% believe that cyber attacks on critical infrastructure is a far greater threat. Of the most vulnerable components of critical national infrastructure, telecoms, energy and electricity networks take first, second and third place.

Almost all (90%) respondents in the UK believe that strong cybersecurity is important to their business over the next 12 months, compared with 78% who say the same about ‘growing revenue and profit’. 93% believe cybersecurity has a big role to play in society.

For each organisation in the research for the last two years, NTT Security has analysed the responses for good and bad practice in cybersecurity, with good practice awarded positive scores and bad practice awarded negative scores. The results show a lack of progress globally: in 2019 as in 2018, the average score was just +3, meaning that there is nearly as much bad practice as good practice. Thirty-two per cent of businesses score less than zero: that is, they are exhibiting more bad practice than good practice.

Time and money

The 2019 Risk:Value report suggests that the time spent on recovering from a cyber breach continues to rise year-on-year, with UK respondents estimating that it will take 93 days on average to recover. The UK figure is a significant rise of nearly double over last year’s estimated 47 days. The UK now ranks as one of the highest figures globally compared to one of the lowest in 2018.

The cost of recovering from a breach is estimated to be almost £1m in the UK, matching the global average. Notably in the Nordics, costs are predicted to be much higher, with Norway at £1.4m and Sweden in first place with expected recovery costs for a business suffering a breach of £2.4m. Oil & Gas is the industry sector having to spend the most on recovery efforts to the tune of £1.8m.

The estimated loss in revenue in percentage terms is up year on year in the UK – 12.9%, up from 9.7 per cent in 2018, and in line with the global average of 12.7%.

VP of consulting at NTT Security, Azeem Aleem says considering the view of those sitting outside of the IT function – and is often very revealing. "What’s clear is that the world around them is changing, and changing fast, with the introduction of new regulations, integration of new technologies and fast-paced digital transformation projects changing the way we work. What’s concerning though is that organisations seem to have come to a standstill in their journey to cybersecurity best practice – and it’s particularly worrying to see UK businesses falling behind in some critical areas like incident response planning.

“Decision makers clearly see security as an enabler; something that can help the business and society in general. But while awareness of cyber risks is high, organisations still lack the ability, or perhaps the will, to manage them effectively. The execution of cybersecurity strategies must improve or business risk will escalate for the organisations concerned.”


Where are organisations stalling? (Source: NTT Security)


• Paying cyber criminals: A third (33 per cent) of UK respondents say that they would rather pay a ransom to a hacker than invest more in security because it would be cheaper, a significant rise of 12% over 2018’s report; and 34% said they would rather pay a ransom to a hacker than get a fine for non-compliance of data regulations.

• Budgets: Security budgets in the UK are potentially failing to keep up with increasing cyber risk, with the percentage of IT budget attributed to security (15 per cent) in line with the global average. The percentage of operations budget spent on security has fallen by around 1% since 2018, to 16.5% in 2019.

• GDPR compliance: Just 30% globally believe they are subject to GDPR, a year on from the deadline, despite it affecting all organisations that have operations or customers in any European Union member state. The UK is a more respectable 48% – still behind Spain (55%) and Italy (50%).

• Internal security policies: Businesses are still failing to be proactive internally. At a global level, 58% have a formal information security policy in place, just 1% up over last year. While the UK shows an impressive 70% with a policy in place, this is down on last year’s 77%. Less than half (47%) however admit that their employees are fully aware of such a policy.

• Incident response plans: In 2019, 60% of UK organisations have an incident response plan in place in the event of a security breach, a 3% drop. However this is still above the global average of 52% and among the highest figures across all 20 countries.

• Blaming IT: Around half (44%) of UK respondents believe cybersecurity “is the IT department’s problem and not the wider business”, which is in line with the global average of 45%. Swedish organisations are most likely to blame IT (60%). Brazil is least likely (28%) to do so.


Research for this report was conducted in February and March 2019. A total of 2,256 senior non-IT business decision makers were interviewed online in the US, Japan, UK, Germany, Austria, Switzerland, France, Belgium, Netherlands, Luxembourg, Spain, Italy, Sweden, Norway, Hong Kong, Singapore, India, Australia, Brazil and Chile. Job functions included business development, strategy, finance, sales, operations, production, HR and marketing. Predominantly, organisations had more than 500 employees and had activities in one of 17 sectors.

    Share Story:

Recent Stories