Nearly Half of Organizations Underestimates Level of Risk

Veritas Technologies LLC released findings of new research that shows 45% of organizations may be miscalculating the severity of threats to their business.

The study, Data Risk Management: The State of the Market – Cyber to Compliance, which polled 1,600 executives and IT practitioners across 13 global markets, provides insights into the most pressing risks, their impacts and how organizations plan to navigate them.

Despite risk factors like interest rates and inflation pressing hard on organizations, ransomware and multi-cloud complexity are also growing concerns for businesses of all kinds. However, when survey respondents were initially asked whether their organizations were currently at risk, almost half (48%) said no. But after being presented with a list of individual risk factors, respondents of all levels recognized the challenges facing their organizations with 97% then identifying a risk to their organizations.

Notably, 15% of those surveyed did not believe their organizations could survive another 12 months given the risks they currently face. There was a disconnect, however, between the C-suite and those working in the trenches of protecting their organizations’data, which could point to a communications issue: 23% of senior executives predicted the demise of their organizations in the next year, compared to just 6% of analysts and technicians.

Matt Waxman, SVP and GM for data protection, Veritas, said: “The first step in addressing a problem is recognizing it’s there. When the risks are laid out in black and white, it’s hard to ignore the reality of today’s complex business operating environment. The risks are everywhere and require constant vigilance. While an overwhelming majority of respondents ultimately acknowledged the presence of risks and most said they’re taking steps to address them, the data suggests it may not be enough.“

Clear and present danger
Given the macro landscape and daily news headlines, the survey responses are a clear reflection of the times. Participants identified data security (46%), economic uncertainty (38%) and emerging technologies, such as AI, (36%) as the top threats faced by their organizations from among an extensive list of possible hazards. Traditional threats like competition and a shortage of talent took 4^th and 5^th place. Geopolitical instability fell even further down the list to 7^th place.

AI is proving to be a double-edged sword for organizations. There have been numerous reports over recent months of bad actors adopting AI solutions to create more sophisticated and compelling ransomware attacks on organizations. It has additionally been recognized as a risk factor for businesses who fail to put proper guardrails in place to stop employees from breaching data privacy regulations through the inappropriate use of generative AI tools. Conversely, AI is also tipped to be one of the best solutions for businesses to fight back vs. hackers since its capabilities can be harnessed to automate the detection of, and response to, malicious activities.

Additionally, 87% of those surveyed admitted they had experienced a negative impact from risks, including reputational and financial harm. When asked which risks had resulted in actual damage to their organizations, data security was again highest, with 40% of respondents attesting to related damages. Economic uncertainty was the second most common risk to have affected organizations, with 36% having been hurt. Damages from competition came in third at 35% and emerging technologies, such as AI, at 33%.

The effects of data security breaches were underscored by the number of organizations who had been hit by ransomware attacks. A sizable majority (65%) said that over the past 2 years their organizations had been the victims of at least one successful ransomware attack in which hackers were able to infiltrate their systems. 26% of those who experienced a successful attack said they did not report it. Breaches that caused a failure to comply with regulatory requirements cost respondents’ organizations, on average, more than $336,000 in regulatory compliance fines during the last year.

Caught in the crosshairs
For many respondents, the level of risk is rising. More (54%) were likely to say risks to data security have increased rather than decreased (21%) over the last 12 months. Yet they may not fully appreciate their own vulnerabilities. This perception gap emerges in light of how organizations representing specific sectors assessed their risk vs. how their responses were scored via a risk rating scale.

Researchers assigned each respondent a “risk ranking” score based on their answers and what these revealed about their adherence to security best practices. While the public sector ranked as the most at-risk group, just 48% of those respondents rated themselves as being at risk. Similarly, only 52% of respondents from the energy, oil/gas and utilities sector viewed themselves at risk.

Most at-risk sectors		Most at-risk countries/regions
1	Public sector	1	UK
2	Energy, oil/gas and utilities	2	France
3	Media, leisure and entertainment	3	China
4	Construction and property	4	Singapore
5	Manufacturing and production	5	Japan
6	IT, technology and telecom	6	US
7	Business and professional services	7	Australia
8	Financial services	8	Nordics
9	Healthcare	9	DACH
10	Biopharma	10	India

Shoring up their defenses, but are they doing enough?
For organizations aiming to mitigate data security risks, many have increased their data protection budgets as much 30% over the last 12 months. The average data protection and security team size also grew by 21-22 staff members. 89% said staffing levels are at an adequate level for keeping their organizations secure.

Along with staffing additions, organizations are exploring other ways to fortify their defenses. Despite ranking AI and emerging technologies as a top risk, 68% are looking at AI and ML to boost security. Given AI’s dual nature as a force for both good and bad, the question going forward will be whether their organizations’ AI protection can evolve ahead of hackers’ AI attacks.

The research also appears to expose another chink in the armor with more than a third (38%) reporting that they have no data recovery plan in place or have only a partial plan. That presents cause for concern considering nearly half (48%) experienced data loss at least once in the past 2 years.

Waxman continued: “The caution is for organizations to avoid approaching their data security strategy with a false sense of confidence. The recent spate of high-profile data breaches has proven no organization is immune. If data is like gold dust, guard your treasure. Be prepared with a comprehensive cyber resiliency plan for protecting and recovering your data from edge to core to cloud. Rehearse the plan regularly and recalibrate as needed. Being forewarned is forearmed and by strengthening your data security posture, you can successfully navigate the risks.“

Research methodology
Veritas commissioned Vanson Bourne to survey 1,600 respondents in August and September 2023 across Australia, Brazil, China, the DACH region, France, India, Japan, the Nordics, Singapore, South Korea, the United Arab Emirates, the UK and USA. Respondents held executive or practitioner level positions in organizations of at least 1,000 employees from any sector.