You are on page 1of 32

Sophos – Nordics IT Security Research

October 2019
Project overview and methodology

• The survey was conducted among 328 IT and IT security decision makers
in organisations of 150+ employees across three markets:
• Sweden: 153
• Denmark: 123
• Finland: 52

• At an overall level results are accurate to ± 5.4% at 95% confidence limits


assuming a result of 50%.

• The interviews were conducted online by Sapio Research in September


and October 2019 using an email invitation and an online survey.
Summary and Overview
Protections are increasingly not up to scratch – 9 in 10 (91%) fell victim to a
1 cyber attack despite having up-to-date cybersecurity protection in place.

Security threats are going undetected – A third (32%) don’t know how long a
2 threat has been in a system, with the average known time being 8 and a half
hours.

IT technology is lacking – Two-thirds (66%) believe there should be more


3 investment into technology solutions to improve data security in their
organisation. With 14% saying their organisation does not have the right
security technology in place.

Remote working causing issues in Finland – Finnish IT professionals report


4 higher levels of security change caused by an increase remote working
(58%), with a quarter of know attacks discovered on a mobile device (24%)
and a third coming from an external device (33%).

Skilled staff shortages – 71% believe recruiting and retaining skilled IT


5 security professionals is a significant (or greater) challenge to their
organisation's ability to deliver IT security
Key stats

78% of IT 2 cyber
attacks – Data breaches (39%) are the most
professionals have common type of cyberattack, followed
experienced a average fallen by phishing emails (35%), and software
cyber attack in the victim to in last exploitation (30%)
last year
year

36% say they have a formal 71% agree that A quarter (23%)
policy in place for checking the data security is taken
– lack confidence
more seriously now
IT security strength of all of their in their employees
than it was 2 years
suppliers ago to protect data
Main Findings
IT security teams are approximately half the size of wider IT teams
NB: We think this 50% figure is higher than it should be, this could be for a couple of reasons:
• People do not define security professionals as part of the ‘IT Team’ and therefore the size of the IT teams are
understated
• That although many IT members will not have a specific security role, around half have high responsibility for
security within the organisation

0 0%
3% Entire team

0% Dedicated IT security
1
11% Average (median)

7% Total 150 to 499 500 to 999 1000+


2 to 5
24% employees employees employees
IT team size 15.5 9.4 15.5 31
6 to 10 26%
27%
IT security
7.8 6.7 8.1 8.9
team size
11 to 20 34%
18% Proportion of
50% 71% 52% 29%
IT staff
21-50 17%
10%

51+ 16%
7%

Q1. What is the size of your IT team – including strategic planning through to admin and support? Base: 328
: people are there in this team?
Q2. Is there a dedicated IT security professional or team, and, if so, how many
According to senior IT professionals, approximately 63% of staff use the IT
systems that their team has responsibility for

1 to 25 2%

Average (median): 489 people


26-100 8% Or 63% of staff (using median
company size at S2)
101-250 19%

251-500 22%

501-1000 25%

1,001-5,000 15%

5,001-10,000 3%

10,000+ 7%

Q3. How many employees in your organisation use the IT systems your IT team has responsibility for? Base: 328
:
On average, organisations have fallen victim to almost two (1.84) cyber attacks in
the last year. Just 22% have not experienced one

Only 12% in
None 22% Average (mean): 1.84 attacks
Finland

1 15%

2 19%

3 24%

4 5%

5+ 9%

Don’t know 8%

Q4. How many cyberattacks has your organization fallen victim to in the last year – defined as cyberattacks that your Base: 328
:
organization was unable to prevent from entering your network and/or endpoints?
Data breaches (39%) are the most common type of cyberattack, followed by
phishing emails (35%), and software exploitation (30%)

Data breach 39% 45% in Sweden

Phishing emails 35% 46% in organisations


employing 1000+ people

Software exploit 30%

Malicious code 27%

Credential theft 24%

Cryptojacking 22%

Ransomware 22%

Don’t know 0%

Other type of attack 0%

Q5. What type of cyberattack(s) has your organization been hit with in the last year? Base: 231 (those that have been
: hit by a cyber attack in the last year)
Of those that have been hit by a cyberattack in the last year, the most common
places they were discovered were ‘in the network’ (40%), and ‘on the server’ (33%)

In the network 40%

On the server 33% 40% in Denmark

At the endpoint 16%

On a mobile device Including 24% in


10%
Finland

Don’t know 1%

Other 0%

Q6. Thinking about the most significant cyberattack that your organization has been hit by in the last year, where did Base: 231 (those that have been
your organization find/discover this attack? : hit by a cyber attack in the last year)
At the time of the most significant cyberattack, 91% claim they had up-to-date
cybersecurity protection

