- Half (50%) of Irish organisations have no real-time insight on cyber risks, lacking the agility, budget and skills to combat rising cybercrime
- Almost half (47%) of Irish organisations believe it unlikely they would detect a sophisticated cyber attack
- Organisations need to maintain a constant state of readiness to respond to cyber attacks and anticipate where new threats may arise
Despite increasing external threats, 47% of Irish organisations are unlikely to be able to detect a sophisticated cyber attack according to EY’s annual Global Information Security survey, Get Ahead of Cybercrime, which this year surveyed 1,825 organisations in 60 countries, including Ireland.
While Irish organisations have a greater awareness of the various cyber threats currently at play, the findings indicate that companies lack the agility, budget and skills to mitigate known vulnerabilities and successfully prepare for and address cyber attacks. Although 82% of Irish respondents reported that security spending will increase somewhat over the next 12 months, worryingly, despite the expected increases in spend, over 50% of Irish respondents still cite budget as their main obstacle to their cyber security programme.
Hugh Callaghan, EY EMEIA Financial Services Advisory Director, commented: “Organisations now acknowledge that outright prevention of sophisticated cyber attacks is unrealistic and that only half of respondents are confident of detecting attacks. Enhancing the monitoring required to detect attacks and enable rapid response will require significant investment in a security operations centre capability, which is not widely reflected in short term budget expectations. This means that vulnerability to cyber attacks will continue and security functions will struggle in fully meeting the needs of the business.”
Consistent with survey results over recent years, when asked about their top 5 concerns, 71% of Irish organisations regard their leading internal weakness as careless or unaware employees. The top two external threats cited by respondents were cyber attacks aimed at stealing financial information and malware threats (41% each). Recent mainstream media reports of sophisticated malware would appear to validate this view.
This year’s survey finds that organisations need to do a better job of anticipating attacks in an environment where it is no longer possible to prevent all cyber breaches, and where threats come from ever more resourceful and well-funded sources.
Half (50%) of Irish organisations say that a lack of skilled resources is one of the main obstacles challenging their information security programme and only 6% of respondents have a threat intelligence team with dedicated analysts. “The purpose of threat intelligence is to understand the threats specific to your organisation and inform rapid decision-making. This includes understanding ‘who’ and ‘what’ that is targeting you and your industry peers in order to anticipate attacks before they occur and to inform your prevention, monitoring and response activities” commented Callaghan.
Hugh Callaghan added: “Ireland continues to enjoy its international reputation as ‘the Silicon Valley of Europe’. However; the results of the survey indicate that while they have come a long way, Irish organisations need to further educate themselves on the realities of cyber crime in order for Ireland to maintain its competitive edge as a leader in technology and digital services. Success in the digital economy is founded on trust and cyber security breaches can severely damage that trust. Ireland needs to be regarded as a safe place to do business online.
Accordingly, organisations must undertake a journey from a reactive to a proactive posture, transforming themselves from easy marks for cyber criminals into less attractive targets.”
Ivan O’Brien, EY IT Advisory Director commented: “Too many organisations still fall short in moving beyond the foundational components of cyber security. In addition to a lack of focus at the top of the organisation, lack of a clearly articulated risk appetite, and a lack of well-defined cyber security strategy and framework, many of the organisations we surveyed revealed they have or utilise a security operations centre but many are not integrating and aligning the services within their business”.
O’Brien added: “Beyond internal threats, organisations also need to think broadly about their business ecosystem and how relationships with third parties and vendors can impact their security posture. It’s only by reaching an advanced stage of cyber security readiness that an organisation can start to reap the real benefits of its digital investments. By putting the building blocks in place and ensuring that the programme is able to adapt to change, companies can start to get ahead of cybercrime, adding capabilities before they are needed and preparing for threats before they arise.”
The report encourages organisations to embrace cyber security as a core competitive capability. This requires keeping the organisation in a constant state of readiness, anticipating where new threats may arise and shedding the “victim” mindset of operating in a perpetual state of anxiety. To reach this state, the report recommends:
- Remaining alert to new threats: Leadership should address cyber threats/risks as a core business issue, and put in place a dynamic decision process that enables quick preventative action.
- Understanding the threat landscape: Organisations should have a comprehensive, yet targeted, awareness of the wider threat landscape and how it relates to the organisation, and invest in cyber threat intelligence.
- Knowing your “crown jewels”: There should be a common understanding across the organisation of the assets that are of greatest value to the business, and how they can be prioritised and protected.
- Focusing on incident and crisis response: Organisations should regularly test the organisation’s capabilities.
- Learning and evolving: Cyber security forensics is a critical piece of the puzzle. Organisations should closely study data from incidents and attacks, maintain and explore new collaborative relationships and refresh their strategy regularly.
EY is a global leader in assurance, tax, transaction and advisory services. The
insights and quality services we deliver help build trust and confidence in the
capital markets and in economies the world over. We develop outstanding
leaders who team to deliver on our promises to all of our stakeholders. In so
doing, we play a critical role in building a better working world for our people,
for our clients and for our communities.
EY refers to the global organisation and may refer to one or more of the
member firms of Ernst & Young Global Limited, each of which is a separate
legal entity. Ernst & Young Global Limited, a UK company limited by
guarantee, does not provide services to clients. For more information about
our organisation, please visit ey.com.
© 2015 Ernst & Young. Published in Ireland. All Rights Reserved.