Path to cyber resilience

by Mark Rowe

Organisations are more confident than ever that they can predict and resist a sophisticated cyber attack. But they are falling short on investments and plans to recover from a breach. This is according to an annual Global Information Security Survey (GISS), titled Path to cyber resilience: Sense, resist, react, from the audit firm EY.

Now in its 19th year, the survey of 1,735 organisations globally examines some cybersecurity issues. Findings showed that half (50pc) of those surveyed said they could detect a sophisticated cyber attack – the highest level of confidence since 2013 – due to investments in cyber threat intelligence to predict what they can expect from an attack, continuous monitoring mechanisms, security operations centres (SOCs) and active defense mechanisms.

However, despite these investments, 86pc of those surveyed say their cybersecurity function does not fully meet their organisation’s needs.

Nearly two-thirds (64pc) of those surveyed do not have formal threat intelligence, or have only informal. As for identifying vulnerabilities, more than half (55pc) do not have vulnerability identification capabilities or only have informal capabilities, and 44pc do not have a SOC to continuously monitor for cyber attacks.

When asked about recent significant cybersecurity incidents, more than half (57pc) of respondents said they had an incident. Nearly half (48pc) cited outdated information security controls or architecture as their highest vulnerability – an increase from 34pc in the 2015 survey.

Respondents said all of their top cybersecurity threats, including malware, phishing, cyber attacks to steal financial information, and cyber attacks to steal intellectual property or data, are on the rise.

Richard Brown, Risk Assurance IT Leader, EY UK and Ireland says: “Organisations have come a long way in preparing for a cyber breach, but as fast as they improve, cyber attackers come up with new tricks. Organisations therefore need to sharpen their senses and upgrade their resistance to attacks. They also need to think beyond just protection and security to ‘cyber resilience’ – an organisation-wide response that helps them prepare for and fully address these inevitable cybersecurity incidents. In the event of an attack they need to have a plan and be prepared to repair the damage quickly and get the organisation back on its feet. If not, they put their customers, employees, vendors and ultimately their own future, at risk.”

Business continuity and disaster recovery – which is at the heart of an organisation’s ability to react to an attack – was rated by respondents as their top priority (57pc), along with data leakage and data loss prevention (57pc). Although 42pc plan to spend more this year on data leakage and loss prevention, only 39pc plan to spend more on business continuity and disaster recovery.

This year’s survey also shows that respondents continue to cite the same key areas of concern for their cybersecurity, such as the increased risks from the actions of careless or unaware employees (55pc compared with 44pc in 2015) and unauthorized access to data (54pc compared with 32pc in 2015). Meanwhile obstacles to their information security function are virtually unchanged from last year, including:

– Budget constraints (61pc compared with 62pc in 2015)
– Lack of skilled resources (56pc compared with 57pc in 2015)
– Lack of executive awareness or support (32pc, the same as in 2015).

Despite the connected nature of business, the survey found that 62pc of global organisations said it was unlikely they would increase their cybersecurity spending after a breach that did not appear to do any harm to their operations. Also, 58pc said it was unlikely they would increase their information security spending if a competitor was attacked, while 68pc said it was unlikely they would increase their information security spending if a supplier was attacked. In the event of an attack that definitely compromised data, almost half of the respondents (48pc) would not notify customers who had been impacted within the first week. Overall, 42pc of respondents do not have an agreed communications strategy or plan in place in the event of a significant attack.

When it comes to devices, organisations are struggling with the number of devices that are continuously being added to their digital ecosystem. Almost three-quarters (73pc) of organisations surveyed are concerned about poor user awareness and behaviour around mobile devices, such as laptops, tablets and smartphones. Half (50pc) cited the loss of a smart device as a top risk associated with the growing use of mobile devices because they encompass both information and identity loss.

© 2024 Professional Security Magazine. All rights reserved.