SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
No confidence in detecting sophisticated cyber attacks
Tue, 1st Dec 2015

Businesses across the world are lacking confidence when it comes to their ability to detect sophisticated cyber attacks, according to findings from the latest Global Information Security Survey from EY.

The survey of more than 1700 organisations reveals that 88% of respondents do not believe their information security structure fully meets their organisation's needs.

When it comes to IT security budgets, 69% say that their budgets should be increased by up to 50% to align their organisation's need for protection with its management's tolerance for risk.

The survey found the most likely sources of cyber attacks were criminal syndicates (59%), employees (56%) and hacktivists (54%), with state-sponsored attackers (35%) in sixth place.

“Organisations are embracing the digital world with enthusiasm, but there must be a corresponding uptick in addressing the increasingly sophisticated cyber threats,” says Ken Allan, global cybersecurity leader, EY.

“Businesses should not overlook or underestimate the potential risks of cyber breaches,” he says.

“Instead, they should develop a laser-like focus on cybersecurity and make the required investments. The only way to make the digital world fully operational and sustainable is to enable organisations to protect themselves and their clients and to create trust in their brand.”

The survey found that companies currently feel less vulnerable to attacks arising from unaware employees (44%) and outdated systems (34%), down from 57% and 52%, respectively, in 2014.

However, they feel more threatened today by phishing and malware. Forty-four percent of respondents (compared with 39% in 2014) ranked phishing as their top threat; 43% consider malware as their biggest threat versus 34% in 2014.

The survey found that organisations are falling short in thwarting a cyber attack, with 54% saying they lack a dedicated function that focuses on emerging technology and its impact. Forty-seven percent do not have a security operations centre, and 36% do not have a threat intelligence programme, while 18% do not have an identity and access management programme.

More than half (57%) of the respondents say the contribution and value that the information security function provides to their organisation is compromised by the lack of skilled talent available, compared with 53% of respondents in the 2014 survey, indicating that the situation is deteriorating, rather than improving.

Paul van Kessel, global risk leader, EY, says, “Cybersecurity is inherently a defensive capability, but organizations should not wait to become victims.

“Instead, they should take an ‘active defense’ stance, with advanced security operations centres that identify potential attackers and analyse, assess and neutralise threats before damage can occur,” he says.

“It is imperative that organisations consider cybersecurity as an enabler to build and keep customers' trust,” van Kessel adds.