Proximus NXT Cybersecurity Survey Report 2024
Cyber attacks frequently made national headlines in 2023. The diverse activities and scale of the organizations targeted indicate that every company is a potential target. How do Belux companies perceive this threat and what means are they deploying to combat it? Together with trading partners Proximus SpearIT, Davinsi Labs and Telindus Luxembourg, Proximus NXT polled CEOs, CIOs and other decision-makers on the topic for the fifth consecutive year.
The impact of cybersecurity on businesses in Belgium and Luxembourg
1. Cybersecurity incidents
2. Types and their impact
3. Cybersecurity maturity & strategy
4. ICT department and staff
5. A look to the future
Chapter 1
Cybersecurity incidents
Due to digital transformation, working from home and the rise of new technologies, the ‘attack surface’ available to cybercriminals is increasing year after year. At the same time, hackers are increasingly well organized and employ more sophisticated modes of attack. According to the International Monetary Fund, the number of incidents has more than doubled since the Covid pandemic. It goes without saying that Belux companies are also targets.
One in three
Has your company been forced to deal with cybersecurity incidents in the past 12 months? Yes: 30%. No: 61%. I don't know: 9%.
In 2023, 30% of respondents reported having experienced a cybersecurity incident*, a percentage in line with the previous year’s results. Over a third of ‘incident-free’ participants admitted to having little confidence in their ability to detect incidents, so this figure may be an underestimate.
Larger organizations more frequently affected
Of the respondents who were aware of a cyber attack, more than 80% recorded fewer than 6 incidents. Nearly two in 10 of the impacted companies recorded more than 5 attacks. Remarkably, in 22% of cases, those who did not detect incidents did not know whether their organization had neutralized attacks.
Larger organizations (with 250 or more employees) are more likely to fall prey to cybersecurity incidents than small and medium-sized businesses (with 10 to 249 employees). Among very large companies (2,000+ employees), 45% reported experiencing an incident in the past 12 months. This could be because very large companies are better able to detect attacks, or because they are more likely to be attacked due to their larger attack surface.
[Chart: Has your company faced one or more cybersecurity incidents in the last 12 months? Responses (Yes / No / I don't know) by number of employees]
[Chart: Number of detected incidents. How many cybersecurity incidents have been detected within your organization during the last 12 months?]
(*) Any event or action such as ransomware, phishing, DDoS attacks, etc., that has affected the confidentiality, integrity and availability of an organization’s information systems, and has resulted in loss of productivity, legal consequences, reputational damage, data loss, etc.
Chapter 2
Types of incidents and their impact
According to Verizon's 2024 Data Breach Investigations Report, 62% of financially motivated incidents involved ransomware or extortion. Verizon calculated the median loss at $46,000 per breach. However, financial losses from incidents also happen due to data corruption and destruction, loss of productivity, and theft of intellectual property or personal data.
Types of incidents
What type of incident(s) did your company experience?
Intentional or not?
Three-quarters of respondents had experienced social engineering attacks, such as phishing, vishing* and smishing**. In these cases, cybercriminals exploit human psychology to gain unauthorized access or extract sensitive information. This high prevalence underlines the need for robust defenses and ongoing awareness-raising among employees. Note, too, the emerging use of deep fakes, with which cybercriminals attempt to deceive employees.
Nearly half the affected companies declared malware incidents. Three-quarters of these cases were combined with ransomware. These proportions remain fairly stable compared to the previous year.
Imperfections in software code or system configurations create vulnerabilities. They compromise data integrity and security and represent 41% of the reported cases.
A quarter of incidents were the result of carelessness or inadvertent mistakes by employees. For example, wrong configurations or unintentional clicks can lead to a security breach. Nearly 30% of incidents were intentionally committed by internal or external parties who purposefully carried out attacks. A combination of both factors was involved in 44% of cases. The results of Verizon’s 2024 Data Breach Investigation Report confirm these figures. They found that inadvertent errors were the root cause in 68% of investigated incidents.
The incident(s) that occurred were: Accidental: 25%. Intentional: 28%. Both accidental and intentional: 44%. I don't know: 3%.
