UK organizations are failing to make progress towards strong cybersecurity and are facing paralysis as cybercriminals become more advanced. This is the conclusion drawn from the findings of the 2019 Risk:Value report – ‘Destination standstill. Are you asleep at the wheel?’ – from NTT Security, the specialized security company and center of excellence in security for NTT Group.

Examining the attitudes of 2,256 non-IT decision makers to risk and the value of security to the business, NTT Security’s annual Risk:Value report researches C-level executives and other senior decision makers across 20 countries in the Americas, Asia Pacific and Europe, including the UK, and from across multiple industry sectors.

Impact of cyber attacks on businesses

Almost all respondents in the UK believe that strong cybersecurity is important to their business over the next 12 monthsUK respondents are aware of the risks posed by cyber threats, with over half (54 per cent) ranking cyber attacks on their organization as one of the top three issues that could affect businesses in the next 12 months – second only to ‘economic or financial crisis’ (56 per cent). While global organizations rank ‘loss of company data’ in third place, in the UK, 44 per cent believe that cyber attacks on critical infrastructure is a far greater threat. Of the most vulnerable components of critical national infrastructure, telecoms, energy and electricity networks take first, second and third place.

Almost all (90 per cent) respondents in the UK believe that strong cybersecurity is important to their business over the next 12 months, compared to 78 per cent who say the same about ‘growing revenue and profit’, while 93 per cent believe cybersecurity has a big role to play in society.

According to the report, strong cybersecurity allows UK organizations to ‘ensure the integrity of their data’ (58 per cent) and ‘ensure only the right people have access’ to this data (56 per cent), while around half say it ‘helps protect the brand’.

Good and bad practice in cybersecurity

Businesses in India, a new country to the research, are now the best performing in the world for cybersecurityFor each organization in the research for the last two years, NTT Security has analyzed the responses for good and bad practice in cybersecurity, with good practice awarded positive scores and bad practice awarded negative scores. The results show a worrying lack of progress globally: in 2019 as in 2018, the average score was just +3, meaning that there is nearly as much bad practice as good practice. Thirty-two per cent of businesses score less than zero: that is, they are exhibiting more bad practice than good practice.

Businesses in India, a new country to the research, are now the best performing in the world for cybersecurity, ahead of the UK. The performance of organizations in France, Germany and Singapore has worsened in the last year, as has the performance of the financial services, telecommunications, chemicals, pharmaceuticals, oil and gas and private healthcare sectors, placing doubt on the robustness of critical national infrastructure.

Areas where UK organizations are stalling

  • Paying cybercriminals: A third (33 per cent) of UK respondents say that they would rather pay a ransom to a hacker than invest more in security because it would be cheaper, a significant rise of 12 per cent over 2018’s Risk:Value report. In addition, 34 per cent said they would rather pay a ransom to a hacker than get a fine for non-compliance of data regulations.
  • Budgets: Security budgets in the UK are potentially failing to keep up with increasing cyber risk, with the percentage of IT budget attributed to security (15 per cent) in line with the global average. The percentage of operations budget spent on security has fallen by around 1 per cent since 2018, to 16.5 percent in 2019.
  • GDPR compliance: Just 30 per cent globally believe they are subject to GDPR, a year on from the deadline, despite it affecting all organizations that have operations or customers in any European Union member state. The UK is a more respectable 48 per cent – still behind Spain (55 per cent) and Italy (50 per cent).
  • Internal security policies: Businesses are still failing to be proactive internally. At a global level, 58 per cent have a formal information security policy in place, just 1 per cent up over last year. While the UK shows an impressive 70 per cent with a policy in place, this is down on last year’s 77 per cent. Less than half (47 per cent), however, admit that their employees are fully aware of such a policy.
  • Incident response plans: In 2019, 60 per cent of UK organizations have an incident response plan in place in the event of a security breach, a 3 per cent drop. However, this is still above the global average of 52 per cent and among the highest figures across all 20 countries.
  • Blaming IT: Around half (44 per cent) of UK respondents believe cybersecurity ‘is the IT department’s problem and not the wider business’, which is in line with the global average of 45 per cent. While Swedish organizations are most likely to blame IT (60 per cent), Brazil is least likely (28 per cent) to do so.

Time spent on recovery from cyber breach

The cost of recovering from a breach is estimated to be $1.2 million in the UK, matching the global averageThe 2019 Risk:Value report reveals that the time spent on recovering from a cyber breach continues to rise year on year, with UK respondents estimating that it will take 93 days on average to recover. The UK figure is a significant rise of nearly double over last year’s estimated 47 days. The UK now ranks as one of the highest figures globally compared to one of the lowest in 2018.

The cost of recovering from a breach is estimated to be $1.2 million in the UK, matching the global average. Notably in the Nordics, costs are predicted to be much higher, with Norway at $1.8 million and Sweden in first place with expected recovery costs for a business suffering a breach of $3 million. Oil & Gas is the industry sector having to spend the most on recovery efforts to the tune of $2.3 million.

