No 1 security vulnerability is careless or unaware employees: EY survey
By Digital News Asia November 5, 2014
- 37% of organisations have no real-time insight on cyber risks
- They lack agility, budget and skills to combat rising cybercrime
CARELESS or unaware employees has been cited as the No 1 vulnerability companies face when it comes to cyber-security, according to EY’s annual Global Information Security survey.
This year’s report, entitled Get Ahead of Cybercrime, surveyed 1,825 organisations in 60 countries this year, EY said in a statement.
When it comes to ‘careless or unaware employees,’ 38% of respondents said it is their first priority, with ‘outdated information security controls or architecture’ and ‘cloud computing use’ coming in second and third respectively (35% and 17%).
‘Stealing financial information,’ ‘disrupting or defacing the organisation’ and ‘stealing intellectual property or data’ are the top three threats – 28%, 25% and 20% respectively say it is their first priority.
READ ALSO: Accidental sharing by staff bigger threat to data loss: Kaspersky Lab
Most organisations (67%) are facing rising threats in their information security risk environment, but over a third (37%) have no real-time insight on cyber risks necessary to combat these threats.
Companies are lacking the agility, the budget and the skills to mitigate known vulnerabilities and successfully prepare for and address cybersecurity, EY said.
Forty-three percent of respondents say that their organisation’s total information security budget will stay approximately the same in the coming 12 months despite increasing threats, which is only a marginal improvement to 2013 when 46% said budgets would not change.
Over half (53%) say that a lack of skilled resources is one of the main obstacles challenging their information security programme, and only 5% of responding companies have a threat intelligence team with dedicated analysts.
These figures also represent no material difference to 2013, when 50% highlighted a lack of skilled resources and 4% said they had a threat intelligence team with dedicated analysts.
This year’s survey finds that organisations need to do a better job of anticipating attacks in an environment where it is no longer possible to prevent all cyber breaches, and where threats come from ever more resourceful and well-funded sources, EY said.
“Organisations will only develop a risk strategy of the future if they understand how to anticipate cybercrime,” said EY’s global risk leader Paul van Kessel.
“Cyber-attacks have the potential to be far-reaching – not only financially, but also in terms of brand and reputation damage, the loss of competitive advantage and regulatory non-compliance.
“Organisations must undertake a journey from a reactive to a proactive posture, transforming themselves from easy targets for cybercriminals into more formidable adversaries.
“Too many organisations still fall short in mastering the foundational components of cybersecurity. In addition to a lack of focus at the top of the organisation and a lack of well-defined procedures and practices, too many of the organisations we surveyed reveal they do not have a security operations centre.
“This is a major cause for concern,” said van Kessel.
EY’s Asean information security leader Gerry Chng said that establishing a solid foundation to build up cybersecurity capabilities is crucial in today’s landscape across South-East Asia.
“Attackers have been methodically studying our defence strategies and finding ways to circumvent them very successfully. Organisations need to stop mindlessly applying security solutions in the hope that such problems will go away if one spends enough money on the latest technology.
Security as part of business ecosystem
The report encourages organisations to embrace cybersecurity as a core competitive capability. This requires keeping the organisation in a constant state of readiness, anticipating where new threats may arise and shedding the ‘victim’ mindset of operating in a perpetual state of anxiety.
To reach this state, the report recommends:
- Remaining alert to new threats: Leadership should address cyber threats/ risks as a core business issue, and put in place a dynamic decision process that enables quick preventative action.
- Understanding the threat landscape: Organisations should have a comprehensive, yet targeted, awareness of the wider threat landscape and how it relates to the organisation, and invest in cyber threat intelligence.
- Knowing your ‘crown jewels’: There should be a common understanding across the organisation of the assets that are of greatest value to the business, and how they can be prioritised and protected.
- Focusing on incident and crisis response: Organisations should regularly test their capabilities.
- Learning and evolving: Cybersecurity forensics is a critical piece of the puzzle. Organisations should closely study data from incidents and attacks, maintain and explore new collaborative relationships and refresh their strategy regularly.
“Beyond internal threats, organisations also need to think broadly about their business ecosystem and how relationships with third parties and vendors can impact their security posture,” said EY’s global information security leader Ken Allan.
“It’s only by reaching an advanced stage of cybersecurity readiness that an organisation can start to reap the real benefits of its cybersecurity investments.
“By putting the building blocks in place and ensuring that the programme is able to adapt to change, companies can start to get ahead of cybercrime, adding capabilities before they are needed and preparing for threats before they arise,” he added.
For further information and to download the 2014 report, visit www.ey.com/GISS.
Related Stories:
Basic security products don't cut it anymore: IDC
Security is a process
IT leaders on the harsh reality of cyber-protection
Govt malware, insider threats to dominate security landscape: CyberArk
For more technology news and the latest updates, follow @dnewsasia on Twitter or Like us on Facebook.
