Cybersecurity concerns rise as businesses are more aware of threats & vulnerabilities

03 April 2017 Consultancy.uk

Cybersecurity concerns continue to feature at organisations globally, with more and more companies concerned about vulnerabilities and threats to their networks. Identifying suspicious activity on IoT networks and mobile device misuse remain key areas of concern, as is the poor security behaviour/awareness of personnel. Those charged with defending businesses tend to be underfunded and misunderstood. 

Digitalisation of business processes, as well as the addition of a host of devices to the wider business network, can drive a range of benefits, from lower costs to improved maintenance outcomes. The new technology is not without problems, however: Internet of Things devices are particularly prone to security vulnerabilities, creating a swathe of additional channels through which hackers might be able to infiltrate otherwise secure networks. Cyber attacks globally had an estimated economic impact of $400 billion in 2016.

To better understand the current state of company defences, EY ran a survey titled ‘EY’s Global Information Security Survey’, which looked at the current practices reported by 1,735 participants from global businesses across 20 sectors.

What do you consider to be the information security challenges of the IoT for your organisation?

The study found that when it comes to securing IoT devices across their networks, 49% cited identifying suspicious traffic over the network as a challenge, followed by 46% that cited ‘ensuring that the implemented security controls are meeting the requirements of today’. Losing track of IoT devices is third equal, with 46% of respondents saying that ‘knowing all their assets’ is a challenge.

The areas of least concern to respondents regarding their IoT devices’ information security are the ‘defining and monitoring of the perimeters of the businesses ecosystem’, cited by 34% of respondents, ‘managing the growth in access points to their organisation’, cited by 35% of respondents, and ‘finding hidden or unknown zero-day attacks’, cited by 40% of respondents.

What are the main risks associated with the growing use of mobile devices for organisations?

Aside from the broad range of IoT devices on the network, companies are also increasingly concerned about mobile devices. These devices, which often leave the business premises and are used on networks outside the business environment, pose a variety of risks.

The firm found that the biggest concern companies have with the devices is ‘poor user awareness/behaviour’, cited by 50% of respondents. A business user losing one of their devices has increasingly detrimental consequences for both users and companies, which, aside from information, now also includes a loss of identity – cited as a risk by 50% of respondents. The hijacking of devices comes third, cited by 32% of respondents as an issue.

Areas of least risk are cited as ‘hardware interoperability issues of devices’, which around 16% of respondents noted as an issue, followed by ‘organised cyber criminals selling hardware with Trojans or backdoors already installed’, cited by 19% as an issue.

Security threats and vulnerabilities

Resisting cyber-attacks is another key method for avoiding being penetrated by cybercriminals. The survey therefore asked respondents to explicate how they are focusing on mitigating potential risks to limit the number of threat avenues. The research shows that across the board, companies have become more concerned about vulnerabilities and threats to their organisation in 2016, compared to 2015.

The survey therefore asked respondents to disclose which threats and vulnerabilities have most increased their risk exposure over the last 12 months. The results highlight that the areas in which businesses feel vulnerable are changing: businesses have again become concerned about careless or unaware employees, up from 44% of respondents in 2015 to 55% in 2016. This is followed by outdated information security or architecture, where risk of exposure has increased from 34% of respondents to 48%.

The threat landscape too has shifted somewhat, with malware becoming increasingly seen as a problem, up from 43% in 2015 to 52% last year, while phishing threats have increased from 44% of respondents to 51% this year.

The main challenges for information operations at businesses

The research also sought to identify the obstacles that limit the information security operation’s contribution and value to the organisation. The biggest cited reason (by 61% of respondents) is that cyber security operations have budget constraints; the department is often seen as a cost centre, with the value of a stopped attack not easily seen by management. A lack of skilled people comes next, cited by 56% of respondents, while a lack of executive awareness or support takes the number three spot, cited by 32% of respondents.

The areas seen as the least drag on the abilities of internal resources are ‘fragmentation of compliance/regulations’, cited by 19% of respondents, and management and governance issues, cited by 28% of respondents.

Which of the following information security areas are defined in terms of high, medium and low priority

Going forward, the research finds that a majority of companies (57%) place ‘business continuity/disaster recovery’ as a high priority, while 33% give it a medium priority. Data leakage/data loss prevention comes in first equal, also cited by 57% of respondents as an area of high priority. Raising the security awareness of staff through training is the third highest priority, cited by 55% of respondents, while implementing security operations takes fourth spot with 52% of respondents.

The research found that the areas of least priority for companies surveyed are ‘securing cryptocurrencies’, cited by 76% of respondents as a low priority and 6% as a high priority; securing emerging technologies comes second, cited by 67% of respondents as a low priority and 8% as a high priority, followed by robotic process automation, cited by 69% of respondents as a low priority and 8% as a high priority.

