Disciplined evolution needed to address cyber security


16 November 2014

Having a continual improvement culture also allows organisations to learn from past mistakes and evolve their security management in a disciplined manner.

While organisations acknowledge that they face rising threats in their information security risk environment, many lack the agility, budget and skills needed to address security.

Ernst & Young’s (EY) annual Global Information Security survey “Get Ahead of Cybercrime”, which surveyed 1,825 organisations in 60 countries this year, found that most (67 per cent) faced rising threats in their information security risk environment, but over a third (37 per cent) lacked the real-time insight on cyber risks that was necessary to combat these threats.

The situation did not look like it was going to improve any time soon. About 43 per cent of respondents said that their organisations’ total information security budget would stay the same in the coming 12 months despite increasing threats, which was only a marginal improvement to 2013 when 46 per cent said budgets would remain stagnant.

Over half (53 per cent) cited lack of skilled resources as one of the main obstacles challenging their information security programmes, with only 5 per cent of respondents indicating that they had a threat intelligence team with dedicated analysts. 

In terms of vulnerabilities, “careless or unaware employees” was the most widely cited, with 38 per cent of respondents saying that it was their first priority. “Outdated information security controls or architecture” and “cloud computing use” were second and third respectively (35 per cent and 17 per cent).

In terms of threats, “stealing financial information”, “disrupting or defacing the organisation” and “stealing intellectual property or data” were the top three threats for 28 per cent, 25 per cent and 20 per cent of respondents respectively.

Organisations need to do a better job of anticipating attacks in an environment where it is no longer possible to prevent all cyber breaches, and where threats come from ever more resourceful and well-funded sources, said the EY report.

It encouraged organisations to embrace cybersecurity as a core competitive capability, which meant remaining in a constant state of readiness, anticipating where new threats may arise and shedding the “victim”. To achieve this, it recommended that organisations 

  • Remain alert to new threats: Leadership should address cyber threats/risks as a core business issue, and put in place a dynamic decision process that enables quick preventative action.
  • Understand the threat landscape: Organisations should have a comprehensive, yet targeted, awareness of the wider threat landscape and how it relates to the organisation, and invest in cyber threat intelligence.
  • Know your “crown jewels”: There should be a common understanding across the organisation of the assets that are of greatest value to the business, and how they can be prioritised and protected.
  • Focus on incident and crisis response: Organisations should regularly test their incident and response capabilities.
  • Learn and evolve: Cybersecurity forensics is a critical piece of the puzzle. Organisations should closely study data from incidents and attacks, maintain and explore new collaborative relationships and refresh their strategy regularly.

Gerry Chng, EY’s Asean information security leader, said establishing a solid foundation to build up cybersecurity capabilities was crucial in today’s landscape across Southeast Asia.

“Attackers have been methodically studying our defence strategies and finding ways to circumvent them very successfully. Organisations need to stop mindlessly applying security solutions in the hope that such problems will go away if one spends enough money on the latest technology."

Instead, linking security objectives and risk profile to the required people, process, and technology controls will allow organisations to allocate the right resources to safeguard what matters most to them. Having a continual improvement culture also allows organisations to learn from past mistakes and evolve their security management in a disciplined manner, he said.