Is Cybersecurity About More Than Protection?
Our Global Information Security Survey 2018-19 sees spending on cybersecurity rise, but organizations need to take even more action.
After a year in which organizations have been rocked by a series of large-scale cybersecurity breaches and ongoing recriminations over state-sponsored interventions, this year’s EY Global Information Security Survey (GISS) shows cybersecurity continuing to rise up the board agenda. Organizations are spending more on cybersecurity, devoting increasing resources to improving their defenses, and working harder to embed security-by-design.
It’s not easy… do you recognize this?
The number of fake emails sent worldwide – every day 
Personal and sensitive data records compromised between January 2017 and March 2018 
English local authorities relying on unsupported server software 
Number of government officials using “Password123” as their password in just one US state 
Stolen identities used to make fake comments during a US inquiry into net neutrality 
Phishing emails sent out by a single campaign during the first quarter of 2018 
High cost impact
Average cost of a data breach last year 
The challenge is for organizations to progress on three fronts.
However, the survey results also suggest that organizations need to do more. More than three-quarters (87%) of organizations do not yet have sufficient budget to provide the levels of cybersecurity and resilience they want. Protections are patchy, relatively few organizations are prioritizing advanced capabilities, and cybersecurity too often remains siloed or isolated.
1. Protect the enterprise
Our analysis suggests that significant numbers (77%) of organizations are still operating with only limited cybersecurity and resilience. They may not even have a clear picture of what and where their most critical information and assets are – nor have adequate safeguards to protect these assets.
Cyber readiness still lagging
Of organizations still operating with only limited cybersecurity and resilience
That is why it is important for most organizations to continue to zero in on the very basics of cybersecurity. They should first:
Identify the key data and intellectual property (the “crown jewels”)
Review the cybersecurity capabilities, access-management processes and other defenses
Upgrade the shield that protects the company.
2. Optimize cybersecurity
This year’s GISS suggests that 77% of organizations are now seeking to move beyond putting basic cybersecurity protections in place to fine-tuning their capabilities. These organizations are continuing to work on their cybersecurity essentials, but they are also rethinking their cybersecurity framework and architecture to support the business more effectively and efficiently. Part of that effort is considering and implementing artificial intelligence, robotic process automation, analytics and more to increase the security of their key assets and data.
At the moment, there is significant room for improvement. Fewer than 1 in 10 organizations say their information security function currently fully meets their needs — and many are worried that vital improvements are not yet under way. Smaller companies are more likely to be lagging behind. While 78% of larger organizations say their information security function is at least partially meeting their needs, that falls to just 65% among their smaller counterparts.
Cyber criminals are raising their game, and the price of failure is high. In one recent attack, an Indian bank lost 944 million rupees (US$13.5m) after hackers installed malware on its ATM server that enabled them to make fraudulent withdrawals from cash machines.8
3. Enable growth
Organizations are now convinced that looking after cyber risk and building in cybersecurity from the start are imperative to success in the digital era. The focus now should also be on how cybersecurity will support and enable enterprise growth. The aim? To integrate and embed security within business processes from the start and build a more secure working environment for all. Security-by-design should be a key principle as emerging technologies move center stage.
Organizations have embarked on digital transformation journeys. The nature of each transformation varies depending on the organization, but they all include one or more of the following components:
To achieve these goals, organizations will need an innovative cybersecurity strategy rather than responding in a piecemeal and reactive way. The customer experience must be a key consideration.
These three imperatives must be pursued simultaneously and we explore these topics in more detail in this year’s EY Global Information Security Survey (pdf). The frequency and scale of the security breaches all around the world show that too few organizations have implemented even basic security.
However, even as they seek to catch up, organizations must also move forward, fine-tuning existing defenses to optimize security and support their growth. As the digital transformation agenda forces organizations to embrace emerging technologies and new business models – often at pace – cybersecurity needs to be a key enabler of growth.