With this Barometer our goal is to assess the reality of cybercrime as it affects our peers. Yet it is clear that when investments are properly made and qualified people are in charge of dealing with the issue, the situation changes drastically.
The diversity of CESIN members, who range from French large caps to intermediate-sized companies, with a few SMEs (11% of this year’s respondents), and come from all business sectors, is undeniable proof of this barometer’s representativeness.
It is now generally accepted that cyber risk is systemic: a fact of life generated by an “all-digital” world and by the digital transition of businesses, which has been well underway for several years now. Nothing really works without computers anymore. This is why the CESIN’s Barometer increasingly focuses on the resilience of companies. How do we cope when nothing works due to a cyberattack?
One of the study’s first findings is that cyberattacks are down. They now affect fewer than one in two companies surveyed. In order to distinguish between “attempted attacks” and “successful attacks”, CESIN requests that its members only account for successful attacks that had significant consequences on victims. In regard to ransomware, which is also declining, the results are the same.
Phishing, a “main attack vector”
However, this does not mean cybercrime is any less intense, as the threat is just as present. Indeed, 24% of businesses that declared an attack in 2022 consider the phenomenon to be on the rise. As for attack vectors, they remain unfortunately stable year after year, with phishing one of the most frequent vectors. In fact, 74% of respondents cite phishing as one of the main attack vectors.
Exploiting residual vulnerabilities is high up in the rankings (45%). This is not a surprise, considering the exponential growth of software vulnerabilities, the management of which has become a headache for CISOs. The latter must develop genuinely industrialized processes to deal with them.
Another noteworthy scourge that is on the rise: attacks that pivot through subcontractors (24%). This third-party risk has multiplied in recent years, as outsourcing becomes the norm in IT. It is often much easier to reach a company through its ill-protected contractors. In terms of damages, the numbers are similar to last year’s: 35% of respondents cite data theft, and 33% identity theft.
We mustn’t forget cyberespionage, which remains a significant threat for 50% of respondents, while six out of ten companies say they are concerned about issues of sovereignty and a trustworthy cloud.
Today, many solutions and services are available to businesses in their fight against cyberattacks. CISOs strengthen measures deemed most effective, like EDR, MFA, vulnerability management tools and SOC services. We can note with some satisfaction that trust in the effectiveness of the tools used increases year after year. Eighty-eight percent of respondents thus consider that market solutions are rather well-suited. Finally, six out of ten companies use innovative services developed by startups. This is good news for innovation.
The cloud’s significant share
Cloud migration is now a reality. For 30% of respondents, more than half of their activity now runs in the cloud. However, these environments generate new risks, such as a lack of control over the host’s subcontracting chain and the difficulty of monitoring access by the host’s administrators. It must be emphasized that 89% of respondents are of the opinion that protecting cloud-stored data requires specific tools beyond those built in by cloud providers.
Almost all respondents (8 out of 10) claim they raise awareness, but only two thirds of users end up following the rules. Computer specialists (whether administrators, architects or developers) still blame negligence for attacks. As such, user mistakes make up the main source of incidents (38%).
And, as always, funds are key. On a positive note, the share of members with cybersecurity budgets in the “five to ten percent of IT budget” bracket grows significantly each year, to the detriment of the “less than five percent” bracket. Only 26% of members were in the “five to ten percent” bracket three years ago, compared to 45% today. Eighty-two percent plan on acquiring new solutions, and 54% will increase their workforce.
Moreover, the resilience of information systems in the face of cyberattacks remains an important part of the defense strategy that still needs improvement. Seventy-five percent of respondents are satisfied with their executive body’s level of commitment. Giving cybersecurity governance its rightful place in the business is at the forefront of future goals.