Daily Mirror - Print Edition

Organisations at high risk from cyber attacks

18 Dec 2017

Common attack methods still successful, EY survey finds

  • 56% of organisations surveyed are concerned about the increasing impact of cyber threats on their strategies and plans
  • 87% say they require up to 50% more funding to address increased cyber threats
  • Only 12% say they are likely to detect a sophisticated cyber-attack


Organisations believe that today’s cyber-threat landscape places them at high risk of cyber-attacks, according to the 20th annual EY Global Information Security Survey (GISS), Cybersecurity regained: preparing to face cyber attacks.


The survey of nearly 1,200 C-level leaders of the world’s largest and most recognised organisations examines some of the most urgent concerns about cybersecurity and their efforts to manage them.


Findings show that 56 percent of those surveyed are making or planning to make changes to their strategies and plans due to the increased impact of cyber-threats, risks and vulnerabilities. The rapid acceleration of connectivity within their global organisations - fueled by the growth of Internet of Things (IoT) - has introduced new vulnerabilities for increasingly sophisticated cyber-attackers to exploit. The report reveals that common attacks - cyber-attacks carried out by unsophisticated, individual attackers - successfully exploited vulnerabilities that organisations were aware of, which indicates a lack of rigor in implementing standard security procedures.


EY Sri Lanka Advisory Leader Arjuna Herath says: “The most successful recent cyber attacks employed common methods that leveraged known vulnerabilities of organisations. Also, the increasing hyper-connectivity and waves of new technology, while creating huge opportunities, introduce new risks and vulnerabilities across the organisation. Therefore, as organisations transform into the digital age, they must examine their digital ecosystem from every angle to protect their businesses today, tomorrow and far into the future.”


Findings reveal that most organisations continue to increase their spending on cybersecurity, with more than 90 percent of respondents saying they expect higher budgets this year. With mounting cyber-threats demanding a more robust response, 87 percent say that they require up to 50 percent more funding. However, only 12 percent expect to receive an increase of more than 25 percent this year.


Also, 76 percent of respondents say the discovery of a breach that caused harm is most likely to trigger the increased allocation of budgets. 


By contrast, 64 percent (compared to 62 percent last year) say an attack that did not appear to have caused any harm would be unlikely to prompt an increase in cybersecurity budget, despite the reality that harm caused by a cyber attack may not be immediately obvious.


Many respondents also recognise that lack of adequate resource allocation can increase cybersecurity risks, with 56 percent saying that they have made changes or are reviewing changes to their strategies and plans to address this. However, 20 percent admit that they do not have enough appreciation of current information security implications and vulnerabilities to undertake such a review.


Increasing threats from malware and careless employees


Malware (64 percent compared to 52 percent in 2016) and phishing (64 percent compared to 51 percent last year) are perceived as the threats that have most increased organisations’ risk exposure in the last 12 months. Careless or unaware employees are seen as the most significant increasing vulnerability to organisations’ security (60 percent compared to 55 percent in 2016). When it comes to the most likely source of attack, 77 percent considered careless members of staff as the most likely source, followed by criminal syndicates (56 percent) and malicious employees (47 percent).


When fighting back against an advanced attack - those carried out by sophisticated and well organised groups - many organisations have serious concerns about the level of sophistication of their current cybersecurity systems. 75 percent of respondents rate the maturity of their vulnerability identification as “very low to moderate.” A further 12 percent say they have no formal breach detection programme in place, while 35 percent describe their data protection policies as ad-hoc or non-existent, and 38 percent either have no identity and access programme or have not formally agreed such a programme.


To help improve their preparedness, most organisations recognise the need for a Security Operations Center (SOC), which provides a centralised, structured and coordinated hub for all cybersecurity activities. However, 48 percent of respondents say they still do not have an SOC, whether in-house or outsourced. Moreover, just 57 percent of respondents have an informal threat intelligence programme - or do not have one at all - with just 12 percent of respondents confident that they can detect a sophisticated cyber-attack made on their organisation.


The study also shows that cybersecurity budgets are higher in organisations that:

  • Place dedicated business line security officers in key lines of business
  • Report at least twice a year on cybersecurity to the board and audit committee
  • Specifically identify IT ‘crown jewels’ and differentially protect these assets


The report highlights that organisations with good governance processes underlying their operational approach are able to practice security-by-design - building systems and processes that can respond to unexpected risks and emerging dangers. The findings also show, however, that there is a long way to go before this becomes standard practice. 


While 50 percent say that they report to the board regularly, only 24 percent say the person with responsibility for cybersecurity sits on their board and just 36 percent say boards have sufficient knowledge of information security to fully evaluate the effectiveness of preventive measures.


Herath says: “We believe that in the future businesses will collaborate and work with each other to share knowledge to help increase cyber-resiliency. It is imperative, therefore, that organizations move beyond thinking about cybersecurity as an IT issue, and focus on good cybersecurity governance and security-by-design.”