Is cybersecurity about more than protection?

By

Paul van Kessel

EY Global Advisory Cybersecurity Leader

Boardroom cybersecurity discussion leader. Values simplicity in language. Enjoys sports and travel. Proud father of a daughter and a son.

5 minute read 10 Oct 2018

Our Global Information Security Survey 2018-19 sees spending on cybersecurity rise, but organizations need to take even more action.

After a year in which organizations have been rocked by a series of large-scale cybersecurity breaches and ongoing recriminations over state-sponsored interventions, this year’s EY Global Information Security Survey (GISS) shows cybersecurity continuing to rise up the board agenda. Organizations are spending more on cybersecurity, devoting increasing resources to improving their defenses, and working harder to embed security-by-design.

It’s not easy… do you recognize this?

  • Email scams: 6.4b. The number of fake emails sent worldwide – every day [1]
  • Data breaches: 1.9b. Personal and sensitive data records compromised between January 2017 and March 2018 [2]
  • Outdated software: 50%. English local authorities relying on unsupported server software [3]
  • Human error: 1,464. Number of government officials using “Password123” as their password in just one US state [4]
  • Digital astroturfing: 2m. Stolen identities used to make fake comments during a US inquiry into net neutrality [5]
  • Social engineering: 550m. Phishing emails sent out by a single campaign during the first quarter of 2018 [6]
  • High cost impact: US$3.62m. Average cost of a data breach last year [7]

The challenge is for organizations to progress on three fronts.

However, the survey results also suggest that organizations need to do more. More than three-quarters (87%) of organizations do not yet have sufficient budget to provide the levels of cybersecurity and resilience they want. Protections are patchy, relatively few organizations are prioritizing advanced capabilities, and cybersecurity too often remains siloed or isolated.

1. Protect the enterprise

Our analysis suggests that significant numbers (77%) of organizations are still operating with only limited cybersecurity and resilience. They may not even have a clear picture of what and where their most critical information and assets are – nor have adequate safeguards to protect these assets.

Cyber readiness still lagging: 77% of organizations still operating with only limited cybersecurity and resilience

That is why it is important for most organizations to continue to zero in on the very basics of cybersecurity. They should first:

  • Identify the key data and intellectual property (the “crown jewels”)
  • Review the cybersecurity capabilities, access-management processes and other defenses
  • Upgrade the shield that protects the company.

2. Optimize cybersecurity

This year’s GISS suggests that 77% of organizations are now seeking to move beyond putting basic cybersecurity protections in place to fine-tuning their capabilities. These organizations are continuing to work on their cybersecurity essentials, but they are also rethinking their cybersecurity framework and architecture to support the business more effectively and efficiently. Part of that effort is considering and implementing artificial intelligence, robotic process automation, analytics and more to increase the security of their key assets and data.

At the moment, there is significant room for improvement. Fewer than 1 in 10 organizations say their information security function currently fully meets their needs — and many are worried that vital improvements are not yet under way. Smaller companies are more likely to be lagging behind. While 78% of larger organizations say their information security function is at least partially meeting their needs, that falls to just 65% among their smaller counterparts.

Cyber criminals are raising their game, and the price of failure is high. In one recent attack, an Indian bank lost 944 million rupees (US$13.5m) after hackers installed malware on its ATM server that enabled them to make fraudulent withdrawals from cash machines. [8]

3. Enable growth

Organizations are now convinced that looking after cyber risk and building in cybersecurity from the start are imperative to success in the digital era. The focus now should also be on how cybersecurity will support and enable enterprise growth. The aim? To integrate and embed security within business processes from the start and build a more secure working environment for all. Security-by-design should be a key principle as emerging technologies move center stage.

Organizations have embarked on digital transformation journeys. The nature of each transformation varies depending on the organization, but they all include one or more of the following components:

To achieve these goals, organizations will need an innovative cybersecurity strategy rather than responding in a piecemeal and reactive way. The customer experience must be a key consideration.

These three imperatives must be pursued simultaneously and we explore these topics in more detail in this year’s EY Global Information Security Survey (pdf). The frequency and scale of the security breaches all around the world show that too few organizations have implemented even basic security.

However, even as they seek to catch up, organizations must also move forward, fine-tuning existing defenses to optimize security and support their growth. As the digital transformation agenda forces organizations to embrace emerging technologies and new business models – often at pace – cybersecurity needs to be a key enabler of growth.

  • The 21st annual edition of the EY Global Information Security Survey captures the responses of over 1,400 C-suite leaders and information security and IT executives/managers, representing many of the world’s largest and most recognized global organizations. The research was conducted from April to July 2018.

    “Larger organizations” are defined in this report as organizations with annual revenues of US$1b or more. This group represents one-third of the total respondents to this survey. “Smaller organizations” are defined in this report as organizations with annual revenues below US$1b. This group represents two-thirds of the total respondents to this survey.

    1. Dark Reading, August 27, 2018. [https://www.darkreading.com/endpoint/64-billion-fake-emails-sent-each-day/d/d-id/1332677]
    2. Chronology of Data Breaches, March 2018. [https://www.privacyrights.org/data-breaches]
    3. Computing, August 23, 2018. [https://www.computing.co.uk/ctg/news/3061558/fifty-per-cent-of-councils-in-england-rely-on-unsupported-server-software]
    4. The Washington Post, August 22, 2018. [https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/]
    5. Naked Security, 24 May 2018. [https://nakedsecurity.sophos.com/2018/05/24/2-million-stolen-identities-used-to-make-fake-net-neutrality-comments/]
    6. Dark Reading, 26 April 2018. [https://www.darkreading.com/vulnerabilities---threats/new-phishing-attack-targets-550m-email-users-worldwide/d/d-id/1331654]
    7. Ponemon Institute, July 2017. [https://www.ponemon.org/blog/2017-cost-of-data-breach-study-united-states]
    8. Info Security, August 16, 2018. [https://www.infosecurity-magazine.com/news/indian-bank-loses-135m-in-global/]

Summary

The survey reveals that cybersecurity continues to rise up the board agenda with 7 in 10 organizations stating their executive management teams now have a comprehensive understanding of cybersecurity. Organizations are spending more on cybersecurity too, devoting increasing resources to improving their defenses, and working harder to embed security-by-design.

However, the results also suggest that organizations need to do more. 87% of organizations say they do not yet have sufficient budget to provide the levels of cybersecurity and resilience they want. Protections are patchy, relatively few organizations are prioritizing advanced capabilities, and cybersecurity too often remains siloed or isolated. 
