Organisations need to invest more money into cyber security defences if they are to fight back against the growing threat of data breaches, an Ernst & Young survey has found.
According to the professional services firm’s Global Information Security Survey 2018–19, 87% of respondents said they don’t have the budget to deal with threats – despite an upwards trend in cyber security spending.
Ernst & Young suggests that organisations address this issue in three ways.
1. Protect the enterprise
An essential aspect of cyber security is determining which assets are most important and where they are located. It’s only when you know what needs to be protected that you can build appropriate defences in line with your budget.
Unfortunately, EY believes that few organisations have a clear picture of this. This isn’t a surprise because, according to the survey, more than half of organisations don’t make protecting their organisation an integral part of business operations.
To rectify this, EY recommends that organisations answer several questions, such as what their most valuable information assets are, what threats they face and what their regulatory responsibilities are.
That last point is crucial, not only because of the potential penalties for non-compliance but also because legal requirements can guide you towards effective security.
The GDPR (General Data Protection Regulation), for example, includes a comprehensive list of security and privacy best practices. Granted, it’s a complex piece of legislation, and meeting all of its requirements will take time and effort, but that’s the case however you approach cyber security.
2. Optimise cyber security
Despite budgetary constraints, 77% of organisations say they are seeking to move beyond basic cyber security protections to fine-tune their capabilities.
Although this is good news, it might cause organisations to spread their resources too thinly. The basics – like staff awareness training and security testing – still need to be maintained, and as the threat of cyber crime continues to spiral, the cost of retaining your current level of protection grows.
EY suggests that the best approach might be to rethink your cyber security framework to look for more efficient ways of operating. There’s a good chance that, as organisations expand their defence capabilities, their practices will be duplicated or become outdated.
By making a short-term investment in updating your operations, you could reap the benefits for years to come.
EY also points to the emerging challenge of data breach notification. Many organisations don’t consider this part of their cyber security strategy, because it doesn’t help prevent incidents.
However, the sheer number of threats you face means you can’t rely on your ability to prevent breaches. With an effective system for identifying and disclosing incidents, you can reduce the costs that follow breaches, protect your reputation and meet your regulatory requirements. These are the same goals as your other cyber security strategies, so you should consider breach notification part of your overall defence strategy.
3. Enable growth
EY’s final recommendation is to look for ways to integrate security practices within business processes from the outset of any new projects.
Security by design is a fundamental principle of the GDPR, and if your organisation is to follow suit, EY says you’ll need to focus on emerging technologies and customer experience.
Many organisations now regard emerging technologies as a top priority when considering their cyber security budgets. In most cases, this simply means using the Cloud more, but EY suggests that organisations should also consider making use of robotic process automation, machine learning, artificial intelligence and the Internet of Things.
Cyber security is a moving target
These three recommendations aren’t stepping stones towards security, warns EY. You can’t expect to progress from protection to optimisation to growth, because that misses the point; they must be addressed in unison as part of your overall cyber security strategy.
You must also accept that cyber security is a moving target, so there’s no need to focus too much on your security posture at any one moment in time. Instead, look for strategies that allow you to address the immediate future while remaining flexible enough to stay prepared for the long term.