Consequences of the incidents
Infrastructure and data
Devices such as laptops, desktops and/or mobile devices are affected in nearly half of incidents. Cloud infrastructure, servers and network infrastructure are also frequently damaged. Equally disastrous and possibly even more far-reaching is the impact on customer information (22%), operational data (19%), and intellectual property or employee data (both 11%).
What physical assets were impacted?
What digital assets were impacted?
Financial impact
Nearly half of respondents reported decreased productivity resulting from cybersecurity incidents. A similar number reported attack-related costs, including notifying authorities, customers and stakeholders.
Reputational damage, including negative publicity, loss of trust and damage to brand image, also occurs frequently. Surprisingly, about 30% of respondents reported that they had not experienced any direct financial impact or damage. This may be due to effective security measures or to incidents that did not directly affect company profits.
Cyber incidents prevented employees from performing their duties in one in four of the affected targets. This is down from the 2023 cybersecurity report (30%). In most cases, the unavailability was limited to only a few employees for up to one week.
(*) Scam by telephone (voice) in which the criminals trick the victim into passing on private information.
(**) Scammer pretends to be a trusted source (bank, government, etc.) by text message and tries to obtain personal or financial information.
AI and cybersecurity
Artificial intelligence (AI) is finding its way into every business environment. It helps organizations work more efficiently and generates extra insights. A dual picture is emerging in the field of cybersecurity. AI helps to detect threats faster but, at the same time, offers hackers an additional attack weapon. Hence, AI is creating a new dynamic in the field of cybercrime, where the message is more than ever to proactively undertake the necessary actions and take on a strong partner.
Almost half
What was the impact of the cybersecurity incident(s) on your company over the last 12 months?
Chapter 3
Cybersecurity maturity & strategy
Cyber attacks can manifest themselves in any business department. A sophisticated strategy that covers the entire organization is, therefore, essential.
IT leaders show low confidence in their internal and external communications and public relations concerning incidents. They also rate their ability to contain and eradicate threats as weak.
Identify, Protect, Detect, Respond & Recover is a popular framework from NIST to map cybersecurity actions. It shows that among those surveyed, predicting and identifying (Identify) potential risks is the least well established. Prevention and detection are already better, but there is still room for improvement. Taking the necessary actions (Respond) and the recovery process (Recover) sit at an average level.
Large companies are more likely to have higher cybersecurity maturity across the five core functions of the framework. On the other hand, there is still room for growth among SMEs, especially in Identify and Respond.
[Chart: Does your company have a cybersecurity incident response process in place and how confident are you in your incident management capabilities? Scale: high confidence to low confidence. Visible labels: external communication, lessons learned, implementation]
[Chart: Does your company have a cybersecurity strategy in place? Series: Yes (large enterprises), Yes (SMB)]
Recovery action
Recovery took one to four weeks for a fifth of the companies. Nearly 28% purchased cybersecurity insurance, while a quarter of respondents consider such a policy unnecessary. Another portion of the companies surveyed are looking into it or are unaware of the current status of their insurance.
Reasons not to purchase insurance:
- Cost-related
- A policy that does not cover the risk
- Management and organizational factors
Has your company subscribed to a cybersecurity insurance policy?
Chapter 4
ICT department and staff
The ‘war for talent’ rages fiercely within the IT and cybersecurity sectors. For many companies, it is difficult to recruit and retain people with the right profiles. An Agoria survey showed that the cybersecurity sector had more than 1,200 job openings, a rate of 16%, which is higher than in the IT sector. Consequently, given the ever-increasing attack intensity, the gap between desired and available cybersecurity competencies is only widening.
More than half
Internal action or outsourcing?
About four companies in ten rely exclusively on internal IT staff to monitor cyber threats. Over 30% employ a hybrid model, using both internal IT and Managed Security Services Providers (MSSPs). Surprisingly, 13% of companies do not have designated staff or required monitoring tools for cybersecurity alerts.
Who monitors the cybersecurity alerts of your company?
Skill gap
More than half of respondents experienced a shortage of specialized personnel in the security department. That’s significantly higher than the previous year when 36% struggled with a gap in cybersecurity skills. That higher percentage clashes somewhat with the observation that a significant number of companies rely purely on their own IT department. However, a significant portion of decision-makers do intend to close the skills gap through hiring. Surprisingly, a quarter of respondents have no concrete strategy in that regard.
