Why 0% of US companies believe their information security strategy is working

According to a survey from EY, security incidents are increasing, but firms don't feel prepared to mitigate the threats.

No US company has an information security function that is meeting all of its needs, according to EY's Global Information Security Survey. According to the survey, 0% of US companies in 2017 said their security needs were fully met by their current information security function, down from 11% in 2016. The number was 11% for companies worldwide.

So, what is holding them back? Some 53% of the respondents said that a lack of skilled resources was keeping their information security operation from contributing more. The report didn't mention whether the lack of resources spoke specifically to too few employees, or a lack of specific skills among current employees.

Globally, respondents also said that more money was needed to improve their security approach. According to the report, 87% said they need up to 50% more funding to be effective in cybersecurity. Despite this need, only 12% of respondents expected to receive a funding increase of over 25%.

A data breach may lead to greater resources for some professionals, but only if it caused a lot of damage, the report said. Among those surveyed, 76% said a breach that caused damage could lead to more funds. However, 64% said that the discovery of an attack that didn't cause any harm probably wouldn't lead to a budget increase for security.

Currently, many companies do not feel that they could properly detect a high-level cybersecurity attack. Only 12% of the survey respondents said it was very likely that they'd be able to detect a sophisticated attack.

The biggest threat to these companies is their own employees, the report found. Globally, 77% said a careless staff member would be the most likely source of an attack, while 81% of US companies said the same.

In terms of how security is set up within these companies, 63% said that cybersecurity is considered a part of IT. However, 48% said they don't have a security operation center, and 57% don't have a formal threat intelligence program, the report found. And only 32% of boards have cybersecurity expertise that could help them oversee such risks.

To improve their security posture, company leaders must encourage education.

"Organizations may feel more confident about confronting the types of attack that have become familiar in recent years, but still lack the capability to deal with more advanced, targeted assaults; they may not even be aware of attack methods that are emerging," the report said. "To be cyber resilient, however, organizations must increase their understanding rapidly - it is likely that they will face all of these categories of attack at one time or another, and possibly simultaneously."

Once they have begun pursuing education, firms must assume the worst possible outcome and begin protecting themselves against common exploits and vulnerabilities, the report said.

The 3 big takeaways for TechRepublic readers

  1. According to an EY report, 0% of US companies and 11% of global companies believe their information security function is fully meeting their needs.
  2. Some 53% of respondents said that a lack of skilled resources was holding them back from achieving proper information security.
  3. IT needs more funds to improve security, but only cyber breaches that cause damage will encourage a bigger investment from the company, according to 76% of respondents.

About Conner Forrest

Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.