EY: Organisations are not prepared for cyber-attacks

04 November 2014 Consultancy.uk 3 min. read
More news on

Although cyber security is threatening two-thirds of organisations, and this threat is recognised by the professionals working at these organisations, 37% of organisations are unprepared for a cyber-attack, concludes EY in a new report. This causes a concern and organisations need to be in a constant state of alert as at one point they will be a victim of a cyber-attack.

Professional services firm EY recently released its ‘Global Information Security Survey’ report that looks into information security and its threats. For this year’s edition, EY surveyed 1,825 respondents* between June and August 2014 from 60 countries worldwide, working in 25 different industries.

Profile of survey participants

In its report, EY states that organisations should be aware that at one point they will be targeted by cyber criminals and have their security breached, and they should actually assume that even if they are not aware of any breach, they have already been targeted. EY’s survey reveals that 67% of organisations are facing rising threats in their information security risk environment. When looking at sources of a cyber-attack, employees are, just as last year, seen as the biggest risk with 57%. Criminal syndicates represent a good second with 53%, followed by hacktivists with 46% and lone wolf hackers with 41%.

Most likely sources of attack

Looking at vulnerabilities, the biggest vulnerability identified is ‘careless or unaware employees’ which is named by 38% of the professionals surveyed as their first priority, followed by ‘out-dated information security controls or architecture’, which is named by 35% as their first priority. ‘Unauthorized access’ is mentioned by 14% as their first priority, and ‘social media use’ only by 7%.


The consulting firm states that although a majority of the organisations surveyed are aware of the vulnerabilities of their company, and see information security as an increasingly important area, more than one-third (37%) of them are completely unprepared for a cyber-attack. According to EY this is a reason for concern. “Cyber-attacks have the potential to be far-reaching - not only financially, but also in terms of brand and reputation damage, the loss of competitive advantage and regulatory non-compliance,” says Paul van Kessel, Global Risk Leader at EY.

One of the main obstacles mentioned for cyber security is a lack of skilled resources and a lack of budget. And although this is recognised by the respondents, 43% of them state that their organisation is not planning to increase the cyber security budget in the near future despite increasing threats. EY concludes by saying that organisations need to do a better job of anticipating cyber-attacks, especially in an environment where it is no longer possible to prevent all cyber breaches and hackers are becoming more sophisticated are better funded. According to the firm, organisations need to be in a constant state of readiness and embrace cyber security as a core competitive capability.

* Respondents included chief information officers, chief information security officers, chief executive officers and other information security executives.