Research: European businesses ‘unprepared for increasing cyber attacks’

A Cloudflare study has revealed that 64% of business leaders, including the retail and financial services sectors, expect a cybersecurity incident in the next 12 months, but only 29% feel highly prepared to defend against them

The report, called “Shielding the Future: Europe’s Cyber Threat Landscape Report” shares the latest data on how organisations are coping with rising volumes of cybersecurity incidents, their levels of preparedness, and top challenges.

These new findings reveal an ongoing concern around growing cybersecurity threats and a feeling of unpreparedness among European businesses.

The survey, which was conducted with more than 4,000 business and technology leaders across 13 European markets (Benelux, CEER, DACH, Nordics, Southern Europe, UK), found that 40% of organisations experienced a cybersecurity incident in the last 12 months. 

Of those that suffered such an event, 84% report that the frequency of these events has increased over the same period, with almost one in five (16%) suffering a cybersecurity attack every 6-11 days. Meanwhile, 62% say that attacker dwell time has also increased in the same time period. 

Looking ahead, two-thirds (66%) of respondents believe that they will see even more attacks within the next year and a significant 64% say that they expect to suffer a cybersecurity incident within the next 12 months. 

Concerningly, despite the increasing volume and frequency of these attacks, only 29% of respondents say they are highly prepared for cybersecurity incidents in the future.

Additionally, industries that had experienced fewer attacks were also among those least prepared. Just 28% of those working in healthcare and 31% of those working in education claimed to have suffered an attack in the last 12 months. For those same industries, the perceived level of preparedness for an incident in the future was low – just 18% and 19%, respectively.

The reverse is true for those in the IT & technology industry. With almost half (49%) being attacked in the last year, however, organisations in this field are seemingly on their guard. Over a third (35%) of respondents from this sector say they are highly prepared for an attack, making it the industry most confident in its ability to deal with an incident, followed by companies in financial services and retail (32% and 31% respectively).  

When looking at organisational size, the lack of preparation by smaller businesses is a particular concern, with only a quarter (25%) claiming to be highly prepared. Medium-sized and large businesses do not fare much better though, with only 27% and 32%, respectively, claiming high levels of preparedness.

For those businesses impacted by a cybersecurity breach, more than a third of respondents (39%) say that the most significant effect remains financial. More than one in five (22%) claim to have lost revenue following an incident. In addition, 23% have suffered increased insurance premiums, 22% have paid fines, and another 23% have experienced legal action. A further one in five (19%) have been forced to lay off members of the team due to the financial losses experienced in the aftermath of an incident. 

Looking at the numbers more closely, almost two-fifths (38%) of respondents say that the financial impact of the incidents they suffered cost between £788,000 and £1.576 million, while a quarter (25%) estimated the loss to be £1.576 million or more. 

A further 17% said that reputational damage was the most significant effect. Additionally, 31% put growth plans on hold in the aftermath of an incident, while over a quarter (28%) have temporarily suspended business operations. 

It’s unsurprising that financial gain was at the heart of many attacks (48%) across the European countries surveyed. However, survey respondents also believe that the threats they have experienced have a much wider range of objectives.

The majority (53%) of those impacted by an incident in the last 12 months say that the main purpose was to plant spyware. And  almost half (48%) of those surveyed say that ransomware plants were the main purpose for the attack. 

When it comes to the most commonly experienced attack vectors, these too are diverse. Phishing tops the list, with almost three in five (59%) respondents claiming to have seen this approach. That’s closely followed by web attacks (58%) and DDoS attacks (37%). Also prevalent were stolen credentials and business email compromise, with almost a third (32%) having experienced these.  

When it comes to tackling these issues, onboarding more products seems to be the go-to response. In fact, nearly half (49%) have more than 11 different products and solutions. The vast majority (72%) believe that this complexity is having a negative impact on their effectiveness, and yet two-thirds (67%) expect the number of tools they adopt to increase in the next 12 months. 

Notably, the three most pressing challenges cybersecurity decision makers and leaders face are: consolidating and simplifying cybersecurity estate (48%); modernising applications used by organisation (47%); and modernising networks operated by organisation (42%). 

Further education on Zero Trust is required for maximum impact

Respondents report three clear problems in the existing architectures they work with: applications and data stored in the public cloud; limited oversight over IT supply chains; and over-reliance on VPNs to protect applications (with each factor mentioned by 34% of respondents).

Given these problems, it is unsurprising that securing a hybrid workforce is a top priority, coming in the top three for more than a third (36%) of our respondents. 

Worryingly, for many organisations, deployment of countermeasures is a long way behind, and in some cases not yet started. Despite widespread recognition of its ability to protect hybrid or remote workers, when looking at deployment of Zero Trust network access., just 25% of respondents say this solution is fully deployed and over half (58%) say that Zero Trust adoption is still in its early stages.  

While two-fifths (44%) say they are optimistic about the ability of Zero Trust to consolidate technology upgrades, our respondents also indicated a lack of faith in their leadership teams’ knowledge of the tool. In fact, the majority (86%) believe their leadership does not fully understand it, while nearly one in five (16%) say their leadership has either partial or no real understanding. According to 42% of those surveyed, this lack of understanding is the single biggest barrier to adoption.

Despite increased budgets, funding, talent, and training remain challenges

With business leaders anticipating more cybersecurity incidents, it’s positive to see that 54% of respondents expect their IT budget for cybersecurity to increase in the next year.

A quarter (25%) of business and IT leaders expect cybersecurity to make up at least 20% of their organisations’ IT spend in the year ahead. And of those expecting a budgetary increase, two thirds (66%) anticipate a rise of more than 10%. 

For the majority, protecting their networks remains the number one investment area, with nearly 24% of the budget allocated to this pillar on average. Despite being the area where respondents see a significant lack of preparedness, devices are set to receive the second lowest allocation of budget share. 

In terms of how this budget allocation is decided, the top two determinants were the number of incidents experienced (34%) and the cost of dealing with them (20%), revealing that most organisations appear to remain reactive in their funding allocation decisions. 

Funding remains the top concern for 46% of our respondents. However, other concerns, such as a lack of talent (41%) as well as the evolving business requirements and user needs (30%) also keep business and tech leaders awake at night.  

Interestingly, despite the increasing volume of attacks, a quarter (25%) cite a lack of buy-in from leadership as a key challenge. With less than a quarter (23%) having not undertaken leadership or general employee training, it is therefore unsurprising that 21% of business and IT leaders rate their organisations’ cybersecurity culture as weak or neutral.

“Organisations across Europe are managing an increasingly complex cybersecurity landscape, all while ensuring operational efficiency, regulatory compliance, and uninterrupted productivity. With incidents on the rise in both volume and frequency, this balancing act becomes even more challenging, leaving leaders with a sense of diminishing control over their organisations’ technological and security frameworks,” said Andy Lockhart, Head of EMEA at Cloudflare. “This significant challenge requires innovative solutions capable of integrating diverse technological components into a cohesive and agile framework. The age of siloed legacy infrastructures is giving way to a new model of “any-to-any” cloud platforms, creating catalysts for innovation and growth. By concentrating on strategic integration any-to-any cloud platforms empower leaders to transform technological challenges into competitive advantages. Adopting this approach will help shape a future where connectivity and innovation are at the heart of business success, opening the door to unlimited possibilities,” adds Lockhart.

Photo by Kasia Derenda on Unsplash

AUTHOR

Stuart O'Brien

All stories by: Stuart O'Brien