Growing in frequency, sophistication and sheer audacity, cyber attacks pose an increasing threat to Irish organisations. But many executives and board members trying to come to grips with the issue and to understand the implications for their businesses are discovering that they lack the technical know-how they need to really comprehend where their operations and businesses are vulnerable. Hugh Callaghan says that, as cyber criminals become increasingly sophisticated, companies need to adapt to ensure they have the appropriate risk mitigation procedures in place and that they invest accordingly to protect their customers and their brands.
EY’s latest Global Information Security Survey highlights the scale of this threat. The research finds that cyber attacks in Ireland have increased by nearly a third in two years, with the majority of these attacks aimed at stealing data and disrupting systems. Unfortunately, the risk these attacks represent continues to be exacerbated by poor staff awareness and behaviours.
Conducted with 1,735 C-suite leaders, information security and IT executives globally, including 54 in Ireland, the survey found that almost three out of four Irish organisations (72 per cent) had experienced a significant cyber security incident. This compared to 57 per cent globally. It is also a 29 per cent increase in Irish organisations reporting incidents compared to 2014 and highlights the increasing prevalence of such attacks and the real risk they present for companies, large and small, across Ireland.
While Irish organisations are stepping up their spend and management focus on the issue, poor employee awareness, inadequate knowledge of information security at board level and insufficient budgets are still exposing companies to undue risk. Irish businesses are therefore not only vulnerable; many are also not fully prepared to deal with an incident. Although an encouraging 68 per cent have an incident response plan, including root cause analysis, two in five (42 per cent) have no communications response strategy for significant cyber attacks involving data compromise.
Furthermore, more than two out of three respondents both in Ireland and globally said that up to 50 per cent more budget was needed to keep their organisation within its risk appetite, highlighting a requirement for increased funding within organisations to mitigate growing cyber threats. With their security budgets continuing to rise, however, Irish organisations are on the right trajectory. Almost two thirds (65 per cent) of Irish executives surveyed said their organisation’s information security budget had increased within the past 12 months. The research also found that the adoption of cyber insurance is maturing more rapidly in Ireland than elsewhere, with nearly two in five (39 per cent) Irish respondents already having cyber insurance that meets their needs – 50 per cent more than the global average.
These findings demonstrate that Irish businesses are now more focussed than ever on managing cyber risk. But they are still playing catch-up with cyber criminals, who continue to find ways around organisations’ security controls and to exploit their employees’ lack of awareness in order to steal money and data. As advisors to clients across Ireland and internationally in the areas of cybersecurity transformation, cyber threat management, identity and access management, data protection and cyber resilience, EY is witnessing an increase in cyber attacks that not only steal data but also destroy it. Indeed, there is a real threat of a significant cyber security incident putting an unprepared organisation out of business, so there is an onus on companies to protect themselves by stepping up their focus and investment in tackling this threat.
Looking beyond investment in cyber defences and risk mitigation, half (50 per cent) of the Irish executives surveyed said that their boards had insufficient knowledge of information security to fully evaluate the risks the organisation is facing and the measures it is taking – mirroring the global position. Small wonder, then, that only one in five (20 per cent) organisations fully consider cyber security implications in their business strategy and plans, although at least a further two in five (44 per cent) are planning a more thorough consideration.
On top of this, employee awareness was identified as a significant vulnerability for Irish companies dealing with cyber attacks. Careless or unaware employees (36 per cent) were at the top of the list of factors increasing an organisation’s risk exposure. Compounding this, poor employee awareness and behaviour was perceived by 85 per cent of executives as the biggest risk in relation to the increased use of mobile devices in their organisation, with a further two in five (39 per cent) stating that it was the leading cause of the most significant cyber breach experienced by their company in the past 12 months. It is therefore no surprise that security awareness topped the list of priorities for both Irish and global organisations in the next 12 months, with three in four (75 per cent) executives ranking it as their highest priority.
In response to these increasing threats, EY recently opened an expanded Advanced Security Centre (ASC), which is the largest cyber facility of its kind within the professional services sector in Ireland. The technologies within this facility allow the firm’s cyber professionals to interact in real time with others in EY’s network of ASCs around the world, allowing them to swiftly identify new attacks as they unfold, find solutions and help deploy them immediately – thus protecting client companies from significant risk. All organisations are in an ‘arms race’ with cyber-criminals. With this in mind, it is vital that they are in a position to detect a breach and ready to respond appropriately when the inevitable happens.
This article was originally published in the February 2017 edition of Finance Dublin