
94% of organisations factor in a cyber attack

IT & Security

Cybersecurity maturity benchmark

Conscia
Benchmark research

This article is based on the survey 'What decisions do organisations make on digitisation?', conducted by BenchLab between April 2022 and January 2024 among business service providers, municipalities, and healthcare institutions. Over 200 decision-makers have participated in the survey so far. Over 800 decision-makers have been added to Conscia's network and are provided with regular survey updates. All benchmark reports were followed up by appointment by Conscia specialists.

94% of organisations factor in a cyber attack. 54% call security a top priority. Budget is there (67%). Awareness is present. But execution lags behind. 43% invest in prevention. Only 15% in detection. 39% trust their own response plan. The gap between intent and reality is risky.

From awareness to action

The vast majority of organisations expect to be hacked. For as many as 94 per cent of companies, the question is not whether this will happen, but when. Over half of the organisations have made cybersecurity a top priority, showing that awareness of the dangers of a cyber attack is high. However, the focus is now mainly on prevention, while detection and adequate handling of a potential attack receive less attention at many organisations. This is according to research by IT specialist Conscia in collaboration with research firm BenchLab.

Large-scale crises shift focus area

More than half of the participating organisations indicate that cybersecurity is a top priority within the organisation, and two-thirds say they have sufficient budget available for it. The average rating organisations give themselves for cybersecurity comes out at 6.1.

The type of threat organisations are guarding against is changing. Two years ago, DDoS attacks were still seen as the biggest threat. Now, respondents say they fear ransomware, phishing and supply-chain attacks in particular. Due to large-scale crises such as the war in Ukraine, there is more focus on protection against damage from state actors, whereas previously it revolved around the activities of criminal groups.

Emphasis on prevention rather than detection and response

Organisations still place the emphasis of their cybersecurity strategy on prevention. This is where 43 per cent of organisations invest the most time and energy. Detection of attacks is usually the next step, but lags far behind at 15 per cent. Only 39 per cent of organisations believe that their own Security Operations Centre (SOC) or security team is capable of responding appropriately to a cyber incident.

Maarten Werff, solution consultant cybersecurity at Conscia, believes that the power of a good cybersecurity strategy lies in a broader approach: "A good strategy is about identification, prevention, detection and response. Know what is in your network, what software is deployed and make sure known vulnerabilities are patched in time. A shift from the detection strategy to what we want to protect - the user, the endpoint and the 'crown jewels', the valuable data - offers the opportunity to act quickly."

"In doing so, if it turns out that you do not have sufficient knowledge or capacity in your own organisation to effectively respond to an attack, an external 24/7 Security Operations Centre offers a solution for many organisations. For many organisations, Managed Detection & Response (MDR) provides a better answer to today's challenges than a conventional SOC or SIEM. By using intelligent sensors, MDR provides higher visibility, the ability to intervene quickly and is a cost-effective way for many organisations to establish a resistant cybersecurity strategy in a short period of time."
