Cyber threats should no longer be viewed as just an IT problem, but also a business problem, Deloitte said in its latest Future of Cyber study. Operational disruption, loss of revenue, and loss of customer trust are the top three significant impacts of cyber incidents. More than half, or 56%, of respondents told Deloitte they suffered related consequences to a moderate or large extent.
In 2021, the top three negative consequences from cyber incidents and breaches were operational disruption, which includes supply chain and the partner ecosystem, intellectual property theft, and a drop in share price. While operational disruption remained the top concern in 2022, loss of revenue and loss of customer trust and negative brand impact moved up in importance. Intellectual property theft and drop in share price dropped to eighth and ninth (out of ten) in ranking. Losing funding for a strategic initiative, loss of confidence in the integrity of the technology, and impact on employee recruitment and retention moved up in ranking in 2022. Respondents were also asked to mark two consequences they felt would be most important in 2023: Operational disruption and loss of revenue topped the list.
"Today, cyber means business, and it is difficult to overstate the importance of cyber as a foundational and integral business imperative," Deloitte noted in its report. "It [cyber] should be included in every functional area, as an essential ingredient for success—to drive continuous business value, not simply mitigate risks to IT."
Cyber Maturity Matters
Deloitte categorized organizations' cybersecurity maturity based on their adoption of cyber planning, risk management, and board engagement. Risk management included activities such as industry benchmarking, incident response, scenario planning, and qualitative and quantitative risk assessment. Whether or not the organization adopted any of these three practices hinged on stakeholders recognizing the importance of cyber responsibility and engagement across the whole organization, Deloitte said in its report. Examples included having a governing body that comprises IT and senior business leaders to oversee the cyber program, conducting incident-response scenario planning and simulation at the organizational and/or board level, regularly providing cyber updates to the board to secure funding, and conducting regular cyber awareness training for all employees.
In the analysis, 21% of organizations were considered high maturity, as they adhered to two or three of the key practices, and 41% of organizations were categorized as medium maturity for adhering to one of the practices. The remainder, or 38%, were low maturity, as they did not adhere to any of the practices identified by Deloitte.
According to Deloitte, 91% of organizations reported at least one cyber incident or breach, but low-maturity organizations tended to experience more significant cybersecurity events (6 or more events).
There were some differences based on the organization's maturity in what kind of issues they were concerned about. High-maturity organizations seem more concerned about cybercriminals and terrorists, as well as phishing, malware, and ransomware. Medium-maturity and low-maturity organizations were more concerned about denial-of-service attacks.
High-maturity organizations are doing more when it comes to engaging leadership, planning, and acting, and they are seeing results in areas typically not associated with cybersecurity, such as increased efficiency, resiliency, and agility, Deloitte noted. Nearly 70% of high-maturity organizations said their cybersecurity posture had an impact on enhancing trust and enabling efficiency throughout the organization. And 65% of the high-maturity organizations cited resilience and agility as the benefits they are seeing as a result of their cybersecurity activities. More than half of the leaders of these high-maturity organizations said their cybersecurity activities gave them confidence to take on new initiatives, compared to 45% for medium-maturity organizations and 40% for low-maturity organizations, Deloitte found. Cybersecurity also helped with the bottom line: 47% of high-maturity organizations claimed their cybersecurity initiatives helped increase revenue.