You could be under cyber attack — now


In the time it takes to read this, a significant percentage of organizations will suffer a cyber attack.

It could be weeks before you find out and even longer before you can assess the extent of it.

The attacker has probably been roaming around your network for months — undetected. And the associated costs of the breach may be staggering.

In Under cyber attack: EY’s Global Information Security Survey 2013, we find that many organizations have made significant progress in the last 12 months to improve their defenses against cyber attacks.

However, their positions remain reactive. They are addressing only the risks they know without seeking to understand the risks that are lurking around the corner.

To be a cybersecurity innovator, organizations must set their sights on the far horizon. Innovating requires a fundamental transformation of the information security program to fortify against both the known and the unknown cyber risks proactively.

1. What’s the issue?

According to our survey, more organizations recognize the extent and depth of the threats they face — from the top of the organization to the shop floor.

Information security is now seen as vital to the ongoing health of the organization. This is exemplified by the 70% of organizations whose information security policies are now owned at the highest organizational level.

Organizations seem to be making improvements in a number of areas:

EY chart - improved areas for cybersecurity

Yet, for every step organizations are taking in the right direction, there remain miles to go:

EY chart - areas requiring more attention for cybersecurity

As the rate and complexity of cyber attacks continue to increase, organizations need to act quickly to avoid leaving themselves exposed to a costly and brand-damaging security incident that shakes the confidence of consumers and shareholders.

2. Why now?

Although organizations are making good progress in improving how they manage the risks that they already know, only 17% of respondents indicated that their information security function fully meets the needs of the company. They still have a long way to go.

And time is running out. The number of cyber risks that organizations do not yet know about, particularly those introduced by emerging technologies, is growing faster than many organizations can keep up with.

3. How does this affect you?

As new technologies drive marketing and customer-oriented initiatives, information security trails behind the cyber threats those technologies introduce. Mergers and acquisitions, structural changes within the organization and entry into new markets all place additional stress on the information security function to provide adequate protection.

These pressures will only increase as the pace of emerging technologies continues to accelerate — as will the cyber risks. Not considering these risks until they arise gives cyber attackers an advantage that can be disastrous for the organization.

4. What’s the fix?

Average organizations are making improvements in the risk areas they know, but leading organizations are doing more.

We have grouped 10 risk areas into four categories in which we see leading organizations pursuing improvement opportunities beyond those of their peers:

1. Commitment from the top
  • Board support. Organizations need executive support to establish a clear charter for the information security function and a long-term strategy for its growth.

2. Organizational alignment
  • Strategy. Information security must develop strong, clearly defined relationships with a wide range of stakeholders across the business and establish a clearly defined and formalized governance and operating model.
  • Investment. Organizations need to be willing to invest in cybersecurity.

3. People, processes and technology to implement
  • People. Today's information security function requires a broad range of capabilities with a diversity of experiences. Technical IT skills alone are no longer enough.
  • Processes. Processes need to be documented and communicated, but information security functions also need to develop change management mechanisms to quickly update processes when opportunities for improvement arise.
  • Technology. To gain the most value from a technology solution, information security functions must supplement their technology deployment efforts with strategic initiatives that address proper governance, process, training and awareness.

4. Operational enablement
  • Continuous improvement. Organizations must establish a framework for continuously monitoring performance and improving their information security programs in the areas of people, process and technology.
  • Physical security. Organizations should ensure that all their information security technology is physically secure, with particular attention to who can reach Wi-Fi access points and the networks behind them. A security operations center can also enable information security functions to respond faster, work more collaboratively and share knowledge more effectively.
  • Analytics and reporting. Signature and rule-based tools can only detect what is already known and are no longer sufficient on their own. Information security functions should consider supplementing them with behavior-based analytics that compare current activity against baselines of normal behavior in their own environment.
  • Environment. Information security requires an environment with a well-maintained enterprise asset management system (which includes criticality of supported business processes) to manage events associated with business priorities and assess the true risk or impact to the organization.
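To make the "Analytics and reporting" point concrete, the following is an added example (not code from the EY report) that runs a static signature rule and a per-user behavioral baseline over constructed SSH login records. The log lines, user names, IP prefixes and the blocklist are all invented for illustration. Hours are treated on a linear scale for simplicity; a production baseline would use circular statistics so that 23:00 and 01:00 are treated as neighbors.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not real logs): a few days of successful SSH logins
# used to learn what "normal" looks like for each user.
BASELINE_LOG = """\
2013-09-02T08:05:11 sshd[1021]: Accepted publickey for alice from 10.1.20.14 port 51022
2013-09-02T08:47:30 sshd[1102]: Accepted publickey for alice from 10.1.20.14 port 51188
2013-09-03T09:02:44 sshd[1230]: Accepted publickey for alice from 10.1.20.15 port 50012
2013-09-03T09:55:09 sshd[1301]: Accepted publickey for alice from 10.1.20.14 port 50788
2013-09-04T08:12:53 sshd[1410]: Accepted publickey for alice from 10.1.20.14 port 51301
2013-09-02T22:10:05 sshd[1050]: Accepted publickey for bob from 10.1.30.7 port 40011
2013-09-03T23:41:18 sshd[1240]: Accepted publickey for bob from 10.1.30.7 port 40122
2013-09-04T21:58:37 sshd[1420]: Accepted publickey for bob from 10.1.30.9 port 40390
"""

# Constructed new activity to be scored against that baseline.
NEW_LOG = """\
2013-09-05T08:20:01 sshd[1500]: Accepted publickey for alice from 10.1.20.14 port 51400
2013-09-05T03:14:27 sshd[1511]: Accepted publickey for alice from 203.0.113.77 port 33012
2013-09-05T22:30:44 sshd[1520]: Accepted publickey for bob from 10.1.30.7 port 40455
2013-09-05T22:31:10 sshd[1521]: Accepted publickey for bob from 198.51.100.9 port 40460
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\dT(\d\d):\d\d:\d\d) sshd\[\d+\]: Accepted \w+ for (\w+) "
    r"from (\d+\.\d+\.\d+)\.\d+ port \d+$"
)

def parse(log):
    """Turn log lines into events with the timestamp, hour, user and /24 source prefix."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, hour, user, prefix = m.groups()
            events.append({"ts": ts, "hour": int(hour), "user": user, "prefix": prefix})
    return events

# Signature / rule-based detection: a hypothetical blocklist of known-bad prefixes.
# It fires only on what someone has already identified as bad.
KNOWN_BAD_PREFIXES = {"203.0.113"}

def signature_alerts(events):
    return [e for e in events if e["prefix"] in KNOWN_BAD_PREFIXES]

def build_baseline(events):
    """Per user: mean/std-dev of login hour and the set of source /24s seen."""
    per_user = defaultdict(lambda: {"hours": [], "prefixes": set()})
    for e in events:
        per_user[e["user"]]["hours"].append(e["hour"])
        per_user[e["user"]]["prefixes"].add(e["prefix"])
    return {
        user: {"mean": mean(d["hours"]), "sd": pstdev(d["hours"]), "prefixes": d["prefixes"]}
        for user, d in per_user.items()
    }

def behavioral_alerts(events, baseline, z_threshold=3.0):
    """Flag logins whose hour or source prefix deviates from the user's own baseline."""
    alerts = []
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            alerts.append((e, "no baseline for user"))
            continue
        reasons = []
        # Floor the std-dev at one hour so a user with identical login times
        # does not produce a division by zero or an absurdly tight band.
        z = abs(e["hour"] - b["mean"]) / max(b["sd"], 1.0)
        if z > z_threshold:
            reasons.append(f"login hour {e['hour']:02d} is {z:.1f} sd from baseline")
        if e["prefix"] not in b["prefixes"]:
            reasons.append(f"source {e['prefix']}.0/24 never seen for this user")
        if reasons:
            alerts.append((e, "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    new_events = parse(NEW_LOG)
    print("signature hits:", [e["ts"] for e in signature_alerts(new_events)])
    for e, why in behavioral_alerts(new_events, baseline):
        print("behavioral hit:", e["ts"], e["user"], why)
```

The signature rule catches only the login from the blocklisted prefix. The baseline additionally flags bob's login from a prefix never seen for that account, which no static rule would have caught, and it also explains alice's 03:14 login in terms of her own habits rather than a global rule.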

Acting on these opportunities for improvement will enable organizations to respond more proactively to known cyber risks and to anticipate unknown ones. However, to be a cybersecurity innovator, organizations need to constantly scan the horizon, searching for the vulnerabilities that each emerging technology brings along with its opportunities.

5. What’s the bottom line?

As our Global Information Security Survey suggests, organizations are improving their response to known cyber threats.

Unfortunately, too often information security continues to be viewed as a compliance exercise. To be a leader in information security, organizations need to place more emphasis on improving employee awareness, increasing budgets and devoting more resources to innovating security solutions.

However, to be an information security innovator, organizations have to do much more. They need to be prepared to fundamentally transform their information security programs where necessary.

In all instances, leadership is the key. After all, when it comes to cracking the information security code, 80% of the solution is not technical — it’s a case of good governance.