Swiss organizations better prepared to predict and resist cyber attacks – but still a long way to go

“EY Global Information Security Survey”

  • Share
  • 40% of the organizations surveyed in Switzerland said they could detect a sophisticated cyber attack
  • 35% of Swiss respondents rate business continuity and disaster recovery as a high priority, but only 20% are planning to invest more in these areas next year
  • 44% do not have an agreed communications strategy or plan in place in the event of a significant attack
  • Most of the Swiss organizations (90%) surveyed are concerned about poor user awareness and behavior around mobile devices

ZURICH, 2 FEBRUARY 2017 – Findings of the 19th annual EY Global Information Security Survey show that 40% of the organizations surveyed in Switzerland believe they could detect a sophisticated cyber attack. This belief stems from investments in cyber threat intelligence to predict what they can expect from an attack as well as continuous monitoring mechanisms, security operations centers and active defense mechanisms. “Swiss organizations are quite confident that they can predict and resist a sophisticated cyber attack,” concludes Tom Schmidt, EY Cybersecurity Leader Switzerland. This might be one of the reasons why some organizations are reluctant to invest in and plan for the recovery from a breach in today’s expanding threat landscape. The survey of 1,735 organizations globally (49 in Switzerland) examines some of the most compelling cybersecurity issues facing businesses today in the digital ecosystem.

Most cybersecurity functions still not up-to-date
However, despite investments into cybersecurity, 84% of those surveyed in Switzerland (86% globally) say their cybersecurity function does not fully meet their organization’s needs. Well over half (59%) of Swiss organizations do not have a formal threat intelligence program or have only an informal one. When it comes to identifying vulnerabilities, nearly half (49%) do not have any or only informal vulnerability identification capabilities, and 42% do not have a security operations center to continuously monitor for cyber attacks.

When asked about recent significant cybersecurity incidents, 65% of Swiss respondents and 57% of the global respondents said they had had an incident. More than a third (37%) cited outdated information security controls or architecture as their highest vulnerability, which is significantly lower than globally (48%). In addition, Swiss respondents (in line with the global results) said all of their top cybersecurity threats, including malware, phishing, cybersecurity to steal financial information, fraud, or zero day attacks are on the rise.

Top cybersecurity threats within Swiss companies

 

2015

2016

Change

Malware

34%

53%

+ 19pp

Phishing

41%

62%

+ 21pp

Cyberattacks to steal financial information

22%

46%

+ 24pp

Fraud

33%

47%

+ 14pp

Zero day attacks

45%

57%

+ 12pp

Attackers come up with new tricks
Tom Schmidt says: “Organizations have come a long way in preparing for a cyber breach, but as fast as they improve, cyber attackers come up with new tricks. Organizations therefore need to sharpen their senses and upgrade their resistance to attacks. They also need to think beyond just protection and security to ‘cyber resilience’ – an organization-wide response that helps them prepare for and fully address these inevitable cybersecurity incidents. In the event of an attack, they need to have a plan and be prepared to repair the damage quickly and get the organization back on its feet. If not, they put their customers, employees, vendors and ultimately their own future at risk.”

Swiss respondents rated data leakage and loss prevention (56%), security awareness and training (56%) and identity and access management (55%) as their top priorities. This is in contrast to the global results, where business continuity and disaster recovery – which are at the heart of an organization’s ability to react to an attack – were rated by respondents as their top priority (57%). In Switzerland, only one-third (35%) of organizations consider this to be a top priority. Although 43% of Swiss respondents plan to spend more this year on data leakage and loss prevention, only 20% plan to spend more on business continuity and disaster recovery – half as many as globally

Vulnerabilities and obstacles remain
This year’s survey also shows that Swiss respondents continue to cite the same key areas of concern for their cybersecurity, such as the increased risks from the actions of careless or unaware employees (64% compared with 52% in 2015) and vulnerabilities related to mobile computing use (41% compared with 27% in 2015). Meanwhile, the main obstacles to their information security function are virtually unchanged from last year, except for the lack of skilled resources, which has increased significantly in Switzerland.

 

2015

2016

Change

Lack of skilled resources

36%

53%

+17pp

Budget constraints

56%

59%

+3pp

Lack of executive awareness or support

38%

37%

-1pp

Management and governance issues

33%

31%

-2pp

Lack of quality tools for managing information security

15%

24%

+9pp

Fragmentation of compliance/regulation

28%

24%

-4pp

Digital ecosystem and connected devices pose challenges
Despite the connected nature of today’s digital ecosystem, the survey found that 82% of Swiss organizations said it was unlikely they would increase their cybersecurity spending after a breach that did not appear to do any harm to their operations. Also, 80% said it was unlikely they would increase their information security spending if a competitor was attacked, while 82% said it was unlikely they would increase their information security spending if a supplier was attacked.

In the event of an attack that definitely compromised data, half of the Swiss respondents (50%) would not notify customers who had been impacted within the first week. Overall, 44% of Swiss respondents do not have an agreed communications strategy or plan in place in the event of a significant attack.

When it comes to devices, organizations are struggling with the number of devices that are continuously being added to their digital ecosystem. Most of the Swiss organizations (90%) surveyed are concerned about poor user awareness and behavior around mobile devices, such as laptops, tablets and smartphones. More than a third (38%) cited the loss of a smart device as a top risk associated with the growing use of mobile devices because they encompass both information and identity loss.

About the survey
EY’s 19th annual Global Information Security Survey captures responses from 1,735 C-suite leaders and IT executives and managers from most of the world’s largest and most recognized global companies. The survey was conducted between June 2016 and August 2016.

Find the global report and other relevant information on our dedicated website: www.ey.com/giss


Download


About the global EY organization

The global EY organization is a leader in assurance, tax, transaction, legal and advisory services. We leverage our experience, knowledge and services to help build trust and confidence in the financial markets and in economies all over the world. We are ideally equipped for this task – with well trained employees, strong teams, excellent services and outstanding client relations. Our global mission is to drive progress and make a difference by building a better working world – for our people, for our clients and for our communities.

The global EY organization refers to all member firms of Ernst & Young Global Limited (EYG). Each EYG member firm is a separate legal entity and has no liability for another such entity’s acts or omissions. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information, please visit www.ey.com.

EY’s organization is represented in Switzerland by Ernst & Young Ltd, Basel, with ten offices across Switzerland, and in Liechtenstein by Ernst & Young AG, Vaduz. In this publication, “EY” and “we” refer to Ernst & Young Ltd, Basel, a member firm of Ernst & Young Global Limited.