European companies are investing too little in cybersecurity, according to a new report from the European Union Agency for Cybersecurity (ENISA).
The report showed that companies allocated just 0.4% more of their IT budget to cybersecurity in 2022 than in 2021, despite a 25% jump in the cost of major cyber incidents over the same period.
The findings come from a survey that asked 1,080 OES (Operators of Essential Services) and DSP (Digital Services Providers) from all 27 member states of the European Union about how they invest in cybersecurity and whether they’re following the rules under the NIS (Network and Information) Directive.
The NIS Directive is a critical piece of EU-wide legislation that sets common requirements for the cybersecurity of network and information systems. The goal of the legislation is to establish a comprehensive and collaborative approach to cybersecurity that protects both consumers and businesses and addresses evolving cybersecurity challenges.
A little under half of all organizations that took part in the survey said they don’t plan to hire information security FTEs (Full Time Equivalents) in the next 2 years, and one of the reasons is that they’re facing some hiring issues. For instance, 83% of the surveyed organizations said they had trouble recruiting people in at least one of the listed information security domains.
This, in turn, affects how vulnerabilities are managed and fixed. According to the report, only 28% of the organizations would take a week to fix critical asset vulnerabilities. More than half of the organizations in the transport sector need one month to fix critical vulnerabilities and 21% need between one and six months to do the same.
In response to the report, EU Agency for Cybersecurity Executive Director, Juhan Lepassaar, highlighted the need for continual skill development and investment to deal with the evolving cyber threat landscape.
“Allocating sufficient budgetary and human resources to cybersecurity is key to our success. Managing vulnerabilities is essential and must go hand-in-hand with ‘secure by design’ initiatives. In the meantime, we do need to continually invest in areas such as identifying, managing, and reporting vulnerabilities that can have an impact on the security of the whole Digital Single Market,” Lepassaar said.