The average company experiences two to three effective attacks per month


Three-quarters of security executives are confident in their ability to protect their company from cyberattacks, despite roughly one in three targeted attacks resulting in an actual security breach, which equates to two to three effective attacks per month for the average company, new research by Accenture has found.

Accenture surveyed 2,000 enterprise security practitioners representing companies with annual revenues of $1bn or more in 15 countries about their perceptions of cyber risks, the effectiveness of current security efforts and the adequacy of existing investments.

The survey found that for 51% of executives it takes months to detect sophisticated breaches while a third of all successful breaches are not discovered at all by the security team.

“Cyberattacks are a constant operational reality across every industry today and our survey reveals that catching criminal behaviour requires more than the best practices and perspectives of the past. There needs to be a fundamentally different approach to security protection starting with identifying and prioritising key company assets across the entire value chain,” said Kevin Richards, managing director at Accenture Security, North America. “It is also clear that the need for organisations to take a comprehensive end-to-end approach to digital security – one that integrates cyber defence deeply into the enterprise – has never been greater.”

Research findings further showed that most companies do not have effective technology in place to monitor for cyberattacks and are focused on risks and outcomes that have not kept pace with the threat.

Only 37% said they are confident in their ability to monitor for breaches and only 36% said the same about minimising disruptions.

If given extra budget, 44-54% of respondents would ‘double down’ on their current cybersecurity spending priorities, even though those investments have not significantly deterred regular and ongoing breaches, Accenture said.

These priorities include protecting the company’s reputation (54%), safeguarding company information (47%), and protecting customer data (44%). Far fewer companies would invest the extra funds in efforts that would directly affect their bottom line, such as mitigating against financial losses (28%) or investing in cybersecurity training (17%).