Very few organisations have fully incorporated all relevant risks and threats into their current digital strategy, research finds.
Today, all organisations are digital by default. However, it has never been more difficult for organisations to map the digital environment in which they operate, or their interactions with it. Every organisation’s technology infrastructure is both custom-made and increasingly complex, spanning networks that consist of tools and technologies that may be on-premises or in the cloud – or, quite commonly, a combination of both.
Yet there is no reward without risk. Digital business inherently means utilising new technology, connecting devices and operating platforms, embracing different ways of working, building large-scale data silos, and so on. The convergence of Internet of Things networks with what were once separate and self-contained — and therefore more manageable — systems represents a fundamental change.
The World Economic Forum now rates a large-scale cybersecurity breach as one of the five most serious risks facing the world today. The scale of the threat is expanding drastically: by 2021, the global cost of cybersecurity breaches will reach $6 trillion according to Cybersecurity Ventures’ 2017 Cybercrime Report, double the total for 2015.
Spending Keeps Soaring
Coping with digital challenges and mitigating risks still represents a major burden for organisations across the board. To gain cyber resilience and combat cybercrime, organisations continue to increase their spending on cybersecurity. Of 1,200 C-suite leaders and other senior executives polled by EY for the 2017-18 Global Information Security Survey (GISS), 70% say they require up to 25% more funding, and the rest require even more than this. However, only 12% expect to receive an increase of more than 25%.
For many organisations, the worst may have to happen for these calls to be met. Asked what kind of event would result in cybersecurity budgets being increased, 76% of survey respondents said the discovery of a breach that caused damage would lead to greater resources being allocated.
By contrast, 64% said an attack that did not appear to have caused any harm would be unlikely to prompt an increase in the organisation’s cybersecurity budget. This is higher than the figure reported last year – which is concerning, given that an attack can cause harm that isn’t immediately obvious.