With the frequency and scope of serious cyberattacks on the rise, nearly three quarters of organizations (73 percent) globally cannot identify and fully protect their corporate high-value assets and processes, finds a new analysis from Accenture. According to the newly released Accenture Security Index, only one in three organizations (34 percent) have the ability needed to monitor for threats to critical parts of their business.
“A turning point has been reached for cybersecurity. While organizations have improved their security over the last few years, progress has not kept pace with the sophistication of highly motivated attackers,” said Kelly Bissell, managing director of Accenture Security. “A new approach is clearly needed. One that protects the organization from the inside out and across the entire industry value chain—from the wellhead to the oil pump. And the start of this must be a new, more comprehensive definition of what constitutes cybersecurity success based on impact to the business.”
To gauge the effectiveness of current enterprise security efforts and the adequacy of their existing investments, Accenture surveyed 2,000 top enterprise security practitioners representing companies with annual revenues of $1 billion or more. The results of this survey were analyzed in collaboration with Oxford Economics to develop the Accenture Security Index, which aggregates scores across 15 countries and 12 industries, making it possible to compare the relative ability of organizations to protect themselves from cyberattacks. The index is based on a comprehensive model measuring 33 specific cybersecurity capabilities. It provides a new benchmark to determine what high-performance security looks like and what it takes for organizations to establish cybersecurity success.
Country-Level Performance Weak Across Important Capabilities
· Globally, the average organization has high performance in 11 of the 33 cybersecurity capabilities analyzed. At the top end of the scale, only 9 percent of organizations managed to achieve high performance in more than 25 of the 33 cybersecurity capabilities.
· In the UK, which tops the country roster along with France for cybersecurity performance, the average organization achieved high performance in 44 percent (15 out of 33) of the capabilities.
· The UK ranks highest overall for cooperation with third parties during crisis management (52 percent) and communication of cyber incidents as part of business alignment (55 percent).
· In comparison, Spain ranks at the bottom of the performance list, with companies claiming high performance in only 22 percent (seven of 33) of the cybersecurity capabilities.
· The US is fifth on the list, with the typical company having high performance in 12 of the 33 capabilities. In line with its overall ranking, the US has average performance across the remaining cybersecurity capabilities, with the exception of governance and leadership, where it ranks second overall in creating a security-minded culture (53 percent) and cooperation with third parties during crisis management (42 percent).
A Surprising Degree of Variation in Industry-Level Performance
· Communication companies have the highest performance in 11 capabilities including the protection and recovery of key assets (49 percent) and monitoring for business-relevant threats (47 percent).
· Banking organizations have the highest performance in eight capabilities including “what-if” threat analysis (47 percent) and third-party cybersecurity in their extended business ecosystem (44 percent).
· High technology companies rank highest in seven capabilities including the ability to create a security-minded culture (54 percent) and recovering from cyber incidents (48 percent).
· Life Sciences organizations are bringing up the rear with an overall ranking of only 19 percent, meaning organizations exhibited high performance in only six capabilities on average.
· Life Sciences organizations also rank lowest in all but one of the 33 cybersecurity capabilities, including the ability to ensure stakeholder involvement (12 percent) and design for the protection of key assets (13 percent).