You could be under cyber attack — now
In the time it takes to read this, a significant percentage of organizations will suffer a cyber attack.
It could be weeks before you find out and even longer before you can assess the extent of it.
The attacker has probably been roaming around your network for months — undetected. And the associated costs of the breach may be staggering.
In Under cyber attack: EY’s Global Information Security Survey 2013, we find that many organizations have made significant progress in the last 12 months to improve their defenses against cyber attacks.
However, their positions remain reactive. They are addressing only the risks they know without seeking to understand the risks that are lurking around the corner.
To be a cybersecurity innovator, organizations must set their sights on the far horizon. Innovating requires a fundamental transformation of the information security program to fortify against both the known and the unknown cyber risks proactively.
According to our survey, more organizations recognize the extent and depth of the threats they face — from the top of the organization to the shop floor.
Information security is now seen as vital to the ongoing health of the organization. This is exemplified by the 70% of organizations whose information security policies are now owned at the highest organizational level.
Organizations seem to be making improvements in a number of areas:
Yet, for every step organizations are taking in the right direction, there remain miles to go:
As the rate and complexity of cyber attacks continue to increase, organizations need to act quickly to avoid leaving themselves exposed to a costly and brand-damaging security incident that shakes the confidence of consumers and shareholders.
Although organizations are making good progress in improving how they manage the risks that they already know, only 17% of respondents indicated that their information security function fully meets the needs of the company. They still have a long way to go.
And time is running out. The volume of cyber risks that organizations don’t know about, particularly when it comes to emerging technologies, is growing at a rate too fast for many organizations to keep up.
As new technologies drive marketing and customer-oriented initiatives, information security chases associated cyber threats from behind. Mergers and acquisitions, structural changes within the organization and entrance into new markets all place additional stress on the information security function to provide adequate protection.
These pressures will only increase as the pace of emerging technologies continues to accelerate — as will the cyber risks. Not considering these risks until they arise gives cyber attackers an advantage that can be disastrous for the organization.
Average organizations are making improvements in the risk areas they know, but leading organizations are doing more.
We have grouped 10 risk areas into four categories where we see leading organizations expanding improvement opportunities:
1. Commitment from the top
2. Organizational alignment
3. People, processes and technology to implement
4. Operational enablement
Acting on these opportunities for improvement will enable organizations to respond more proactively to known cyber risks and anticipate unknown ones. However, to be a cyber threat innovator, organizations need to constantly scan the horizon, searching for the vulnerabilities in each opportunity that emerging technology brings.
As our Global Information Security Survey suggests, organizations are improving their response to known cyber threats.
Unfortunately, too often information security continues to be viewed as a compliance exercise. To be a leader in information security, organizations need to place more emphasis on improving employee awareness, increasing budgets and devoting more resources to innovating security solutions.
However, to be an information security innovator, organizations have to do much more. They need to be prepared to fundamentally transform their information security programs where necessary.
In all instances, leadership is the key. After all, when it comes to cracking the information security code, 80% of the solution is not technical — it’s a case of good governance.