Our Global Information Security Survey 2018-19 sees spending on cybersecurity rise, but organizations need to take even more action.
After a year in which organizations have been rocked by a series of large-scale cybersecurity breaches and ongoing recriminations over state-sponsored interventions, this year’s EY Global Information Security Survey (GISS) shows cybersecurity continuing to rise up the board agenda. Organizations are spending more on cybersecurity, devoting increasing resources to improving their defenses, and working harder to embed security-by-design.
The survey reveals that cybersecurity continues to rise up the board agenda with 7 in 10 organizations stating their executive management teams now have a comprehensive understanding of cybersecurity. Organizations are spending more on cybersecurity too, devoting increasing resources to improving their defenses, and working harder to embed security-by-design.
However, the results also suggest that organizations need to do more. 87% of organizations say they do not yet have sufficient budget to provide the levels of cybersecurity and resilience they want. Protections are patchy, relatively few organizations are prioritizing advanced capabilities, and cybersecurity too often remains siloed or isolated.
What do Nordic and Global organizations have in common?
Information security does not hold a strong influence in organizations’ business strategy, which is affecting the total annual amount spent on it
Both in the Nordics and globally, information security is still lagging in terms of influencing business strategy and plans, with more than 50% of respondents stating that information security influences business strategy in a limited manner or not at all. This indicates that organizations still do not see security as a competitive advantage and underestimate the impact a breach can have on their reputation, and consequently on their profit and loss, as well as other relevant costs such as fines under the GDPR. Consequently, more than 60% of Nordic and global organizations spend less than US$1 million on information security, which may not be enough for many organizations depending on their size and specific context.
Nordic and global organizations are not meeting their expectations when it comes to reporting cybersecurity capabilities and incidents
93% of the Nordic and 86% of the global organizations are receiving reports that do not fully meet their expectations. Only around 20% of the reports contain the number of cyber-attacks, and only around 5% give information on the financial impact of significant data breaches, both of which should be key topics in such reports. Also, organizations that do communicate externally about compromised data usually do so within the first month, which may be too late in some cases, and many organizations never report this to the relevant stakeholders (e.g. regulators, suppliers, customers).
Nordic and global organizations agree on their top 5 vulnerabilities and threats
Organizations feel that their vulnerabilities come mainly from careless or unaware employees and from outdated information security controls or architecture, these two together representing more than 50% of the top vulnerabilities that increased their risk exposure over the last 12 months. In terms of threats, phishing and malware are the two biggest threats identified by organizations as responsible for the increase in their risk exposure in the last 12 months. However, there is a slight difference in the responses: the Nordics consider fraud to be their third highest threat, while globally cyber-attacks to deface the organization are perceived to be the third.
How do Nordic organizations stand out from global ones?
More than 90% of organizations have an information security function that does not fully meet their needs, with only 2% meeting them in the Nordics
Security functions meet the organizations' needs even less often in the Nordics (2% instead of 8% globally), and the skills shortage in particular is a problem for the Nordics. The skills shortage extends throughout levels of seniority as well, with a lack of cybersecurity people with business knowledge and a predominance of technical security skills. One major reason for the shortage is difficulty recruiting the right competences. Around 60% of organizations are planning to improve their information security function, which should reduce the gap in the upcoming years.
Relatively fewer board/executive-level members take direct responsibility for information security in the Nordics than globally
In Nordic organizations, direct responsibility for information security is held at board/executive level less often than in global organizations. This means that direct responsibility sits at a lower level, which may lead to decision making that does not take the entire perspective of the organization into consideration. It may also be perceived by others in the organization as being of less importance, and projects/activities in this area may take more time to be executed since there is no board/executive-level member directly responsible for them.
Nordic security operations centers (SOCs) are less effective than global ones because they are too technical and lack business orientation
In relative terms, Nordic organizations are having more significant incidents (68%) than global organizations (54%). Even though around half of the organizations both globally and in the Nordics report having a Security Operations Center (SOC), Nordic SOCs are identifying relatively fewer incidents (21%) than global ones (30%). The main reason for this is that Nordic SOCs are still too technical and lack business orientation, which makes them less effective in addressing business needs. This is also why 59% of cybersecurity incidents in the Nordics are being discovered internally by a business function, compared with 45% globally.
In the Nordics more breaches result in financial losses, and improper configuration is identified as a root cause of the latest significant breaches
In relative terms, Nordic organizations have had more information security incidents over the past year that resulted in a financial loss, mainly of less than US$100,000. The main cause of the latest significant breaches in the Nordics was improper configuration, a cause reported far less often globally. This is followed by malware and phishing, which are also both perceived as main root causes of the latest significant breaches. Nordic and global organizations identified careless employees as the most likely source of cyber-attacks. As for the main differences, the Nordics considered to a larger extent that a state-sponsored attacker, criminal syndicates and suppliers may be a likely source of a cyber-attack.