CRD #1
On cybersecurity budgets, insurance, incidents costs, compliance and board accountability.
Research highlights for security leaders from validated sources released between 24-30 June 2024, followed by a hyperlinked list of all monitored reports during the period.
Cloud security top of the budgets; humans the constant weakness to address
According to a global survey by Thales of close to 3000 security professionals worldwide in companies with revenue exceeding $100M, cloud security is the highest priority category in security spending. According to the study, the main perceived cause for cloud data breaches is human error or misconfiguration, followed by known and zero-day vulnerability exploitations.
Human error identified as the root cause of cyber incidents is a well-established observation reported consistently across cybersecurity research. It is thus not surprising that a Fortinet study of 1800+ cybersecurity decision-makers shows that training and certifying security staff, as well as raising overall employee cyber competencies, are rated as top priorities, followed by purchasing better security solutions and expanding security staff headcount. Regarding security staff, the most needed skills reportedly also relate to cloud security, followed by cyber threat intelligence and malware analysis.
Insurers almost always pay out, but incident costs are higher than coverage
A survey of 5000 cybersecurity/IT leaders worldwide by Sophos reveals that insurers almost always pay out claims to some extent. However, incident costs are never fully covered – on average, insurers reportedly paid 63% of the overall damages of an incident. The main reason for this level of coverage was that total costs exceeded the policy limits (63%), followed by situations where costs were incurred without the insurer's permission (58%). The mean estimated cost to recover from a ransomware attack was $2.73M according to the study.
More organisations acquire cyber insurance coverage as prices lower
As the cyber insurance market continues to experience rapid growth worldwide – with Europe leading the way and more organisations buying coverage – data from Howden Insurance indicates a cooling down in overall premium costs. The cost of insurance rose dramatically during COVID, but Howden's data shows that prices have been gradually lowering (or at least their growth slowing) since 2023, giving reason to critically re-evaluate and renegotiate previously agreed premium levels.
Compliance requirements key to unlock extra funding
AT&T's survey of 1000+ senior executives looked into the factors most likely to push cybersecurity budgets upward, providing some guidance on how security leaders can argue for more funding: new compliance conditions sit at the top (46%), followed by competitors' breaches (42%), internal breaches (38%) and insurance requirements (37%).
Too many cybersecurity tools hinder efficiency
A Ponemon Institute study involving 650 cybersecurity professionals from small to large enterprises worldwide found that organisations use 56 separate cybersecurity technologies on average. It does not come as a surprise that 40% of respondents feel they have too many tools to achieve effective cybersecurity, and only a third are satisfied with the number of tools used.
Leaders held personally accountable for incidents
There has been much talk in recent years about the increasing pressures CISOs and other leaders face with regard to personal costs and accountability for cyber incidents, leading to stress, burnout and high levels of staff turnover. As a worrying statistic supporting these claims, global survey data from Fortinet found that a staggering 51% of decision-makers report that directors or executives have faced negative personal consequences due to a cyber incident, in the form of fines, loss of position or employment, or even jail time.
Reports monitored: June 26-30
To take a deeper dive into the topics most relevant to you, we've listed all the research reports that were published in the last week of June.
About
evisec's Cybersecurity Research Digest provides security leaders with verified strategic insights via a carefully curated weekly summary of evidence-led, unbiased and objective cybersecurity research publications. Read more about our service here.