Under cyber-attack, EY's 16th annual Global Information Security Survey 2013 tracks the level of awareness and action by companies in response to cyber threats and canvasses the opinion of over 1,900 senior executives, from 64 countries worldwide and from 25 industry sectors. This year’s results show that as companies continue to invest heavily to protect themselves against cyber-attacks, the number of security breaches is on the rise and it is no longer a question of if, but when, a company will be the target of an attack.
The leaps that organizations are making
- 68% of respondents state business continuity and disaster recovery as their top two priorities
Generally, organizations name business continuity and disaster recovery as their top information security priority for the next 12 months. Cyber risks and cyber threats, data leakage and data loss prevention, information security transformation, and compliance monitoring round out the top five.
- 43% of organizations indicate that information security budgets are on the rise
Within the government and public sectors, some respondents reported budget increases, but a majority indicate that their budgets have stayed the same as last year. Small businesses with a turnover of less than US$10m or businesses located in rapid-growth markets report the highest increases as a percentage of their budgets.
- 62% of organizations have not aligned their information security strategy to their risk appetite or tolerance
Although there have been improvements in alignment to business and IT strategies, many organizations have made no moves to improve their alignment with the organization’s risk appetite or with today’s risk environment. Financial services organizations are more aligned, while organizations in rapid-growth markets are less aligned.
This lack of alignment suggests that when setting budgets or determining resource requirements, too few organizations consider the cyber risks they are prepared to accept or must defend against at all costs, and far too many organizations only look inward to satisfy themselves that they are adequately protected against cyber risks — a view that may be costly when an attack occurs.
- 45% of respondents say mobile computing has most changed their risk exposure, while 70% find security of smartphones and tablets important
A few years ago, organizations could not imagine employees using their personal smartphones and tablets for work purposes. In fact, bring your own device (BYOD) only entered the market in 2009; widespread adoption of BYOD has only occurred recently. Yet, as we continue to hear about breaches of sensitive or confidential data by those using smartphones and tablets, the question becomes: Who is responsible for the smartphone’s data — employer or employee? And how often is the smartphone being updated, and how often are security notifications appearing?
- Information security departments are still feeling the pinch
Despite half of the respondents planning to increase their budget by 5% or more in the next 12 months, 65% cite an insufficient budget as their number one challenge to operating at the levels the business expects; and among organizations with revenues of US$10m or less this figure rises to 71%.
- Information security departments struggle with a lack of skilled resources
Although information security is focusing on the right priorities, in many instances, the function doesn’t have the skilled resources or executive awareness and support needed to address them.
In particular, the gap is widening between supply and demand, creating a sellers’ market, with 50% of respondents citing an internal lack of skilled resources as a barrier to value creation. Similarly, where only 20% of previous survey participants indicated a lack of executive awareness or support, 31% now cite it as an issue.
“Lack of budgets to attract qualified talent is a global problem. This is particularly acute in Europe, where governments and companies are struggling to recruit the most valuable talent to their teams. As a result, while organizations feel they are addressing the right priorities, many indicate that they do not have the skilled resources to support their needs”, says Carmen Adamescu, Director of the IT Consultancy Department, EY Romania.
“This year’s survey shows that organizations are moving in the right direction, but more still needs to be done. There are promising signs that the issue is now gaining attention at the highest levels. In 2012, none of the information security professionals surveyed reported to senior executives – in 2013 this jumped to 35%”, adds Carmen Adamescu.