A gap is widening between organisations' business needs and their ability to tackle new and complex security threats, according to Ernst & Young's latest Global Information Security Survey.
The survey of 1,700 organisations globally found 72% of respondents are seeing an increasing level of risk due to the significant growth in external threats. But only about a third of these organisations have updated their information security strategy in the past 12 months.
With 61% of organisations using or considering cloud computing services within the next year, a 16% increase year-on-year, the report said the threat of security breaches has become an afterthought in the rush to adapt to the rapidly changing landscape.
"It is estimated cyber security attacks cost the UK economy £27bn a year. Confronted with diminishing borders and changing business and IT models including cloud services, business leaders urgently need to ask themselves how to respond to new and emerging risks and whether their strategy meets their needs," said Jane Cannon, Ernst & Young security and resilience partner.
The focus must move from short-term fixes to a more holistic approach integrated with long-range strategic corporate goals, she said.
Although 59% of respondents plan on increasing their information security budgets in the coming 12 months, only 48% believe information security strategies adequately address risk and only 51% have documented strategies in place, the study found.
With 46% of respondents stating that there are increased risks due to internal vulnerabilities, it is critical that organisations are aware of the risks posed by "bring your own device" and other similar policies, the report said.
Respondents named cloud computing as their top information security funding priority for the coming 12 months. Many organisations are still unclear about the implications of cloud, and are increasing their efforts to better understand the impact of its adoption and the associated risks.
Nearly half of respondents listed the implementation of cloud computing as a difficult or very difficult challenge, and more than half have not implemented any controls to mitigate the risks associated with cloud computing. The most frequently taken measure is stronger oversight of the contract management process with cloud providers, but even this is only done by 20% of respondents, indicating a high, and possibly misplaced, level of trust in providers.
The survey shows only 12% of respondents are presenting information security topics at each board meeting.
Fewer than half of respondents said their information security function is meeting the needs of the organisation. In the UK, the main reason cited by respondents for this is a lack of skilled resources.
"This shows that within the UK we have a significant shortage of skilled workers in this field when compared to our international counterparts. Urgent action is required to tackle this to ensure that UK-based companies can continue to defend themselves against these growing threats," said Steve Holt, financial services partner for Ernst & Young.
"Data loss is on the rise. Our results show that 66% of companies have still not implemented data leakage solutions. Given customer expectations that companies will protect their personal data, more needs to be done in plugging the leaks," he said.
Most respondents (72%) claimed external malicious attacks were their top risk. To address the potential risks posed by social media, organisations seem to be adopting a hard-line response: more than half (53%) have responded by blocking access to social media sites rather than embracing the change and adopting enterprise-wide measures.
Jane Cannon said a pragmatic and proactive response, rather than a reactive one, was required.
"Information security needs to be more visible in the boardroom with a clearly defined strategy that will support the business in the cloud and elsewhere. Most companies still have a long way to go to make this a reality," she said.
To manage IT risks effectively, said Cannon, organisations need to get a broad and comprehensive view of the entire IT risk landscape to help identify and manage current IT risks and challenges, as well as those that may evolve over time.