The estimated loss in revenue in percentage terms is up year on year in the UK – 12.9 per cent, up from 9.7 per cent in 2018, and in line with the global average of 12.7 per cent.

Integration of new technologies

The execution of cybersecurity strategies must improve or business risk will escalate for the organisations concerned"Commenting on the 2019 findings, Azeem Aleem, VP Consulting, NTT Security, says: “The Risk:Value report is an interesting barometer based on responses from those sitting outside of the IT function – and is often very revealing. What’s clear is that the world around them is changing, and changing fast, with the introduction of new regulations, integration of new technologies and fast-paced digital transformation projects changing the way we work.

"What’s concerning though is that organizations seem to have come to a standstill in their journey to cybersecurity best practice – and it’s particularly worrying to see UK businesses falling behind in some critical areas like incident response planning.

Decision makers clearly see security as an enabler; something that can help the business and society in general. But while awareness of cyber risks is high, organizations still lack the ability, or perhaps the will, to manage them effectively. The execution of cybersecurity strategies must improve or business risk will escalate for the organizations concerned.

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version

In case you missed it

COVID-19 Worries Boost Prospects Of Touchless Biometric Systems
COVID-19 Worries Boost Prospects Of Touchless Biometric Systems

Spread of the novel coronavirus has jolted awareness of hygiene as it relates to touching surfaces such as keypads. No longer in favor are contact-based modalities including use of personal identification numbers (PINs) and keypads, and the shift has been sudden and long-term. Both customers and manufacturers were taken by surprise by this aspect of the virus’s impact and are therefore scrambling for solutions. Immediate impact of the change includes suspension of time and attendance systems that are touch-based. Some two-factor authentication systems are being downgraded to RFID-only, abandoning the keypad and/or biometric components that contributed to higher security, but are now unacceptable because they involve touching. Touchless biometric systems in demand The trend has translated into a sharp decline in purchase of touch modality and a sharp increase in the demand for touchless systems, says Alex Zarrabi, President of Touchless Biometrics Systems (TBS). Biometrics solutions are being affected unequally, depending on whether they involve touch sensing, he says. Spread of the novel coronavirus has jolted awareness of hygiene as it relates to touching surfaces such as keypads “Users do not want to touch anything anymore,” says Zarrabi. “From our company’s experience, we see it as a huge catalyst for touchless suppliers. We have projects being accelerated for touchless demand and have closed a number of large contracts very fast. I’m sure it’s true for anyone who is supplying touchless solutions.” Biometric systems are also seeing the addition of thermal sensors to measure body temperature in addition to the other sensors driving the system. Fingerscans and hybrid face systems TBS offers 2D and 3D systems, including both fingerscans and hybrid face/iris systems to provide touchless identification at access control points. Contactless and hygienic, the 2D Eye system is a hybrid system that combines the convenience of facial technology with the higher security of iris recognition. The system recognises the face and then detects the iris from the face image and zeros in to scan the iris. The user experiences the system as any other face recognition system. The facial aspect quickens the process, and the iris scan heightens accuracy. TBS also offers the 2D Eye Thermo system that combines face, iris and temperature measurement using a thermal sensor module. TBS's 2D Eye Thermo system combines face, iris and temperature measurement using a thermal sensor module Another TBS system is a 3D Touchless Fingerscan system that provides accuracy and tolerance, anti-spoofing, and is resilient to water, oil, dust and dirt. The 2D+ Multispectral for fingerprints combines 2D sensing with “multispectral” subsurface identification, which is resilient to contaminants and can read fingerprints that are oily, wet, dry or damaged – or even through a latex glove. In addition, the 3D+ system by TBS provides frictionless, no-contact readings even for people going through the system in a queue. The system fills the market gap for consent-based true on-the-fly systems, says Zarrabi. The system captures properties of the hand and has applications in the COVID environment, he says. The higher accuracy and security ratings are suitable for critical infrastructure applications, and there is no contact; the system is fully hygienic. Integration with access control systems Integration of TBS biometrics with a variety of third-party access control systems is easy. A “middleware” subsystem is connected to the network. Readers are connected to the subsystem and also to the corporate access control system. An interface with the TBS subsystem coordinates with the access control system. For example, a thermal camera used as part of the biometric reader can override the green light of the access control system if a high temperature (suggesting COVID-19 infection, for example) is detected. The enrollment process is convenient and flexible and can occur at an enrollment station or at an administration desk. Remote enrollment can also be accomplished using images from a CCTV camera. All templates are encrypted. Remotely enrolled employees can have access to any location they need within minutes. The 3D+ system by TBS provides frictionless, no-contact readings even for people going through the system in a queue Although there are other touchless technologies available, they cannot effectively replace biometrics, says Zarrabi. For example, a centrally managed system that uses a Bluetooth signal from a smart phone could provide convenience, is “touchless,” and could suffice for some sites. However, the system only confirms the presence and “identity” of a smart phone – not the person who should be carrying it. “There has been a lot of curiosity about touchless, but this change is strong, and there is fear of a possible second wave of COVID-19 or a return in two or three years,” says Zarrabi. “We really are seeing customers seriously shifting to touchless.”

