The maturity of cybersecurity has divided the business world into two clearly differentiated and distant groups. 56% of companies lack a well-defined cybersecurity strategy and are far from complying with the Digitally Secure Organization model. This threatens their sustainability and future in the digital age, in which teleworking heightens the risk and e-commerce is growing exponentially.
Additionally, 73% of companies do not have the necessary incentive, training and communication mechanisms for their professionals to facilitate the required changes in their organization in terms of cybersecurity, and 90% of companies have not incorporated professionals who specialize in cybersecurity.
All of this makes it essential to have the support of specialized partners who offer a comprehensive vision of the challenges posed by a hyper-specialized and ever-changing sector.
This need becomes even more apparent if we consider that only 22% have implemented centralized identity management, a very important measure at a time when digital identity and password theft are two of the main attack vectors. The companies’ lack of protection also becomes evident in the fact that only 55% of organizations rely on a Cybersecurity Operations Center, which is essential to detect attacks and be able to respond.
These are some of the facts revealed in the 2020-21 Report on Digital Maturity in Spain, focused on Cybersecurity and prepared by the Indra companies Minsait and SIA, and based on personal interviews with the heads of a hundred large companies and organizations in Spain and Europe, as well as with some of the leading cybersecurity experts.
This situation proves more serious if we consider that 90% of cyber-attacks use some social engineering technique to break the first line of defence of companies and that, during the pandemic, phishing attacks have skyrocketed by 6,000%.
Underlying these facts is a problem of lack of strategic vision. In this regard, Luis Álvarez, CEO of SIA, states that “half of the companies have not yet incorporated cybersecurity into their agendas and merely deal with it tactically, focusing on the acquisition of tools and disregarding crucial aspects such as culture, processes and people.”
Companies should consider cybersecurity as part of their governance policy. But this situation is far from being achieved: 68% still have no CISO (Chief Information Security Officer), the executive responsible for information security and its alignment with the business goals.
This means that 82% of companies do not keep up-to-date records of the digital assets that need protection, and 90% do not use the most advanced cybersecurity techniques. Both are essential to guarantee full protection, which highlights the remaining room for improvement.
However, and contrary to this trend, the Minsait and SIA report highlights that companies in the Banking, Telecommunications & Media, and Insurance & Energy industries stand out for their high stage of completion, investment in new technologies and search for innovative responses to cybersecurity challenges. The most evolved companies have articulated a long-term vision and are committed to cybersecurity as a cornerstone for the growth and sustainability of their business. Moreover, they have turned this factor into a lever for improving their digital services.
The report on Digital Maturity in Cybersecurity shows that companies are aware of the challenge they face, and have made a significant effort in the last year, which deserves recognition. However, the dynamism of cyber threats and the difficulties involved in their comprehensive management within the entire security chain (which requires a multidisciplinary approach) are two of the major obstacles that are holding back progress. Their success relies on the protection needed to grow and do business online in the years to come.
In the more than 400 pages of the report, SIA’s cybersecurity experts review the best practices and measures for protecting a company, and provide a road map that includes identifying risks, implementing actions for protection, determining a strategy to detect attacks, having specialists to be able to respond effectively, and ensuring recovery capabilities.