Along with the expansion of the digital universe, cyber-security investments have been climbing, reaching $86.4 billion in 2017, according to market research from Gartner. Although expenditures have constantly risen in the past decade and are poised to surpass $100 billion by 2020, the overwhelming majority of Chief Information Security Officers (CISOs) are concerned about keeping up with the rising threats as their organizations roll out digital strategies.
According to ServiceNow’s Global CISO Study, a mere 19 percent of some 300 CISOs across a variety of industries felt their organizations were highly effective at preventing a security incident. Eight out of ten CISOs are highly concerned that breaches are going unaddressed. Even worse, another 78 percent are worried about their ability to detect a breach in the first place. Here are six reasons why.
1. Lax risk management
Digitally astute organizations are building immense data silos and a third platform in an effort to reinvent their business. They’re taking advantage of mobile computing, social media, cloud computing, data analytics and the Internet of Things (IoT) to capture market share and create new revenue streams. Along with this pursuit, they’re exposing themselves to a radically changing threat landscape – yet few are undertaking the necessary adjustments. Ernst & Young’s Global Information Security Survey revealed that only 5 percent of respondents have significantly changed their organization’s strategy and plans in the recent past, even after recognizing they are exposed to an increasing number of risks. The vast majority of them see no necessity for any adjustments.
2. Misclassified data sets
Many organizations follow a one-size-fits-all approach and aren’t aware of the true composition of their data silo. In turn, they find themselves underprotecting their crown jewels and overprotecting less precious assets. According to the E&Y report, some 51 percent rank their customers’ personal information as the most sensitive. Surprisingly, only 11 percent rate their respective IP rights as the most or second-most valuable group of assets. Personal data from board members or other senior officials is deemed as more valuable than R&D findings, patents and non-patented IP, basically on par with other corporate strategic projects.
3. Lackluster crisis management
Despite increasing cyber-threats, many organizations fail to prepare for a potential crisis. Of the executives surveyed by E&Y, almost half (42 percent) do not possess a pre-agreed communications plan in the event of a significant breach. In the aftermath of an attack, 39 percent say they would make a public announcement to the media within the first seven days. While 70 percent would notify their regulator, a whopping 46 percent would not notify customers, even when customer data had been exposed. Another 56 percent would not notify suppliers, even if supplier data had been exposed.
Too many organizations continue to rely upon a do-it-yourself approach when it comes to testing or managing their cyber-resilience. However, only a few have the needed internal skills and capabilities to do so. Self-phishing is carried out by eight out of ten organizations, while six out of ten conduct their own penetration tests, according to E&Y. A staggering 81 percent perform their own incident investigations, and another 83 percent conduct their own threat intelligence analysis. While this might sound positive at first glance, many organizations lack the in-depth expertise in-house and lull themselves into an illusory comfort zone.
5. Running blind
With a massively increasing dependency on technology in the digital era, a successful cyber-attack can cut off entire revenue streams and result in severe damages – be it legal fees, fines or destroyed brand recognition. Yet, 89 percent of respondents do not analyze the financial implications of a significant breach. Of those that have experienced an incident during the past 12 months, almost half (49 percent) have no insight as to what the financial damage was or might be. Consequently, as much as 52 percent of the executives polled think their boards are not entirely aware of the risks their organization is facing and the measures put in place.
6. Board members in the dark
Very few CISOs are fully empowered and deeply involved into the overall supervision of the organization. Some 75 percent of those responsible for cyber-security have no seat in the boardroom, so that the board has to rely on reports instead. However, just one out of four reports provides an overall threat level, and only a third (35 percent) of reporting reveals weaknesses in the organization’s security landscape, as highlighted by E&Y. While a static approach might have worked in the past, succeeding in the digital age will require a different mindset altogether. Companies that do not assess the security implications of every business decision run the risk of undermining their resilience.
The findings suggest that raising the confidence level and gaining cyber-resilience is not just related to the financial spend. In fact, spending is – at best – only half the battle. If these investments aren’t backed up by an additional set of measures that help to overcome the organizational barriers outlined above, this spending will be heavily undermined and might eventually peter out. Ironing out these loopholes requires mindshare and top-level commitment across the entire C-suite.
Moreover, organizations often spend vast amounts of money on security measures, only to have them bypassed by something as trivial as a patch not being applied right away. Those not instantly deploying patches unnecessarily expose themselves to threats. (WannaCry and GoldenEye attacks are two recent examples that created headlines due to missing patches.) To bolster their cyber-resilience, organizations need to rely much more on analytics and automation. Given the rising number of cyber-threats, organizations that neglect to put tools in place run the risk of “alert fatigue”, meaning that the security team will be bombarded with alerts without being able to determine severity levels, impact, and so on. As a result, it will take them too long to respond to critical alerts that need immediate action.