One year after organizations were shaken by a series of widespread cyber attacks and ongoing accusations of government-funded interventions, cyber security continues to occupy an increasingly important place on the board of directors' agenda, according to the EY Global Information Security Survey 2018-19 (GISS), "Is cybersecurity about more protection?"
The study of more than 1,400 cyber security leaders at the world's largest and most recognized organizations, with revenues ranging from less than $10 million to over $10 billion, analyzes their most urgent cyber security concerns and their efforts to manage them.
According to the study, 87% of organizations operate with a limited budget for providing the level of cyber security and resilience they need, and 55% of organizations do not make protecting the organization part of their overall business strategy and execution plans.
Surprisingly, large organizations are more likely to fall short in this respect than smaller organizations (58% vs. 54%). However, budgets for cyber security are on the rise, with larger companies more likely to raise budgets this year (63%) and next year (67%) than smaller companies (50% and 66% respectively).
Most organizations (77%) are currently trying to move beyond basic cyber security protection and are looking to refine their capabilities using advanced technologies such as artificial intelligence, process automation, data analysis, and more. However, the study shows that only 8% of respondents believe that their information security function fully meets their needs, while 78% of the larger organizations and 65% of the smaller ones say that, at present, their information security function only partially meets their needs.
All organizations surveyed are undertaking digital transformation projects and are increasing their spending on the integration of emerging technologies. According to the study, the main priorities for IT security investments in emerging technologies this year are cloud computing (52%), computer analysis (38%) and mobile data processing (33%).
Careless employees are the biggest vulnerability, and most organizations are not sure they identify all attacks and incidents
Organizations admit that they are unlikely to step up their cyber security practices or spend more money unless they have suffered an attack or incident with a very negative impact. The study finds that the vulnerabilities with the highest associated risks are negligent or unaware employees (34%), overtaxed security controls (26%), unauthorized access (13%) and cloud computing (10%).
Only 8% say that their security functions fully meet their needs and 38% are unlikely to detect a sophisticated cyber attack, while fewer than 10% believe they have mature security systems. Moreover, many organizations (82%) do not know how successfully they identify attacks and incidents. Less than one-third (31%) of the organizations that experienced a security incident in the past year said the damage was discovered by their security center.
Cyber security is not fully integrated into organizations' strategic plans, and the person responsible is not a member of the board of directors
Organizations are now convinced that tracking cyber threats and building cyber security into the business plan from the very beginning are imperative for success in the digital age.
However, according to the study, only 18% of organizations say IT security is regularly taken into account in strategic business plans, while 60% of organizations say that the person directly responsible for information security is not a member of the board of directors.
However, 70% of the organizations surveyed (73% of the large organizations and 68% of the small organizations, respectively) say that senior leaders have a high level of understanding of security or are improving their understanding.