Cyber-crime is greatest global threat to organisations’ survival
Friday 29 November 2013 — Cyber-attacks are firmly on the New Zealand radar as 64% of New Zealand organisations cite an increase in external threats to their information, according to EY’s 2013 Global Information Security Survey (GISS). But doing anything about it seems some way off.
The survey, which included New Zealand’s largest banking and capital markets players, shows New Zealand companies focussing most heavily on ‘traditional’ areas like business continuity and implementing security standards, while lagging in the critical area of data loss prevention and protection.
Key survey findings for New Zealand organisations are:
- The information security function fully meets business needs in only 26% of organisations
- Despite greater awareness of threats through public incidents, moves to protect data and manage access strongly lag behind the rest of the world. None of the New Zealand organisations participating in the survey ranked data loss prevention and protection as a top priority area over the next 12 months
- Half of the organisations globally intend to invest more resources into information security; only a third of NZ respondents indicated they are increasing investment in information security but are still investing less than they would like to as a result of competing priorities for limited investment capacity
- However, New Zealand companies are making identity and access management (IAM) their ‘top priority’ in the next 12 months
- Organisations must be forward-looking and prepare for emerging technologies
EY New Zealand Information Security Leader, Ken Wallace, comments: “Although businesses appear to understand the growing threat, they are not yet experiencing enough operational delivery or brand pain to justify to themselves or their customers, meaningful investment in longer-term information security. For Boards and executive teams the key question for 2014 is; do you want to address information security as a risk today or reactively address it as a major operational or brand issue tomorrow?”
Under cyber-attack, EY's 16th annual Global Information Security Survey 2013 tracks the level of awareness and action by companies in response to cyber threats and canvases the opinion of over 1,900 senior executives globally. This year’s results show that as companies continue to invest heavily to protect themselves against cyber-attacks, the number of security breaches is on the rise and it is no longer of question of if, but when, a company will be the target of an attack.
In further global findings:
Thirty-one percent of respondents globally report the number of security incidents within their organisation has increased by at least 5% over the last 12 months. Many have realised the extent and depth of the threat posed to them; resulting in information security now being ‘owned’ at the highest level within 70% of the organisations surveyed.
Paul van Kessel, EY Global Risk Leader comments “This year’s survey shows that organisations are moving in the right direction, but more still needs to be done – urgently. There are promising signs that the issue is now gaining traction at the highest levels. In 2012, none of the information security professionals surveyed reported to senior executives – in 2013 this jumped to 35%.”
Ken Allan, EY Global Information Security Leader adds: “Cyber-crime is the greatest threat for organisations’ survival today. While budget allocations toward security innovation are inching their way up, enabling organisations to channel more resources toward innovating solutions that can protect them against the great unknown – the future – many information security professionals continue to feel that their budgets are insufficient to address mounting cyber risks.”
Information security departments are still feeling the pinch
Despite half of the respondents planning to increase their budget by 5% or more in the next 12 months, 65% cite an insufficient budget as their number one challenge to operating at the levels the business expects; and among organisations with revenues of US$10m or less this figure rises to 71%.
Of the budgets planned for the next 12 months, 14% is ear-marked for security innovation and emerging technologies. As current technologies become further entrenched in an organisation’s network and culture, organisations need to be aware of how employees use the devices, both in the workplace and in their personal lives. This is especially true when it comes to social media, which respondents identified as an area where they continue to still feel unsure in their capability to address risks.
Ken Allan explains: “Organisations need to be more forward-looking. Moreover, if organisations are putting all their energy into addressing current technology issues, how will they protect themselves against technologies that are just around the corner or are about to appear on the horizon? If organisations still don’t have a high level of confidence after four years of mobile device use in the workplace, how will they face the challenge of managing and defending against personal and hosted clouds for example?”
Information security departments struggle with a lack of skilled resources
Although information security is focusing on the right priorities, in many instances, the function doesn’t have the skilled resources or executive awareness and support needed to address them.
In particular, the gap is widening between supply and demand, creating a sellers’ market, with 50% of respondents citing a lack of skilled resources as a barrier to value creation. Similarly, where only 20% of previous survey participants indicated a lack of executive awareness or support, 31% now cite it as an issue.
Looking ahead Paul concludes: “Organisations must undertake more proactive thinking, with tone-from-the-top support. Greater emphasis on improving employee awareness, increasing budgets and devoting more resources to innovating security solutions is needed. The pace of technology evolution will only accelerate – as will the cyber risks and by not considering risks until they arise gives cyber attackers the advantage, jeopardizing an organisation’s survival.”
For further information and to download the 2013 report, visit www.ey.com/GISS
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. For more information about our organization, please visit ey.com.
This news release has been issued by Ernst & Young New Zealand, a member firm of Ernst & Young Global Limited.
EY New Zealand
Tel: + +64 9 308 1085
+64 272 312 017