Most organizations (67%) are facing rising threats in their information security risk environment, but over a third (37%) have no real-time insight on cyber risks necessary to combat these threats. This is one of the topline findings of EY’s annual Global Information Security survey, Get Ahead of Cybercrime,
which this year surveys 1,825 organizations in 60 countries.
Companies are lacking the agility, the budget and the skills to mitigate known vulnerabilities and successfully prepare for and address cybersecurity. Forty-three percent of respondents say that their organization’s total information security budget will stay approximately the same in the coming 12 months despite increasing threats, which is only a marginal improvement to 2013 when 46% said budgets would not change.
Over half (53%) say that a lack of skilled resources is one of the main obstacles challenging their information security program and only 5% of responding companies have a threat intelligence team with dedicated analysts. These figures also represent no material difference to 2013, when 50% highlighted a lack of skilled resources and 4% said they had a threat intelligence team with dedicated analysts.
”Careless or unaware employees” is revealed as the number one vulnerability companies face, with 38% of respondents saying it is their first priority, and ”outdated information security controls or architecture” and “cloud computing use” are second and third respectively (35% and 17%). ”Stealing financial information,” “disrupting or defacing the organization” and “stealing intellectual property or data” are the top three threats (28%, 25% and 20% respectively say it is their first priority).
This year’s survey finds that organizations need to do a better job of anticipating attacks in an environment where it is no longer possible to prevent all cyber breaches, and where threats come from ever more resourceful and well-funded sources.
Carmen Adamescu, Executive Director, EY Romania, states:
"Organizations will only develop a risk strategy of the future if they understand how to anticipate cybercrime. Cyber-attacks have the potential to be far-reaching – not only financially, but also in terms of brand and reputation damage, the loss of competitive advantage and regulatory non-compliance. Organizations must undertake a journey from a reactive to a proactive posture, transforming themselves from easy targets for cybercriminals into more formidable adversaries.”
The report encourages organizations to embrace cybersecurity as a core competitive capability. This requires keeping the organization in a constant state of readiness, anticipating where new threats may arise and shedding the “victim” mindset of operating in a perpetual state of anxiety.
To reach this state, the report recommends:
- Remaining alert to new threats: Leadership should address cyber threats/risks as a core business issue, and put in place a dynamic decision process that enables quick preventative action.
- Understanding the threat landscape: Organizations should have a comprehensive, yet targeted, awareness of the wider threat landscape and how it relates to the organization, and invest in cyber threat intelligence.
- Knowing your “crown jewels”: There should be a common understanding across the organization of the assets that are of greatest value to the business, and how they can be prioritized and protected.
- Focusing on incident and crisis response: Organizations should regularly test the organization’s capabilities.
- Learning and evolving: Cybersecurity forensics is a critical piece of the puzzle. Organizations should closely study data from incidents and attacks, maintain and explore new collaborative relationships and refresh their strategy regularly.
Carmen Adamescu, Executive Director, EY Romania adds: "Beyond internal threats, organizations also need to think broadly about their business ecosystem and how relationships with third parties and vendors can impact their security posture. It’s only by reaching an advanced stage of cybersecurity readiness that an organization can start to reap the real benefits of its cybersecurity investments. By putting the building blocks in place and ensuring that the program is able to adapt to change, companies can start to get ahead of cybercrime, adding capabilities before they are needed and preparing for threats before they arise."
About EY Romania
EY is one of the world's leading professional services firms with approximately 190,000 employees in 700 offices across 150 countries, and revenues of approximately $27.4 billion in the fiscal year that ended on 30 June 2014. Our network is the most integrated at global level and its vast resources allow us to help our clients benefit from every opportunity. In Romania, EY has been a leader on the professional services market since its set up in 1992. Our over 500 employees in Romania and Moldova provide seamless assurance, tax, transactions, and advisory services to clients ranging from multinationals to local companies. Our offices are based in Bucharest, Cluj-Napoca, Timisoara, Iasi and Chisinau. From 1 July 2013, Ernst & Young becomes EY, the logo has been modified in response to this change and the company's new tagline becomes "Building a better working world". The new visual identity reflects the new strategy of EY, Vision 2020. For more information, please visit www.ey.com.