Cyber security still a learning curve for most companies

Poor network visibility, outdated security tools, a skills shortage and a lack of control in the cloud are just some of the reasons companies are struggling with cyber-security, say two new reports.

Cyber security still a learning curve for most companies
Cyber security still a learning curve for most companies

The surveys were carried out independently by EY and Ponemon Institute with the results, both published today, illustrating the difficulties companies have in defending against a rapidly-evolving cyber-threat landscape.  

In its annual ‘Get Ahead of Cyber-crime' global information security survey, big four consultancy EY found that many organisations are still unprepared for ‘inevitable' cyber-attacks – and put this down to poor preparation and tools among others things.

In a study which gathered the opinions of 1,825 organisations across 60 countries, the group found that 37 percent of organisations have no real-time insight into cyber-risks, with this coming down to a mixture of a lack of agility, budget and skills.

These infosec pros cited ‘careless' or ‘unaware' employees as their biggest vulnerability, but said that “outdated information security controls or architecture” (35 percent) and cloud computing (17 percent) are also persistent issues as they struggle to keep up with cyber-criminals. The survey indicated that companies are most concerned about the theft of financial information, followed by business disruption and losing intellectual property.

Despite these escalating threats, budgets – contrary to a recent PwC report – look set to stay around the same. Approximately half of respondents (43 percent) expect their organisation's information security budget to stay the same in the year ahead – despite 67 percent saying that they are facing increasing cyber-threats. However, this is still a slight improvement on the previous year, when 46 percent said that budgets would not change.

The much-cited cyber-security skills gap appears to be a far greater concern though; 53 percent said that a lack of skilled resources is one of the main obstacles challenging their information security programme while only four percent said that they had a threat intelligence team with dedicated analysts.

In a statement released alongside the report, EY's executive director of cyber-security and resilience, Mark Brown, said that many companies are still behind on reacting proactively to a security incident.

“Cyber-attacks have the potential to be far-reaching – not only financially, but also in terms of brand and reputation damage, the loss of competitive advantage and regulatory non-compliance,” he said.

“Organisations must undertake a journey from a reactive to a proactive posture, transforming themselves from easy targets for cyber-criminals into more formidable adversaries.”

Brown continued that, even despite the launch of the Cyber Essentials Scheme, organisations ‘are not taking the basic steps, such as setting up a security operations centre or putting in place an incident response plan'.

Meanwhile, in related news, a study conducted by Ponemon Institute and commissioned by data protection specialists SafeNet, revealed the numerous concerns that companies are having around securing data in the cloud.

The study, which is entitled “The Challenges of Cloud Information Governance: A Global Data Security Study”, surveyed more than 1,800 IT and IT security professionals worldwide and found that almost half of corporate data stored in cloud environments is not managed or controlled by the IT department. To add to this, just one in four (19 percent) said that they were very confident they knew about all cloud computing apps, platforms and infrastructure services in place in their organisation.

Protecting this data seems a much larger problem though; more than two-thirds (71 per cent) say it is more difficult to protect sensitive data in the cloud using conventional security practices, and nearly half (48 per cent) say it's more difficult to control or restrict end-user access to cloud data.

This has forced 34 percent to implement a policy requiring the use of encryption and other security measures, while 43 percent say that their firm is using private data network connectivity. Nearly two-fifths, or 39 percent, of respondents say their organisations use encryption, tokenisation or other cryptographic tools to protect data in the cloud. 

Some 33 percent say they don't know what security solutions they use, which seemingly ties into the finding that the majority of respondents (70 percent) believe it's complex to manage privacy and data protection regulations in a cloud environment.

 “The findings reveal that global organisations are struggling to secure data in the cloud due to the lack of critical governance and security practices in place,” said Dr Larry Ponemon, chairman and founder of the Ponemon Institute.

“To create a more secure cloud environment, organisations can begin with simple steps such as including IT security in establishing security policies and procedures; increasing visibility into the use of cloud applications, platforms, and infrastructure; and protecting data with encryption and stronger access controls, such as multi-factor authentication.”