Cybersecurity awareness increases, but critical gaps remain

Cybersecurity has never ranked higher on the agenda of Belgian companies. Yet despite increased efforts, the findings show that there is still a long road ahead. A new study by the Cyber Security Coalition and KPMG reveals that growing awareness does not always translate into decisive action.

Late last year, the Belgian Cyber Security Coalition, in collaboration with KPMG, published a study based on a survey of nearly 270 companies. The large-scale research examined how organizations across the country approach cybersecurity. The findings were both encouraging and sobering.

“The positive development is that awareness has truly taken hold,” says Jan De Blauwe, Chair of the Coalition. “Businesses recognize that incidents are a reality and that regulations apply. Yet responses to these risks still vary greatly in terms of maturity and agility.”

“Cybersecurity is very much on the agenda, particularly as threat levels increase,” explains Benoît Watteyne, Partner for Cybersecurity Services at KPMG. “Geopolitical tensions are accelerating this trend, and digital transformation is creating more opportunities for attacks. On top of that, AI is making cybercriminals faster and more effective.

De Blauwe points to significant differences among respondents. “Some companies are investing heavily in cybersecurity. A quarter allocate 10 percent or more of their IT budget, which is a healthy level. On the other hand, a large group remains far below that benchmark. Nearly a quarter have no cybersecurity budget at all, while another quarter spend only five percent or less.”

“There are clear differences between sectors,” Watteyne continues. “Financial institutions and pharmaceutical companies have been subject to strict requirements for years and therefore invest more heavily. Small and medium-sized enterprises remain the biggest concern, even as customers and partners raise their cybersecurity expectations.”

One possible explanation identified by the study is so-called cyber fatigue. “We are seeing signs of exhaustion, resistance, and even a lack of motivation around cybersecurity,” says Watteyne. “In some cases, people are worn down by a constant stream of campaigns and initiatives, making them less attentive to what truly matters. In the past, we may also have been too naive in assuming that cybersecurity was a one-time investment.”

De Blauwe and Watteyne stress the importance of clearly defining ownership of cybersecurity within the organization. “Identify which decisions tend to fall through the cracks and assign a clear owner. Do not become paralyzed by dashboards and assessments either. They often reveal so many vulnerabilities that organizations lose sight of what truly matters. This can result in indifference or a lack of prioritization. Turn measurement into a decision point: determine which KPIs matter most and take action where the risks are highest.”

“Cybersecurity is too big a task for one person alone,” says Watteyne. “That is why organizations need to build broad internal support to translate policy into practice. Investing in people is essential, but launching a training program does not mean everyone will automatically participate. Management backing is crucial. A signal of encouragement from the CEO can make a real difference for the entire organization.”

“Think of cybersecurity as a business enabler,” Watteyne explains. “Show your colleagues how achieving specific certifications can attract more opportunities. When faced with a report full of recommendations, start with manageable, concrete actions instead of attempting to fix everything at once. These quick wins help build momentum and prove that progress is being made.”

De Blauwe agrees. “Aim high, start small, and move fast. Cybersecurity is more than an IT issue; it’s a strategic risk. That is why organizations should appoint an ambassador outside IT to communicate the message internally. Collaboration is also important. Through the Coalition, we aim to share knowledge among cybersecurity experts across companies so that everyone can learn from each other.”

The Cyber Security Coalition and KPMG surveyed nearly 270 Belgian organizations about their approach to cybersecurity. The research paints a picture of evolving threats and highlights the risks of AI, deepfakes, and disinformation. The report stems from the structural collaboration between both organizations and serves as a starting point to make Belgian companies even more secure.

This article was created in collaboration with De Tijd and L'Echo.