Year after year, concerns about cyber attacks keep growing among corporate organizations. Both the impact of the attacks that occurred last year and the perception of how necessary security is grew during 2017. Those are the overall conclusions to draw from Ernst & Young’s 2017 Global Information Security Survey (GISS), the 20th edition of the survey EY publishes yearly detailing organizations’ concerns about cybersecurity.
Preparation against cyber attacks
Companies can find huge potential benefits in IoT, as they will extract a large amount of new data from a wide range of new devices. But along with it, exposure to attacks that could cause damage in companies’ networks has also increased.
A logical consequence is for companies to increase their investment in prevention mechanisms and cybersecurity, and according to the GISS survey many organizations do. However, up to 70% declare their need for up to 25% more funding, and it is disturbing to find out that very few really expect their CEOs to allocate more budget unless a major attack happens. There is a lot of room for improvement here. Prevention against cyber crimes is the key, and companies must take action and apply security policies to reduce the risk.
Understanding the threats
In order to prepare against cyber attacks and be able to properly react to them, organizations must have a correct understanding of the potential risks they are facing.
And not just “they” as organizations, but each and every employee within.
The employee is typically the “weakest link” in the cybersecurity chain. Hence, it is vital to build thorough security awareness among employees, adopting cybersecurity as part of the company’s corporate culture. In this sense, the survey reflects that one of the biggest fears companies have is exactly that: employees’ lack of awareness and understanding of the damage cyber threats may cause to the business.
Reacting to the attacks
Firstly, tools such as intrusion detection and prevention systems (IDS/IPS) are crucial to respond quickly and effectively to cybersecurity attacks. On the one hand, they allow your company to be aware of any attempt to attack your systems. On the other, they keep your sensitive data well protected and safe. However, the survey points out that 3 out of 4 organizations consider their vulnerability detection systems far from being mature enough to fight common cyber attacks.
Secondly, as mentioned before, employees’ understanding of the importance of cybersecurity is key to prevention. Furthermore, they are also the first line of defense against malicious acts that might be committed against the organization. Consequently, companies must plan and regularly carry out education and evangelization on the topic.
Finally, coordination is fundamental in order to prepare a proper defense and take the right corrective actions against attacks. If organizations want to take cybersecurity seriously, they should place it at the core of their structure. In this regard, having a specific Security Operations Center (SOC) is becoming more and more common in organizations, which is good news.
These SOCs are in charge of defining security policies, providing prevention tools and education to their employees, and preparing defense and containment plans in the event of cyber attacks. Moreover, the SOC should have a prominent place within the organization, having direct contact with the board, to whom it should report periodically.
The survey shows that half of the respondents do not yet have any department similar to an SOC. Fortunately, it also highlights that this figure has notably improved compared to previous years.
Comparing the results of this year’s survey to previous years’, we can conclude that organizations that understand the real risks of cyber attacks take their cybersecurity protection, education and defense very seriously. Additionally, although numbers show some improvement, most companies still have a lot of work to do to be prepared for the existing and coming security threats that they will, eventually, face for sure. IoT is enlarging the potential attack surfaces that organizations expose to the outside world, so reinforcing their security is vital. The future of IoT will be security-focused, or it won’t be at all.