Cybersecurity: How mature are large organisations?

As the number of cyberattacks increases (crime, hacktivism, state) – even more so in a shaken geopolitical context – organisations must speed up their digital transformation. They must ask, what is the current state of security within the various sectors? and what are the strengths and weaknesses of large organisations when it comes to cybersecurity?

To answer such questions, Wavestone has conducted a detailed benchmark based on a field assessment of more than 180 security measures – relative to the requirements of the international NIST CSF Framework & ISO 27001/2 standards. Over the past 3 years, data from over 75 organisations, accounting for over 3 million users, has been aggregated and analysed. The results demonstrate that large organisations still have a long way to go, with an overall maturity score of only 46%.

Organisations covered by critical infrastructures’ security regulations (NIS/LPM) stand out as more mature (55.4% VS 43.3%).

Thanks to its CERT-Wavestone incident response team, Wavestone manages numerous cyber-attacks on behalf of its clients. In the study, the main vulnerabilities exploited by cybercriminals have been mapped and a specific maturity assessment was conducted on this basis. From this, it appears that:  

• 30% of organisations continue to be highly prone to the risk of ransomware attacks. This phenomenon mostly affects services and the public sectors, although certain financial or industrial players are not immune. 
• Extremely large organisations (CAC40 type) are more difficult targets, as they display a higher level of maturity (55%). 

From a sectoral point of view, those who invest the most are the industrial (7%) and public services (6.6%). In contrast, the finance (5.8%), energy (5.5%) and services’ (4%) sectors remain shyer. However, it should be mentioned that finance has heavily invested in previous years, and has IT budgets unrivaled by other business sectors.

• Regarding the strategic axes of cybersecurity, maturity on detection and reaction to attacks has matched the level of effort put on protection (with 46%, 45% and 47% respectively). This is due to massive investments in these areas in recent years. However, the ability to reconstruct in the wake of an attack remains a complex issue to address (40% of maturity). 

• Regarding protection technologies, the majority of organisations have succeeded in widely deploying the most effective solutions: EDRs (advanced computer and server protection tool) and multi-factor authentication (MFA). On average, 51% of organisations have an EDR tool deployed at 67%; and 61% of organisations have deployed an MFA at 63%. But plenty remains to be done on Active Directory security (only 24% of cyber teams analyse incidents at their cyber center) and resilience (only 17% of organisations have fully tested their IT recovery plan). 

• For the industrial sector, the biggest issue still consists in securing industrial information systems (35% of maturity). Legacy systems were conceived without by-default security and are now becoming increasingly open and interconnected. As such, initial efforts have been made. For instance, setting up a governance (50%) and engaging isolation processes (66%), but they are often difficult to complete. In addition, these perimeters are still barely monitored (22%). 

• Due to the volume of assets involved, the most difficult challenges of today remain in application and data security, and surprisingly cloud security. Where, poor practices are still in force pertaining to application and data security. For instance, more than 42% of the organisations allow administrators access to the cloud with a simple login / password.

“Instinctively, we believe that the cloud is secure. This can be true when using providers’ services, but many securing measures remain the responsibility of organisations… and are unfortunately often forgotten! This is a major issue for the security of new applications“, says Gérôme BILLOIS.