Additionally, more than one-third of respondents (38%) across all regions experienced unauthorised or improper resource, application or data access, with North American organisations (39%) significantly more likely than Europeans (26%) to have encountered related data exfiltration, anomalous or malicious traffic.
The Cybersecurity Resource Allocation and Efficacy (CRAE) Index, created by Cyberrisk Alliance (CRA) and underwritten by Pulse Secure, is a quarterly, time-series tracker that measures the overall focus and direction of North American and European organisations’ cyber security activities, spending, and perceived progress over time. Scores above 50 indicate a spending or efficacy increase and scores below 50 show a spending or efficacy decrease.
Compared to the previous quarter, overall resource allocation and spending on IT security rose (66.5 in Q2 compared to 66.7 in Q3). In contrast, overall efficacy dropped (75.8 in Q2 compared to 74.2 in Q3), indicating that the increased expenditure did not result in a higher perception of improved security results. In North America, spending remained flat between Q2 and Q3 (66.5), but with a greater allocation towards reactive versus proactive security allocation. In contrast, the European CRAE Index showed an increase in quarterly spending and allocation (68.4 in Q3 compared to 66.5 in Q2) that focused on more proactive measures, with a similar reduction in efficacy (dipping to 74.4 Q3 from 74.9 Q2). The score was higher (by 1.9 points) for Europe than for North America, possibly propelled by organisations advancing the European Union’s General Data Protection Regulation (GDPR) safeguards.
Healthcare resource allocation and spending growth accelerated in Q3 by 5.8 points to an index score of 69.6 points and the financial services and insurance industries concentrated on recovery, including developing/executing recovery plans and procedures, coordinating communications during recovery activities, and implementing improvements based on lessons learned. Respondents cited an increase in security efficacy response, which jumped 2.9 points, suggesting increased growing optimism about recovery plans and future improvements.
Manufacturing showed increased confidence in new strategies and regulations with the impact of working from home requirements due to the pandemic and many respondents indicating positive changes to improved security policies within their organisations. Even with such improvement, phishing and ID/credential theft was the top cyber security threat (52%), with internal compliance and audit events (45%) and endpoint and IoT threats (42%) rounding out the top three for manufacturing.
High Tech and Business Services spending dropped 3.8 points to 64.1, as did efficacy by 7.3 points to 72.4. Even though respondents noted increased attacks in number and scope, as well as increased sophistication and adaptability of adversaries, this industry sector saw slower growth in every sub-index category — indicating a softening resource expansion.
“This is a useful piece of cyber security research that gives IT and information security leaders directional insight into what is happening on the ground from a peer and industry perspective,” said Mike Riemer, chief security architect at Ivanti. “The findings highlight that organisations are furthering security investments in proactive technologies to address expanded threats due to increased remote workplace requirements, and that security practitioners need to further their focus on optimising processes and controls to turn the tide of efficacy confidence.”