Year after year, concerns about cyber attacks keep growing among corporate organizations. Both the impact of the attacks that occurred last year and the perception of how necessary security is have grown in 2017. Those are the overall conclusions of the extract from Ernst & Young’s 2017 Global Information Security Survey (GISS), the 20th edition of the survey EY publishes yearly detailing organizations’ concerns about cybersecurity.
Preparation against cyber attacks
Companies can find huge potential benefits in IoT, since they are able to extract a large amount of new data from a wide range of new devices. But along with it, exposure to attacks that could cause damage to companies’ networks has also increased.
A logical consequence is that companies are increasing their investment in prevention mechanisms and cybersecurity, and according to the GISS survey many organizations are doing so. However, up to 70% say they need up to 25% more funding, and it is disturbing to find out that very few really expect their CEOs to allocate more budget unless a major attack happens. There is plenty of room for improvement here. Prevention against cyber crimes is the key, and companies must take action and apply security policies to reduce the risk.
Understanding the threats
In order to prepare against cyber attacks and be able to properly react to them, organizations must have a correct understanding of the potential risks they are facing.
And not just organizations as a whole, but each and every employee within them.
The employee is typically the “weakest link” in the cybersecurity chain. Hence, it is vital to build an exhaustive security consciousness amongst them by adopting cybersecurity as part of the company’s corporate culture. In this sense, the survey reflects that one of the biggest fears companies have is exactly that: employees’ lack of awareness and understanding of the damage cyber threats could cause to businesses.
Reacting to the attacks
Firstly, tools such as intrusion detection and prevention systems (IDS/IPS) are crucial to respond quickly and effectively to cybersecurity attacks. On the one hand, they allow your company to be aware of any attempt to attack your systems. On the other, they keep your sensitive data well protected and safe. However, the survey points out that 3 out of 4 organizations consider their vulnerability detection systems far from being mature enough to fight common cyber attacks.
Secondly, as mentioned before, employees’ understanding of the importance of cybersecurity is the key to prevention. Furthermore, they are also the first line of defense against malicious acts that might be committed against the organization. Consequently, companies must plan and regularly deliver training and keep reinforcing the topic.
Finally, coordination is fundamental in order to prepare a proper defense and take the right corrective actions against the attacks. If organizations want to take cybersecurity seriously, they should place it at the core of their structure. In this regard, having a specific Security Operations Center (SOC) is becoming more and more common in organizations, which is good news.
These SOCs are in charge of defining security policies, providing prevention tools, educating their employees, and preparing defense and containment plans in the event of any cyber attacks. Moreover, the SOC should have a prominent place within the organization, having direct contact with the board, to whom it should report periodically.
The survey shows that half of the respondents do not yet have any department similar to a SOC. Fortunately, it also highlights that this figure has notably improved compared to previous years.
Comparing the results of this year’s survey to previous years’, we can conclude that organizations that understand the real risks of cyber attacks take their cybersecurity protection, education, and defense very seriously. Additionally, although numbers show some improvement, most companies still have a lot of work to do to be prepared for the existing and forthcoming security threats that they will eventually have to face. IoT is enlarging the potential attack surfaces that organizations expose to the outside world, so reinforcing their security is vital. The future of IoT will be security-focussed, or it will not be at all.
Article written by Juan Pérez-Bedmar, Pre-sales Manager at Barbara IoT.