European Businesses Anticipate More Cybersecurity Attacks, But Feel Unprepared for Them
New Cloudflare study reveals that 64% of business leaders expect a cybersecurity incident in the next 12 months, but only 29% feel highly prepared to defend against them
This Press Release is also available in Deutsch, Français, and Nederlands.
London, UK, June 18, 2024 — Cloudflare, Inc. (NYSE: NET), the leading connectivity cloud company, today released a new study focused on cybersecurity in Europe. The report, called “Shielding the Future: Europe's Cyber Threat Landscape Report” shares the latest data on how organisations are coping with rising volumes of cybersecurity incidents, their levels of preparedness, and top challenges.
These new findings reveal an ongoing concern around growing cybersecurity threats and a feeling of unpreparedness among European businesses.
Cybersecurity attacks are increasing in volume and frequency
The survey, which was conducted with more than 4,000 business and technology leaders across 13 European markets (Benelux, CEER, DACH, Nordics, Southern Europe, UK), found that 40% of organisations experienced a cybersecurity incident in the last 12 months.
Of those that suffered such an event, 84% report that the frequency of these events has increased over the same period, with almost one in five (16%) suffering a cybersecurity attack every 6-11 days. Meanwhile, 62% say that attacker dwell time has also increased in the same time period.
Looking ahead, two-thirds (66%) of respondents believe that they will see even more attacks within the next year and a significant 64% say that they expect to suffer a cybersecurity incident within the next 12 months.
Majority of organisations unprepared for cybersecurity threats
Concerningly, despite the increasing volume and frequency of these attacks, only 29% of respondents say they are highly prepared for cybersecurity incidents in the future.
Additionally , industries that had experienced fewer attacks were also among those least prepared. Just 28% of those working in healthcare and 31% of those working in education claimed to have suffered an attack in the last 12 months. For those same industries, the perceived level of preparedness for an incident in the future was low – just 18% and 19%, respectively.
The reverse is true for those in the IT & technology industry. With almost half (49%) being attacked in the last year, however, organisations in this field are seemingly on their guard. Over a third (35%) of respondents from this sector say they are highly prepared for an attack, making it the industry most confident in its ability to deal with an incident, followed by companies in financial services and retail (32% and 31% respectively).
When looking at organisational size, the lack of preparation by smaller businesses is a particular concern, with only a quarter (25%) claiming to be highly prepared. Medium-sized and large businesses do not fare much better though, with only 27% and 32%, respectively, claiming high levels of preparedness.
The cost of a breach is more than financial
For those businesses impacted by a cybersecurity breach, more than a third of respondents (39%) say that the most significant effect remains financial. More than one in five (22%) claim to have lost revenue following an incident. In addition, 23% have suffered increased insurance premiums, 22% have paid fines, and another 23% have experienced legal action. A further one in five (19%) have been forced to lay off members of the team due to the financial losses experienced in the aftermath of an incident.
Looking at the numbers more closely, almost two-fifths (38%) of respondents say that the financial impact of the incidents they suffered cost between GBP 788,000 ($1M) and GBP 1.576 million ($2M), while a quarter (25%) estimated the loss to be GBP 1.576 million ($2M) or more.
A further 17% said that reputational damage was the most significant effect. Additionally, 31% put growth plans on hold in the aftermath of an incident, while over a quarter (28%) have temporarily suspended business operations.
Businesses aim to simplify and modernise solutions in the face of diverse threats
It’s unsurprising that financial gain was at the heart of many attacks (48%) across the European countries surveyed. However, survey respondents also believe that the threats they have experienced have a much wider range of objectives.
The majority (53%) of those impacted by an incident in the last 12 months say that the main purpose was to plant spyware. And almost half (48%) of those surveyed say that ransomware plants were the main purpose for the attack.
