Most Organisations Lack Cyber Resilience

Uploaded on 2019-07-25 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, TECHNOLOGY--Resilience

Despite increasing threats, many organisations continue to run with only token cybersecurity and resilience. 

According to Ernst & Young's Global Information Security Survey 2018-19, over half of organisations fail to make organisational protection a key part of their strategic plans. After soliciting the opinions of approximately 1,400 C-suite leaders, EY concludes that larger firms are somewhat more prone to fall short in this area than smaller ones (58% versus 54%). 

Overall, EY reports, a solid 77% of organisations still operate with only lackluster cyber security and resilience.

They may even lack a clear idea of what their most critical information assets are and where they're located, never mind having adequate safeguards in place to protect them.

Fortunately, cyber-security budgets are increasing, though bigger firms are more likely to increase their investments in 2019 (63%) and 2020 (67%) than smaller companies (50% and 66%).

System Outages
Whether it's because of the convergence of operational technology (OT) and IP-based IT networks or the growing use of cloud computing, corporate reliance on the availability of global IT infrastructure is ballooning. And the consequences are rising as well.

Cyber-attacks to disrupt the business are now ranked as the third-biggest threat, after phishing (No. 1) and malware (No. 2). This comes as no surprise because distributed denial-of-service (DDoS) attacks, for instance, can trigger a major service interruption that will bring the business to a standstill. 

Outages have always been painful, but given the trend toward moving workloads and applications off-premises, and operating revenue-critical platforms, business operations virtually come to a stop if the IP network collapses.

"Importantly, more organisations are now beginning to recognize the broad nature of the threat," says Richard Watson, EY's Asia-Pacific cybersecurity head. 

"One thing that has changed for the better over the past 12 months, partly because of some of those big cyber-attacks we've seen at a global level, is a growing realisation that security is also about maintaining the continuity of business operations, and not only about the security of data and privacy."

No Room for Russian Roulette
Given this reality, it's jaw-dropping that many organizations seem to think they shouldn't beef up their cybersecurity practices or dedicate more money to IT unless they're hit by a major security incident. For 63% of organisations, a security breach that results in no harm wouldn't lead to higher spending (although, typically, seemingly innocuous breaches can cause harm that doesn't manifest until later). Still, many organisations are unclear about whether they're successfully identifying breaches and incidents.

These firms are playing with fire. As noted in the EY report, the Ponemon Institute estimates the average cost of a security breach to be $3.62 million per incident.

Tackling Corporate Governance
A mere 18% of organisations say that information security has a regular bearing on business strategic plans, a finding that reveals a basic disconnect between cyber-security and the C-suite. Over half of the EY survey respondents say that information security only somewhat or does not influence their business strategy.

Today, when the digital age and cyber-crime is in full bloom, this is somewhere between unwise and unacceptable. In fact, cyber-security and business strategy must go hand-in-hand and be a continuing agenda item for all executive and non-executive boards, as many of board decisions will influence how well the organisation is positioned to deal with a prospective cyber-attack.

That said, increasingly, the ultimate responsibility for information security lies with the people at the top levels of the company. For 40% of organisations, the CIO assumes this responsibility. 

However, in 60% of organisations, the person directly responsible for information security does not sit on the board. Some 70% of organisations report that their senior leaders have a thorough grasp of security or are taking positive steps to better their knowledge of it. Without question, this trend will increase as security becomes a key driver of growth. 

Right now, smaller organisations are better at keeping their board informed about information security matters than larger organisations. That said, larger organisations have made more progress: 73% have at least a limited understanding of information security, compared with 68% of their smaller counterparts.

Swinging in the Dark
Less than one in 10 organisations says its information security function fully meets its needs, and many are concerned that much-needed improvements are not yet underway.  Seventy-eight percent of larger organisations say their information security function is at least partially meeting their needs, but that number drops to just 65% among their smaller counterparts.

Overall, 92% of organisations are concerned about their information security capabilities in certain important areas. For instance, resources: 30% of organisations are grappling with skills shortages, while 25% report that their budgets are constrained. 

