Organized crime, the first threat to businesses

Focusing on cybersecurity issues, the 2015 GISS study by Ernst & Young shows that the majority of companies (88%) believe that their information systems do not meet their security needs. Concerning the sources of threats, 59% cite criminal organizations, ahead of hacktivists (54%), and a growing share point to state-sponsored groups (35%).
The auditing and consulting firm EY (Ernst & Young) has just published its 18th annual study on computer security. The 2015 edition of the GISS (Global Information Security Survey) was devoted to the cybersecurity threats that companies have to face. It surveyed 1,755 organizations in 67 countries. Of these, 88% do not believe that their information systems meet their security needs, which must cover every dimension of the company (finance, supply chain, CRM, HR, etc.) while the company itself is in the midst of digital transformation. However, only 36% think they would not be able to detect a sophisticated attack, compared to 56% last year. EY sees this as a significant improvement, while reminding companies to keep in mind that the level of sophistication of attacks is continually increasing.
The IoT will complicate security issues
As a preamble to its 2015 GISS study, EY emphasizes the importance of fully understanding the challenges posed by cybersecurity. Companies are considering the opportunities brought by digital transformation and are accelerating their projects in this direction. But in their haste, they have overlooked some precautions and underestimated some risks, the firm notes. The realization that the digital world also offered criminals something to exploit came late. Likewise, the complexity of the interconnectivity between users, enterprises and IoT objects, and the unintended consequences that result, are only beginning to emerge. To fully grasp the challenges they face, organizations must ask themselves four sets of questions, advises the audit firm. First, what threats do you think you have to deal with, and how can you combat them? Second, what are the worst-case scenarios for you, how do you detect the faintest signals, and how do you constantly maintain the highest level of alert? Third, why are you still so vulnerable: is it a lack of measures in your current environment, the absence of mechanisms to adapt to changes, or the absence of a proactive approach to neutralize sophisticated cyberattacks? Finally, fourth, what is active defense, how do you build it, and what needs to be improved?
In 2020, 85% of business relationships will be managed without human interaction, according to a Gartner report (which dates back to 2011), recalls EY. However, the results of the 2015 GISS study show, for example, that for 68% of respondents, monitoring their ecosystem does not appear to be a challenge in the context of the Internet of Things. Likewise, still in the context of the IoT, 67% do not see managing the growth in access points to their organization as a security problem.
Is employee negligence better taken into account?
When asked which vulnerabilities have grown the most in the past 12 months, respondents cited employee negligence or ignorance first (18%), followed by outdated security architectures and information (15%). However, EY points out, these two concerns, mentioned this year by 44% and 34% of those questioned respectively, already came first last year, and at a higher level: 57% and 52% of respondents. For the firm, this means that companies think they are covering these vulnerabilities more effectively.
In terms of identified threats, phishing comes first this time (19%), followed by malware (viruses, worms, Trojan horses, etc.) and zero-day attacks (16%), then cyberattacks aimed at stealing financial information (15%), at disrupting the company's activity (15%), or at seizing its data or intellectual property (13%). Then come fraud (12%), espionage and natural disasters (9%). On average, 44% of respondents said this year that they see phishing as the main threat, up from 39% last year. The trend is the same for malware, seen by 43% as the first threat against 34% in 2014. The evolution is clear but, this time, EY wonders whether it is accurate or a misperception.
Organized crime cited as main source of attacks
What would counter cyber threats? For 42% of respondents, knowing their assets well is key in the field of security. Asked about their ability to estimate the damage resulting from cyber-incidents suffered over the past 12 months, only 20% of them can do so. When it comes to designating the most likely sources of attacks, organized crime is mentioned in 59% of cases (compared to 53% in 2014). But company employees are not far behind, mentioned in 56% of cases, followed by activist groups (54% compared to 46% in 2014) and lone hackers (43%). EY points out the increase in attacks possibly sponsored by states: 35% of respondents cite them against only 27% last year.
As for the investments planned for next year in these areas, 69% of respondents believe they should increase their cybersecurity budget to better protect their data. Yet 84% of respondents believe they will spend the same or less on the protection of their intellectual property, 70% will spend the same on operational security (antivirus, security patches, encryption, etc.) and, finally, 62% will keep the same level of expenditure on their incident response capabilities. However, notes EY, a large part of the companies questioned do not seem to be equipped to deal with cyberattacks. Thus, 54% of respondents admit to lacking a department devoted to the impact of new technologies and 47% do not have a security operations center (SOC), while 36% simply do not have a threat detection program. Finally, 18% have absolutely no identity and access management program.