62% of companies spend less than 5% of their IT budget on cybersecurity…
(Boursier.com) — A new PAC study reveals that 41% of French companies are less mature in terms of cybersecurity than they think… Although 53% of French companies surveyed consider their level of maturity in cybersecurity to be high, this perception does not reflect the reality on the ground because many of them do not have the necessary measures and systems in place to achieve it.
For example, it is surprising to find that 14% of companies that said they had a very high level of cybersecurity maturity did not have a cybersecurity strategy in place.
In addition, the Comex’s involvement in decision-making regarding cybersecurity remains weak: only 41% of companies that have implemented a cybersecurity strategy decide on it at the level of general management and the COMEX… The lack is even more apparent in terms of regular monitoring because only one CISO (Information Systems Security Manager) out of five reports to the Comex or to general management. The involvement of the Comex is however a sine what not condition to align the company’s strategy in terms of cybersecurity with the “business” and trade issues…
The budget dedicated to cybersecurity also remains quite limited… Thus, 62% of companies spend less than 5% of their IT budget on cybersecurity. However, awareness is also there. A large majority of the companies surveyed have planned to make up for this delay in investment and wish to increase their budget dedicated to cybersecurity in the next two years, including 52% with an increase of more than 10%.
Raising employee awareness and training is a key prevention measure, implemented by 65% of companies surveyed. This shows that companies are aware of the importance of the human factor in terms of cybersecurity. However, the effectiveness of this training depends on employees’ willingness to adhere to good practices and the resistance to change among employees is one of the main challenges faced by the companies surveyedjust behind the complexity of the IT landscape and the shortage of talent…
The survey also highlighted gaps in the implementation of essential technologies… For example, the governance, risk and compliance systems (GRC – Customer Relationship Management), essential to the both for regulatory compliance and for the good image of companies, were put in place by about one in two companies. It’s the same for cloud security measures implemented by only 44% of companies surveyed.
The situation is even less encouraging with cutting-edge cybersecurity devices such as next-generation SOCs (Security Operations Centers), zero trust (SASE – Secure Access Service Edge, microsegmentation) and a generalized, multi-factor “passwordless” approach ( MFA) and contextual… Less than a third of the companies surveyed have implemented one. It is quite surprising to note that the companies which have not planned to implement these solutions explain it by the lack of added value of these devices, while the companies which have implemented them emphasize the many benefits that they could see. This explains the importance of the awareness-raising work that publishers and service providers must do on the essential nature of these solutions for their customers.
Despite this, there is a global shift in approaches to cybersecurity. Aware that perfect cybersecurity does not exist, more and more companies are thinking in terms of cyber resilience. As our survey results show, approximately one in two companies has implemented crisis management and cyber resilience systems. Service providers have a key role to play in helping companies better understand their cybersecurity maturity and support them towards the desired level.
“Cyber threats and cyberattacks generate legitimate concern about an organization’s ability to maintain its activities, protect its secrets and preserve its employees and customers. In response, cybersecurity has become a crucial issue to ensure the sustainability activities, sovereignty and independence of the organization. This study highlights the major cybersecurity challenges and issues that organizations face and sheds light on their lack of maturity in setting up a system allowing to reach an acceptable level of risk with regard to its exposure. As long as this subject is not sufficiently taken into consideration by the COMEX with means and dedicated attention, the threats hanging over organizations can prove to be devastating” concludes Fabien Lecoq, Cybersecurity Director Sopra Steria.