In 2022 alone, global cyberattacks increased by 38%, resulting in substantial business loss, including financial and reputational damage. Meanwhile, corporate security budgets have risen significantly because of the growing sophistication of attacks and the number of cybersecurity solutions introduced into the market. With this rise in threats, budgets, and solutions, how prepared are industries and countries to effectively address today’s cyber risk?
CYE’s new Cybersecurity Maturity Report 2023 tackles this question by shedding light on the strength of cybersecurity in different sectors, company sizes, and countries. It highlights which industries and countries have the most robust cyber postures and which are lagging, as well as the most prevalent vulnerabilities in today’s cyber threat landscape.
The analysis is based on two years’ worth of data, collected from over 500 organizations in 15 countries, and spanning 11 industries and a range of company sizes. It measures cybersecurity maturity across seven different security domains, including application level security, network level security, identity management and remote access, and more.
Here are the top findings:
Finding #1: Larger Budgets Don’t Necessarily Mean Better Cybersecurity
Among countries, Norway scored the highest on overall cybersecurity maturity level, followed by Croatia and Japan. Although these countries do not have the substantial cybersecurity budgets of countries such as the US, UK, and Germany, they do have advanced regulatory systems. Other possible reasons that Norway, Croatia, and Japan took the lead include early cybersecurity adoption in these countries and unified planning by governments and organizations. This finding illustrates how large financial investments do not necessarily translate into high maturity levels.
Finding #2: Tech Companies Score Average
Among sectors, energy and financial industries came out on top for overall cybersecurity maturity level, while healthcare, retail, and government agencies were among the lowest. Surprisingly, the tech industry scored about average, possibly because such companies typically must defend a larger attack surface than companies in other sectors.
The average score could also be because tech companies tend to adopt new technologies that could be particularly vulnerable to attacks and exploits. In addition, tech companies tend to experience growth much faster than other sectors, which can be an additional challenge when trying to maintain a strong cyber posture.
Finding #3: Small and Medium Organizations Score Higher Than Large Organizations
Surprisingly, small- and medium-sized organizations had better cybersecurity maturity scores than organizations with over 10,000 employees. This could be because small organizations may have an easier time protecting their small attack surfaces. With medium-sized organizations, investing in cybersecurity solutions is clearly a priority. When it comes to large organizations, however, having to defend such a large attack surface clearly has an effect on the level of cybersecurity maturity.
Finding #4: Nearly One-Third of Companies Lack Effective Password Policies
The study found that 32% of organizations have weak password policies, a highly solvable problem that companies apparently have not adequately tackled. In addition, 23% of organizations were found to have weak authentication mechanisms. This is concerning, because the combination of the two issues empowers hackers, who can then simply log in with minimal effort.
Recommendations for Better Cybersecurity Maturity
The overall takeaway from the report is that most organizations are not adequately prepared for the threat of cyberattacks. However, organizations can still achieve a high cybersecurity maturity posture without a large budget, if they plan and spend correctly.
To protect themselves, organizations should invest in capabilities, rather than tools; perform comprehensive assessments to prevent hackers from exploiting vulnerabilities; and develop an integrated approach to cybersecurity with board-level accountability. Cybersecurity optimization solutions such as CYE can help by combining technology, people, and processes to manage organizational cyber risk and perform cyber risk quantification to understand threats and prioritize mitigation.