How do you intend to close the skill gap in your security department?
The survey report indicates a growing awareness. Most companies recognize the importance of education and carry out active campaigns. Nearly a fifth of organizations never do so. While that percentage is still high, it is half that of the previous year’s cybersecurity survey.
How often does your company organize cybersecurity awareness campaigns (training, phishing test emails, etc.)?
Expert Wouter Vandenbussche takes a deep dive into the results and explains the report in 11 minutes.
Chapter 5
A look to the future
In the rapidly changing world of cybersecurity, inaction is not an option. A proactive approach that includes the necessary reactive processes ideally figures high on the agenda of every organization.
More than one in five
For almost all respondents, concerns about incidents were at least as high as the previous year. For most, it had even increased. Technical complexity is increasing due to the growing number of cybersecurity solution providers. More than 80% of respondents engage fewer than 10 security partners to secure their organizations. Half expect stabilization, while more than 20% expect an increase.
Has your concern about the possibility of facing a cybersecurity incident increased or decreased in the last 12 months? Answer options: My concern has decreased; My concern has increased; My concern stayed the same. Chart values: 1%, 45%, 54%.
Evolution of cybersecurity budgets
Nearly half of the surveyed organizations plan to maintain current spending levels. However, a significant portion want to boost the cybersecurity budget, despite the overall increased pressure on spending in the business sector. These figures are similar to those of the previous year.
What is the evolution of your organization's cybersecurity budget for the next 12 months? Answer options: Will strongly decrease (-20%); I don't know; I cannot disclose this information; Will strongly increase (+20%); Will stay the same. Chart values: 1%, 14%, 15%, 22%, 48%.
The four priorities for the next 12 months
Participants in this survey consider the following four elements to be top priorities for the coming year:
1. Operational readiness
Organizations prioritized asset management, vulnerability management and maintaining robust monitoring systems. The ability to respond appropriately to incidents and backup redundancy are critical.
2. User awareness & training
Educating staff remains essential. Ongoing training and awareness programs help employees understand cybersecurity best practices. Preventing phishing attacks through user education is considered a priority.
3. Risk & compliance
Organizations are actively assessing risks while acting in compliance with regulations (such as NIS2) and implementing cybersecurity standards. Managing risk effectively while meeting industry requirements is a key concern.
4. Security measures
Strengthening security measures stands out as a common theme. Privacy protection and implementing endpoint detection on all devices are essential.
How resilient would your organization be in the event of a cyber incident? Learn how to increase your company’s cyber resilience and cybersecurity maturity in six steps.
What was the impact of the cybersecurity incident(s) on your company over the last 12 months? Answer options: Reputational damage; No costs, no damage; Other costs or negative impact: re-installation; Reduced productivity; Costs / resources linked to the reporting of the incident(s).
What digital assets were impacted? Answer options: Employee information; Intellectual property; Operational data; Customer information.
What physical assets were impacted? Answer options: Office equipment; Machines; Network infrastructure; Cloud infrastructure, servers; Laptops, desktops, mobile devices.
What type of incident(s) did your company experience? Answer options: Social engineering; Malware; Software bug / misconfiguration; Web application attack; Policy violation; Theft / loss of devices; Violation of regulations; Identity theft; Ransomware; Unauthorized activities; Denial of Service attack; Data leak; Zero day, exploit of vulnerabilities; Cyber espionage; Advanced Persistent Threat.
Has your company subscribed to a cybersecurity insurance policy? Answer options: No, but currently under assessment; Not yet, but will be done within the next 12 months; No, for other reason namely:; I don't know; Yes; No, we don't need such an insurance.
How often does your company organize cybersecurity awareness campaigns (training, phishing test emails, etc.)? Answer options: Several times a year; Never; Once a year; Continuously.
How do you intend to close the skill gap in your security department? Answer options: Reskilling or internal promotion of internal IT staff; By using freelancers or external consultants; No strategy in place; I don't know; Recruitment; Outsourcing.
Who monitors the cybersecurity alerts of your company? Answer options: No one / we don't have monitoring tools; Both internal IT staff and MSSP; Mother / sister company; Other; IT partner / MSSP; Own internal IT staff.