Running up-to-date protection

NOT running up-to-date protection

16% in Denmark
9%

91%

Q7. Was your organization running up to date cybersecurity protection at the time of the most significant attack that it Base: 231 (those that have been
suffered in the last year? : hit by a cyber attack in the last year)
Although the vast majority (81%) knew how the cyberattack got into their
organisations environment, almost a third (32%) don’t know how long it was there
before it was detected

Knowledge of how attack got into organisations How long the threat was in the environment
environment before it was detected

I don’t I don’t
know this know this
19% 32%

I know this
81% I know this
68%

Though 93% in Though 87% in


Finland Finland

Q8. Thinking about the most significant cyberattack that your organization has been hit by in the last year, do you know a) how the attack Base: 231 (those that have been
: before it was detected?
got into your organization’s environment and b) how long the threat was in the environment hit by a cyber attack in the last year)
Cyberattacks come from a large variety of sources, with the most common being
via email (24%)

Via email 24%

Via software we were using 19%

Via a malicious or compromised


19%
website

Via a USB stick/external device 18% 33% in Finland

Don’t know 19%

Other 1%

Q9. How did the most significant cyberattack that your organization has been hit by in the last year, get into your Base: 231 (those that have been
organization’s environment? : hit by a cyber attack in the last year)
On average, it takes 8.5 hours before a cyberattack is detected

37% in organisations employing 1000+

Average (median): 8.5 hours


32%

24%

16% 17%

6%
4%
1% 0% 0%
Less than an Between 1-4 Between 5-12 Between 13-24 Up to a week Up to a month More than a More than a Don’t know
hour hours hours hours month but no year
longer than a
year

Q10. Thinking about the most significant cyberattack that your organization has been hit by in the last year, how long Base: 231 (those that have been
was the threat in your organization’s environment (system/network) before it :was detected? hit by a cyber attack in the last year)
Data loss and damage to the business (both 41%) are the biggest concerns
when it comes to the effects of cyberattacks

50% of 1000+ companies Data loss 41%


52% of 1000+
Damage to the business 41% companies and just
30% of 150 to 499
39% in the Cost (time/effort) of dealing with the employee size
private sector 35%
issue companies
Personal job security 28%
Damage to the image of IT across the 37% in the
28% public sector
business

Cost (money) of dealing with the issue 27%

Dealing with compliance/auditors 16%

I don't have any concerns 3%

Don't know 1%

Other 1%

Q11. What are/would be your biggest concerns from your organization being hit by cyberattack(s)? Base: 328
:
71% agree that data security is taken more seriously now than it was 2 years ago,
and 66% believe there should be more investment into technology solutions that
help improve data security in their organisation
% Agree –
experienced a
% Agree cyber attack in
Don’t know Strongly disagree Disagree Neither agree not disagree Agree Strongly agree last year

Data security is taken more seriously in my organisation 71% 70%


now than it was 2 years ago
2% 8% 17% 40% 32%

I believe there should be more investment into


technology solutions that will help us to improve data 2% 7% 24% 42% 24% 66% 71%
security in our organisation

I believe the overall IT security threat level facing my


organisation’s data is growing
3% 7% 23% 42% 21% 64% 61%

Our business leaders aren’t prepared for the next


generation of tech disruption
9% 14% 26% 30% 18% 48% 55%

I believe that when it comes to IT security, my


organisation does not do enough to limit the risk/impact 12% 21% 23% 29% 14%
of human error and lack of knowledge
43% 53%

I don’t believe our IT team currently has enough visibility


into our systems to identify security incidents
13% 19% 27% 27% 14%
40% 49%

51% public sector vs 34% private sector

Q12. To what extent do you agree or disagree with these statements in the context of your organisation? Base: 328
:
An increase in remote, flexible, and mobile working (47%) and a greater use of cloud
applications overall (46%) are the biggest drivers of changes in IT security

Increase in remote, flexible and mobile working 47% 58% in Finland

Greater use of cloud applications overall 46%

The ambition to become a more digital


organisation 42% 51% in organisations employing
1000+ people

More collaborative working across the


organization 41%

There are no initiatives that are driving changes


in IT security within our organisation 2%

Other 2%

Q13. Which of the following are driving changes in IT security in your organisation? Base: 328
:
The biggest concerns when it come to IT security are the risk of targeted
ransomware attacks (32%) and the continued use of legacy systems (28%)

The risk of targeted ransomware attacks 32% 39% in organisations


employing 1000+ people
Continued use of legacy systems 28%

Employee skills 27%


Unmonitored use of freely available cloud storage
solutions (Dropbox, Box, Google Docs etc.) 26%

Rising number of daily malware attacks 26%


Greater number of employee-owned devices used in the
work network 25%

More remote and flexible working 24%

The risk of targeted attacks by nation states 23%


Increased use of official (company introduced) cloud
applications 23%
There are no areas of concern relating to my
organisation’s IT security 2%

