How to take a forward-looking approach to cyber-security

Although many companies are seeing cyber-security threats rise, many lack the resources to handle these risks, a new global survey shows.

Two-thirds (67%) of organisations report facing rising threats in their information security risk environment, according to EY’s Global Information Security Survey, which polled 1,825 organisations in 60 countries.

More than half of the respondents (53%) said that a lack of skilled resources is one of the main difficulties they face in their information security protections. And 37% said their organisations have no real-time insight on cyber risks.

A forward-looking, anticipatory stance that enables early detection and quick response can help organisations protect themselves, according to the report.

“Organisations will only develop a risk strategy of the future if they understand how to anticipate cyber-crime,” Paul van Kessel, EY’s global risk leader, said in a news release. “Cyber-attacks have the potential to be far-reaching – not only financially, but also in terms of brand and reputation damage, the loss of competitive advantage, and regulatory non-compliance. Organisations must undertake a journey from a reactive to a proactive posture, transforming themselves from easy targets for cyber-criminals into more formidable adversaries.”

To properly anticipate and respond to risks, the report says organisations need:

  • Support at the top. Leadership needs to make cyber-security a core business issue and consider cyber-security resources in a dynamic decision process.
  • Prioritisation of assets. Organisations need to understand the assets that are most valuable to the business and anticipate what the effects would be if they are breached.
  • Understanding of their environment. Companies need awareness of the wider threat landscape and how it relates to the organisation.
  • Constant evolution. The nature and frequency of threats change over time, and organisations need to constantly learn and adjust to keep pace.
  • Confidence in response. Scenario planning and regular rehearsals of incident response tactics can provide organisations with valuable preparation.

“It’s only by reaching an advanced stage of cyber-security readiness that an organisation can start to reap the real benefits of its cyber-security investments,” Ken Allan, EY’s global information security leader, said in a news release. “By putting the building blocks in place and ensuring that the programme is able to adapt to change, companies can start to get ahead of cyber-crime, adding capabilities before they are needed and preparing for threats before they arise.”

Ken Tysiac is a CGMA Magazine editorial director.