Organizations are at high risk from cyber attacks; common attack methods still successful, EY survey finds
Organizations believe that today’s cyber threat landscape places them at high risk of cyber attacks, according to the 20th annual EY Global Information Security Survey (GISS), Cybersecurity regained: preparing to face cyber attacks (www.ey.com/giss).
The survey of nearly 1,200 C-level leaders of the world’s largest and most recognized organizations examines some of the most urgent concerns about cybersecurity and their efforts to manage them.
Findings show that 56% of those surveyed are making or planning to make changes to their strategies and plans due to the increased impact of cyber threats, risks and vulnerabilities. The rapid acceleration of connectivity within their global organizations – fueled by the growth of Internet of Things (IoT) – has introduced new vulnerabilities for increasingly sophisticated cyber attackers to exploit. The report reveals that common attacks – cyber attacks carried out by unsophisticated, individual attackers – successfully exploited vulnerabilities that organizations were aware of, which indicates a lack of rigor in implementing standard security procedures.
Paul van Kessel, EY Global Advisory Cybersecurity Leader, says:
“The most successful recent cyber attacks employed common methods that leveraged known vulnerabilities of organizations. Also, the increasing hyper-connectivity and waves of new technology, while creating huge opportunities, introduce new risks and vulnerabilities across the organization. Therefore, as organizations transform into the digital age, they must examine their digital ecosystem from every angle to protect their businesses today, tomorrow and far into the future.”
Findings reveal that most organizations continue to increase their spending on cybersecurity, with more than 90% of respondents saying they expect higher budgets this year. With mounting cyber threats demanding a more robust response, 87% say that they require up to 50% more funding. However, only 12% expect to receive an increase of more than 25% this year.
Seventy-six percent of respondents say the discovery of a breach that caused harm is most likely to trigger the increased allocation of budgets. By contrast, 64% (compared to 62% last year) say an attack that did not appear to have caused any harm would be unlikely to prompt an increase in cybersecurity budget, despite the reality that harm caused by a cyber attack may not be immediately obvious.
Many respondents also recognize that lack of adequate resource allocation can increase cybersecurity risks, with 56% saying that they have made changes or are reviewing changes to their strategies and plans to address this. However, 20% admit that they do not have enough appreciation of current information security implications and vulnerabilities to undertake such a review.
Increasing threats from malware and careless employees
Malware (64% compared to 52% in 2016) and phishing (64% compared to 51% last year) are perceived as the threats that have most increased organizations’ risk exposure in the last 12 months. Careless or unaware employees are seen as the most significant increasing vulnerability to organizations’ security (60% compared to 55% in 2016). When it comes to the most likely source of attack, 77% considered careless members of staff as the most likely source, followed by criminal syndicates (56%) and malicious employees (47%).
When fighting back against an advanced attack – one carried out by a sophisticated and well-organized group – many organizations have serious concerns about the level of sophistication of their current cybersecurity systems. Seventy-five percent of respondents rate the maturity of their vulnerability identification as “very low to moderate.” A further 12% say they have no formal breach detection program in place, while 35% describe their data protection policies as ad hoc or non-existent, and 38% either have no identity and access program or have not formally agreed such a program.
To help improve their preparedness, most organizations recognize the need for a Security Operations Center (SOC), which provides a centralized, structured and coordinated hub for all cybersecurity activities. However, 48% of respondents say they still do not have an SOC, whether in-house or outsourced. Moreover, 57% of respondents have only an informal threat intelligence program – or do not have one at all – and just 12% of respondents are confident that they can detect a sophisticated cyber attack made on their organization.
The study also shows that cybersecurity budgets are higher in organizations that:
- Place dedicated business line security officers in key lines of business
- Report at least twice a year on cybersecurity to the board and audit committee
- Specifically identify IT “crown jewels” and differentially protect these assets
The report highlights that organizations with good governance processes underlying their operational approach are able to practice security-by-design – building systems and processes that can respond to unexpected risks and emerging dangers. The findings also show, however, that there is a long way to go before this becomes standard practice. While 50% say that they report to the board regularly, only 24% say the person with responsibility for cybersecurity sits on their board and just 17% say boards have sufficient knowledge of information security to fully evaluate the effectiveness of preventive measures.
Van Kessel says: “We believe that in the future businesses will collaborate and work with each other to share knowledge to help increase cyber resiliency. It is imperative, therefore, that organizations move beyond thinking about cybersecurity as an IT issue, and focus on good cybersecurity governance and security-by-design.”