When it comes to the most commonly experienced attack vectors, these too are diverse. Phishing tops the list, with almost three in five (59%) respondents claiming to have seen this approach. That’s closely followed by web attacks (58%) and DDoS attacks (37%). Also prevalent were stolen credentials and business email compromise, with almost a third (32%) having experienced these.
When it comes to tackling these issues, onboarding more products seems to be the go-to response. In fact, nearly half (49%) have more than 11 different products and solutions. The vast majority (72%) believe that this complexity is having a negative impact on their effectiveness, and yet two-thirds (67%) expect the number of tools they adopt to increase in the next 12 months.
Notably, the three most pressing challenges cybersecurity decision makers and leaders face are: consolidating and simplifying cybersecurity estate (48%); modernising applications used by organisation (47%); and modernising networks operated by organisation (42%).
Further education on Zero Trust is required for maximum impact
Respondents report three clear problems in the existing architectures they work with: applications and data stored in the public cloud; limited oversight over IT supply chains; and over-reliance on VPNs to protect applications (with each factor mentioned by 34% of respondents).
Given these problems, it is unsurprising that securing a hybrid workforce is a top priority, coming in the top three for more than a third (36%) of our respondents.
Worryingly, for many organisations, deployment of countermeasures is a long way behind, and in some cases not yet started. Despite widespread recognition of its ability to protect hybrid or remote workers, when looking at deployment of Zero Trust network access, just 25% of respondents say this solution is fully deployed and over half (58%) say that Zero Trust adoption is still in its early stages.
While two-fifths (44%) say they are optimistic about the ability of Zero Trust to consolidate technology upgrades, our respondents also indicated a lack of faith in their leadership teams’ knowledge of the tool. In fact, the majority (86%) believe their leadership does not fully understand it, while nearly one in five (16%) say their leadership has either partial or no real understanding. According to 42% of those surveyed, this lack of understanding is the single biggest barrier to adoption.
Despite increased budgets, funding, talent, and training remain challenges
With business leaders anticipating more cybersecurity incidents, it’s positive to see that 54% of respondents expect their IT budget for cybersecurity to increase in the next year.
A quarter (25%) of business and IT leaders expect cybersecurity to make up at least 20% of their organisations' IT spend in the year ahead. And of those expecting a budgetary increase, two thirds (66%) anticipate a rise of more than 10%.
For the majority, protecting their networks remains the number one investment area, with nearly 24% of the budget allocated to this pillar on average. Despite being the area where respondents see a significant lack of preparedness, devices are set to receive the second lowest allocation of budget share.
In terms of how this budget allocation is decided, the top two determinants were the number of incidents experienced (34%) and the cost of dealing with them (20%), revealing that most organisations appear to remain reactive in their funding allocation decisions.
Funding remains the top concern for 46% of our respondents. However, other concerns, such as a lack of talent (41%) as well as the evolving business requirements and user needs (30%) also keep business and tech leaders awake at night.
Interestingly, despite the increasing volume of attacks, a quarter (25%) cite a lack of buy-in from leadership as a key challenge. With less than a quarter (23%) having not undertaken leadership or general employee training, it is therefore unsurprising that 21% of business and IT leaders rate their organisations' cybersecurity culture as weak or neutral.
“Organisations across Europe are managing an increasingly complex cybersecurity landscape, all while ensuring operational efficiency, regulatory compliance, and uninterrupted productivity. With incidents on the rise in both volume and frequency, this balancing act becomes even more challenging, leaving leaders with a sense of diminishing control over their organisations’ technological and security frameworks,” said Andy Lockhart, Head of EMEA at Cloudflare. “This significant challenge requires innovative solutions capable of integrating diverse technological components into a cohesive and agile framework. The age of siloed legacy infrastructures is giving way to a new model of "any-to-any" cloud platforms, creating catalysts for innovation and growth. By concentrating on strategic integration any-to-any cloud platforms empower leaders to transform technological challenges into competitive advantages. Adopting this approach will help shape a future where connectivity and innovation are at the heart of business success, opening the door to unlimited possibilities,” adds Lockhart.
