The Business Continuity Institute
Global organizations are more confident than ever that they can predict and resist a sophisticated cyber attack, but are falling short of investments and plans to recover from a breach in today's expanding threat landscape. This is according to a new study conducted by EY.
The annual Global Information Security Survey (GISS) - Path to cyber resilience: Sense, resist, react - showed that half (50%) of those surveyed said they could detect a sophisticated cyber attack – the highest level of confidence since 2013 – due to investments in cyber threat intelligence to predict what they can expect from an attack, continuous monitoring mechanisms, security operations centres (SOCs) and active defence mechanisms. However, despite these investments, 86% of those surveyed say their cyber security function does not fully meet their organization's needs.
Business continuity professionals are well aware of the threat the cyber world poses to their organizations, as identified in the Business Continuity Institute's latest Horizon Scan Report. In this report, cyber attack and data breach were ranked as the top two threats, with the vast majority of respondents to a global survey (85% and 80% respectively) expressing concern about the prospect of them materialising.
Despite the report noting that business continuity and disaster recovery – which is at the heart of an organization's ability to react to an attack – was rated by respondents as their top priority (57%), along with data leakage and data loss prevention (57%), only 39% plan to spend more on business continuity and disaster recovery.
Paul van Kessel, EY Global Advisory Cyber Security Leader, says: "Organizations have come a long way in preparing for a cyber breach, but as fast as they improve, cyber attackers come up with new tricks. Organizations therefore need to sharpen their senses and upgrade their resistance to attacks. They also need to think beyond just protection and security to 'cyber resilience' – an organization-wide response that helps them prepare for and fully address these inevitable cyber security incidents. In the event of an attack they need to have a plan and be prepared to repair the damage quickly and get the organization back on its feet. If not, they put their customers, employees, vendors and ultimately their own future, at risk."
This year's survey also shows that respondents continue to cite the same key areas of concern for their cyber security, such as the increased risks from the actions of careless or unaware employees (55% compared with 44% in 2015) and unauthorized access to data (54% compared with 32% in 2015). Meanwhile obstacles to their information security function are virtually unchanged from last year, including:
- Budget constraints (61% compared with 62% in 2015)
- Lack of skilled resources (56% compared with 57% in 2015)
- Lack of executive awareness or support (32%, the same as in 2015)
Despite the connected nature of today's digital ecosystem, the survey found that 62% of global organizations said it was unlikely they would increase their cyber security spending after a breach that did not appear to do any harm to their operations. Also, 58% said it was unlikely they would increase their information security spending if a competitor was attacked, while 68% said it was unlikely they would increase their information security spending if a supplier was attacked. In the event of an attack that definitely compromised data, almost half of the respondents (48%) would not notify customers who had been impacted within the first week. Overall, 42% of respondents do not have an agreed communications strategy or plan in place in the event of a significant attack.
When it comes to devices, organizations are struggling with the number of devices that are continuously being added to their digital ecosystem. Almost three-quarters (73%) of organizations surveyed are concerned about poor user awareness and behavior around mobile devices, such as laptops, tablets and smartphones. Half (50%) cited the loss of a smart device as a top risk associated with the growing use of mobile devices because it encompasses both information and identity loss.