Nearly 40 years after the first PC rolled off the production line, the hope is that companies would have a firm grip on information security issues. Yet our new Risk:Value Report shows there is still a lot of work to do. It crystallizes in one shocking statistic: one third of global decision makers believe their organization would rather pay a hacker’s ransom than invest in information security.

A further 16% stated that they didn’t know, meaning only half of all respondents would prefer to invest in IT security over taking a reactive approach! The findings are particularly concerning, given the growth in ransomware as identified in our latest Global Threat Intelligence Report (GTIR). According to the GTIR, ransomware attacks surged by a massive 350% in 2017.

This wait-and-see attitude towards security investment is of particular concern after incidents such as WannaCry and Petya. First, it shows that many companies are still prepared to take a short-term, reactive approach to security to drive down costs, rather than adopting a longer-term, strategic and preventative approach.

Second, there is no guarantee that cyber criminals will honour any ransom that a company pays, and it also serves to feed a damaging criminal enterprise.

Finally, with many ransomware players demanding payment in cryptocurrency, companies that do decide to pay the ransom could render themselves vulnerable to wild swings in asset value.

Levels of confidence about being vulnerable to attack also seem to be unrealistic according to our report, with around half of respondents claiming their organization has not been affected by a data breach. More worrying is the 12% globally who are not even sure.

The research also found that, year on year, companies are still failing when it comes to communicating information security policies. Over half (57%) claim to have a policy in place, just 1% up from last year, while 26% are working on one. And, although 81% of respondents with a policy in place say it is actively communicated internally, just 39% admit employees are fully aware of it.

Comparing this year’s figures to 2017, it appears organizations are also failing to progress their incident response plans. Just 49% say they have implemented a plan, with a further 30% in the process, a change from 48% and 31% respectively in 2017. This suggests that just 1% have finished a response plan since last year.

We are however encouraged that organizations are looking to work with third party security providers to support them in their efforts when it comes to security. Only 1% of respondents currently use a third-party managed security services provider but 37% plan to.

Companies have found it more efficient and cost effective to partner with security specialists like NTT Security to assess their third party risk exposure, develop a sustainable security program and continuously monitor their IT estate for targeted threats.

To learn more about the cybersecurity stance of global business decision makers, download our Risk:Value report at