Executives at global organizations are more confident than ever that their companies can predict and resist a sophisticated cyber attack, but most also recognize their organization falls short of needed investments and plans to recover from a breach in today’s expanding threat landscape, according to a new study.


EY’s annual “Global Information Security Survey (GISS)—Path to cyber resilience: Sense, resist, react” found that half of the survey’s respondents indicated their organization could detect a sophisticated cyber attack—the highest level of confidence since 2013—due to investments in cyber threat intelligence to predict what they can expect from an attack, continuous monitoring mechanisms, security operations centers (SOCs) and active defense mechanisms. Despite these investments, 86 percent of the respondents also indicated that their organization’s cyber security capabilities do not fully meet their organization’s needs.


The survey of 1,735 C-suite leaders and IT executives and managers from large, global companies examines the cyber security issues businesses face. Among other notable findings, the survey found that more than half (57 percent) of respondents said their organization had a cyber incident in the past year. Tellingly, nearly half (48 percent) of the respondents cited outdated information security controls or architecture as their highest vulnerability—an increase from 34 percent in the 2015 survey.


Business continuity and disaster recovery was cited by respondents as their top priority (57 percent), along with data leakage and data loss prevention (57 percent). Although 42 percent of the respondents say their company plans to increase spending this year on data leakage and loss prevention, only 39 percent of the respondents say the company plans to spend more on business continuity and disaster recovery.


“Organizations have come a long way in preparing for a cyber breach, but as fast as they improve, cyber attackers come up with new tricks,” says Paul van Kessel, EY Global Advisory Cybersecurity Leader. “Organizations therefore need to sharpen their senses and upgrade their resistance to attacks. Executives also need to think beyond just protection and security, and consider ‘cyber resilience’—an organization-wide response that helps prepare for and fully address these inevitable cyber security incidents. In the event of an attack, they need to have a plan and be prepared to repair the damage quickly and get the organization back on its feet. If not, they put their customers, employees, vendors and, ultimately, their own future, at risk.”


I was also interested to read that although the survey found that respondents continue to cite the same key areas of concern for their cyber security, they also said all of their top cyber security threats, including malware, phishing, cyber attacks to steal financial information, or cyber attacks to steal intellectual property or data, are markedly on the rise. For example, respondents said they see increased risks from the actions of careless or unaware employees (55 percent compared with 44 percent in 2015) and unauthorized access to data (54 percent compared with 32 percent in 2015).


Meanwhile, the executives also noted that obstacles to their information security function are virtually unchanged from last year, including: budget constraints (61 percent compared with 62 percent in 2015), lack of skilled resources (56 percent compared with 57 percent in 2015), and lack of executive awareness or support (32 percent, the same as in 2015).


Do the responses of the survey respondents mirror what you think about your company? Are you confident the organization can predict and resist a sophisticated cyber attack? If there is a cyber incident, is there a plan to maintain business continuity?