Threats, Vulnerabilities & Security Spending, According to CIOs & CISOs
Ernst & Young’s Global Information Security Survey 2014 revealed the current state of information security among a sample of organizations today, from new threats and vulnerabilities to challenges new security solutions need to address.
One of the reasons for different information security concerns and challenges is the new threat landscape - “the disappearing perimeter” that sums up a combination of mobility, consumerization, the cloud and a changing ecosystem of increasingly interconnected work and home environments.
New Threats & Vulnerabilities
Perceived threats and attackers are also shifting. In previous surveys, organizations identified employees as their biggest threats, at 53 percent, while this year’s survey shows more diversity and variance in perceived threats, moving from internal to external. These new threats included more combinations of different types, including criminal syndicates (53%); state-sponsored hackers (27%); hacktivists (46%); and ‘lone wolf’ hackers (41%).
When it comes to being vulnerable, organizations report that careless or unaware employees were the cause of leaving their company exposed to the possibility of an attack at 38 percent. A close second (35%) attributes the cause to outdated information security controls or architecture.
Top threats include attacks seeking to:
- Steal financial data
- Deface or disrupt their organization
- Steal intellectual property or data
Yet, with an increase in new, external threats, respondents said their information security budgets would stay the same over the next year, with only 5 percent reporting an increase. How are organizations supposed to stay secure with rising threats but relatively flat security spending?
It may just mean companies need to get smarter about security - choosing the right security solutions carefully in order to maximize the return on value, while avoiding the expense in depth phenomena often associated with defense in depth strategies. Securing endpoints, like user logins to internal networks and data, is one place to start.
Another issue is performance; many organizations are spread too thin and attempt to maintain an expansive IT and security environment with not enough resources or experts to support it. That means a security solution needs to have minimal overhead and ongoing maintenance as well as a streamlined initial deployment to reduce the man hours needed to get something in place, especially relevant as organizations grow unexpectedly in users and data.
The report also calls out access to data as a key area of risk; claiming that organizations have weak Identity and Access management programs. Onboarding and ex-employees present a risk, with an ease of inappropriate access to data. They include detailed recommendations for creating a Security Operations Center (SOC) that actually works, including questions that you should ask your organization when it comes to attack preparedness:
- Do you know what you have that others may want? Those type of assets could include intellectual property, people’s personal information, financial information and business information.
- Do you know how your business plans could make these assets more vulnerable?
- Do you understand how these assets could be accessed or disrupted?
- Would you know if you were being attacked and if the assets have been compromised?
- Do you have a plan to react to the attack and minimize the harm caused?
Survey participants included CIOs, CISOs and infosec/infotech executives from 25 different sectors worldwide. The top industries included banking and capital markets, insurance and diversified industrial products and chemicals.
Learn more about modern security solutions that can reduce upfront costs while securing employee access to data against the biggest threats and vulnerabilities facing organizations today in our Two-Factor Authentication Evaluation Guide.