A compliance mindset and collaboration are key to dealing with a surge in cyber crime. Here’s what risk managers need to know.

Global cybersecurity threats are increasing in volume and severity, with malware, ransomware and phishing all on the rise.

For instance, the number of companies experiencing ransomware attacks surged by over 27% in the past year, according to the 2024 Thales Data Threat Report.

Despite this escalating threat, fewer than half of organisations have a formal ransomware plan in place, with 8% resorting to paying the ransom demands.

The research, which surveys nearly 3,000 IT and security professionals in 18 countries across 37 industries, found that malware stands out as the fastest-growing threat of 2024, with 41% of enterprises experiencing an attack of this kind.

Cloud assets, including SaaS applications, cloud-based storage, and cloud infrastructure management, were the primary targets for such attacks.

What does it mean for risk managers?

The report showed that for a second year running, human error remains the leading cause of data breaches, with 31% of enterprises pinpointing this as the root cause.

However, there is evidence that poor compliance is also a key cause of breaches.

The research found that over two-fifths (43%) of enterprises failed a compliance audit in the past twelve months – with the report highlighting a very clear correlation between compliance and data security.

Of those that failed a compliance audit in the past twelve months, 31% had experienced a breach that very same year. This compares to just 3% of those who had passed compliance audits.

Furthermore, only a third (33%) of organisations say they are able to fully classify all of their data, with a worrying 16% stating that they classify very little or none of it.

Chris Harris, EMEA technical associate vice president, data security products at Thales, said: “In a complex threat landscape, it’s more important than ever for businesses to know exactly what they’re trying to protect, and this is also key to staying compliant with frequently changing regulatory requirements.

“The key takeaway for business leaders and risk managers here is to adopt a compliance-first mindset. As part of this, they may want to consider bringing their compliance and security functions together. This would represent a big step forward in strengthening their cyber defences and building trust with their customers.”

How to mitigate the risks

The research identified the biggest cause of data breaches as human error, so this should be one of the first areas for organisations to address.

Enterprises should design processes and technology around people, and take a realistic view of human vulnerabilities instead of simply blaming them for poor security practices.

However, even if all reasonable protective measures are taken, cybercriminals are creative and the threat of ransomware will remain.

The research revealed that less than 50% of respondents across all verticals and company sizes have a formal ransomware plan, so companies need to be much more prepared in terms of how they would respond to an attack.

Harris said: “Ransomware response is a coordinated responsibility with legal implications, but regular stress-testing of the plan will highlight any addressable gaps in controls or procedures.

“A wider ambition should be to increase stakeholder buy-in by communicating the positive business impact that proactive security has for developers, auditors, users, lines of business and customers. A more collaborative approach will ensure greater alignment and allow enterprises to better defend against global threats to data.”

Looking ahead: Emerging technology poses both threats and opportunities

The report also explored which emerging technologies are top-of-mind for IT and security professionals, with 57% identifying Artificial Intelligence (AI) as a huge source of concern. This was closely followed by IoT (55%) and Post Quantum Cryptography (45%).

That said, enterprises are also looking at the opportunities that emerging technologies bring, with over a fifth (22%) planning to integrate Generative AI into their security products and services in the next 12 months, and a third (33%) planning to experiment with integrating the technology.