
Organisations could pay the price as heightened risk tolerances expose transformation projects to hackers

21 October 2021

New research from NCC Group suggests that companies have struggled to pay off cyber debts accrued during the pandemic.

Digital transformation programmes could be vulnerable to cyber attacks due to increased risk tolerances and ongoing cyber security challenges, according to new global research of 500 cyber security decision makers by NCC Group.

Seventy-six per cent admitted that they had increased their risk tolerances to allow changes to their operating model (such as remote working) during the pandemic. Simultaneously, organisations are struggling with security challenges that include balancing proactive security improvements with everyday operations, knowing which risks to prioritise and digesting the volume and complexity of reports from third parties after a security assessment.

The research suggests that this ongoing cyber debt has negatively affected organisations’ security postures: forty-five per cent said that their transformation projects had inherited legacy security issues, with just thirty per cent integrating cyber security into those programmes. If legacy systems remain connected to the internet or an organisation’s network, hackers can exploit vulnerabilities in them and use them to infiltrate other areas of the organisation.

After cutting cyber budgets and freezing recruitment of security staff during the pandemic, most organisations plan to increase spending to address their cyber debt. More than half (55%) said that they planned to increase security spending by thirty per cent or more, while just four per cent planned to decrease spending by the same amount.

However, nearly sixty per cent said that they will rely on internal scoring mechanisms to measure their cyber security posture, while less than a quarter have a structured security improvement plan in place for the next 12 months.

Ian Thomas, Managing Director for NCC Group Assurance UK & ROW, said: “It’s clear that the pressures of the pandemic have forced organisations to increase their risk tolerance and temporarily cut spending on cyber security; it’s a double hit. In doing so, they have exposed themselves to legacy security issues, which could ultimately cost organisations more money by derailing vital transformation projects if they do not repay this cyber debt.

“What is encouraging is to see organisations planning to increase security spending to address this debt. That said, it’s vital that these funds are invested as part of a strategic security improvement plan to ensure that legacy security issues are remediated effectively and to provide ongoing improvements to an organisation’s security posture.” 

Note to editors


This research questioned 500 senior IT security decision makers, directors and senior managers in five countries (United Kingdom, Germany, Denmark, Netherlands and the United States) who work in a range of industries including financial services, telecoms and technology, local, regional and state Government and higher education.

Market Research Report

You can read the research report in full here