The Global State of Information Security® Survey 2018

Here is a link to the full report, or to our website. The global state of information security is unfortunately still far from where it should be!

The most feared outcomes of a successful cyberattack are the following:

  • disruption of operations (40%)
  • compromise of sensitive data (39%)
  • harm to product quality (32%)
  • damage to physical property (29%)
  • harm to human life (22%)

So there is awareness of the real risks, yet many organisations remain unprepared to deal with cyberattacks. Of the 9,500 respondents in 122 countries surveyed, 44% say they do not have an overall information security strategy.

Only about half (52%) of respondents say their organizations employ a CISO and only 44% of GSISS respondents say their corporate boards actively participate in their companies’ overall security strategy.

Many key processes for uncovering cyber risks in business systems have been adopted by less than half of survey respondents:


No wonder WannaCry and Petya are able to create havoc and bring entire factories down (often for days - I know of a case where it was for weeks in a row).


The rising cyber interdependence of infrastructure networks is one of the world’s top risk drivers. The WEF 2017 Global Risks Report found that cyberattacks, software glitches, and other factors could spark systemic failures that cascade across networks and affect society in unanticipated ways.

There is a wide disparity in cybersecurity preparedness among countries around the world. The UN found that only 38% of member states have a published cybersecurity strategy, and only 11% have a dedicated standalone strategy. Only 12% have a cybersecurity strategy in development. Although 61% of member states have an emergency response team with national responsibility, only 21% of states publish metrics on cybersecurity incidents.

“Can I withstand the failure of others on whom I depend?” really is the key question organisations should ask themselves. Stress-testing your cyber security arrangements is absolutely essential! Currently, only 39% of respondents say they are very confident in their cyberattack attribution capabilities.

Tomorrow’s successful companies, those that are resilient, will be best positioned to sustain operations, build trust with customers, and achieve high economic performance.

Pursue resilience as a path to rewards—not merely to avoid risk. This was proven by the companies that built business-continuity management procedures into their enterprise risk management programs before the 2011 Japanese tsunami. They were able to resume operations faster than their competitors—allowing them to capture market share after the disaster.

As a final point, last year's report already pointed out the importance of greater information sharing and coordination. Only 58% of respondents say they formally collaborate with others in their industry, including competitors, to improve security and reduce the potential for future risks. However, only half of those say their efforts have led to sharing and receiving more actionable information. Clearly, maturity still needs to rise and in my opinion, governments have a big role to play there as well.



More articles by Ingvar Van Droogenbroeck
