Survey Cites Cyber Crime as Main Threat to Organisations' Survival
With information security functions not fully meeting the needs in 83% of organisations, 93% of companies globally are maintaining or increasing their investment in cyber security to combat the increasing threat from cyber attacks, according to a survey released by EY, formerly Ernst & Young.
EY’s 16th annual global information security survey 2013 tracks the level of awareness and action by companies in response to cyber threats and canvases the opinion of over 1,900 senior executives globally. This year’s results show that as companies continue to invest heavily to protect themselves against cyber attacks, the number of security breaches is on the rise and it is no longer of question of if, but when, a company will be the target of an attack.
Thirty-one percent of respondents report the number of security incidents within their organisation has increased by at least 5% over the last 12 months. Many have realised the extent and depth of the threat posed to them; resulting in information security now being ‘owned’ at the highest level within 70% cof the organisations surveyed.
“This year’s survey shows that organisations are moving in the right direction, but more still needs to be done urgently,” said Paul van Kessel, EY global risk leader. “There are promising signs that the issue is now gaining traction at the highest levels. In 2012, none of the information security professionals surveyed reported to senior executives in 2013 this jumped to 35%.”
Ken Allan, EY global information security leader said: “Cyber-crime is the greatest threat for organizations’ survival today. While budget allocations toward security innovation are inching their way up, enabling organisations to channel more resources toward innovating solutions that can protect them against the great unknown the future many information security professionals continue to feel that their budgets are insufficient to address mounting cyber risks.”
Despite half of the respondents planning to increase their budget by 5% or more in the next 12 months, 65% cite an insufficient budget as their number one challenge to operating at the levels the business expects; and among organisations with revenues of US$10m or less this figure rises to 71%.
Of the budgets planned for the next 12 months, 14% is earmarked for security innovation and emerging technologies. As current technologies become further entrenched in an organisation’s network and culture, awareness is needed of how employees use the devices, both in the workplace and in their personal lives. This is especially true when it comes to social media, which respondents identified as an area where they continue to still feel unsure in their capability to address risks.
“Organisations need to be more forward-looking,” adds Allan. “Moreover, if organisations are putting all their energy into addressing current technology issues, how will they protect themselves against technologies that are just around the corner or are about to appear on the horizon? If organisations still don’t have a high level of confidence after four years of mobile device use in the workplace, how will they face the challenge of managing and defending against personal and hosted clouds for example?”
Although information security is focusing on the right priorities, in many instances the function doesn’t have the skilled resources or executive awareness and support needed to address them. In particular, the gap is widening between supply and demand, creating a sellers’ market, with 50% of respondents citing a lack of skilled resources as a barrier to value creation. Similarly, where only 20% of previous survey participants indicated a lack of executive awareness or support, 31% now cite it as an issue.
Allan adds: “A lack of skilled talent is a global issue. It is particularly acute in Europe, where governments and companies are fiercely competing to recruit the brightest talent to their teams from a very small pool. As a result, while organisations feel they are addressing the right priorities, many indicate that they do not have the skilled resources to support their needs.”
Looking ahead van Kessel concludes: “Organisations must undertake more proactive thinking, with tone-from-the-top support. Greater emphasis on improving employee awareness, increasing budgets and devoting more resources to innovating security solutions is needed. The pace of technology evolution will only accelerate as will the cyber risks and by not considering risks until they arise gives cyber attackers the advantage, jeopardising an organisation’s survival.”