CYE has released its inaugural Cybersecurity Maturity Report, an industry data analysis based on two years of data collected from more than 500 organizations in 15 countries, spanning 11 industries and a range of company sizes.
The report provides valuable insights into the level of cyber risk across different industries, company sizes and countries. It highlights areas where improvements have been made, as well as areas where more attention may be needed. Additionally, the report sheds light on the most common cyber vulnerabilities present in today’s threat landscape.
In 2022 alone, global cyberattacks increased by 38%, while corporate security budgets have risen significantly over the last few years as a result of the growing sophistication of attacks and the number of cybersecurity solutions introduced into the market. The recent surge in security breaches has led to substantial business losses, including financial and reputational damages.
“CYE’s cybersecurity report should serve as a wake-up call for both private and governmental organizations. While there are some excellent companies doing it right when it comes to cyber preparedness in the relevant industries and countries that we looked at, overall, the picture we get is still far from ideal,” said Reuven Aronashvili, founder and CEO at CYE. “As we continue to face mounting threats, we encourage organizations to invest in capabilities and not tools; perform ongoing and deep assessments to prevent hackers from exploiting vulnerabilities; and develop an integrated approach to cybersecurity with board-level accountability, which is the only way that management will understand the risks and the level of financial investment required to protect a company. The main takeaway from this research is that organizations can achieve a superior maturity posture even without a huge cybersecurity budget, if they plan and spend it right.”
Report highlights include:
On a country level, Norway scored highest on overall cyber maturity level, followed by Croatia and Japan. This can largely be attributed to early cybersecurity adoption in these countries (Norway, for example, introduced its first national cybersecurity strategy in 2003), unified planning by governments and organizations, and advanced regulatory systems, despite these countries not having the larger cyber budgets of the US, UK and Germany, which scored significantly lower. This indicates that big financial investments do not always translate into high maturity levels. Specific reasons for lower maturity may be a lack of proper cybersecurity risk quantification and of strategic planning for maturity.
Among sectors, the energy and financial industries scored highest on cyber maturity level, while healthcare, retail and government agencies scored among the lowest. But the rising number of cyberattacks in the financial sector still poses a threat to financial stability and makes cyber risk a key concern for policymakers. Regulations and concerns of financial loss spur many companies to implement cybersecurity measures, which is why the financial sector, including banks and fintech, scored well. On the other hand, the retail industry scored poorly overall, partly because retail companies have invested in the “second line of defense” – monitoring and response – where they are leading, instead of investing in the “first line of defense”, which is detection and protection.
Surprisingly, the tech industry scored average in overall cyber maturity. This could be explained by the large attack surface of tech companies and the higher risk appetite that tech companies have compared to other sectors. Also, tech companies tend to be early adopters of new technologies that are still maturing and are therefore especially vulnerable to attacks and exploits. Tech companies also tend to grow much faster than companies in other sectors, and maintaining high cyber hygiene during that growth is challenging.
Healthcare ranked very low, meaning that the lack of cyber maturity in this industry could ultimately result in risk to people’s lives and exposure of sensitive data. There are several reasons for the low score, including the reality that Electronic Health Records systems, telemedicine, and the complex interrelationship of insurance companies, practitioners, specialists, patients and others all expose weak spots in the security fabric. Investments in security solutions are spread across multiple unconnected products that do not communicate, and a barrage of alerts and false positives makes it hard for security teams to detect real threats. The cost to discover, mitigate and report attacks, and to recover from reputational damage, is the highest of any industry: an average cost per breached record of $408, with many breaches involving thousands of records.
Small organizations achieved a high cyber maturity score in large part because their more limited attack surface can be managed successfully by a smaller security team. Medium organizations also know that they need to prioritize cybersecurity and generally have the resources to invest in cybersecurity solutions. Growing large organizations, in contrast, have low maturity scores overall, possibly due to the challenges of defending a bigger and more complex attack surface; but as they grow into large enterprise companies (1000 employees or more), we see that they regain control by implementing policies properly and more regularly.
“We are excited to release our findings that put into clear focus the very real need for organizations to shift their approach to cybersecurity, which is critical in this era of increasingly prevalent and sophisticated cyberattacks,” said Nimrod Partush, VP Data Science at CYE. “CYE’s industry-leading data scientists and security researchers have worked hard to collect and analyze this data and glean meaningful insights that will hopefully enable organizations to learn from our recommendations and best practices on how to achieve a better cyber posture.”
The report includes insights obtained from more than 500 companies, of which 20% are small-sized, 19% medium-sized and 61% large-sized. Assessments were conducted across seven security domains: Application Security; Policies, Procedures & Governance; Identity Management; Network Security; Monitoring & IR; Sensitive Data Management; and Endpoint Security.
You can read the full report here.