08/10/2014


Ernst & Young study identified three main obstacles to security

 
For 56% of organizations, it is unlikely that they will be able to detect a sophisticated cyber attack. The finding comes from the annual Global Information Security Survey, which Ernst & Young (EY) has carried out for 17 years. The survey was conducted between June and August 2014. 1,825 respondents from 60 countries participated, 54 in Brazil.
 
The research identified three main obstacles facing businesses today: lack of agility, lack of budget and lack of cybersecurity training.
 
In terms of lack of agility, the survey showed that companies understand that there is a clear and present danger, but organizations are not moving fast enough to mitigate the risks. According to the survey, 67% of executives at large companies believe there are increasing threats from cyberattacks, but more than a third (37%) do not have the real-time information needed.
 
The lack of budget is also critical. The companies' total information security budget will be the same over the next 12 months for 43% of respondents. Sergio Kogan, partner at EY, highlights that only 5% stated that the current budget will decrease. “While there is increased attention to cybercrime on boards and among non-executive directors, it appears that this interest does not translate into additional budgetary resources. There is still a need for more money and greater resources to effectively face the growing threats”, says the partner.
 
The lack of training, another obstacle, also puts companies on alert. According to EY research, 53% of companies say that the lack of qualified human resources is one of the main obstacles for the information security program. Additionally, only 5% of organizations have a threat intelligence team with dedicated analysts and external consultants who assess information for credibility, relevance, and exposure against threat actors.
 
For 38% of respondents, "careless or unaware employees" is the number one vulnerability facing companies. "Outdated information security controls" and "use of cloud computing" are second and third priorities, respectively (35% and 17%).
 
Cyberattacks to steal financial information are the main threat detected by companies (according to 28% of the respondents), and a priority issue to be solved. Next are attacks "to disrupt or deface the organization" (25%) and "to steal intellectual property or data" (20%).
 
The study identified that companies must go through three different stages to reach cybersecurity maturity: Activate, Adapt and Anticipate. In the first phase, you need a solid cybersecurity foundation, which comprises a comprehensive set of information security measures that will provide a basic—but not ideal—defense against cyberattacks. At this stage, organizations lay their foundations.
 
In the next stage, enterprise security measures must adapt to keep pace and meet changing business requirements and dynamics, or over time they will become less and less effective. “At this stage, organizations work to keep their cybersecurity up to date,” says Sergio Kogan.
 
In the final phase, organizations need to develop tactics to detect and mitigate potential cyberattacks. They need to know exactly what to protect and have appropriate responses to likely attack scenarios. “At this stage, a mature intelligence capability to address cyber threats, a solid risk assessment methodology, an experienced incident response mechanism and an informed organization are needed,” explains the EY partner. At this stage, organizations prevent cyber attacks from occurring.
 

 
