This article was written by Gérôme Billois, Partner – France, Paris and Clément Jolliet, Manager – France, Paris. The original article was published by Wavestone. You can find the article here.
Against a tense geopolitical backdrop, and with the Olympic Games coming to France in the summer of 2024, businesses will face cyber espionage and cyber attacks from a multitude of malicious actors: cyber criminals, hacktivists and even states. In this context, what is the level of security in the various sectors? What are the strengths and weaknesses of large corporations in terms of cybersecurity? How do they differ from smaller companies?
To answer these questions, we carried out a detailed benchmark based on a field assessment of almost 200 security measures. Over the past 5 years, data from more than 150 organizations, representing nearly 7 million users, has been consolidated and analyzed. The results illustrate how far all companies still have to go, particularly large corporations (over €1 billion in sales; more than 100 such organizations in the database), but also a significant improvement: the latter achieved an overall maturity score of 53%, compared with 52% last year. The score is measured against the requirements of the international standards NIST CSF and ISO 27001/27002.
While the overall level of maturity has risen to 53%, the study nevertheless reveals heterogeneity across sectors. The Finance sector comes out on top with a score of 60%, although there are real differences in maturity between the large banks and the insurers, which are less mature on average. The Luxury Goods and Retail sectors follow with an average score of 52.7%, driven largely by the former and its considerable resources. Next in line is the Industry sector, with a maturity score of 51.3%, reflecting the catch-up efforts made during its digital transformation. With a score of 50.9%, the Energy sector remains slightly above average. The Services sector (50%) rounds out the ranking.
The positive impact of regulation is also visible: companies subject to critical infrastructure security regulations (NIS/LPM) stand out as more mature (57.5% vs 51.7%).
Wavestone handles numerous cyberattacks on behalf of its clients through its incident response team, CERT-Wavestone. The weaknesses most commonly exploited by cybercriminals in those incidents have been identified, and a specific maturity analysis of the corresponding controls has been carried out. This analysis shows that:
In the context of the Olympic and Paralympic Games, the organizations most critical to the success of the Games have been subject to specific supervision by the state and the organizing bodies. But we must not overlook all the other French companies, especially those whose brand is strongly associated with the country, which will certainly also be targets of the usual hacktivist attacks aimed at tarnishing France's image and creating "cyber noise" around the Games.
And for these organizations, the risk is considerable: only 39% of large groups have solutions that protect all their sites against denial of service attacks (flooding a website with traffic until it can no longer serve legitimate users), against 27% of smaller companies, and only 47% have advanced protection solutions for their Internet-facing applications to guard against defacement, the unauthorized modification of website pages.
Recruitment in the cybersecurity sector presents particular challenges. According to ISC2's 2023 workforce study: 4 million positions worldwide remain unfilled for lack of candidates, only 25% of the workforce are women, and the large majority of professionals (92%) report a skills shortage in their organization. To meet these challenges, companies are focusing on individual development through initiatives such as setting up a training catalog, building cyber career paths, or defining clear mobility processes.
In terms of headcount in the organizations evaluated, there is around 1 person dedicated to cybersecurity for every 1,100 employees. This average masks very disparate results. The financial sector, for example, is beginning to reach more meaningful ratios (1 per 267 employees, and a considerably higher density in the largest institutions), but overall this ratio is still too low to meet today's challenges, particularly in sectors such as industry.
Of a company's total IT budget, 6.6% is dedicated to security. This may seem low at first glance, but it rises significantly after a company has suffered a cyber attack, to around 15%.
From a sectoral point of view, the biggest investor is Finance (7.8%), logically enough given the need to comply with the DORA regulation.
Many senior management teams are asking cybersecurity teams to do more with the same resources, forcing them to rationalize their activities (e.g. through near- or offshoring) or to make trade-offs between the risks they address.
Maturity levels were measured against international standards (NIST CSF and ISO 27001/27002) during assessment missions carried out by Wavestone consultants, mainly in the form of interviews with the security managers of the organizations concerned. The sample, as of June 1, 2024, includes over 150 organizations (100 of which have sales in excess of 1 billion euros), representing almost 7 million employees. The data from these individual assessments was then consolidated and analyzed by Wavestone's specialist teams.
Download the Cyber Benchmark 2024 here:
© 2024 Calleo Solutions (Pty) Ltd. All Rights Reserved.