Research shows that attacks on businesses are growing in sophistication, putting immense pressure on the security professionals tasked with keeping work – and employees – protected.

By Heino Gevers, senior director: customer support at Mimecast

Based on research conducted by Mimecast in 2022, 77% of global cybersecurity leaders said the number of attacks against their company has grown or remained constant over the past year. Among South African companies, 41% reported a loss in revenue due to a successful ransomware attack, while 39% experienced significant downtime in the wake of a ransomware attack.


Attacks pushing security professionals to breaking point

The unrelenting volume of cyberattacks is putting immense pressure on the security professionals tasked with protecting organisations, which has severe consequences for their mental health.

Mimecast research found that more than half of South African cybersecurity decision-makers find their job is becoming more stressful every year. Nearly six in ten (58%) also said ransomware attacks have had a negative impact on their mental health.

Unsurprisingly, 22% of South African cybersecurity decision-makers are considering leaving their roles in the next two years due to stress and burnout.

There is also growing recognition at executive and board level that cyber risk is business risk, further exacerbating the pressure on security teams.

Recent qualitative research conducted by Mimecast, which sourced insight from 78 business leaders across 12 countries, found widespread concern over the impact of phishing and poor employee cyber hygiene. The C-level respondents highlighted the importance of implementing a layered security strategy, supported by a security culture that permeates every level of the organisation.


Cybersecurity budgets remain contentious

The ongoing digitalisation of organisations’ business processes is creating a far greater attack surface for criminals to exploit potential vulnerabilities. In fact, the World Economic Forum recently listed cyber risks among its top ten global long-term concerns, ahead of environmental damage and geo-economic confrontation.

Developing suitable defences against cyber threats requires a company-wide effort, but understanding of cyber risk at a board level is often lacking. Mimecast’s Behind the Screens report shows that many CISOs cite knowledge gaps within their boards, putting them at a disadvantage when attempting to prove ROI for cybersecurity efforts.

This is especially important in light of the near-universal calls for greater budget allocations to fund cybersecurity initiatives. South African respondents in Mimecast’s State of Email Security 2023 report cited underfunding of 13.5%, the highest rate of all countries surveyed.

Qualitative data supports this. Most global security leaders who formed part of Mimecast’s Behind the Screens report said they need a budget increase of 10% to 20%.


Close gap between cyber and business risk to unlock budget

Cybersecurity decision-makers wishing to unlock additional budget to fund cyber defences should take care to establish the close link between cyber risk and business risk. Based on insights from global security leaders, the following could help security professionals have higher-value board-level discussions about the organisation’s cyber defences:

  • Avoid jargon when explaining the mid- to long-term risks presented by cyber threats.
  • Link cyber threats to business outcomes by focusing on why the organisation suffered a cyberattack, for example due to an over-reliance on single security providers.
  • Align cyber risk with business risk to ensure cybersecurity is understood within the broader business.
  • Avoid perpetual crises by being tactical about how cyber risks are framed in board discussions. This will help board members adequately quantify cyber risks without having to be in a post-breach crisis mode.

Additionally, it’s important that leaders make mental health a priority in their organisation by ensuring it’s a regular topic of conversation and that there are dedicated programmes to avoid stress and burnout. People who are stressed are more likely to make mistakes which could leave the individual – and in turn the entire business – vulnerable to a cyberattack.

Cyberattacks will continue to grow in sophistication and scale, posing immense challenges to organisations and the security teams that keep their systems, data and employees protected. And with many security professionals suffering from burnout and stress, organisations need to make smart strategic decisions over their security posture.

By prioritising cybersecurity at a board level and allocating sufficient resources to cyber defences, organisations can close the security gap and protect their own systems and data as well as safeguard the defenders that keep the rest of the organisation safe.