Transformation projects exposed to hackers

75% admit they had increased risk tolerances to allow changes to their operating model (such as remote working) during the pandemic.

Digital transformation programmes could be vulnerable to cyber-attacks due to increased risk tolerances and ongoing cyber security challenges, according to new global research by NCC Group among 500 cyber security decision makers.

Some 75% admitted that they had increased their risk tolerances to allow changes to their operating model (such as remote working) during the pandemic. Simultaneously, organisations are struggling with security challenges that include balancing proactive security improvements with everyday operations, knowing which risks to prioritise, and digesting the volume and complexity of reports from third parties after a security assessment.

LEGACY SECURITY ISSUES
The research suggests that this ongoing cyber debt has negatively affected organisations’ security postures: 45% said that their transformation projects had inherited legacy security issues, with just 30% integrating cyber security into those programmes. If legacy systems remain connected to the internet or an organisation’s network, hackers can exploit vulnerabilities in them and use them to infiltrate other areas of the organisation.

After cutting cyber budgets and freezing recruitment of security staff during the pandemic, most organisations plan to increase spending to address their cyber debt. More than half (55%) said that they planned to increase security spending by 30% or more, while just 4% planned to decrease spending by the same amount. However, nearly 60% said that they will rely on internal scoring mechanisms to measure their cyber security posture, while less than a quarter have a structured security improvement plan in place for the next 12 months.

RISK TOLERANCE STEPPED UP
Ian Thomas, managing director for NCC Group Assurance UK & ROW, comments: “It’s clear that the pressures of the pandemic have forced organisations to increase their risk tolerance and temporarily cut spending on cyber security; it’s a double hit. In doing so, they have exposed themselves to legacy security issues, which could ultimately cost organisations more money by derailing vital transformation projects, if they do not repay this cyber debt.

“What is encouraging is to see organisations planning to increase security spending to address this debt. That said, it’s vital that these funds are invested as part of a strategic security improvement plan to ensure that legacy security issues are remediated effectively and to provide ongoing improvements to an organisation’s security posture.”