Deloitte surveys: businesses have a false sense of cybersecurity caused by positive self-evaluation of their capabilities and the lack of basic defense efforts

Approximately three quarters of businesses in the financial and consumer sectors have a false sense of cyber security caused by the positive self-evaluation of their capabilities and their lack of basic defense efforts, according to the latest editions of Deloitte Cyber Surveys for the financial and consumer sectors. More than 70% of respondents ranked their cybersecurity level as seven or higher on a maturity scale from zero to ten and only 9% of companies in the financial sector said that they have implemented all four baseline cybersecurity measures, consisting of response plans, self-defense plans, cyber awareness training and cyber hygiene. Also, only four out of ten of the surveyed consumer businesses have a cyber defense strategy, with basic defense efforts being implemented in full or in part.

Operating with a false sense of cyber defense represents a risk for businesses, considering that over 70% of the respondents from financial (72%), consumer (72%) and energy, resources and industrials (79%) sectors perceive an increase in the level of cyber threats in the last two years, the studies highlight. Additionally, compared to other sectors – consumer (24%) and energy, resources and industrials (21%) –, the financial sector (28%) has a higher proportion of respondents indicating that the threat level has remained unchanged over the last two years, the latter being exposed to cyber threats longer than the others, which explains the more mature understanding of the cyber threat landscape.

The survey shows that phishing/malware is considered the biggest cyber risk in the financial sector, as indicated by half of the respondents. The second biggest risk represented by technical vulnerabilities in applications and infrastructure and the third one is data leakage/data integrity. As for the energy, resources and industrials businesses, the lack of security on the supply chain is ranked as the highest threat by 63% of respondents. This is a trend also seen in the consumer sector.

“During the last two years, malware and phishing activities reached the top three most frequent threats in the European Union, as 71% of the organizations and companies have faced malware activities and the rate of phishing fraud rose by 667% in just one month during the COVID-19 pandemic, according to public data. In a growing cyber threat landscape, companies should really consider complex exercises, not relying only on penetration testing or vulnerability scanning. Among the additional efforts that the banking industry should contemplate are the Threat Intelligence-Based Ethical Red-teaming European Union (TIBER-EU) framework published by the European Central Bank, which aims to organize testing similar to a real attack – involving Red Teaming, based on prior Threat Intelligence assessments, and Blue or Purple Teaming exercises -, joint cyber exercises, involving new cyber-physical systems, and integrated technical and strategic elements, enabling companies to practice the entire chain of command in simulating a large-scale cyber incident,” stated Andrei Ionescu, Partner-in-Charge, Consulting and Risk Advisory, Deloitte Romania.

The studies also show the way in which the leadership of the businesses in the financial, consumer and energy, resources and industrials sectors prioritize cybersecurity topics. The top management teams in the financial sector are more focused on such aspects than those in other sectors, the studies emphasize, as 42% of the respondents indicate that cybersecurity is on the leadership agenda monthly or more frequently, compared to 37% of the respondents in the consumer sector and only 30% of the businesses in energy, resources & industrials.