Cyber Benchmark 2024: Progress in Cyber maturity continues, yet pace is slow
Published June 26, 2024
- Cybersecurity
Market maturity and cybersecurity trends
Against a tense geopolitical backdrop, and with the Olympic Games coming to France in the summer of 2024, businesses will face cyber espionage and cyber attacks from a multitude of malicious actors: cyber criminals, hacktivists and even states. In this context, what is the level of security in the various sectors? What are the strengths and weaknesses of large corporations in terms of cybersecurity? How do they differ from smaller companies?
To answer these questions, we carried out a detailed benchmark based on a field assessment of almost 200 security measures. Over the past 5 years, data from more than 150 organizations, representing nearly 7 million users, has been consolidated and analyzed. The results illustrate how far all companies still have to go, particularly large corporations (>$1 billion in sales; over 100 structures in the database), but also a significant improvement: large corporations achieved an overall maturity score of 53%, compared with 52% last year, the score being measured against the requirements of the international standards NIST CSF and ISO 27001/2.
Key highlights
- A slightly higher level of maturity among large groups (> $1 billion in sales) (+1 point), validating the efforts made (53%).
- Cyber budgets represent 6.6% of the IT budget across all sectors, at the lower end of the recommended range (between 5 and 10%).
- On average, one dedicated cybersecurity expert for every 1,086 employees, and more and more companies have launched initiatives to ensure talent retention.
- Two areas made particular progress this year: cloud security (+5%) driven by advances in platform administration security, and data security (+4%), intrinsically linked to the growing challenges of Artificial Intelligence.
- Certain key areas of cybersecurity remain outstanding, in particular the security of third parties (partners and suppliers, which are increasingly interconnected and increasingly a source of attacks), at 48.9% maturity, and that of industrial systems, at 39.9%.
- If we compare large groups with smaller structures (< $1 billion in sales): the basics are under control for the majority of the former, unlike the latter, 54% of which remain fragile in the face of ransomware attacks.
- The Olympic Games in France will expose large French groups to denial-of-service attacks (39% are sufficiently protected) and website downtime (47% are sufficiently protected).
- The NIS 2 directive will have a major impact on cybersecurity strategies, applying to a growing number of companies across the whole of Europe, and will require substantial investment to close the 20% to 40% gap against the expected requirements.
With an increase of 1%: progress continues but at a slower pace
While the overall level of maturity has risen to 53%, the study nevertheless reveals heterogeneity across sectors. The Finance sector comes out on top with a score of 60%, although there are real differences in maturity between the large banks and the insurers, which are less mature on average. The Luxury Goods and Retail sectors follow, largely driven by the former and their considerable resources, with an average score of 52.7%. Next in line is the Industry sector, with a maturity score of 51.3%, demonstrating the efforts made to catch up through digital transformation. With a score of 50.9%, the Energy sector remains slightly above average. The Services sector (50%) completes the ranking.
The positive impact of regulation is also visible: companies subject to critical infrastructure security regulations (NIS/LPM) stand out and are more mature (57.5% vs. 51.7%).
Faced with the most frequent attack risk (ransomware), large groups have mastered the basics but still have undeniable room for progress; smaller structures are at risk.
Wavestone manages numerous cyberattacks on behalf of its clients through its incident response team, CERT-Wavestone. The main vulnerabilities used by cybercriminals have been identified, and a specific maturity analysis has been carried out. This analysis shows that:
- Among small and medium-sized businesses, more than half (54%) of our panel are considered to be in a critical situation, as they have not mastered all the basics required to resist this type of attack. This phenomenon mainly affects the service sector, although some financial and industrial players are not immune.
- Large corporations (> €1 billion in sales), with a maturity level of 56.9%, are no longer necessarily easy targets for cybercriminals.
In France, the threat posed by the Olympic and Paralympic Games is particularly acute.
In the context of the Olympic and Paralympic Games, the structures most critical to the success of the Games have been the subject of specific supervision by the state and the organizing bodies. But we mustn’t overlook all the other French companies, especially those whose brand is strongly associated with the country, which will certainly also be the target of the usual hacktivist attacks aimed at tarnishing France’s image and creating “cyber noise” around the Games.
And for these structures, the risk is considerable: only 39% of large groups have solutions to protect all their sites against denial-of-service attacks (saturation of websites, rendering them non-functional), compared with 27% of smaller companies, and only 47% have advanced protection solutions for their Internet-exposed applications to guard against defacement, the uncontrolled modification of website pages.
Despite the shortage of human resources, cybersecurity sectors continue to grow and are facing new challenges…
Recruitment in the cybersecurity sector presents particular challenges. According to ISC2 in 2023: 4 million positions worldwide remain unfilled due to a lack of candidates, only 25% of the workforce are women, and the majority of professionals (92%) say their organization has a skills shortage. To meet these challenges, companies are focusing on individual development through initiatives such as setting up a training catalog, building cyber career paths, or defining clear mobility processes.
In terms of headcount in the organizations evaluated, there is around 1 person dedicated to cybersecurity for every 1,100 employees. This average masks very disparate results. The financial sector, for example, is beginning to reach noteworthy ratios (1 per 267 employees, or even fewer employees per expert in the largest structures), but this ratio is still too low to meet today’s challenges, particularly in certain sectors such as industry.
