New research reveals that cyber-attacks by unsophisticated hackers this year have successfully exploited vulnerabilities that many of the world's best-known businesses already knew about but had not fixed.
Despite upcoming laws that will charge them millions in penalties if found non-compliant, many businesses worldwide continue to neglect standard security procedures.
The latest evidence comes from the 20th annual EY Global Information Security Survey (GISS), which breaks some disconcerting news regarding the willingness of big businesses to beef up security.
While the surveyed companies weren’t named in the report, the research was conducted with the aid of “1,200 C-level leaders of the world's largest and most recognized organizations.” Here’s what EY found:
Only 56% of those surveyed are changing or planning to change their strategies due to the increased impact of cyber threats. Even though most organizations are spending more on cybersecurity, only 12% expect an increase of more than 25% this year.
Potential damage from a cyber-attack isn’t always immediately obvious, yet 64% say an attack that “did not appear to have caused any harm” would not likely persuade the powers-that-be to spend more on cybersecurity.
Many, however, recognize that lack of adequate resource allocation can increase cybersecurity risks. As many as 20% of respondents admit they do not have enough of a grasp on current information security implications and vulnerabilities to decide what needs to be done.
Cybersecurity budgets are bigger in organizations that place dedicated security officers in key lines of business, as well as in companies that report on cybersecurity to the board audit committee at least twice a year.
However, while 50% report to the board regularly, only 24% say the go-to person with responsibility for cybersecurity sits on that board. Moreover, only 17% of respondents say boards have enough of a grasp on IT security matters to properly assess the effectiveness of preventive measures.
The report also reveals, perhaps most importantly, that common attacks described as “cyberattacks carried out by unsophisticated, individual attackers” have successfully exploited vulnerabilities that many of the surveyed organizations were aware of. According to EY analysts, this finding points to “a lack of rigor in implementing standard security procedures.”
Other findings include:
- Malware and phishing are regarded as the most prolific threats in the past 12 months
- Careless, unaware and/or malicious employees are seen as the most significant increasing vulnerability to organizations' security
- 75% rate the maturity of their vulnerability identification as "very low to moderate"
- 12% say they have no formal breach-detection program
- 35% describe their data-protection policies as ad-hoc or non-existent
- 38% either have no identity and access program or have not formally agreed on such a program
- 57% of respondents have an "informal" threat intelligence program or do not have one at all
- Just 12% of respondents can confidently say they can detect a sophisticated cyberattack targeting their organization