Smaller firms are particularly worried; 28% of them say their information security function does not currently meet their needs or must be improved. Just over half (56%) report skills shortages or budget constraints.

A paltry 15% of firms say their information security reporting fully meets their expectations. Among those that suffered an incident in the past year, less than a third say their security team discovered the breach. 
Smaller companies will need to move particularly quickly to address the security reporting issue: almost a quarter (23%) don't produce information security reports, in contrast with 16% of larger organisations. Only 5% describe the financial implications of each breach.

Addressing the Skills Challenge
Although the right personnel are critical to solving information security challenges, recruiting said personnel is easier said than done. The ongoing and global IT security skills shortage won't go away anytime soon. 
Estimates project a worldwide shortfall of about 1.8 million security professionals by 2024, some studies even predict as much as 3.5 million cyber vacancies. 

The upshot is that depending on an in-house team to deal with IT security is probably an exercise in futility. Today, firms must think laterally and place much more emphasis on machine learning, automation, and AI to either replace or complement external service providers.

Dark Reading

You Might Also Read:

Business Leaders Are Ignoring Cyber Risks:

30% Of Business Leaders Would Pay Ransom:

 

 

« From Ciphers To Cyber Security
Cyber Criminals Are Targeting Latin America »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Bishop Fox

Bishop Fox

Bishop Fox is a leading authority in offensive security, providing solutions ranging from continuous penetration testing and attack surface management to product and application security assessments.

Quality Professionals (Q-Pros)

Quality Professionals (Q-Pros)

QPros are a recognized leader in providing full-cycle software quality assurance and application testing services.

Spirion

Spirion

Spirion offers data discovery, classification, and protection tools for your business's privacy, security, and compliance program to avoid gaps and risks.

Systancia

Systancia

Systancia offer solutions for the virtualization of applications and VDI, external access security, Privileged Access Management (PAM), Single Sign-On (SSO) and Identity and Access Management (IAM).

Centre for Development of Advanced Computing (C-DAC)

Centre for Development of Advanced Computing (C-DAC)

C-DAC is the premier R&D organization of the indian Ministry of Electronics & Information Technology. Areas of research include cyber security.

Resolver

Resolver

Resolver’s Integrated Risk Management platform helps plan and prepare your organization to limit the likeliness or impact of security risk and compliance events from occurring.

Atlantic Council Digital Forensic Research Lab (DFRLab)

Atlantic Council Digital Forensic Research Lab (DFRLab)

The Atlantic Council’s DFRLab has operationalized the study of disinformation by exposing falsehoods and fake news, documenting human rights abuses, and building digital resilience worldwide.

Miradore

Miradore

Miradore is a software company specializing in effective, cloud-based device management. Our goal is to help IT Service Providers and IT departments secure and control devices.

Get Safe Online

Get Safe Online

Get Safe Online is a leading source of unbiased, factual and easy-to-understand information on online safety.

BetaDen

BetaDen

BetaDen provides a revolutionary platform for businesses to develop next-generation technology, such as the internet of things and industry 4.0.

Vumetric Cybersecurity

Vumetric Cybersecurity

Vumetric is an ISO9001 certified company offering penetration testing, IT security audits and specialized cybersecurity services.

OwnBackup

OwnBackup

OwnBackup proactively prevents you from losing mission-critical data and metadata with automated backups and rapid, stress-free recovery.

Jisc

Jisc

Jisc is a membership organisation working in partnership with the UK’s research and education communities to develop the digital technologies they need to teach, discover and thrive.

Mitigate Cyber

Mitigate Cyber

Mitigate Cyber (formerly Xyone Cyber Security) offer a range of cyber security solutions, from threat mitigation to penetration testing, training & much more.

Conceal

Conceal

Conceal’s mission is to stop ransomware and credential theft for companies of all sizes by developing innovative solutions that provide social engineering protection in any browser.

RADICL

RADICL

RADICL's mission is to give SMBs that serve America's Defense Industrial Base (DIB) access to strong, enterprise-grade cyber security protection.