Closing the Cyber Gap: Business and Security Leaders at Crossroads as Cybercrime Spikes

The accelerating pace of digitalization, fuelled by COVID-19, has led to a record-breaking year for cybercrime.
A new survey reveals a wide perception gap between business executives, who think their companies are cyber resilient, and security leaders, half of whom disagree.
Ransomware attacks were up some 150% in 2021, and more than 80% of experts say it is becoming a threat to public safety.
The report’s key insight is that cybersecurity is no longer a sufficient tactic – building resilience needs to be integrated into an organization’s strategy, especially since it can take 10 months to detect a security breach.

The global digital economy has surged off the back of the COVID-19 pandemic, but so has cybercrime - ransomware attacks rose 151% in 2021. There were on average 270 cyberattacks per organization during 2021, a 31% increase on 2020, with each successful cyber breach costing a company $3.6m. After a breach becomes public, the average share price of the hacked company underperforms the NASDAQ by -3% even six months after the event.

According to the World Economic Forum’s new annual report, The Global Cybersecurity Outlook 2022, 80% of cyber leaders now consider ransomware a “danger” and “threat” to public safety and there is a large perception gap between business executives who think their companies are secure and security leaders who disagree.

While some 92% of business executives surveyed agree that cyber resilience is integrated into enterprise risk-management strategies, only 55% of cyber leaders surveyed agree. This gap between leaders can leave firms vulnerable to attacks as a direct result of incongruous security priorities and policies.

Even after a threat is detected, our survey, written in collaboration with Accenture, found nearly two-thirds would find it challenging to respond to a cybersecurity incident due to the shortage of skills within their team. Perhaps even more troubling is the growing trend that companies need 280 days on average to identify and respond to a cyberattack. To put this into perspective, an incident which occurs on 1 January may not be fully contained until 8 October.

“Companies must now embrace cyber resilience – not only defending against cyberattacks but also preparing for swift and timely incident response and recovery when an attack does occur,” said Jeremy Jurgens, Managing Director at the World Economic Forum.

“Organizations need to work more closely with ecosystem partners and other third parties to make cybersecurity part of an organization’s ecosystem DNA, so they can be resilient and promote customer trust,” said Julie Sweet, Chair and CEO, Accenture. “This report underscores key challenges leaders face – collaborating with ecosystem partners and retaining and recruiting talent. We are proud to work with the World Economic Forum on this important topic because cybersecurity impacts every organization at all levels.”

Chief Cybersecurity Officers kept up at night by three things

Less than one-fifth of cyber leaders feel confident their organizations are cyber resilient. Three major concerns keep them awake at night:

They don’t feel consulted on business decisions, and they struggle to gain the support of decision-makers in prioritizing cyber risks – 7 in 10 see cyber resilience featuring prominently in corporate risk management

Recruiting and retaining the right talent is their greatest concern – 6 in 10 think it would be challenging to respond to a cybersecurity incident because they lack the skills within their team

Nearly 9 in 10 see SMEs as the weakest link in the supply chain – 40% of respondents have been negatively affected by a supply chain cybersecurity incident

Training and closing the cyber gap are key solutions

Solutions include employee cyber training, offline backups, cyber insurance and platform-based cybersecurity solutions that stop known ransomware threats across all attack vectors.

Above all, there is an urgent need to close the gap of understanding between business and security leaders. It is impossible to attain complete cybersecurity, so the key objective must be to reinforce cyber resilience.

Including cyber leaders in the corporate governance process will help close this gap.

Report methodology

Insights for the first annual Global Cybersecurity Outlook 2022 were gathered from four sources: first, a survey of global cyber leaders; second, Cyber Outlook Series sessions conducted by the World Economic Forum throughout 2021; third, multiple interviews with experts and bilateral meetings; fourth, data collected from reports, research and articles published by the World Economic Forum and reputable third parties. Combining all these efforts, the World Economic Forum’s team has consulted with 120 global cyber leaders over the past year.

The 24-question survey was anonymous and non-attributable to respondents or their respective organizations. The Forum’s Cybersecurity Centre hosted Cyber Outlook Series sessions throughout 2021, with a goal of creating opportunities for unique peer-level exchanges on key cybersecurity issues among members of the Cybersecurity Leadership Community.

During 2021’s sessions, the Forum actively engaged more than 120 members of the community. Members take ownership of the series by providing input to the topics, shaping the agenda and engaging actively in the sessions, resulting in the actionable insights shared in this report.

Additional quotes

“We are at a crossroads, a point at which cyber resilience has become the defining mandate of our time – beyond foundational security controls – to anticipate future threats, withstand, recover from cyberattacks, and adapt to likely future digital shocks,” said Algirde Pipikaite, Cybersecurity Strategy Lead, World Economic Forum.

www.weforum.org