Other 0%

Q14. In your experience, which of the following give you biggest cause for concern when it comes to your organisation's IT Base: 328
security? :
The most common ways IT security is managed are ‘in-house only’ (34%) and ‘part
of a shared service hosted by the organisation’ (also 34%)
Including 45%
of those who 42% of Swedish
haven’t had a It is in-house for our organisation only 34% respondents and 42%
cyber attack in of 1000+ companies
the last year
It is part of a shared service hosted by
our organisation 34% Only 26% of Swedish
respondents

It is outsourced to a private provider 14%

It is provided by another public sector


organisation 14%

We have neither an in-house team nor an


external provider 2%

I don’t know 2%

Q15. Which of the following best describes your organisation's IT security currently? Base: 328
:
Almost half (49%) are maintaining IT and security services in-house, however 37%
are moving towards managed services

46% in Finland
37%

We are moving towards managed services

We are maintaining IT and security


services in-house
14%
We are using a combination of the two

49%

Q16. Which of these best describes your organisation’s future policy with regards to IT and security services? Base: 328
:
14% don’t feel their organisation has the right security technology in place to
protect its IT

24% in Denmark

No
Don’t know
14%
7%

Yes
80%

Q17. Do you feel your organization has the right security technology in place to protect its IT? Base: 328
:
90% say they have a formal policy in place for checking the IT security strength of
their suppliers, but 27% only do it for smaller suppliers, and 27% only do it for
larger, enterprise suppliers

Yes, regardless of size 36%

Yes, but only for our enterprise 90% ‘yes’


27%
suppliers

Yes, but only for our smaller


27%
suppliers

No, but we have an informal


7%
policy, we take it on trust

Don’t know 2%

No, not at all 1%

Q18. Do you have a formal policy in place for checking the IT security strength of your suppliers? Base: 328
:
71% believe recruiting and retaining skilled IT security professionals is a
significant (or greater) challenge to their organisation’s ability to deliver IT security

It’s the single biggest challenge 24%

71%
It’s a significant challenge but
47%
not the biggest

It’s somewhere in the middle 24%

It’s towards the bottom 4%

Don’t know 2%

Q19. To what extent is recruiting and retaining skilled IT security professionals a challenge to your organisation’s ability to Base: 328
deliver IT security? :
Almost a quarter (23%) are not confident that employees in their organisation will
always take the right steps to protect data

No Don’t know
23% 6%

Yes
71%
Just 56% in organisations
employing 500-999 people

Q20. Are you confident that employees in your organisation will always take the right steps to protect data? Base: 328
:
48% of organisation provide employees with IT security policy information and
reasoning, and 45% have implemented strict processes about how to deal with
cybersecurity throughout the whole organisation

Provides employees with policy


information and reasoning 48%

Has implemented strict processes about


how to deal with cybersecurity throughout 45%
the whole organisation

Conduct regular training programs 43%

Offers incentives (i.e. prizes) for


adherence to compliance and best practise 29%

Changed recruitment strategies (including


induction processes) to strengthen IT 27% 38% in Finland
security knowledge

Other 0%

My organisation has not taken any steps to


keep employees up to date with IT security 3%

Q21. Which of the following steps does your organisation take to keep employees up to date with IT security? Base: 328
:
Demographics
Country

38%

Sweden
Denmark
47% Finland

16%

S0. Which country are you in? Base: 328


:
Role & Department

Role Department

C-level business role 20%


87%

CISO/CIO 31% IT

Senior management/director/head Information


12%
of department security

Management 14% 13%

Supervisor 23%

S4. Which of the following best describes your level of seniority? Base: 328
S1. Which department do you primarily work within at your organization? :
Company Size

150 – 249 13%

250 – 499 19%


Average (median): 781 people

500 – 999 32%

1000 – 4999 20%

5000+ 16%

S2. Counting all locations, how many employees work for your organisation? Base: 328
:
Sectors & Industry
Sectors Industry
Software/Technology 33%
Finance/Insurance/Accounting 10%
Manufacturing 10%
2%
63% Telecommunication 6%
1% Healthcare 6%
Communication/Marketing/Advertising 5%
Construction 5%
Services 4%
Education 3%
34% Agriculture 3%
Other 3%
Government 3%
Public sector (including healthcare, government, education etc.) Real Estate 2%
Private sector (privately owned organisations) Transportation/Utilities 2%
Third sector (voluntary sector) Retail 2%
Other Hospitality 2%
Wholesale trade 1%

S5. Which of the following sectors do you primarily work in? Base: 328
Q22. Which of the following most closely describes your industry? :
Age and Gender

Age Gender

18 - 24 11%
79%
Male
25 - 34 43%
Female

Do not wish to
35 - 44 24% disclose

45 - 54 15% 21%

55 - 64 5% 0%

65+ 1%

Q24. What is your age, please? Base: 328


Q23. Are you…? :