Would you rather pay a ransom for ransomware attacks than invest in IT security?
Not even one in two Swiss companies classifies its own critical data as "completely secure". This is a disturbing finding of the latest Risk:Value report from NTT Security. Regardless of this, investments in IT security remain at a comparatively low level. Companies are more willing to accept ransom demands in the event of a ransomware attack.
The Risk:Value Report is produced annually by the market research company Vanson Bourne on behalf of NTT Security. Executives around the world - 1,800 this year - are surveyed on topics related to IT and IT security.
Low investment in IT security
The current survey shows that, at 40%, fewer than half of the decision-makers surveyed in Swiss companies classify all business-critical data as "completely secure". Compared to last year's survey, this represents a drop of 15 percentage points. One reason for this is the continuing low level of investment in IT security. In Switzerland, only a good 15% of the IT budget is invested in information security. The investment volume is significantly lower than in quite a few other corporate areas. Respondents named the following segments as receiving higher investment than information and data security:
- 46% Operation and manufacturing
- 46% Marketing
- 41% Distribution
- 41% Accounting and Controlling
- 32% Research and development
- 25% Human Resources
Ransomware attacks: Better to pay...
The lack of willingness to invest corresponds with another key finding of the study. 23% of the Swiss companies surveyed would rather pay a ransom in the event of a ransomware attack than invest more heavily in information security, as they consider such an approach to be more cost-effective. On a global level, an average of as many as 33% of the companies are prepared to accept demands for payment.
"This result is more than alarming, especially given the unabating threat of ransomware attacks. Our recently unveiled Global Threat Intelligence Report revealed that ransomware accounts for a high 29% of all malware attacks in EMEA," said Kai Grunwitz, Senior Vice President EMEA at NTT Security. "If companies now expect cost benefits from paying ransom, this is more than deceptive in our eyes. And the rude awakening will come sooner or later for many."
The low level of willingness to invest is all the more surprising given that 96% of the companies surveyed in Switzerland were of the opinion that a security incident involving data theft would have serious negative consequences. Loss of customer confidence (52%), damage to reputation (52%) and direct financial losses (45%) were mentioned. The respondents expect an average loss of sales of a good 7% and estimate that it takes more than nine weeks to remedy the damage, incurring costs of more than 1.1 million Swiss francs on average. Swiss companies estimate the costs to be significantly lower than in other countries. The international average is 1.5 million Swiss francs.
Seriousness of the situation still too little recognized?
The high damage potential raises the question of how things stand in terms of incident response. Here, too, not much has really changed compared to the previous year. In Switzerland, only 42% of companies had an incident response plan in place in 2017. However, 21% were already in the implementation process and a further 21% were planning to implement corresponding measures in the near future. However, the current results do not reflect this development; on the contrary. As before, only 42% of the companies have an incident response plan in place. "Unfortunately, the result shows that in many cases it has remained with mere declarations of intent and the seriousness of the situation is still insufficiently recognized, even though numerous security incidents in recent times have actually shown that there is no way around a lived incident response plan. This is because dedicated process and emergency plans are the only way to respond appropriately and, above all, quickly to different IT security incidents. Ideally, specialized incident response tools should be used, for example, a central incident response platform for the systematic and coordinated handling of security incidents with ready-made action plans," says Grunwitz.
Managed security services are gaining in importance
However, from NTT Security's point of view, the investigation also produced positive results. For example, there is a growing awareness that security incidents cannot be ruled out entirely. 57% of respondents have already been the victim of such an incident, and a further 14% have not yet, but expect to be. For this reason, Managed Security Services (MSS) are also gaining significant importance with regard to the implementation of comprehensive cyber security strategies. Although MSS are still being used cautiously at present, the Risk:Value Report shows that around two-thirds of the companies surveyed in Switzerland are currently actively considering MSS solutions or plan to do so in the near future.
Source: www.nttsecurity.com/ch