…while financial investments are closely monitored by senior management
Of a company’s total IT budget, 6.6% is dedicated to security. This may seem low at first glance, but it rises significantly in the event of a cyber attack, to around 15%.
From a sectoral point of view, the sector that invests the most is Finance (7.8%), quite logically in a context of compliance with the DORA regulation.
Many senior management teams are asking for more to be done with the same resources, forcing cybersecurity teams to rationalize their activities (e.g. through near- or off-shoring) or to arbitrate between their risks.
Cloud and artificial intelligence: real progress in these crucial areas for the future
- Cloud security recorded one of the strongest growth rates in maturity among Large Groups this year, with an increase of over 5%, even if overall maturity remains among the least mature in the CyberBenchmark.
- This growth is mainly attributed to the rise of specific solutions such as CNAPP (Cloud-Native Application Protection Platform), which centralizes the tools needed to secure cloud-native applications, and the growing adoption of CSPM (Cloud Security Posture Management) solutions for detecting and correcting configuration errors and vulnerabilities.
- However, 6% of large groups still allow access to their cloud administration console with just a login and password, underlining the urgent need to switch to multi-factor authentication or to a bastion, a practice already adopted by 65% of groups.
- Data protection made significant progress in 2024, against a backdrop of Artificial Intelligence stirring up the cybersecurity community:
  - 39% of large groups are able to train their AI models securely, thanks to their data classification and desensitization tools.
  - 49% of large groups are ready to use AI to facilitate access to data while maintaining its confidentiality, thanks to tools enabling them to identify, inventory and classify data.
  - Nearly 50% of our customers are launching or have already launched projects to secure their generative AI solutions.
Some attack levers are still widely used by cybercriminals, and companies are finding it difficult to make progress in these areas.
- Managing suppliers, who sometimes number in the thousands or even tens of thousands, remains a challenge in a context where a large proportion of attacks occur via this channel:
  - 67% of large groups have security clauses in place to frame their relationships with third parties, but only 38% of these audit them regularly.
  - Only 16% of large groups test their intervention and recovery plan with their third parties on all critical perimeters.
  - The main challenge facing major groups today is to set up an effective operational model for managing suppliers (several tens or even hundreds of thousands), with dedicated staff, an effective relationship with purchasing and business units, and powerful tools for inventorying and tracking all these suppliers.
- In the industrial sector, the biggest problem remains the security of industrial control systems (39.9% maturity). Legacy systems were designed without security by default and are now being opened up as a result of digital transformation. While isolation efforts continue (+4% in 2024), cyber resilience remains a challenge: only 36% of large groups have secure backups of these environments. In addition, there is a growing gap between the most regulated players (energy, pharmaceuticals, defense, etc.) and the others (construction, textiles, food, etc.): 50% average maturity versus 37%. This gap should narrow with the arrival of the NIS 2 Directive.
In a near future that promises to be heavily regulated, the NIS 2 directive will have a major impact on security strategies over the next 5 years.
- Published at European level on December 27, 2022, the NIS 2 Directive considerably expands the scope of information systems covered and must be transposed into national law by October 2024.
- Extended coverage: Unlike the original NIS directive, which focused on Essential Information Systems (EIS), NIS 2 now applies to almost all of an organization’s information systems.
- Application criteria: Any organization with more than 50 employees or annual sales or balance sheet in excess of €10M in essential or important sectors is concerned.
- 10 main objectives: The directive sets 10 cybersecurity objectives that each EU country must take into account in its transposition. These 10 objectives include: cyber hygiene/awareness, incident management, audits, business continuity and crisis management.
- Where do large groups stand a few months ahead of the Directive’s arrival? If we look at some of the topics covered by NIS 2, we can observe significant differences between large groups and smaller companies:
  - Security policy (PSSI): Large groups are 80% mature, compared with 52% for small companies.
  - Business continuity and crisis management: Large groups are 49% mature, compared with 36% for small companies.
  - Audits: Large groups show a maturity of 72% versus 42% for small companies.
  - Awareness-raising and training: Large groups are 56% mature, compared with 31% for small companies.
  - Incident response: Large groups are 57% mature, while small companies are 41% mature.
Through the NIS 2 directive, the European Union has set a number of cybersecurity topics that all EU countries must comply with. These topics include:
- Cybersecurity policies: 80% of large organizations have properly implemented ISS policies and risk analysis processes.
- Risk management audit procedures: 72% of large organizations correctly control and audit their IS, applications and cloud providers.
- Incident response: Large organizations have a 57% maturity score on incident reaction topics.
- Cyber hygiene & training: 56% of large organizations train internal and external staff and top management in cybersecurity topics.
- Business continuity & crisis management: Large organizations have a 49% maturity score on resilience topics.
Study Methodology
Maturity levels were measured against international standards (NIST CSF / ISO 27001/2) during assessment missions carried out by Wavestone consultants, mainly in the form of interviews with the security managers of the organizations concerned. The sample, dated June 1, 2024, includes over 150 organizations (100 of which have sales in excess of 1 billion euros), representing almost 7 million employees. The data from these individual assessments was then consolidated and analyzed by Wavestone’s specialist teams.