More than one-third of global organizations still lack confidence in their ability to detect sophisticated cyber attacks, EY survey finds
Eighty-eight percent of companies don’t believe their information security fully meets their organization’s needs / 69 percent say they should spend more money on cyber security to protect data / Criminal syndicates, hacktivists and state-sponsored groups cited as most likely sources of cyber attacks
Zurich, 18 November 2015 – More than one-third (36%) of global organizations still lack confidence in their ability to detect sophisticated cyber attacks, according to EY’s annual Global Information Security Survey 2015, “Creating trust in the digital world”.
The survey of 1,755 organizations from 67 countries (including Switzerland) examines some of the most important cyber security issues facing businesses today, and finds that 88% do not believe their information security structure fully meets their organisation’s needs.
When it comes to IT security budgets, 69% say that their budgets should be increased by up to 50% to align their organization’s need for protection with its management’s tolerance for risk. The most likely sources of cyber attacks, criminal syndicates (59%), hacktivists (54%) and state-sponsored groups (35%), retained their top rankings. However, compared with last year’s survey, respondents rated these sources as more likely: up from 53%, 46%, and 27%, respectively, in 2014.
Markus Thomas Schweizer, Managing Partner of Advisory Services at EY Germany, Switzerland and Austria, states: “Organizations are embracing the digital world with enthusiasm, but there must be a corresponding uptick in addressing the increasingly sophisticated cyber threats. Businesses should not overlook or underestimate the potential risks of cyber breaches. Instead, they should develop a laser-like focus on cyber security and make the required investments. The only way to make the digital world fully operational and sustainable is to enable organizations to protect themselves and their clients and to create trust in their brand”.
Vulnerabilities and threats: a shift in perceptions
The survey found that companies currently feel less vulnerable to attacks arising from unaware employees (44%) and outdated systems (34%); down from 57% and 52%, respectively, in the 2014 Global Information Security Survey (GISS). However, they feel more threatened today by phishing and malware. Forty-four percent of respondents (compared with 39% in 2014) ranked phishing as their top threat; 43% consider malware as their biggest threat versus 34% in 2014.
The survey also finds that organizations are falling short in thwarting a cyber attack:
- 54% say they lack a dedicated function that focuses on emerging technology and its impact
- 47% do not have a security operations centre
- 36% do not have a threat intelligence program, while 18% do not have an identity and access management program
More than half (57%) said that the contribution and value that the information security function provides to their organization is compromised by the lack of skilled talent available, compared with 53% of respondents in the 2014 survey, indicating that the situation is deteriorating, rather than improving.
Tom Schmidt, Partner at EY Financial Services Advisory and Cyber security Leader FSO Switzerland, says: “Cyber security is inherently a defensive capability, but organizations should not wait to become victims. Instead, they should take an ‘active defence’ stance, with advanced security operations centres that identify potential attackers and analyse, assess and neutralise threats before damage can occur. It is imperative that organizations consider cyber security as an enabler to build and keep customers’ trust.”
Some examples of the industries surveyed:
EY’s Global Information Security Survey 2015 – Sector highlights
Columns: Industries | Likely sources of cyber attacks | Top priorities for | Companies not changing security budget over next 12 months
Consumer products:
- Employees: 61%
- Criminal syndicates: 52%
- External contractors: 43%
- Business continuity/disaster recovery resilience: 59%
- Data leakage/data loss prevention: 50%
- Incident response capabilities: 40%
Banking and capital markets:
- Cyber attacks to steal financial information: 21%
- Data leakage/data loss prevention: 67%
- Business continuity/disaster recovery: 56%
- Identity and access management: 56%
Power and utilities:
- Business continuity/disaster protection: 52%
- Data leakage/data loss prevention: 44%
- Security operations, such as anti-virus, patching, encryption: 43%
About the global EY organization
The global EY organization is a leader in assurance, tax, transaction, legal and advisory services. We leverage our experience, knowledge and services to help build trust and confidence in the financial markets and in economies all over the world. We are ideally equipped for this task – with well trained employees, strong teams, excellent services and outstanding client relations. Our global mission is to drive progress and make a difference by building a better working world – for our people, for our clients and for our communities.
The global EY organization refers to all member firms of Ernst & Young Global Limited (EYG). Each EYG member firm is a separate legal entity and has no liability for another such entity’s acts or omissions. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information, please visit www.ey.com.
EY’s organization is represented in Switzerland by Ernst & Young Ltd, Basel, with ten offices across Switzerland, and in Liechtenstein by Ernst & Young AG, Vaduz. In this publication, "EY" and "we" refer to Ernst & Young Ltd, Basel, a member firm of Ernst & Young Global Limited.