This year’s EY Global Information Security Survey 2018-19 – Is cybersecurity about more than protection? – shows that cybersecurity is continuing to rise up the board agenda.
The survey, of more than 1,400 cybersecurity and risk leaders from organisations with revenues ranging from less than $10 million to more than $10bn, examines some of their most urgent concerns about cybersecurity and their efforts to manage them.
A majority of organisations (77 per cent) are seeking to move beyond basic cybersecurity protections toward fine-tuning their capabilities using advanced technologies such as artificial intelligence, robotic process automation and analytics among others.
These organisations are continuing to work on the cybersecurity essentials, but they are also rethinking their cybersecurity framework and architecture to support the business more effectively and efficiently.
However, the survey found that only eight per cent of respondents feel that their information security function fully meets their needs, with 78 per cent of larger organisations and 65 per cent of smaller ones saying their information security function is at least partially meeting their needs.
Channel Island focus
For organisations in the Channel Islands, one of the biggest focus areas is third-party service providers.
Leo Boessenkool, Head of ITRA for EY in the Channel Islands, explains: “Many financial service organisations in the Channel Islands rely heavily on third-party involvement for many aspects of their business functions, including infrastructure and core software.
“Vulnerabilities increase with the inclusion of third parties and with that comes potential risk. Therefore, it is essential that steps are taken to ensure the appropriate measures are taken to respond to these risks.”
All the organisations surveyed are going through digital transformation projects and are increasing their spending on emerging technologies. The study reveals cloud computing (52 per cent), cybersecurity analytics (38 per cent) and mobile computing (33 per cent) as the highest priorities for cybersecurity investment in emerging technologies this year.
• Careless/unaware employees rank as highest vulnerability, and most organisations may not identify all breaches and incidents
Organisations concede that they would be unlikely to step up their cybersecurity practices or spend more money unless they suffered some sort of breach or incident that caused very negative impacts. The survey finds that the riskiest vulnerability is careless/unaware employees (34 per cent), with the skills shortage also being an issue for organisations.
Boessenkool said: “The financial services industry across the Channel Islands is being impacted by the skills shortage, and finding information security professionals is no exception. It is therefore crucial that appropriate training is provided to current employees to enable them to spot security breaches and manage the risks accordingly, creating a vigilant employee culture with regard to cyber security.”
Other vulnerabilities found in the survey include outdated security controls (26 per cent), unauthorised access (13 per cent) and vulnerabilities related to cloud-computing use (10 per cent). Only eight per cent say their security functions fully meet their needs and 38 per cent of respondents are unlikely to detect a sophisticated breach, whereas less than 10 per cent believe they have mature security systems.
However, many organisations (82 per cent) are unclear about whether they are successfully identifying breaches and incidents. Among organisations that have been hit by an incident over the past year, less than a third (31 per cent) say the compromise was discovered by their security center.
“Some 53 per cent of respondents also indicated they have no programme, or an obsolete one of the following: vulnerability identification, threat intelligence, breach detection, incident response, data protection and identity and access management, the latter two being felt in the Channel Islands,” warned Mr. Boessenkool.
“Based on my experience in the Channel Islands, organisations without a large parent organisation have been slower at adopting structured identity and access management solutions. Without these solutions in place, you are putting yourself in a vulnerable position as your risk exposure subsequently increases. I would strongly recommend reviewing what procedures, if any, your organisation has in place and implementing the appropriate defenses.”
• Cybersecurity does not fully influence organisations’ strategic plans, the person responsible not a board member
Organisations are convinced that looking after cyber risk and building in cybersecurity from the start is imperative to success in the digital era. The survey finds that only 18 per cent of organisations say that information security fully influences business strategy plans on a regular basis, while 60 per cent of organisations say that the person directly responsible for information security is not a board member.
However, 70 per cent of all organisations (73 per cent and 68 per cent of the larger and smaller organisations, respectively) say their senior leadership has a comprehensive understanding of security or is taking positive steps to improve their understanding.
This lack of strategic focus seems to be having a knock-on impact on budgets, as the survey finds that 87 per cent of organisations operate with a limited budget to provide for the level of cybersecurity and resilience they require. However, cybersecurity budgets are on the rise, with larger companies being more likely to have increased budgets this year (63 per cent) and next year (67 per cent) than smaller companies (50 per cent and 66 per cent, respectively).