Many firms still unprepared for cyber attack, EY survey shows

More than a third of organisastions have no real-time insight on cyber risks necessary to combat rising threats, a survey has shown.

These organisations also lack the agility, budget and skills to mitigate known vulnerabilities to prepare for and address cyber security, according to EY’s latest annual Global Information Security survey.

Of the 1,825 executives polled in 60 countries, 43% said their organisation’s total information security budget will stay approximately the same in the coming 12 months despite increasing threats.

More than half said a lack of skilled resources is one of the main obstacles, with just 5% saying their organisations have a threat intelligence team with dedicated analysts.

Last year 50% highlighted a lack of skilled resources and 4% said they had a threat intelligence team with dedicated analysts.

The survey showed “careless or unaware employees” ranked as the top vulnerability companies face, with 38% of respondents saying this is their first priority.

Outdated information security controls or architecture was ranked second, followed by the use of cloud computing.

Stealing financial information, disrupting or defacing the organisation, and “stealing intellectual property or data were ranked as the top three threats.

According to the survey, organisations need to do a better job of anticipating attacks in an environment where it is no longer possible to prevent all cyber breaches.

“Cyber attacks have the potential to be far-reaching – not only financially, but also in terms of brand and reputation damage, the loss of competitive advantage and regulatory non-compliance,” said Mark Brown, executive director of cyber security and resilience at EY.

“Organisations must undertake a journey from a reactive to a proactive posture, transforming themselves from easy targets for cybercriminals into more formidable adversaries,” he said.

According to Brown, many organisations still fall short in mastering the foundational components of cyber security.

“The UK government has attempted to fill this void by introducing the Cyber Essential Scheme, but the survey’s findings highlight that organisations are not taking the basic steps, such as setting up a security operations centre or putting in place an incident response plan, and this continues to be a major cause for concern,” he said.

Brown said UK organisations should engage with UK government-backed initiatives such as Cyber information Sharing Partnership (CISP) and Cert-UK as well as establishing internal capabilities to respond to cyber threats.

The survey found fewer than 20% of orgnisations have real-time insight on cyber risks, only 20% have access to published sources of cyber attacks on their sector peers and only a third of organisations said they had well-defined and automated identity and access management processes.

The report encourages all organisations to embrace cyber security as a core competitive capability, which requires keeping the organisation in a constant state of readiness, anticipating where new threats may arise and shedding the “victim” mindset of operating in a perpetual state of anxiety.

Ken Allan, EY’s global information security leader said that, in addition to internal threats, organisations need to think broadly about their business ecosystem and how relationships with third parties and suppliers can impact their security posture.

“It’s only by reaching an advanced stage of cyber security readiness that an organisation can start to reap the real benefits of its cyber security investments.

“By putting the building blocks in place and ensuring that the program is able to adapt to change, companies can start to get ahead of cyber crime, adding capabilities before they are needed and preparing for threats before they arise,” he said.