Most companies don’t believe their information security meets their organization’s needs

More than one-third (36%) of global organizations still lack confidence in their ability to detect sophisticated cyber attacks, according to EY.

The survey of 1,755 organizations from 67 countries examines some of the most important cybersecurity issues facing businesses today and finds that 88% do not believe their information security structure fully meets their organization’s needs. When it comes to IT security budgets, 69% say that their budgets should be increased by up to 50% to align their organization’s need for protection with its managements’ tolerance for risk.

The most likely sources of cyber attacks: criminal syndicates (59%), hacktivists (54%) and state-sponsored groups (35%) retained their top rankings. However, compared with last year’s survey, respondents rated these sources as more likely: up from 53%, 46%, and 27%, respectively, in 2014.

The survey found that companies currently feel less vulnerable to attacks arising from unaware employees (44%) and outdated systems (34%); down from 57% and 52%, respectively, in the 2014 Global Information Security Survey (GISS). However, they feel more threatened today by phishing and malware. Forty-four percent of respondents (compared with 39% in 2014) ranked phishing as their top threat; 43% consider malware as their biggest threat versus 34% in 2014.

The survey also finds that organizations are falling short in thwarting a cyber attack:

• 54% say they lack a dedicated function that focuses on emerging technology and its impact
• 47% do not have a security operations center
• 36% do not have a threat intelligence program, while 18% do not have an identity and access management program.

More than half (57%) said that the contribution and value that the information security function provides to their organization is compromised by the lack of skilled talent available, compared with 53% of respondents in the 2014 survey, indicating that the situation is deteriorating, rather than improving.

Paul van Kessel, Global Risk Leader, EY, says: “Cybersecurity is inherently a defensive capability, but organizations should not wait to become victims. Instead, they should take an ‘active defense’ stance, with advanced security operations centers that identify potential attackers and analyze, assess and neutralize threats before damage can occur. It is imperative that organizations consider cybersecurity as an enabler to build and keep customers’ trust.”