How To Use Threat Intelligence Data To Manage Security In The Age Of COVID-19
How To Use Threat Intelligence Data To Manage Security In The Age Of COVID-19

COVID-19 has already had a huge impact on the global economy. According to Statista, GDP growth globally will drop from around 3% to 2.4% - equivalent to a drop of around $35 trillion worldwide. In sectors like oil and gas, the impact is particularly acute: IHS Markit predicted that the reduction in oil consumption due to COVID-19 has led to a first-half surplus of 1.8 billion barrels of crude oil. The macroeconomic trends around these worldwide sectors point to harsher economic conditions and recession. For companies in the oil and gas sector running complex operations around the world, this will lead directly to tougher trading environments and a lot of necessary belt-tightening when it comes to costs around operations. Indirectly, the potential recession could cause more civil unrest and security threats for them as well. To cope with these potential challenges, companies will have to look at how they can maintain security for their operations and prevent risks as much as possible. Taking a contextual approach to physical security With these two goals in mind, looking at threat intelligence data should be considered. Threat intelligence refers to a set of data that can be used to judge current and future trends around risks, from everyday crime or political changes through to larger events like civil unrest, terrorism or the current pandemic. Based on data around these issues, companies can make better decisions on how they invest and manage their security posture in advance. Behind this overall approach, however, there are a significant number of moving parts that have to be considered. This includes where the data comes from, how it is used, and who is using the data. Companies can make better decisions on how they invest and manage their security posture The first consideration for threat intelligence is where data comes from. Typically, companies with large oilfields or refinery operations will have large investments in physical security to protect these environments, and part of this spend will include intelligence on local market, political and security conditions. Using this forecast data, your security leadership team can ensure that they have the right resources available in advance of any particular problem. This data can come from multiple sources, from social media data and crowdsourced information through to government, police and private company feeds. This mass of information can then be used to inform your planning and decision making around security, and how best to respond. However, one issue for oil and gas companies with distributed operations is how much data they have to manage over time. With so many potential sources of information all feeding back in real time, it’s hard to make sense of what comes in. Similarly, companies with international teams may have different sets and sources of data available to different parts of their organizations - while each team has its own view of what is going on, they may be missing out on contextual data from other sources held by neighbouring teams or by the central security department. Without a complete picture, it is easy to miss out on important information. Making threat intelligence smarter To solve this problem - and to reduce the costs around managing threat intelligence data - centralizing your approach can make it easier to provide that context to all your teams and stakeholders. Rather than letting each team set up and run their own threat intelligence approach, centralizing the data and letting each team use this can reduce costs. More importantly, it can improve the quality of your threat intelligence approach overall. By applying a combination of algorithms and security analysts to evaluate threat intelligence centrally, you can improve the quality of the data that you have coming into the organization in the first place. This approach provides higher quality data for decision making. However, a centralized approach is not enough on its own. Local knowledge and analysis is always useful. Consequently, alongside any centralization approach you have to have better filtering and search capabilities, otherwise you risk teams not being able to get the information that is particularly relevant and timely to them. This approach of bringing together centralized management of data feeds with more powerful tools for local teams to find what they want and get that access in real time represents the best of both worlds. Planning ahead Scenarios vary from a best case return to pre-crisis revenues of $50 to $60 per barrel by 2021 or 2022 According to consultancy firm McKinsey, the oil and gas sector faces an enormous challenge over the next few years. Scenarios vary from a best case return to pre-crisis revenues of $50 to $60 per barrel by 2021 or 2022, through to a worst case scenario where demand never returns and the industry has to undertake managed decline around some assets and look for new market opportunities in others. Whatever scenario plays out in the real world, security for existing assets will be a continued requirement. Planning ahead using threat intelligence data will be essential whatever happens. To help reduce costs and improve data quality, centralizing this approach will help. Without this mix of global oversight and local detail, companies will find their operations hampered and wrong decisions are made. It’s only by applying threat intelligence data in the right context that security teams will be able to keep up with the challenges of the future.

What Are the Security Challenges of the Oil and Gas Market?
What Are the Security Challenges of the Oil and Gas Market?

Protecting the oil and gas market is key to a thriving economy. The list of security challenges for oil and gas requires the best technology solutions our industry has to offer, from physical barriers to video systems to cybersecurity. We asked this week’s Expert Panel Roundtable: What are the security challenges of the oil and gas market?