5 causes of cyber inequity and the systemic risk it creates

According to the World Economic Forum, the distance between organizations that are cyber-resilient enough to thrive and those fighting to survive is widening at an alarming rate.

The 2024 Global Cybersecurity Outlook, published this month in collaboration with Accenture, found that the number of organizations that maintain a healthy baseline of cyber capability commensurate with their operational resilience requirements shrank 31% over the past two years. Eleven percent more of those organizations reported insufficient cyber resilience than two years ago.

Insufficient cyber resilience is particularly pronounced and worsening among small organizations and those in less-developed regions.

The smallest organizations by annual revenue (less than or equal to $250 million per year) and the smallest organizations by number of employees (less than or equal to 250 employees) are more than twice as likely than the largest organizations (generating at least $5.1 billion per year and with 100,000 staff or more) to say their cyber resilience does not meet their critical operational resilience requirements. Insufficient cyber resilience has also risen a troubling 32% since 2022 for smaller revenue organizations but has held steady for the largest organizations over the same two-year period.

Perhaps unsurprisingly, cyber disparity also mirrors uneven economic development across regions. For example, according to the 2024 report, South America and Africa had the highest number of organizations that reported insufficient cyber capability, while North America and Europe reported the lowest.

Although it’s encouraging that some organizations are coming up the capability curve, the least capable organizations – many of which are their ecosystem and supply chain partners – are falling further behind and becoming perpetually unable to keep up with the leading organizations. As a result, the downside risk for everyone outweighs the benefit for a few.

In fact, the 2024 Global Cybersecurity Outlook found that 41% of organizations that experienced a material impact from a cyber incident in the past 12 months said a third party caused it. Moreover, 54% of organizations don’t sufficiently understand cyber vulnerability in their supply chain. Even 64% of executives who believe their organization is baseline cyber resilient believe they still have an inadequate understanding of their supply chain cyber vulnerabilities.

The disparity will likely accelerate in the coming years as small differences between organizational capabilities continue to create a bigger divide over time and new technology quickly redefines the threat and defensive landscape. Business and cyber executives agree. For example, 56% of leaders surveyed for the 2024 outlook said that generative AI will advantage attackers over defenders in the next two years.

How did we get here? Five big factors, among others, continue to separate the leading and the lagging organizations.

For organizations that do not make cyber capability a business priority, it becomes a foundational issue that pervades decision-making on most aspects of the organization’s cyber programme and widely hamstrings the organization’s operations and strategy.

Such organizations include those that do not integrate it into the business’s everyday work, infuse it into corporate culture or consistently invest accordingly. The 2024 Global Cybersecurity Outlook reports that 78% of organizations confident in their cyber resilience integrate cyber into their enterprise risk management and 93% trust their CEO to speak externally about their cyber risk.

Many organizations prioritizing cyber in their business learned to do so the hard way after being targeted heavily or publicly suffering a significant incident.

Aerospace, defence, banking and high tech were a few of the earliest, most impacted sectors and continue to be heavily targeted. Attack trends have since spread to all industries, however, and according to the 2024 outlook, 29% of organizations were materially impacted by a cyber incident in the past 12 months.

Industry regulation of cyber security and data privacy requirements often raises the overall baseline capability among its member organizations. Whether out of concern for human safety like healthcare, national security like high tech and defence, or to protect a critical global system like financial services, regulation is slowly but surely working to raise the standard of practice.

Sixty percent of executives participating in the 2024 Global Cybersecurity Outlook agree that cyber and privacy regulations effectively reduce risk in their organization’s ecosystem, up 21% since 2022.

Although some amount of geo-economic stratification is expected and creates healthy tension, the grade of our current global trajectory is more harmful than healthy. First, consider that although spending on information technology globally grew approximately 5.5%, global spending on cyber security and risk management far outpaced it, growing approximately 14%.

Now consider that although 63% of the world’s population is connected to the internet, that figure is 27% for least-developed countries. This disparity only partly indicates that the geographic divide has to do with more than just healthy market forces and will worsen exponentially in the coming years.

Regardless of geography, many organizations can’t afford the rising cost of access to adequate cybersecurity capability. That includes the cost of procuring and maintaining tools and services and competing for the right talent.

While already acknowledging small organizations and those in the least-developed countries are disproportionately affected by cyber inequity, it’s also relevant that, globally, only 22% of organizations say that they have the talent and skills they need to meet their cyber objectives. Such demand creates high-intensity competition that the largest, most affluent organizations will dominate. This shortage in capacity is sometimes called the “cyber poverty line.”

The good news is that executives are beginning to recognize cyber disparity and its collective impact and are beginning to collaborate to address it. Ninety percent of the 120 public and private sector executives surveyed at the Forum’s Annual Meeting on Cybersecurity said that urgent action is required to address this growing cyber inequity.

It’s not just talk. There is growing cooperation among the public and private sectors to uplift organizations that do not have the resources to achieve the necessary cyber resilience. The European Union’s Cyber Resilience Act and the US Cybersecurity Infrastructure and Security Agency’s Secure by Design, Secure by Default campaign are notable examples of collective efforts.

In the end, however, it’s down to executives and their organizations to take action, work with private and public sectors to reinforce cyber resiliency and secure its ecosystem from vulnerability, without which an organization can never truly be secure.