Matt Chambers, EY Global Power & Utilities, Risk and Cybersecurity Leader, says, “Cybersecurity efforts must evolve with advancing technology. The proliferation of digital devices and the convergence of operational technology (OT) and information technology (IT) environments are creating new efficiencies and business improvements but are also increasing the attack surface of power and utility companies. Now, with attackers casting their sights on bigger targets, critical infrastructure is more at risk than ever before.”


Boards of top UK firms must do more on cyber-awareness

06 March 2019 Consultancy.uk

A new report released by the UK Government has found that UK businesses need to do more to build awareness in their firms, if they are to fend off cyber-attackers. The study found that an all-time high of 72% of businesses now see cyber-threats as a top risk, but just less than half of UK boards do not have a comprehensive understanding of the critical assets at risk from cyber-attacks.

Digital technology has revolutionised modern business, with a rate of innovation present in many companies that arguably eclipses that of the industrial revolution. The huge opportunities presented by technology mean that many firms have rushed to digitalise their offerings; but while this means they are able to take advantage of the latest trends, it has also opened innumerable doors for cyber-criminals looking to use technology to loot corporations from across the globe.

Illustrating the extent to which cyber-crime has boomed in the last decade, in the final quarter of 2018, a study commissioned by Bromium and presented by Dr. Michael McGuire at RSA found that the cyber-crime economy has grown to an estimated $1.5 trillion annually. That is only a conservative estimate – but that conservative figure alone is so large that if it constituted a national GDP, instead of a collection of digital frauds, it would be the world’s 13th largest economy.

Amid this state of play, it is easy to see why cyber-security has become one of the key watchwords of any board room in the 21st century. The cyber-security consulting segment has boomed, with the world’s 10 largest operators in the segment bringing in more than $11 billion in related fees, as businesses tap external expertise to help find areas where they can improve their defences. As noted by a new UK Government report, the legacy of this spike in consulting activity is that almost all UK businesses now have a cyber-security strategy, with only 4% admitting otherwise. 

Cyber threats are increasingly seen as high risk in comparison to other risks that businesses face

This comes at the end of a sea-change in attitudes toward cyber-security over the last five years. According to the 2018 FTSE 350 Cyber Governance Health Check, in 2013, the largest minority of businesses felt cyber-threats represented a low operational risk, at 38%, compared to just 25% who saw it as a very high group risk. Now, the two opinions have seen a dramatic reversal, with only 6% seeing cyber-security as a low threat, compared to a huge 72% of businesses which see it as a very high risk. Considering the high profile hacks that occurred in the interim, this is perhaps not that surprising.

However, while cyber-awareness in general is at an all-time high, this is where the positive news ends. According to the study, while the vast majority of firms in the UK have a cyber-security plan in place, only 46% have a dedicated budget to enact that strategy. Should their financial positions change rapidly in the near future – something increasingly likely with the prospect of a No Deal Brexit still looming over the horizon – then that plan could fall by the wayside, with the funding shortfall exposing firms to even greater financial damage in the near future.

The study, released by the Department for Digital, Culture, Media & Sport (DCMS) in March 2019, was undertaken in partnership with Winning Moves and with support from EY, KPMG, PwC and Deloitte, working with their FTSE 350 clients to participate in the survey. The study also found that while most businesses have incident response plans, most are not testing them: 95% of FTSE 350 businesses have an incident response plan, but a mere 57% test their crisis incident response plans regularly. With companies facing the consistently evolving threat of cyber-attacks, that could leave major chinks in their armour undiscovered until it is too late.

Board understanding of business-critical assets

Similarly, many firms also seem oblivious to the threat posed by their wider supply chains, which if left unchecked, provide hackers with a blank cheque to access company data. A majority of boards do not recognise supply chain risks beyond the first tier, as 77% of FTSE 350 businesses told researchers they did not recognise the risks associated with businesses in the supply chain with whom they have no direct contact.

Meanwhile, almost half of UK boards do not understand the critical assets at risk from cyber-attacks. 54% of businesses in 2018 rated the board’s understanding of critical information, data assets and systems as comprehensive, while of that, only 12% said understanding was the best it could be. This compares to 43% of boards in 2017 and 32% in 2015/16 stating they had a clear understanding, suggesting that key progress is being made, but also that there is a great deal of room for improvement.

Commenting on the findings, Digital Minister Margot James said, “We know that companies are well aware of the risks, but more needs to be done by boards to make sure that they don’t fall victim to a cyber-attack. This report shows that we still have a long way to go but I am also encouraged to see that some improvements are being made. Cyber-security should never be an add-on for businesses and I would urge all executives to work with the National Cyber Security Centre and take up the government’s advice and training that’s available.”