A new survey has discovered that out of the 1,909 executives questioned, 96% believe their business is unprepared for a cyber attack.
Ernst & Young, who carried out the research, said in its report:
As many organizations have learned, sometimes the hard way, cyber attacks are no longer a matter of if, but when. Hackers are increasingly relentless and often politically motivated.
There are several reasons cited as to why businesses continue to feel vulnerable to attack.
The largest issue identified via the survey was financial, with 65% of respondents saying that budget constraints posed the biggest barrier to meeting security expectations.
In smaller businesses, with annual revenues under $10 million, the level of concern about budgets rose to 71%.
But with 68% of the respondents saying that their security function only partially meets the needs of the business, security professionals would seem to have much work to do in order to justify any increases in funding that they hope to acquire.
Of more concern, perhaps, was the finding that many businesses are struggling to acquire the required information security skills.
50% of those surveyed said that a lack of skilled resources was a problem within their organisation. Furthermore, 31% of businesses cited issues at executive level, saying that there was a shortage of support or awareness.
Another perennial problem, that of the growth in the number of threats, was also apparent. 59% of respondents said that their company had seen an increase in the number of external threats over the last year.
Some 31% said that the number of security incidents over that same period had increased by at least 5%.
Mark Brown, Ernst & Young’s director of information security, said,
This year's results show that while businesses are faced with a rising number of security breaches, budget constraints and talent shortages mean that they fail to put in place those systems that match their needs.
It’s not all bad news though. The survey also highlighted the fact that 70% of organisations said that their information security policies are now handled at the “highest level” within the business, with the person in charge of security reporting directly to the CEO in 1 in 10 companies.
In 35% of the businesses, the security team reported to the board on a quarterly basis, and just over 10% reported on a monthly basis.
Despite concerns over budget constraints, almost half of the responding firms said that the funds made available to the security team were actually on the rise.
Small businesses with a turnover of less than $10m saw the biggest budget increases in percentage terms.
Ernst & Young say there is more still to be done:
Organizations are making good progress in improving how they manage the risks they already know. However, with only 17% of respondents indicating that their Information Security function fully meets the needs of the company, they still have a long way to go.
One area in which improvement could certainly take place is security awareness. I was shocked to see that only 23% of the companies in this survey placed it in their top two priorities and 32% considered it the least important part of the security mix.
As Ernst & Young say:
Organizations need to place more emphasis on improving employee awareness, increasing budgets and devoting more resources to innovating security solutions. These efforts need to be championed by executives at the highest level of the organization, who need to be aware that 80% of the solution is non-technical — it’s a case of good governance.
Tellingly, the report ends by saying that:
Too frequently, information security is perceived as a compliance necessity and a cost burden to the business. Executives need to view information security as an opportunity that can truly benefit the company and its customers.