Driving Cybersecurity Performance is the latest global research initiative to be released by ESI ThoughtLab, Econsult Solutions' thought leadership arm. The study includes an in-depth global survey of CISOs in companies spanning the Americas, Europe, and Asia Pacific and represents firms of varying sizes, from $50 million to over $50 billion in revenue. Full findings are now publicly available by visiting the Driving Cybersecurity Performance microsite.
ESI ThoughtLab would like to give special thanks to our program sponsors including Verizon Business, KnowBe4, Arceo.ai, Optiv, Fiserv, Check Point Software Technologies and Cowbell Cyber. Without their active participation on our advisory board, and in-depth knowledge of cybersecurity best practices, this program would not have been possible.
Digital innovation is a double-edged sword: while essential for driving performance in today's interconnected world, it exposes firms to greater cybersecurity risks. Although firms have made major improvements in cybersecurity, there is more to be done. CISOs need to revise their cybersecurity strategies to encompass proactive prevention along with a deep understanding of the risks their companies face and the heightened nature of today's sophisticated cyberattacks. To help CISOs do that, ESI ThoughtLab worked with a coalition of cybersecurity, cyber insurance, and technology experts from leading companies and associations to answer a central question: How can firms drive the best cybersecurity performance in today's complex digital world?
To conduct the cybersecurity analysis, ESI ThoughtLab's team of economists and digital specialists used a rigorous, mixed-methods research approach that included the following elements:
Digital transformation continues to expose companies to new risks and vulnerabilities as they adopt emerging technologies, digital processes, and new business models. The COVID-19 pandemic is accelerating these trends as companies embrace remote working and rethink supply chains, while consumers ramp up their use of digital shopping and banking, as well as remote medicine, communication, and entertainment.
To cope, companies are investing more in cybersecurity, with an average increase of 12% in 2019 and 14% targeted for 2020, although these budgets may change as the pandemic plays out. In 2019, the companies in our sample spent about $9.6 million each on cybersecurity, about $515 per employee. Cybersecurity leaders, those firms most advanced in cybersecurity effectiveness and compliance, spent far more: $15 million, or about $618 per employee. The largest share of investment budgets went to technology (39%), followed by people (32%) and process (28%). This spending pattern held relatively constant across companies of different sizes, industries, and cybersecurity maturity.
On average, firms see an overall ROI of 179% from their cybersecurity investments. Measured as (benefits minus cost) divided by cost, that means every dollar invested returns almost $2 in net benefit on top of the dollar itself, or roughly $2.80 in gross benefits. ROI ranges from 271% for investments in people, to 156% for process, and 129% for technology. The least cyber-mature firms realize the highest ROI, since they have the most to gain, and returns diminish as firms become more cyber mature. In all, the additional cybersecurity spending last year by the 1,009 firms we surveyed, which amounted to $1.4 billion, has enabled them to reduce their combined potential losses by an estimated $3.9 billion (a gross return of about 2.8 times the spend, consistent with the 179% figure).
Despite their investments, our survey respondents lost $4.1 billion from cyberattacks in the most recent year, an average of $4.1 million per firm. The losses stemmed from 28,100 successful breaches, averaging about $330,000 per breach. While the lion's share of these breaches was minor (meaning they affected only a small number of people and machines), about 20% of breaches were moderate and about 1% were material, defined as generating a substantial loss and requiring disclosure. Insurance and financial firms suffered the most attacks, and financial, retail, hospitality, and automotive firms sustained a disproportionate number of material breaches.
Even before the COVID-19 pandemic, the greatest losses came from malware (cited by 66% of firms), phishing/social engineering (60%), and password/credential reuse (49%). Cyber criminals were seen as the biggest threat actors. As business goes more digital over the next two years, executives also expect an increase in attacks through artificial intelligence (38%), denial of service (34%), and web applications (29%). With geopolitical and social unrest growing, and greater economic volatility ahead, firms are bracing for a rise in cyber terrorism and attacks from nation-states. For many CISOs, the challenge will be how to do more with potentially less, if budgets are streamlined in the post-pandemic aftermath.
Adding to the complexity, companies have tended to underestimate their exposure to breaches. While the average firm in our study assigns a 45% probability to experiencing a moderate or material breach in 2020, our analysis shows a much higher probability, ranging from 62% to 86%.
To reduce breach probabilities, CISOs must go well beyond compliance with cybersecurity frameworks such as NIST, ISO, and others. Compliance alone is not a reliable indicator of effectiveness: only 64 of the 151 companies (42%) that evaluated themselves as NIST compliant are rated as leaders in their cybersecurity practices in the study. Rather than applying NIST as a box-ticking exercise, cybersecurity leaders align such frameworks with their business goals, strategies, and individual risk profiles. They also combine analysis from advanced quantitative tools with input from internal business partners and third-party experts to make the best decisions.
During his more than 35 years of research, marketing, and publishing work, Lou Celi has helped top organizations build their businesses by engaging corporate and government decision makers. Prior to setting up ESI ThoughtLab, Mr. Celi was board director and president of Oxford Economics, where he built the firm's successful business in the Americas and set up its global thought leadership practice.
Daniel Miles is the Chief Economist for ESI ThoughtLab, Econsult Solutions' thought leadership arm. Prior to joining ESI, Dr. Miles was a senior economist in the New York office of Oxford Economics, where he led a multinational team of economists based in New York, Belfast, and London.