Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/11/2019
02:00 PM
Marc Wilczek
Marc Wilczek
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Most Organizations Lack Cyber Resilience

Despite increasing threats, many organizations continue to run with only token cybersecurity and resilience.

According to Ernst & Young's Global Information Security Survey 2018-19, over half of organizations fail to make organizational protection a key part of their strategic plans. After soliciting the opinions of approximately 1,400 C-suite leaders, EY concludes that larger firms are somewhat more prone to fall short in this area than smaller ones (58% versus 54%).

Overall, EY reports, a solid 77% of organizations still operate with only lackluster cybersecurity and resilience. They may even lack a clear idea of what their most critical information assets are and where they're located, never mind having adequate safeguards in place to protect them.

Fortunately, cybersecurity budgets are increasing, though bigger firms are more likely to increase their investments in 2019 (63%) and 2020 (67%) than smaller companies (50% and 66%).

System Outages
Whether it's because of the convergence of operational technology (OT) and IP-based IT networks or the growing use of cloud computing, corporate reliance on the availability of global IT infrastructure is ballooning. And the consequences are rising as well.

Cyberattacks to disrupt the business are now ranked as the third-biggest threat, after phishing (No. 1) and malware (No. 2). This comes as no surprise because distributed denial-of-service (DDoS) attacks, for instance, can trigger a major service interruption that will bring the business to a standstill. Outages have always been painful, but given the trend toward moving workloads and applications off-premises, and operating revenue-critical platforms, business operations virtually come to a stop if the IP network collapses.

"Importantly, more organizations are now beginning to recognize the broad nature of the threat," says Richard Watson, EY's Asia-Pacific cybersecurity head. "One thing that has changed for the better over the past 12 months, partly because of some of those big cyberattacks we've seen at a global level, is a growing realization that security is also about maintaining the continuity of business operations — and not only about the security of data and privacy."

No Room for Russian Roulette
Given this reality, it's jaw-dropping that many organizations seem to think they shouldn't beef up their cybersecurity practices or dedicate more money to IT unless they're hit by a major security incident.

For 63% of organizations, a security breach that results in no harm wouldn't lead to higher spending (although, typically, seemingly innocuous breaches can cause harm that doesn't manifest until later). Still, many organizations are unclear about whether they're successfully identifying breaches and incidents.

These firms are playing with fire. As noted in the EY report, the Ponemon Institute estimates the average cost of a security breach to be $3.62 million per incident.

Tackling Corporate Governance
A mere 18% of organizations say that information security has a regular bearing on business strategic plans, a finding that reveals a basic disconnect between cybersecurity and the C-suite. Over half of the EY survey respondents say that information security only somewhat or does not influence their business strategy.

Today, when the digital age and cybercrime is in full bloom, this is somewhere between unwise and unacceptable. In fact, cybersecurity and business strategy must go hand-in-hand and be a continuing agenda item for all executive and non-executive boards, as many of board decisions will influence how well the organization is positioned to deal with a prospective cyberattack.

That said, increasingly, the ultimate responsibility for information security lies with the people at the top levels of the company. For 40% of organizations, the CIO assumes this responsibility. However, in 60% of organizations, the person directly responsible for information security does not sit on the board.

Some 70% of organizations report that their senior leaders have a thorough grasp of security or are taking positive steps to better their knowledge of it. Without question, this trend will increase as security becomes a key driver of growth. Right now, smaller organizations are better at keeping their board informed about information security matters than larger organizations. That said, larger organizations have made more progress: 73% have at least a limited understanding of information security, compared with 68% of their smaller counterparts.

Swinging in the Dark
Less than one in 10 organizations says its information security function fully meets its needs, and many are concerned that much-needed improvements are not yet underway. Seventy-eight percent of larger organizations say their information security function is at least partially meeting their needs, but that number drops to just 65% among their smaller counterparts.

Overall, 92% of organizations are concerned about their information security capabilities in certain important areas. For instance, resources: 30% of organizations are grappling with skills shortages, while 25% report that their budgets are constrained. Smaller firms are particularly worried; 28% of them say their information security function does not currently meet their needs or must be improved. Just over half (56%) report skills shortages or budget constraints.

A paltry 15% of firms say their information security reporting fully meets their expectations. Among those that suffered an incident in the past year, less than a third say their security team discovered the breach. Smaller companies will need to move particularly quickly to address the security reporting issue: almost a quarter (23%) don't produce information security reports, in contrast with 16% of larger organizations. Only 5% describe the financial implications of each breach.

Addressing the Skills Challenge
Although the right personnel are critical to solving information security challenges, recruiting said personnel is easier said than done. The ongoing and global IT security skills shortage won't go away anytime soon. Estimates project a worldwide shortfall of about 1.8 million security professionals by 2024 — some studies even predict as much as 3.5 million cyber vacancies. At least the shortfall is democratic: Everyone across the board is running into trouble finding the expertise they need, even in the most well-resourced sectors. Take financial services. "The best graduates no longer want to work in the industry, which is hampering efforts to recruit across the sector," says Jeremy Pizzala, EY Global Financial Services cybersecurity leader.

The upshot is that depending on an in-house team to deal with IT security is probably an exercise in futility. Today, firms must think laterally and place much more emphasis on machine learning, automation, and AI to either replace or complement external service providers.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
10 iOS Security Tips to Lock Down Your iPhone
Kelly Sheridan, Staff Editor, Dark Reading,  5/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11949
PUBLISHED: 2020-05-28
testserver.cgi of the web service on VIVOTEK Network Cameras before XXXXX-VVTK-2.2002.xx.01x (and before XXXXX-VVTK-0XXXX_Beta2) allows an authenticated user to obtain arbitrary files from a camera's local filesystem. For example, this affects IT9388-HT devices.
CVE-2020-11950
PUBLISHED: 2020-05-28
VIVOTEK Network Cameras before XXXXX-VVTK-2.2002.xx.01x (and before XXXXX-VVTK-0XXXX_Beta2) allows an authenticated user to upload and execute a script (with resultant execution of OS commands). For example, this affects IT9388-HT devices.
CVE-2020-13645
PUBLISHED: 2020-05-28
In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verificat...
CVE-2020-13643
PUBLISHED: 2020-05-28
An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The live editor feature did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The live_editor_panels_data $_POST variable allows for malicious JavaScript to be e...
CVE-2020-13644
PUBLISHED: 2020-05-28
An issue was discovered in the Accordion plugin before 2.2.9 for WordPress. The unprotected AJAX wp_ajax_accordions_ajax_import_json action allowed any authenticated user with Subscriber or higher permissions the ability to import a new accordion and inject malicious JavaScript as part of the accord...