- 56% of respondents say that businesses have sidestepped cyber processes to facilitate requirements around remote working
- 77% of respondents warn of an increase in the number of disruptive attacks
- 39% warn their organization’s budget is not adequate to manage new challenges
Adapting to new working practices as a result of the COVID-19 pandemic has left businesses exposed to more, and increasingly sophisticated, cyber attacks and has brought underfunded cyber defenses into the spotlight, according to the EY Global Information Security Survey 2021 (GISS).
This year's GISS, which surveyed more than 1,000 cybersecurity leaders at organizations worldwide, finds that more than half (56%) say that businesses have sidestepped cyber processes to facilitate new requirements around remote or flexible working. At the same time, cyber leaders say they have never been as concerned as they are now about their ability to manage the cyber threat (43%), with more than three in four (77%) warning that they have seen an increase in the number of disruptive attacks, such as ransomware, over the last 12 months (compared with 59% in the previous year’s GISS).
Kris Lovejoy, EY Global Consulting Cybersecurity Leader, says:
“The speed of change that businesses have had to adapt to this past year came with a heavy price. The need to rapidly transform to survive meant that security was often overlooked. The risks of simply moving on, especially as businesses look to maintain some of these working practices in the post-COVID-19 era, without addressing these cyber gaps, are very real and increasingly urgent. Recent ransomware events only serve to underscore how critical immediate action is.”
Cybersecurity budgets are out of sync with need
Despite the growing threat of cyber attacks, cybersecurity budgets remain low relative to overall IT spend, according to this year’s GISS. While respondents’ organizations had average revenues of US$11b in the last financial year, the average spend on cybersecurity was just $5.28m.
Almost four in ten respondents (39%) warn that their organization’s budget is below what is required to manage the new challenges that have arisen in the last 12 months. The same percentage say that cybersecurity expenses are not factored adequately into the cost of strategic investments, such as an IT supply chain transformation. At the same time, more than one-third (36%) say it is only a matter of time until their organizations suffer a major breach that could have been avoided had there been more appropriate investment in cybersecurity defenses.
Lovejoy says: “The impact of underfunding and budget restrictions will be acutely felt as disruptive events become more frequent and more sophisticated. Just like safety and security are part and parcel of any physical product development process, it can no longer be an afterthought in the development of digital products and services. Like night follows day, failure to introduce security in digital products and services will lead to an increase in the number of successful cybersecurity breaches.”
Building relationships with the C-suite can turn crisis into an opportunity
The essential relationships between cybersecurity leaders and other functions in the business lack positivity and strength, according to the 2021 GISS.
Among responding cyber leaders, 41% describe their relationship with the marketing function as negative, while 28% say their relationship with business owners is poor. As a result, while 36% of respondents in 2020 were confident that cybersecurity teams were being consulted at the planning stage of new business initiatives, this figure has fallen to 19% in 2021. Just 25% think senior business leaders would describe their organization’s cybersecurity function as commercially minded.
Errol Gardner, EY Global Vice Chair – Consulting, says:
“CISOs are central to an organization’s efforts to transform and deliver long-term value. Investing in building a strategic relationship between CISOs, CEOs and the rest of the C-suite will help ensure that transformation programs are not only successful, but also implemented in a cyber-secure way for the organization and its people.
“While CEOs are on a path to realize their vision and transform their business through technology, they can’t afford to turn a blind eye to the cyber risks this poses. At the same time, it falls on CISOs to ensure that CEOs have the right understanding of the value that investing in cybersecurity brings and that they recognize that as an integral part of the transformation journey.”
Notes to editors
EY exists to build a better working world, helping create long-term value for clients, people and society and build trust in the capital markets.
Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.
Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit ey.com.
This news release has been issued by EYGM Limited, a member of the global EY organization that also does not provide any services to clients.
About the 2021 EY Global Information Security Survey
The data in this year’s GISS report is based on a survey of CISOs and other senior leaders at 1,010 organizations, carried out between March and May 2021. CISOs and other C-suite professionals comprised 50% of respondents; the others were C-1 cybersecurity professionals.
This was a global survey, with Europe, the Middle East, India and Africa (EMEIA) accounting for 43% of respondents, the Americas 36% and the Asia-Pacific region 20%. Respondents included CISOs or their equivalents from the financial services; consumer products and retail; health and life sciences; energy; government; and technology, media and entertainment, and telecommunications (TMT) sectors. Each business included in the data for this report had annual revenues exceeding US$1b.