Third of Global Organizations Lack Confidence in Ability to Detect Sophisticated Cyber Attacks


The 2015 edition of EY’s annual Global Information Security Survey, Creating trust in the digital world, has revealed a corporate world still worried about the latest generation of cyber-attacks.

The survey of 1,755 organizations from 67 countries found that 88% do not believe their information security structure fully meets their organization’s needs and that when it comes to IT security budgets, just over two-thirds want their budgets to be increased by up to 50% to align their organization’s need for protection with its management's tolerance for risk.

There were a variety of sources of concern for respondents. Criminal syndicates (59%), hacktivists (54%), and state-sponsored groups (35%) retained their top rankings as the most likely sources of cyber-attacks cited. However, compared with last year’s survey, respondents rated these sources as more likely: up from 53%, 46%, and 27%, respectively, in 2014.

Encouragingly, the survey also found that companies currently feel less vulnerable than they did a year earlier to attacks arising from unaware employees (44%) and outdated systems (34%), down from 57% and 52%, respectively. However, they feel more threatened today by phishing and malware. Almost half (44%) of respondents ranked phishing as their top threat, up from 39% in 2014, while 43% consider malware their biggest threat. The latter figure was 34% in 2014.

“Organizations are embracing the digital world with enthusiasm, but there must be a corresponding uptick in addressing the increasingly sophisticated cyber threats,” commented EY Global Cybersecurity Leader Ken Allan. “Businesses should not overlook or underestimate the potential risks of cyber breaches. Instead, they should develop a laser-like focus on cybersecurity and make the required investments. The only way to make the digital world fully operational and sustainable is to enable organizations to protect themselves and their clients and to create trust in their brand.”

But respondents generally did not feel that such protection was in place, and felt that organizations were falling short in thwarting cyber-attacks. Just over half (54%) indicated that their firm lacked a dedicated function that focuses on emerging technology and its impact, while 47% did not have a security operations center.

Slightly more than a third (36%) did not have a threat intelligence program, while 18% did not have an identity and access management program. More than half (57%) said that the contribution and value that the information security function provides to their organization is compromised by the lack of skilled talent available, compared with 53% of respondents in the 2014 survey, indicating that the situation is deteriorating, rather than improving.

Offering advice on how firms needed to react, EY global risk leader Paul van Kessel said: “Cybersecurity is inherently a defensive capability, but organizations should not wait to become victims. Instead, they should take an ‘active defense’ stance, with advanced security operations centers that identify potential attackers and analyze, assess and neutralize threats before damage can occur. It is imperative that organizations consider cybersecurity as an enabler to build and keep customers’ trust.”
