Chapter 2. Findings: Understanding Cyber Risks and Response Readiness:
4. Concerns about cyberattacks are starting to have measurable negative business implications in some areas
Concern is apparent, however, about cyberattacks slowing value capture from cloud computing, mobile technologies and some healthcare technologies. About 78% of companies surveyed say security concerns delayed adoption of public cloud computing by a year or more, and 43% note that such concerns delayed enterprise mobility capabilities by a year or more. “We have started to experiment with mobile devices,” says the chief security officer (CSO) of a financial institution. “However, the delay has been mainly because there are too many potential threats.” In healthcare, concerns about cyber resilience are not delaying the adoption of most technologies, though large hospital networks report that security issues have led to postponing the introduction of connected medical devices by up to a year. “Most devices have no security applications on them at all,” says another hospital’s CISO. “Anyone can just get in and manipulate whatever they want.”
Cyber resilience controls are having a significant impact on front-line productivity. About half of companies overall said that controls had at least a moderate impact on end-use productivity. Half of the high-tech executives cited existing controls as “a major pain point” for users and as limiting the ability of employees to collaborate. (See Figure 7.)
FIGURE 7: IMPACT OF CYBERSECURITY CONTROLS ON FRONT-LINE PRODUCTIVITY
Actual spending on cyber resilience may also be much higher than most executives assume, the research indicates. “Indirect” spending on information technology (IT) security to adjust to new risks and provide ongoing responses to cyber risks may be a significant cost driver for IT organizations. Direct IT security spending ranged from 2% to 10% of total IT spend in the companies researched. But chief Internet strategy officers estimated incremental activity driven by security requirements at between 2% and 25% of total IT spend.
In general, insurance and healthcare executives believe they spend too little on cybersecurity. Banking and high-tech executives say their spending on cybersecurity is about right. (See Figure 8.)
FIGURE 8: SPENDING ON CYBERSECURITY