04 June 2018

One third of business decision makers would pay hacker’s ransom demands rather than invest in more security, NTT Security Risk:Value report reveals

Levels of security confidence unrealistic as almost half claim they have not been affected by a breach

One third of global business decision makers report that their organization would try to cut costs by paying a ransom demand from a hacker rather than invest in information security. The findings from the latest Risk:Value report, commissioned by NTT Security, the specialized security company of NTT Group, show that a further 16 percent are not sure if they would pay or not, leaving just half of respondents prepared to invest in security and take a less reactive approach to the protection of their organization.

Examining business attitudes to risk and the value of information security, NTT Security’s annual Risk:Value report surveys C-level executives and other decision makers from non-IT functions in 12 countries across Europe, the US and APAC and from across multiple industry sectors.

The findings are particularly concerning, given the growth in ransomware, as identified in NTT Security’s Global Threat Intelligence Report (GTIR)* published in April. According to the GTIR, ransomware attacks surged by 350 percent in 2017, accounting for 7 percent of all malware attacks worldwide, while in EMEA, ransomware represented 29 percent of all attacks in the region.

Confidence levels and estimated costs of a breach
Levels of confidence about being vulnerable to attack also seem to be unrealistic, according to Risk:Value. Around half of respondents (47 percent) claim that their organization has not been affected by a data breach, although of these 14 percent expect to suffer one, while a third do not expect to suffer from a breach at all. More worrying is the 12 percent globally who are not sure, an average driven up by the one in five (22 percent) in the UK who do not know if they have suffered a breach or not.

When it comes to the impact of a breach, respondents are most concerned about what a data breach will do to their image, with more than half concerned about loss of customer confidence (56 percent) and damage to reputation (52 percent).

The financial losses from a breach come second after image, according to the report. The estimated loss in terms of revenue is 10.29 percent on average, up from 2017’s 9.95 percent, although executives in Europe are more optimistic, expecting lower revenue losses than those in the US or APAC. The estimated cost of recovery has increased to $1.5m, up from $1.3m in 2017 and $900k in 2015, while encouragingly respondents anticipate it would take 57 days to recover, down from 74 days in 2017.

Whose responsibility is it anyway?
According to the 2018 Risk:Value report, there is no clear consensus on who is responsible for day to day security, with 22 percent of respondents saying the CIO is responsible, compared to 20 percent for the CEO and 19 percent for the CISO. This suggests that no single role is stepping up to the plate.

One area of consensus, however, is the need for regular boardroom discussions about security, with 81 percent of respondents agreeing that preventing a security attack should be a regular item on the Board’s agenda, up from 73 percent last year. But only 61 percent admit it is, a marginal increase from 56 percent in 2017.

How prepared are organizations?
Respondents this year estimate that the operations department spent more of its budget on security (17.84 percent on average) than the IT department did (14.32 percent on average) – for the second year in a row. In fact, IT spent less of its budget on security this year than in 2017 (14.58 percent).

Year on year, the NTT Security Risk:Value report shows that companies are still failing when it comes to communicating information security policies. More than half (57 percent) claim to have a policy in place, just 1 percent up from last year, while 26 percent are working on one. While 81 percent of respondents with a policy in place say this is actively communicated internally, just 39 percent admit that employees are fully aware of it.

Comparing this year’s figures to 2017, it appears that organizations are also failing to progress their incident response plans. Less than half (49 percent) say they have implemented a plan, with a further 30 percent in the process, a change from 48 percent and 31 percent respectively in 2017. This suggests that just 1 percent have finished a response plan since last year.

Stuart Reed, Senior Director Market Strategy at NTT Security comments: “This year’s report suggests that many organizations are falling into the trap of making the same mistakes when it comes to effectively communicating their security policies internally and progressing their response plans in the event of a breach. Many are stuck in a reactive mindset when it comes to security. This is reinforced by the fact that more than a third would rather pay a ransom demand than invest in cybersecurity, especially given the rise in ransomware detections and global headline-grabbing incidents like WannaCry.

“But we are encouraged by the fact that the majority of respondents are prepared to take a long-term, proactive stance when it comes to security, and are supportive of it becoming a regular discussion item at the Board level. The fact that more businesses are also looking to work with third party providers to support them in their security efforts is also a very positive step.”

For further information on NTT Security’s 2018 Risk:Value report and to download a copy, visit: nttsecurity.com/risk-value-2018


Notes for editors:

For a PDF of the 2018 Risk:Value Report or a copy of the global/UK infographic, images or further information/stats, please contact: nttsecurity@origincomms.com.

* To learn more about the NTT Security 2018 Global Threat Intelligence Report (GTIR), visit: nttsecurity.com/gtir  

Research demographics

Commissioned by NTT Security, the 2018 Risk:Value report research was conducted by Vanson Bourne in February and March 2018. 1,800 non-IT business decision makers were surveyed in the US, UK, Germany, Austria, Switzerland, France, Benelux, Sweden, Norway, Hong Kong, Singapore and Australia. Predominately, organizations had more than 500 employees and were selected across a number of core industry sectors. 
About Vanson Bourne

Vanson Bourne is an independent specialist in market research for the technology sector. Their reputation for robust and credible research-based analysis, is founded upon rigorous research principles and their ability to seek the opinions of senior decision makers across technical and business functions, in all business sectors and all major markets. For more information, visit www.vansonbourne.com.
About NTT Security

NTT Security is the specialized security company and the center of excellence in security for NTT Group. With embedded security we enable NTT Group companies  to deliver resilient business solutions for clients’ digital transformation needs.  NTT Security has multiple SOCs, seven R&D centers, over 1,500 security experts and handles hundreds of thousands of security incidents annually across six continents.
NTT Security ensures that resources are used effectively by delivering the right mix of Managed Security Services, Security Consulting Services and Security Technology for NTT Group companies – making best use of local resources and leveraging our global capabilities.  NTT Security is part of the NTT Group (Nippon Telegraph and Telephone Corporation), one of the largest ICT companies in the world.  Visit nttsecurity.com to learn more about NTT Security or visit www.ntt.co.jp/index_e.html