RESEARCH | May 10, 2022 |2 Min Read

Cybersecurity risk in 5 stats

Security breaches and budgets are both on the rise, according to new research

Chief information security officers (CISOs) operate in a much riskier world than they did just a few years ago. The variety of corporate security threats has grown, along with the frequency and costs of cyberattacks to organizations of all sizes and industries.

Compounding CISOs’ misery, digital transformation, expanding supply chains, and the push for innovation have combined with remote work to expand every organization’s attack surface.

How prepared are companies to manage such risks? A new ThoughtLab global survey, co-sponsored by ServiceNow, asked 1,200 executives in 14 economic sectors to evaluate the cybersecurity challenges they face, and the progress they’re making in response. Here are some highlights:

+24% Cost increase of cybersecurity breaches from 2020 to 2021

Between 2020 and 2021, the average cost of a security breach per firm jumped from $3.35 million to $4.17 million. Healthcare took the biggest hit, with an average increase of $8.6 million per organization.

Top 3 causes of the biggest attacks

  • Human error
  • Misconfigurations
  • Unknown assets

Human error is the biggest source of corporate security breaches, whether it’s workers getting deceived by phishing attacks or overworked staff pushing a button to say “YES” before enough checks are done.

As companies expand their investment in cloud systems and tools, OT, and DevOps, misconfiguration of settings and apps leaves more dangerous pathways open for hackers to exploit. Another big risk comes from remote employees who use unsanctioned equipment and networks—so-called shadow IT—to get work done.

14.2% Percentage of IT budget spent on cybersecurity in 2022

Companies are spending more on cybersecurity in 2022 than they did in 2021. Security leaders will allocate 15.5% of overall IT spend to cybersecurity in 2022, a 2% increase from 2021. (Average security spend for all firms is 14.2% of the total IT budget.)

The top people-focused initiative planned is upskilling and developing cybersecurity and IT staff. The top technology planned investments include conducting regular risk assessments, audits, and stress tests; developing and maintaining a cyber-incident response and recovery plan; and prioritizing protection of IT and OT assets as well as remediation of vulnerabilities.

Most cyber-mature industries

  • Life sciences
  • Insurance
  • Telecommunications

How do companies manage cyber risk in different industries? The survey found levels of sophistication and leadership vary widely by company and industry. Life science firms led all other sectors in cybersecurity response planning, risk mitigation, and threat analysis. Insurance, ranked separately from financial services, came in a close second.

40% Percentage of firms using a new team approach to cybersecurity

Cybersecurity is shifting from a one-leader model to more of a team approach. Four in 10 surveyed organizations report having a cross-organizational alliance—including compliance, legal, operations, data privacy, risk management, and the C-suite—that works with cybersecurity teams to manage overall risk. These alliances support a larger CISO role in data privacy, compliance, fraud, and third-party/supply-chain risk management.
