Ernst & Young questions UK Organizations' IT Security

Blog originally published by FlowTraq™, authored by Larry Nuttall

In his article, “IT security at 96 per cent of UK businesses”, Computing UK author Sooraj Shah reacted to the Ernst & Young Global Information Technology Survey released in October 2013.

“Only four per cent of UK organisations have IT security functions that fully meet their needs, a new survey released by one of the “big four” international professional services firms, Ernst & Young, claims. Ernst & Young’s 16th annual Global Information Security Survey asks 1,900 senior executives worldwide about cyber security within their business. This includes the level of awareness and actions taken by the firms to thwart attacks.”

Shah’s Computing UK article focuses on the lack of budget and skilled resources to fight cyber-threats cited by UK Organizations. He also mentions the pace of technology evolution and the reactive response of most organizations – not addressing security risks until they arrive.

While 66% of survey participants reported that security incidents within their organizations had increased by at least 5% over the past 12 months, the majority of them felt that their IT Security functions were inadequate to handle increasing numbers of attacks, big data requirements, and the security challenges on the horizon.

Ernst & Young’s Global Information Security Survey 2013

The report that sparked Shah’s article, “Under cyber attack – EY’s Global Information Security Survey 2013. Insights on governance, risk and compliance October 2013”, is a detailed survey on the state of IT Security in Global Organizations.

The report suggests a less operational and more risk-oriented approach to network security: “Analysis, reporting, presentation and other methods are used to spot potential problems, and these problems are communicated and solved together with the business departments now in a more active way, which was rather passive in the past.”

The survey calls for organizations to “Build a holistic capability to correlate seemingly unconnected events and to detect behavioral anomalies using analytical tools and models”.

It adds that “Signature and rule-based tools are no longer as effective in today’s environment. Instead, information security functions may wish to consider using behavior-based analytics against environmental baselines.”

“Nearly one-third of organizations still do not have a threat intelligence program, and slightly more than one-third have an informal program. In terms of vulnerability identification, nearly one in four has no program. […]  This is surprising, as without it organizations have little visibility into where the cyberthreats are and where a cyber attack may be coming from.”

You can download the full Survey here.