At least a third of global organisations (global: 36 per cent, Singapore: 30 per cent) still lack confidence in their ability to detect sophisticated cyberspace attacks, according to EY’s annual Global Information Security Survey (GISS) 2015, Creating trust in the digital world.
The survey of 1755 organizations from 67 countries, including 35 from Singapore, examines some of the most important cybersecurity issues facing businesses today and finds that 88 per cent and 80 per cent of global and Singaporean respondents respectively do not believe their information security architecture is sufficient to meet their security needs.
When asked about their IT security budgets, 69 per cent and 56 per cent of global and Singapore respondents respectively stated that their budgets should be increased by up to 50 per cent in order to align their organisation’s need for protection with its management’s tolerance for risk.
Paul O’Rourke, EY’s Asia-Pacific Cyber Security Leader, said, “Organisations are embracing the digital world with enthusiasm, but there must be a corresponding uptick in addressing the increasingly sophisticated cyber threats. Businesses should not overlook or underestimate the potential risks of cyber breaches. Instead, they should develop a laser-like focus on cybersecurity and make the required investments.”
O’Rourke added, “The only way to make the digital world fully operational and sustainable is to enable organizations to protect themselves and their clients and to create trust in their brand.”
In terms of the most likely sources of cyber attacks, criminal syndicates (59 per cent), employees (56 per cent) and hacktivists (54 per cent) retained their top rankings globally, with state-sponsored threats (35 per cent) in sixth place. However, compared with last year’s survey, respondents globally rated criminal syndicates, hacktivists and state-sponsored threats as more likely sources than in 2014: up from 53 per cent, 46 per cent, and 27 per cent, respectively.
Gerry Chng, EY’s ASEAN and Singapore Information Security Leader, says: “With the widespread focus on digitisation and productivity improvements using technology as an enabler, employees are increasingly having access to more digital information.”
Chng added, “It is natural that hackers target the weakest link in the chain by attacking such employees through either social engineering or delivering targeted malicious software. Without the right level of training, culture, and enabling technologies, employees may easily fall prey to such tactics.”
More companies feel less vulnerable to attacks arising from unaware employees and outdated systems, compared with 57 per cent and 52 per cent respectively in 2014. However, phishing and malware are perceived as increasing threats. Singaporean firms perceived unaware employees and malware as the top two threats and vulnerabilities, followed by cyber attacks targeting a disruption of their IT infrastructure.
Chng explained that with cyberspace risks manifested through an array of channels, organisations should re-evaluate their cyber-risk readiness capabilities and ensure that they are “…adopting a risk-initiated approach to anticipate possible threats to their organisation, and prioritize their investments in cyber defense based on the potential impact to the business.”
A little over half the companies surveyed by EY globally and locally admitted to lacking a dedicated function focused on emerging technologies and their associated impact, with slightly less than 50 per cent admitting to a lack of a security operations centre. 36 per cent and 15 per cent of global and Singapore respondents respectively lacked a threat intelligence programme, while 18 per cent, both globally and locally, lacked identity and access management programmes.
However, more than half the companies surveyed in the city-state disclosed plans to invest more in addressing cybersecurity concerns for 2016. But many survey respondents said that their organisation’s information security function was compromised by a lack of available skilled talent. When compared with 53 per cent of respondents in the 2014 survey, this indicates a deteriorating situation, rather than an improvement.
Chng concluded: “Cybersecurity is inherently a defensive capability, but organisations should not wait to become victims. Instead, they should take an ‘active defense’ stance, with advanced security operations centers that identify potential attackers and analyze, assess and neutralise threats before damage can occur. It is imperative that organizations consider cybersecurity as an enabler to build and keep customers’ trust.”