2023 GLOBAL REVIEW
DATA RISK MANAGEMENT
The State of the Market— Cyber to Compliance
Organizations and their employees need to balance data risk with their roles and responsibilities every day. The ability to manage risk is a foundation of a successful and growing organization. Emerging risks and risk perceptions can have a profound impact—for some organizations, they can be too much.
We interviewed 1,600 executives and IT practitioners from multiple regions and industries.
Explore the global report summary.
Discover the greatest risks organizations experience today and how this translates into action.
Data security is the standout risk among a litany of threats.
When asked to identify the greatest risks, respondents were most likely to rank data security among the top three, followed by risks from economic uncertainty and emerging technologies like AI.
Data Security
Economic Uncertainty
Emerging Technologies
Data security is under constant, and unprecedented, threat levels.
Risk is on the rise.
Over the last 12 months across all types of risk:
54%
say the level of risk has increased.
21%
say the level of risk has decreased.
93%
of executives report actual damage, such as financial and reputational, from the risks they face.
Executives are more likely to be involved in key conversations about operations and may have a more accurate view.
82%
of practioners report actual damage, such as financial and reputational, from the risks they face.
Practitioners are less likely to be involved in key conversations about operations and may have a less accurate view.
72%
of executives report their organization experienced a successful ransomware attack in which an attacker gained access to the system.
Senior leaders may be limiting transparency to avoid widespread panic.
57%
of practitioners report their organization experienced a successful ransomware attack in which an attacker gained access to the system.
Senior leaders may be limiting transparency to avoid widespread panic.
Perhaps more concerning is that 26% report they’ve experienced an attack, but haven’t reported it publicly.
Ransomware attacks are not the only type of cyberattack.
Data loss events are happening across organizations’ infrastructure.
Digitally focused organizations distribute data across multiple environments. The pandemic provided the torchlight for many organizations to accelerate their uptake in cloud services.
Attackers are constantly probing systems for weaknesses. For them, data is gold.
Data security and data compliance are undeniably intertwined.
With increased focus on risks from data security, leaders must ensure that they don’t lose sight of regulatory requirements and remain compliant. Staying compliant ensures organizations not only avoid relevant fines, but also protects the brand reputation.
$336,219
Average fine levied on organizations that have failed to meet compliance regulations.
$450,924
Average fine levied on organizations in EMEA that have failed to meet compliance regulations.
$321,806
Average fine levied on organizations in APAC that have failed to meet compliance regulations.
$180,087
Average fine levied on organizations in the Americas that have failed to meet compliance regulations.
What are organizations doing to address increasing risks?
Organizations have responded by increasing data protection budgets and staffing.
Average budget increase for all environments measured.
(on-premises, private cloud, public cloud)
21–22 People
Average staffing increase for data protection and data security teams.
68%
Adoption of
AI/ML
Harnessing the benefits of AI.
Organizations are looking at more ways to boost their defenses. Key among these is the implementation of AI and/or machine learning. AI—no doubt the current buzzword—has the potential to improve efficiencies and help security teams.
It’s important to note that emerging technologies such as AI also bring new threats. However, one of AI’s anticipated benefits is reducing data security risk.
Recovery plans and rehearsals are crucial.
The greater the preparation, the faster an organization and its employees can react during a security incident.
A well-defined recovery plan can go a long way to minimize damage. Having an incomplete plan risks wasting crucial time in such an event.
of respondents have a data recovery plan in place.
of respondents say it’s only a partial plan.
5–6 weeks
Average frequency of automated recovery rehearsals.
Organizations currently perform automatic rehearsal and manual recovery exercises on their data and critical applications only every five to six weeks, on average.
These exercises must be done on a more regular basis to ensure quick recovery from data security threats, no matter how data or process has changed.
Most organizations underestimate the task ahead.
When presented with the different risk categories, both executives and practitioners admit that their organizations are perhaps more at risk than they initially thought.
Overall risk:
About half considered their organization to be currently at risk.
Individual risk factors:
Nearly all indicated that their organization experiences risk.
Industry is also a factor.
Different industries have different perspectives on being "at risk."
78%
Media, Leisure, & Entertainment
77%
Biopharma
62%
Manufacturing & Production
62%
Healthcare
For some organizations, the level of risk will be too much.
15%
of organizations say the level of risk will put them out of business within the next 12 months.
This is highest among...
Organizations in EMEA
20%
Organizations with 3,000+ Employees
17%
Job Roles in Financial Operations
32%
So what does it all mean?
In a world where organizations face different threats every day, it’s not just those that are willing to take business risks that will succeed. It’s those who most effectively minimize threats that will be the best positioned to survive and thrive.
