Cybersecurity maturity of large organisations: “Could do better”

« Prevention is better than cure. » One might think that with the countless cyberattacks that have been in the news for months, this saying would have found a fair echo among large French organisations, prime targets for cybercriminals. However, as the benchmark shows, it is often only when confronted with this problem that organisations become aware of the investments they need to make to ensure a certain level of security.

« The cybersecurity budget represents an average of 6.1% of a company’s overall IT budget, with very wide variations, » says Gérôme Billois, partner at Wavestone. In some organisations, which have hardly tackled the subject of cybersecurity, it is around 1%, while in others, which have suffered cyberattacks, it can reach up to 18%. In the year the organisation was attacked, investments skyrocket and often continue in the following years, because mechanically, it is necessary to upgrade. »

According to him, the organisation’s general management often takes advantage of this. « Their logic is not to cut off heads but to say, ‘Never again’ and ‘Secure us whatever it costs’, » he explains. Other factors also influence cybersecurity investments: a neighbouring organisation that has been the victim of a cyberattack, the pandemic that has helped organisations decide to secure all remote access systems, and finally the conflict between Ukraine and Russia. « Many companies are in crisis mode and are isolating Russian and Ukrainian subsidiaries for fear of a spillover of attacks or are tightening the screws on security measures that were not fully up to speed, » says Gérôme Billois.

The complex reconstruction

Ransomware is the most common type of attack. « Cybercriminals will first enter information systems, steal data and block the systems, then demand a ransom to unblock the IS or to stop the leak of the victim’s data, » explains Clément Jolliet, senior consultant at Wavestone. They currently use a double extortion strategy to increase the pressure on victims. The professionalisation of cybercriminals is quite impressive. »

However, today, only 5% of organisations will pay the ransom. « Many regulators and states have said that everyone should stop paying these ransoms because they finance cybercrime. Anyhow, companies have realised that—whether they pay or not—they have ultimately lost confidence in their IS, » says Clément Jolliet. « And in any case, they will still be obliged to carry out all the reconstruction and threat research operations in their information systems. » Wavestone’s benchmark notes that for organisations, the ability to rebuild following a cyberattack remains the most complex subject to deal with (score of 40 out of 100) in the cybersecurity value chain (Identify, Protect, Detect, Respond, and Recover).

The regulatory stick

Based on a field assessment of more than 180 security measures, the benchmark has been carried out over the past three years with more than 75 very large organisations—two-thirds of which employ more than 10,000 people—mostly in the form of one-to-one interviews with the organisations’ security managers (CISOs).

« The level of maturity was calculated on the basis of international standards—in this case the NIST standard, the CSF Framework and the ISO 27001/27002 standards, » explains Gérôme Billois. However, the overall maturity score of 46 out of 100 hides a strong disparity between the sectors of activity of the organisations. » Finance is leading the way with a score of 54.4 out of 100, followed by energy (51.8) and industry (44.8). Services and the public sector come last. Although they are aware of the risks, they are struggling to identify the necessary investments. The benchmark shows that 30% of large organisations remain very vulnerable to a potential ransomware attack.

But legislation can have a positive impact on the level of cybersecurity in organisations. « Some sectors of activity are governed by regulations that oblige organisations to protect themselves, » notes Clément Jolliet. The military programming law, in particular, identifies certain operators called of vital importance to the state, for example in the energy and financial services sectors. These operators must implement specific compliance measures on their information systems of vital importance which are verified by the state. »