4 minute read 13 Mar 2019
Designers group brainstorming in office

How organizations are leaving their core business open to cyber risks.

4 minute read 13 Mar 2019
Related topics Cybersecurity Digital

When it comes to cybersecurity, not all areas of the business are equal.

A recent report by HfS Reseach and EY, Why enterprises are leaving themselves open to significant risk , has found that many organizations are focusing their cybersecurity efforts primarily on growth areas, and as a result leaving their core businesses exposed and vulnerable.

The research also reveals that enterprises know the risks – not least because major breaches and fines frequently make headline news – yet they do not make fortifying existing business units against risk a priority. Instead, enterprises are focused on developing resilience in new areas as their businesses grow.

Unfortunately, threats will find their way into the core of the business through the path of least resistance. Time and time again, there are reports of legacy systems compromising entire organizations, which is in contrast to more modern technologies which are designed from the ground up to minimize risk.

Awareness versus action

The key findings of the report include:

  • Organizations understand the importance of securing their data. They have developed security policies, and security is a top-three initiative for 63% of enterprises
  • The biggest inhibitor of security readiness is the lack of executive support
  • 46% of organizations review their security policy every year, while only 26% review it every two years
  • Fewer than 30% see their increasing exposure online and their drive to digital as motivators to invest in security
  • External security service providers can offer important strategic and tactical assistance to clients
  • More than 50% of organizations are likely to use an external security service provider in the next 12 months. However, 53% of enterprises state that data sensitivity is the main barrier to outsource security services
Time and again, there are reports of legacy systems compromising entire organizations, which is in contrast to more modern cybersecurity protections which are built into every new initiative from the ground up, to embed trust by design.
Kris Lovejoy
EY Global Advisory Cybersecurity Leader

Lack of effective communication between CISO and the Board leads to inadequate support

Many CISOs are often subject matter experts who struggle to communicate the business value of security to the Board. On the “flip side”, the Board is not versed in cybersecurity. The result is a communication divide with the Board often unable to effectively assess the security team's success in protecting the business.

Cybersecurity breaches set to rise.


The number of enterprises that have experienced or expect to experience an internal breach in the next 12–18 months.

The countries that adopt the technology first are also the first to reap its rewards.

According to the report, 71% of enterprises have experienced or expect to experience an internal breach in the next 12–18 months, and 62% expect or have experienced an external breach in the same period. This is an arresting finding – this sense of inevitability among executives could be pushing security down the list of concerns.

When asked about the biggest inhibitor of their enterprise security readiness, the top respondent’s answer was: limited support from the corporate or executive level management.

The way forward

With government regulators and customers more focused on information and data security, enterprises would be well advised to bring in the expertise and execution capabilities to patch holes and build a security-focused business culture as the business drives forward.

Security policy development should not be a one-time check-the-box activity for compliance, however. Just under half (48%) of enterprises review their security policy every year, but large enterprises are leading the way, with 38% indicating that they review their security policy every quarter.

It is important to regularly review and update security policies to take account of changing technologies, business practices, and new hires. For example, with the rise of the contingent workforce, it is increasingly challenging to stay abreast of how many people an organization employs, which applications they each have access to, and what editing rights they have once they access these applications.

The report concludes with some pragmatic recommendations for organizations to improve their cybersecurity:

  • Put your money where your mouth is. Highlighting security as a top corporate initiative is positive, but the C-suite must follow this up with an investment commitment.
  • Articulate the importance of security. Security professionals and executives must work harder together to articulate the importance of security to their board.
  • Treat your security policy and access control rights as living documents that require updating regularly. Security threats appear out of nowhere; policies and controls relevant a month ago may not be now.
  • Consider the security implications of all new business initiatives you embark upon. Ensure that security plays an integral role in all new IT projects.
  • Give equal weight to your current environment. Be honest with yourself about current security risks across people, processes, and technology.
  • Use an external security service provider for strategic and tactical assistance. Security service providers can help you develop a security strategy and implement security solutions. They can also offer threat intelligence, detection, incident response, and ongoing management services. They are likely to be able to perform in some areas more effectively than your internal security team, because it is difficult to stay abreast of all potential threats on an ongoing basis.
  • Be open-minded when selecting an external security service provider. There are different types of security service providers in the market, with different core capabilities. Security teams should work closely with the C-Suite to identify gaps and establish preferred services to contract.


When it comes to cybersecurity, not all areas of the business are equal – organizations are more focused on new areas than old ones. This is just one example throughout the findings of a recent survey by HfS Research and EY. It also suggests that the C-suite know about cyber risks of this strategy, but are failing to act. What should organiztions be doing to protect their core businesses units?

About this article

Related topics Cybersecurity Digital