Survey report, Belgium and the Netherlands
Due to growing digitization and more and better-organized cyberattacks, the cyberthreat to businesses continues to increase. Virtually every IT and business manager considers cybersecurity an absolute priority. But how do they handle it in practice? Together with Proximus SpearIT, Davinsi Labs and Telindus Nederland, Proximus asked CEOs, CIOs and other decision makers in Belgium and the Netherlands.
The 7 main conclusions of the survey
- Governance, risk management and compliance are the highest priorities.
- Nearly half are experiencing a shortage of cybersecurity specialists.
- 43% do not provide employees with security awareness training.
- 38% of respondents have no active security strategy.
- 1 out of every 10 affected companies has had to halt their activities, at least partially, due to an attack.
- Social engineering is the most common incident.
- Companies are worried about being hit by a cyber incident (again).
87% of respondents are worried about being hit by a cyber incident (again).
* Cyber incident: any event or action that threatens the confidentiality, integrity or availability of the information systems of a company, with or without consequences or damage.
34% of respondents are aware that a cyber incident* occurred at their organization in 2021. Of the 62% who indicate that no incident occurred, only 38% claim to be absolutely certain of this.
Almost 9 out of 10 respondents say they are concerned about becoming the victim of a cyber incident (again), including those who experienced no incidents in 2021.
What are the trends and threats concerning security in 2022?
- Almost 1 out of every 2 SMEs* does not (definitely) know whether an incident has occurred in the past 12 months.
- More than half of large companies detected at least one incident in the past year, while only a quarter of SMEs are aware of an incident.
- In our 2020 survey, 42% of SMEs reported being the victim of a cyber incident. That fell to 26% in 2021, which is still higher than the 2019 figure of 19%.
Every company – large or small – is a potential target
Has your company dealt with (a) cybersecurity incident(s) in the past 12 months?
* An SME has fewer than 250 employees.
Recognizing and preventing phishing
Social engineering was the most common cybersecurity incident in 2021. With this technique, cybercriminals use people to penetrate a computer system or extract confidential information. Phishing and spear-phishing are forms of social engineering. The widespread use of this technique can be linked to the increase in telework during the pandemic.
70% of incidents reported were intentional
40% of respondents experienced unintentional incidents such as negligence or a mistake.
Specific cybersecurity incidents in 2021
- Social engineering (13%)
- Spam (13%)
- Lost or stolen devices (9%)
It’s noteworthy that 5% of respondents indicate that they have been the victim of a serious targeted attack, also known as an advanced persistent threat (APT).
Top 3 cybersecurity incidents in 2021
Digitalks podcast
The question for companies is no longer whether they will experience a cyber incident but when it will occur. The Digitalks podcast arms you with the knowledge you need to detect incidents and decide when prevention is needed.
All affected respondents agree that every incident incurs costs or has a negative impact. Reputational damage, reporting costs and lost time account for most of the indirect costs.
27% report reputational damage
Almost 3 in 10 victims indicate that they have experienced reputational damage. 36% of victims say the incident was also noted by external parties.
Every company holds sensitive data, such as customer data of people or businesses, intellectual property rights, and so forth. A data leak or cyberattack can damage trust with customers, partners and suppliers.
1 in 8 companies have suffered more than €10,000 in damage
26% of respondents could not estimate how much a cyber incident had cost them. And 1 in 8 companies said it caused more than €10,000 in damage.
12% had to halt their activities, at least partially
At 12% of companies that experienced an incident, staff were unable to work for a period of time. For 33% of victims, this work interruption lasted longer than a week.
What was the impact of these cybersecurity incidents on your organization in the past 12 months?
How much do you estimate these incidents cost?
“Without a plan, you’re nowhere”
Jaya Baloo, CISO at Avast Software, explains how cybersecurity should be based on a strategy.
A strategy for managing cyber incidents forms the basis of an advanced risk policy and a company-wide approach to security. Just 58% of businesses say they have such a strategy in place, which is an increase of 9% compared to 2020. A strategy is under development at a quarter of the companies surveyed. On the other hand, 13% indicate that they have not yet begun the process of building a strategy.
Does your company have a strategy for the management of cybersecurity incidents?
Businesses with more than 250 employees are the most advanced with regard to their cybersecurity strategy. A strategy has been deployed least often among medium-sized SMEs with 50–250 employees; in that category, a strategy is most often still under development.
Categorizing respondents based on incidents
Large companies take the lead
Does your company have a strategy for managing cybersecurity incidents?
A good cybersecurity awareness training program reduces the chance of human error. Employees learn to recognize phishing, for example, so your company can defend itself against the most common cyber incident, social engineering. A third of the companies surveyed provide no training at all, however, while 6% conduct training in an ad hoc manner and 3% are still in the development phase. By contrast, a third of the organizations provide training several times per year.
Do employees in your company receive cybersecurity awareness training?
Expand IT support externally?
Over 4 in 10 of those surveyed are experiencing a shortage of cybersecurity specialists within the IT department. Of all the companies with over 50 employees, more than half report a scarcity of such profiles.
Do you have a shortage of cybersecurity specialists?
- 59% of responding companies seek help from external providers to monitor and manage their cybersecurity infrastructure.
- 38% of the companies surveyed rely on a mix of their own IT personnel and an IT partner. An equally large group of respondents streamlines IT security completely under their own management, while 21% choose total outsourcing.
Who monitors and manages your cybersecurity infrastructure?
6 in 10 companies rely on an external provider
Percentage in relation to the total of the priorities cited
What are the top 3 cybersecurity priorities for your organization?
The respondents' top 3 cybersecurity priorities remarkably often concern policy, such as employee awareness training, cybersecurity insurance and regulations such as GDPR. These topics lie in the area of governance, risk management and compliance (GRC).
Network security is also still an important priority for many companies. This area is closely followed by workplace security. The importance of securing the workplace has been increasing for several years due in part to the emergence of ransomware and the large number of employees working at home.
Secure your company in 4 steps
Discover Proximus’ 360° approach to securing your organization. Choose what works for you, from covering specific areas to an all-inclusive service.
Digitalks podcast
A podcast on cybersecurity with new insights, tips and best practices from experts.
How companies manage cybersecurity?
Of the respondents who are aware of an incident having occurred, most also have a cybersecurity strategy in place for managing incidents. Among respondents who don’t (definitively) know whether they have been affected by an incident, the percentage with a strategy is half as high.