- 87% of organizations surveyed operate with limited cybersecurity and resilience
- 77% currently work with basic cybersecurity protections and are seeking to move toward fine-tuning capabilities
- 82% of boards fail to make cybersecurity a strategic agenda item
A year after organizations were rocked by a series of large-scale cybersecurity breaches and ongoing recriminations over state-sponsored interventions, this year’s EY Global Information Security Survey 2018-19 (GISS), “Is cybersecurity about more than protection?”, shows cybersecurity continuing to rise up the board agenda. The survey of more than 1,400 C-level cybersecurity and risk leaders from some of the world’s largest and most recognized organizations, with revenues ranging from less than USD 10 million to over USD 10 billion, examines some of the most urgent concerns about cybersecurity and organizations’ efforts to manage them.
The survey finds that 87% of organizations operate with a limited budget to provide for the level of cybersecurity and resilience they require and that 55% of organizations don’t make the protection of the organization an integral part of their overall business strategy and execution plans. Surprisingly, larger organizations are more likely to fall short on this point than smaller organizations (58% versus 54%). However, cybersecurity budgets are on the rise with larger companies being more likely to have increased budgets this year (63%) and next year (67%) than smaller companies (50% and 66%, respectively).
A majority of organizations (77%) are now seeking to move beyond basic cybersecurity protections toward fine-tuning their capabilities using advanced technologies such as artificial intelligence, robotic process automation and analytics, among others. These organizations are continuing to work on their cybersecurity essentials, but they are also rethinking their cybersecurity framework and architecture to support the business more effectively and efficiently. However, the survey found that only 8% of respondents feel that their information security function currently fully meets their needs, with 78% and 65% of larger and smaller organizations, respectively, saying their information security function is at least partially meeting their needs.
All the organizations surveyed are going through digital transformation projects and are increasing their spending on emerging technologies. The study reveals cloud computing (52%), cybersecurity analytics (38%) and mobile computing (33%) as the highest priorities for cybersecurity investment in emerging technologies this year.
Paul van Kessel, EY Global Advisory Cybersecurity Leader, says:
“Organizations today are increasingly investing in emerging technologies as part of their digital transformation programs, and while these have created multiple new possibilities, they also create new vulnerabilities and threats. Organizations should be aware that building a level of trust with customers is critical to the success of their transformation programs. To build this trust cybersecurity needs to be embedded in the DNA of the organization starting with making it an integral part of the business strategy.”
Careless/unaware employees rank as highest vulnerability and most organizations may not identify all breaches and incidents
Organizations concede that they would be unlikely to step up their cybersecurity practices or spend more money unless they suffered some sort of breach or incident that caused very negative impacts. The survey finds that the riskiest vulnerabilities are careless/unaware employees (34%), outdated security controls (26%), unauthorized access (13%) and cloud-computing use (10%). Only 8% say their security functions fully meet their needs and 38% of respondents are unlikely to detect a sophisticated breach, whereas less than 10% believe they have mature security systems. However, many organizations (82%) are unclear about whether they are successfully identifying breaches and incidents. Among organizations that have been hit by an incident over the past year, less than a third (31%) say the compromise was discovered by their security center.
Cybersecurity does not fully influence organizations’ strategic plans, the person responsible not a board member
Organizations are now convinced that looking after cyber risk and building in cybersecurity from the start is imperative to success in the digital era. The survey finds that only 18% of organizations say that information security fully influences business strategy plans on a regular basis, while 60% of organizations say that the person directly responsible for information security is not a board member. However, 70% of all organizations (73% and 68% of the larger and smaller organizations, respectively) say their senior leadership has a comprehensive understanding of security or is taking positive steps to improve their understanding.
Thomas Koch, Cybersecurity Leader at EY Luxembourg, says: “Cybersecurity is beginning to get the attention it deserves, as cyber risks are increasingly becoming an integral part of the strategic decisions made by organizations. An approach based on security-by-design and a tested cyber crisis management will determine the ability of an organization to adequately withstand and respond to a cyber attack. This resilience will be a key enabler towards using new technology and seizing emerging opportunities.”
For more information and to download the report, visit ey.com/giss.
Notes to Editors
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
This news release has been issued by EYGM Limited, a member of the global EY organization that also does not provide any services to clients.