Organisations at high risk from cyber attacks; common attack methods still successful

Monday, 18 December 2017 00:00

  • EY survey finds 56% of organisations surveyed are concerned about the increasing impact of cyber threats on their strategies and plans
  • 87% say they require up to 50% more funding to address increased cyber threats
  • Only 12% say they are likely to detect a sophisticated cyberattack

Organisations believe that today’s cyberthreat landscape places them at high risk of cyber attacks, according to the 20th annual EY Global Information Security Survey (GISS), Cybersecurity regained: preparing to face cyber attacks (www.ey.com/giss).

The survey of nearly 1,200 C-level leaders of the world’s largest and most recognised organisations examines some of the most urgent concerns about cybersecurity and their efforts to manage them. 

Findings show that 56% of those surveyed are making or planning to make changes to their strategies and plans due to the increased impact of cyber threats, risks and vulnerabilities. The rapid acceleration of connectivity within their global organisations – fuelled by the growth of the Internet of Things (IoT) – has introduced new vulnerabilities for increasingly sophisticated cyber attackers to exploit. The report reveals that common attacks – cyber attacks carried out by unsophisticated, individual attackers – successfully exploited vulnerabilities that organisations were already aware of, which indicates a lack of rigour in implementing standard security procedures.

EY Sri Lanka Advisory Leader Arjuna Herath says: “The most successful recent cyber attacks employed common methods that leveraged known vulnerabilities of organisations. Also, the increasing hyper-connectivity and waves of new technology, while creating huge opportunities, introduce new risks and vulnerabilities across the organisation. Therefore, as organisations transform into the digital age, they must examine their digital ecosystem from every angle to protect their businesses today, tomorrow and far into the future.”

Findings reveal that most organisations continue to increase their spending on cybersecurity, with more than 90% of respondents saying they expect higher budgets this year. With mounting cyberthreats demanding a more robust response, 87% say that they require up to 50% more funding. However, only 12% expect to receive an increase of more than 25% this year.

76% of respondents say the discovery of a breach that caused harm is most likely to trigger the increased allocation of budgets. By contrast, 64% (compared to 62% last year) say an attack that did not appear to have caused any harm would be unlikely to prompt an increase in cybersecurity budget, despite the reality that harm caused by a cyber attack may not be immediately obvious.

Many respondents also recognise that lack of adequate resource allocation can increase cybersecurity risks, with 56% saying that they have made changes or are reviewing changes to their strategies and plans to address this. However, 20% admit that they do not have enough appreciation of current information security implications and vulnerabilities to undertake such a review. 

Increasing threats from malware and careless employees

Malware (64% compared to 52% in 2016) and phishing (64% compared to 51% last year) are perceived as the threats that have most increased organisations’ risk exposure in the last 12 months. Careless or unaware employees are seen as the most significant increasing vulnerability to organisations’ security (60% compared to 55% in 2016). When it comes to the most likely source of attack, 77% considered careless members of staff as the most likely source, followed by criminal syndicates (56%) and malicious employees (47%).

When fighting back against an advanced attack – those carried out by sophisticated and well-organised groups – many organisations have serious concerns about the level of sophistication of their current cybersecurity systems. 75% of respondents rate the maturity of their vulnerability identification as “very low to moderate.” A further 12% say they have no formal breach detection program in place, while 35% describe their data protection policies as ad-hoc or non-existent, and 38% either have no identity and access program or have not formally agreed such a program.

To help improve their preparedness, most organisations recognise the need for a Security Operations Center (SOC), which provides a centralised, structured and coordinated hub for all cybersecurity activities. However, 48% of respondents say they still do not have an SOC, whether in-house or outsourced. Moreover, 57% of respondents have only an informal threat intelligence program, or none at all, and just 12% of respondents are confident that they can detect a sophisticated cyberattack made on their organisation.

The study also shows that cybersecurity budgets are higher in organisations that:

  • Place dedicated business line security officers in key lines of business
  • Report at least twice a year on cybersecurity to the board and audit committee 
  • Specifically identify IT “crown jewels” and differentially protect these assets 

The report highlights that organisations with good governance processes underlying their operational approach are able to practice security-by-design – building systems and processes that can respond to unexpected risks and emerging dangers. The findings also show, however, that there is a long way to go before this becomes standard practice. While 50% say that they report to the board regularly, only 24% say the person with responsibility for cybersecurity sits on their board and just 36% say boards have sufficient knowledge of information security to fully evaluate the effectiveness of preventive measures. 

Herath says: “We believe that in the future businesses will collaborate and work with each other to share knowledge to help increase cyber resiliency. It is imperative, therefore, that organisations move beyond thinking about cybersecurity as an IT issue, and focus on good cybersecurity governance and security-by-design.”
