Cybersecurity remains a significant concern despite the progress companies worldwide have made in the past two to three years building up corporate shields against breaches, EY research suggests.
A majority (87%) of more than 1,700 C-suite, information security, and IT executives EY polled worldwide said they lacked confidence in their company’s level of cybersecurity.
They are most worried about poor user behaviour around mobile devices such as laptops, smartphones, and tablets (73%), unauthorised access (54%), and the inability to identify suspicious traffic over networks that connect an increasing number of devices (49%).
“Boards and C-suites are becoming more informed,” said Marco Bodellini, CPA/CITP, CGMA, an internal auditor and consultant in New Orleans. “They’re realising that you have hackers and hacker nations out there that are becoming very advanced and looking at this as a business model to make money.
“[Boards and C-suites] are also realising that spending money on cybersecurity – buying a whole bunch of software and hardware, hiring an expert or two – doesn’t mean you don’t have to worry about it.”
Cybersecurity is better incorporated into corporate risk management in the US than in Europe, but executives in Europe are also waking up to the threat of cyberattacks, said Alex Lattner, ACMA, CGMA, head of finance at the Deutsche Cyber Sicherheitsorganisation (DSCO). Four large German multinational companies, Volkswagen, Bayer, Allianz, and BASF, founded DCSO in 2015 to work with government agencies and improve cybersecurity in German industry.
Cybersecurity risks persist
Risks persist despite the cybersecurity arms race, the EY survey found. Effective services and tools that companies can use to resist cyberattacks exist and cybersecurity budgets are increasing, but more than half (57%) of the participants in the EY survey reported recent, significant cybersecurity incidents.
Spotty compliance with policies and guidelines or insufficient policies create vulnerabilities, Bodellini and Lattner suggested.
More training and awareness are needed to prevent employees from clicking on links that download malware. And password policies are frequently too lax or not followed.
Sixty-one per cent of respondents in the EY survey considered budget constraints an obstacle to better cybersecurity. But more money doesn’t necessarily translate into more security.
“There’s no way to purchase absolute assurance,” Bodellini said.
To balance budget constraints with security demands, companies should focus on identifying and classifying their data based on their level of importance to determine the level of protection needed. Additionally, not only should companies perform regular maintenance, such as timely vendor patch updates, but also risk assessments to determine vulnerabilities. Companies should ensure contemplated software and hardware purchases are aligned with the organization’s IT governance policies and enterprise architecture requirements.
Also, hiring skilled IT people may improve cybersecurity, but 56% of respondents to the EY survey said lack of skilled resources is the second biggest challenge for corporate cybersecurity operations behind budget constraints.
Best practices to prepare for, manage, and recover from a cyberattack
Companies have made significant progress in taking measures to resist cyberattacks, according to EY. They have not spent as much time, effort, and money on preparing for and recovering from an attack. Especially the involvement of the board and C-level executives in both areas has been low.
To improve cybersecurity, Bodellini suggested some best practices to prepare, manage, and recover from a cyberattack.
- Inventory the business’s data, identify the most valuable asset, and prioritise it for protection.
- Prepare a written incident response plan and practise its steps.
- Consider purchasing data breach insurance and using the risk management tools many insurers provide.
- Adopt and test compliance with standards and security frameworks developed by different industries.
- Determine whether the company is subject to multiple security breach notification standards, including disclosure requirements.
- Practise and test backup and restoration procedures regularly as part of business continuity and disaster recovery practices.
- Establish contacts with all stakeholders, such as regulators, organisations sharing cybersecurity information, suppliers, vendors, and law enforcement.
- Assess the breach once it is discovered and repeatedly afterwards to determine its extent and damage.
- Perform actions to reduce the impact of an ongoing attack or contain a breach.
- Record and collect data while preserving evidence for a forensic examination.
- Document what is occurring, the actions that were taken to respond, and the conclusions that were reached.
- Avoid using a compromised computer system to communicate.
- Refrain from retribution, such as hacking back into a network suspected of spearheading an attack.
- Perform all notification required by local, state, and federal laws and by contractual obligations.
- Communicate with law enforcement.
- Determine the root cause of the data breach and show compliance with the incident response plan.
- Debrief everybody involved in responding to a data breach and conduct a lessons-learned exercise that addresses systematic weaknesses and suggestions to improve the incidence response plan.
- Continue to monitor the cyber network for anomalies and unusual activity.
—Sabine Vollmer (Sabine.Vollmer@aicpa-cima.com) is a CGMA Magazine senior editor.