To find out more about the Europe Cyber Threat Landscape Report, please check out:
Survey Methodology
This survey was conducted by Sandpiper Communications, on behalf of Cloudflare across a total of 4,261 leaders responsible for cybersecurity in small (150 to 999 employees), medium (1,000 to 2,499 employees), and large (more than 2,500 employees) organizations. Respondents were drawn from a wide range of industries: Business & Professional Services; Construction & Real Estate; Education; Energy, Utilities & Natural Resources; Financial Services; Gaming; Government; Healthcare; IT & Technology; Manufacturing; Media & Telecoms; Retail; Transport; Travel and Tourism & Hospitality. Respondents were based in 13 markets across Europe: Belgium, Czech Republic, Denmark, France, Germany, Italy, Netherlands, Norway, Poland, Spain, Sweden, Switzerland, and the United Kingdom (n=207 to 432 per country), and were surveyed online and recruited via general business panels. The survey was aimed at building a better understanding of the threat landscape facing Chief Information Security Officers (CISOs) and their teams across Europe, unearthing valuable insights and trends, and gauging responses and outcomes. The survey was conducted in March 2024.
About Cloudflare
Cloudflare, Inc. (NYSE: NET) is the leading connectivity cloud company on a mission to help build a better Internet. It empowers organizations to make their employees, applications and networks faster and more secure everywhere, while reducing complexity and cost. Cloudflare’s connectivity cloud delivers the most full-featured, unified platform of cloud-native products and developer tools, so any organization can gain the control they need to work, develop, and accelerate their business.
Powered by one of the world’s largest and most interconnected networks, Cloudflare blocks billions of threats online for its customers every day. It is trusted by millions of organizations – from the largest brands to entrepreneurs and small businesses to nonprofits, humanitarian groups, and governments across the globe.
Learn more about Cloudflare’s connectivity cloud at cloudflare.com/connectivity-cloud. Learn more about the latest Internet trends and insights at radar.cloudflare.com.
Follow us: Blog | X | LinkedIn | Facebook | Instagram
Forward-Looking Statements
This press release contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, which statements involve substantial risks and uncertainties. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expect,” “explore,” “plan,” “anticipate,” “could,” “intend,” “target,” “project,” “contemplate,” “believe,” “estimate,” “predict,” “potential,” or “continue,” or the negative of these words, or other similar terms or expressions that concern Cloudflare’s expectations, strategy, plans, or intentions. However, not all forward-looking statements contain these identifying words. Forward-looking statements expressed or implied in this press release include, but are not limited to, statements regarding Cloudflare’s plans and objectives, Cloudflare’s global network, and Cloudflare’s products and technology, Cloudflare’s technological development, future operations, growth, initiatives, or strategies, and comments made by Cloudflare’s Head of EMEA, and others. Actual results could differ materially from those stated or implied in forward-looking statements due to a number of factors, including but not limited to, risks detailed in Cloudflare’s filings with the Securities and Exchange Commission (SEC), including Cloudflare’s Quarterly Report on Form 10-Q filed on May 2, 2024, as well as other filings that Cloudflare may make from time to time with the SEC.
The forward-looking statements made in this press release relate only to events as of the date on which the statements are made. Cloudflare undertakes no obligation to update any forward-looking statements made in this press release to reflect events or circumstances after the date of this press release or to reflect new information or the occurrence of unanticipated events, except as required by law. Cloudflare may not actually achieve the plans, intentions, or expectations disclosed in Cloudflare’s forward-looking statements, and you should not place undue reliance on Cloudflare’s forward-looking statements.
© 2024 Cloudflare, Inc. All rights reserved. Cloudflare, the Cloudflare logo, and other Cloudflare marks are trademarks and/or registered trademarks of Cloudflare, Inc. in the U.S. and other jurisdictions. All other marks and names referenced herein may be trademarks of their respective owners.