Enterprises not equipped to handle rising cyber threats

by Sohini Bagchi    Nov 06, 2013


Cybersecurity is becoming a sizzling topic in the enterprise. However, recent studies show that very few organizations are adequately equipped to deal with the rising cyber threats. The reason is that most companies are not spending judiciously on IT security to defend themselves against cyber-attacks that are becoming more sophisticated.

A recent global information security survey from consultancy Ernst & Young reveals that while security officers and senior executives are paying more attention to the topic of cybersecurity, nearly one third of respondents had seen at least a 5% increase in the number of security incidents in their organizations. It is therefore no longer a lack of awareness that is holding them back, as was the case in the past; improving cybersecurity has become the need of the hour.

Unintelligent spending on cybersecurity can backfire on the organization. Below are some areas that cybersecurity experts believe most enterprises fail to understand, along with their recommendations for getting the best results.

Lack of a culture of security

IT investment is more about people than technology in recent times, and the same applies to IT security as a rule. In such a scenario, it is important that companies recruit skilled professionals and train them accordingly. Unfortunately, the Ernst & Young study found that the available pool of talent is insufficient, with over 50% of the respondents citing a lack of skilled workers as a barrier to meeting all security priorities. The scarcity of talent is not being properly addressed by an increasing number of executives, the survey found. The percentage of respondents citing a lack of executive awareness or support rose to 31% this year, from 20% last year.

Moreover, training the workforce is an even more important part of security practice. “IT security training and awareness programs mostly do not include creative elements. Attractive newsletters, posters and blogs followed by games and quizzes often enhance the culture of security within the organization,” says Lawrence Orans, Research Director, Gartner. He believes videos are also helpful in demonstrating how best to cope with cyber threats and can be made for people of different generations.

Not prioritizing IT security spends

A major challenge organizations are facing is that even though they are spending on emerging technologies such as cloud, social media and mobility, their IT security budget has not increased adequately. The study shows that a lack of sufficient funds remains a key challenge for companies running their IT security strategies, but it emphasizes spending the funds intelligently. The Ernst & Young report shows that over the next 12 months, 14% of security budgets are being allocated to new technologies by companies, yet respondents said they were unsure whether they were ready to handle the risks posed by corporate use of social media.

“A larger percentage of budgets need to be directed at security innovation along with emerging technologies within the enterprise, such as the use of mobile devices and social media,” says Ken Allan, EY global information security leader. He believes that new technologies like mobility, cloud, etc., in fact require much greater attention to security because of the rising threat incidents. As a result, organizations need to be more forward-looking and set aside their IT security budget accordingly.

Unintelligent tech investment

Although companies should invest in areas such as antivirus, identity and access management, encryption, intrusion detection, etc., experts believe that instead of simply investing in any area of cybersecurity, it is important for companies to look for the specific areas that attackers would be interested in and organize defenses around those areas. Gathering and sharing intelligence on cyber attackers threatening data, networks and business processes can turn out to be critical for organizations in combating attacks. Recent Forrester research also reveals that nearly 75% of respondents believe improving threat intelligence is a top priority for organizations. For example, companies with widespread mobile practices should invest in mobile-based security technologies or opt for a cloud-based security system based on their business requirements. To become more efficient in cybersecurity, businesses should take time to understand the attackers targeting them and then decide on the defense strategies and technology.

Long evaluation cycle

The IT security evaluation cycle tends to be annual for most organizations. But Andy Steingruebl, senior manager, customer and eco-system security at PayPal, believes this is ineffective, as it does not reinforce knowledge. Security strategies and programs should be revisited every 3 months. This gives newer perspectives on threats and enables the organization to deal with threats more effectively.

On a positive note, experts believe senior executives are taking a lot more interest in the topic of cybersecurity today. Last year, very few companies had dedicated information security professionals who reported to senior executives. This year, 35% report quarterly on the state of information security to the company board and the chief executive, showing there has been a moderate increase in the level of awareness when it comes to dealing with IT security, says the Ernst & Young report. It states that once CSOs and the C-suite learn to prioritize their areas of spending, the level of threat incidents will significantly reduce.