By Rob Starr, Big4.com Content Manager
EY’s recent Global Information Security Survey examined cybersecurity practices and attitudes at 1,755 organizations in 67 countries. This latest edition dealt with several important and pertinent issues, including the nature of today’s attacks, how they unfold, organizational vulnerability and the shift to an Active Defense model. Siobhan McDermott, Principal, Ernst & Young LLP, answered some of our questions about cybersecurity.
What’s the nature of today’s cybersecurity threats?
The nature of the digital world – with data everywhere – means that all organizations must be mindful that they are more vulnerable to cybersecurity threats than ever before. Cyber attackers are constantly changing their tactics, intensifying their persistence, and expanding their capabilities. Today’s increasingly “subtle” nature of cyber attacks is also on the rise. Cyber criminals can spend months inside an organization to find information they store for a future attack, or piece together data that helps them eventually win the prize they seek. In the meantime, they take the time to protect themselves from being detected by organizations, sometimes creating diversionary tactics to draw attention away from what they are actually doing.
Oftentimes, cyber criminals will keep the stolen information and use it later – or share it among the cyber criminal community, further spreading the potential for cyber attacks. So, although there’s a more indirect nuance to attacks, the degree of impact is far from subtle; they can be more destructive than ever before.
And in another new and insidious aspect, we are also seeing very targeted, specific activities linked to specific individuals. Cyber attackers have been on their social media pages, or scrutinized a person’s area of interest – such as an alma mater, sports team, or news feed they follow – and can target individuals in this way.
How have they (cyber attacks) evolved?
The 1,755 global organizations who participated in EY’s Global Information Security Survey 2015, Creating trust in the digital world, were asked which vulnerabilities and threats have most increased their risk exposure over the last 12 months. Today, companies feel less vulnerable to attacks arising from unaware employees and outdated systems, but they feel more threatened today by phishing and malware, with 44% of respondents (compared with 39% in 2014) ranking phishing as their top threat versus 34% in 2014; 43% consider malware as their biggest threat versus 34% of last year’s respondents.
Most tellingly, more than one-third (36%) of global organizations surveyed said they still lack confidence in their ability to detect sophisticated cyber attacks, and 88% of companies don’t believe their information security fully meets their organization’s needs.
What are some of the rapidly expanding opportunities for innovation where cybersecurity is concerned?
The proliferation of digital devices and capabilities – smart phones, connected devices over the “Internet of Things,” sensors, and more – can create unintended consequences as vulnerable data is amassed. For example, social media is always “on,” and users frequently share information without fully appreciating the need for privacy and security. As data is increasingly stored in the cloud or with third parties, there’s less control over that data, with an infinitely more complex cyber ecosystem and increased risk. These days, new legislation and regulations are forcing changes in processes which contribute to opening up new vulnerabilities and broadening the potential for organizations to be the victims of a cyber attack.
As a result, with the evolution of digital devices, services, platforms and channels, organizations need innovative cybersecurity measures more than ever.
Besides adopting innovative cybersecurity measures, organizations must also adopt new ways to think about cybersecurity, and regard it as a necessary component that makes the digital world fully operational and sustainable; a tool that is absolutely necessary for companies to unlock growth and expansion, and their own innovation.
What should organizations be looking for in cybersecurity?
First, organizations must identify the areas with the highest value and most risk — those that require the ultimate in protection against harm from cyber incidents. Next, it is imperative that organizations can identify and prevent cyber incidents as early as possible. To do so, they need comprehensive radar that keeps watch over a variety of indicators, and can raise alerts and alarms when a certain threshold is crossed. Determining the thresholds is directly related to organizations’ tolerance for risk, and the imperative to accurately identify which would be the most damaging cyber-crime-related incidents.
What’s in the future?
For one thing, we’re going to see a continued evolution in the mindset around cyber security. Cybersecurity is not an inhibitor in the digital world; rather it helps make the digital world fully operational and sustainable. By adopting a cyber security program that is specifically tailored to an organization, companies and organizations can again focus on serving their clients, and operating and expanding their businesses.
Also, as the Internet of Things (IoT) grows – with more and more devices connected to the Internet – companies building these devices will begin to incorporate security as part of their device design, up front. They must embed security into the front end, with a better understanding of the potential threat that comes with a connected device. Why? As connected devices proliferate, users will demand devices that protect them and their personal mobile devices, whether it’s a phone, a fitness monitor, a refrigerator or a smart car. Building this level of trust in the IoT arena will be a key to companies that want to differentiate themselves and compete for and win customers’ loyalty.
Finally, the growth in the demand for talent in cyber security will continue. So far, demand is outpacing supply, and there’s a huge need across all industries to find the resources and people who can help adjust the balance of the digital world toward sustainability and safety, and to help organizations better protect their operations and their customers – and create trust in their brand.