According to the EY Global Information Security Survey 2018–19, organizations are forced to focus on the fundamentals of defense and neglect more advanced processes.
This is a worrying trend, as it could exacerbate the problem in the future. So, how can you address it?
Protect the enterprise
The most important part of cybersecurity is identifying which assets are most important and where they are located. It’s only when you know what needs to be protected that you can build appropriate defenses in line with your budget.
Unfortunately, EY believes that few organizations have a clear picture of this. This isn’t a surprise because, according to the survey, more than half of organizations don’t make protecting their organization an integral part of business operations.
To rectify this, EY recommends that organizations ask:
- What are our most valuable information assets?
- What are our most obvious cybersecurity weaknesses?
- What are the threats we’re facing?
- Who are the potential threat actors?
- Have we already been breached or compromised?
- How does our protection compare with our competitors?
- What are our regulatory responsibilities, and do we comply with them?
That last point is crucial, not only because of the potential penalties for non-compliance but also because legal requirements can guide you towards effective security.
The GDPR (General Data Protection Regulation), for example, includes a comprehensive list of security and privacy best practices. Granted, it’s a complex piece of legislation, and meeting all of its requirements will take time and effort, but that’s the case however you approach cybersecurity.
Despite budgetary constraints, 77% of organizations say they are seeking to move beyond basic cybersecurity protections to fine-tune their capabilities.
Although this is good news, it might cause organizations to spread their resources too thinly. The basics – like staff awareness training and security testing – still need to be maintained, and as the threat of cybercrime continues to spiral, the cost of retaining your current level of protection grows.
EY suggests that the best approach might be to rethink your cybersecurity framework to look for more efficient ways of operating. There’s a good chance that, as organizations expand their defense capabilities, their practices will be duplicated or become outdated.
By making a short-term investment in updating your operations, you could reap the benefits for years to come.
You can assess the efficiency of your defenses by asking:
- What is our cybersecurity strategy?
- What is our tolerance and appetite for risk?
- Are there any low-value activities we could do more quickly or cheaply?
- How could technologies such as robotic process automation, artificial intelligence and data analytics tools help us?
- Where do we need to strengthen our capabilities?
- What can we stop doing?
EY also points to the emerging challenge of data breach notification. Many organizations don’t consider this part of their cybersecurity strategy, because it doesn’t help prevent incidents.
However, the sheer number of threats you face means you can’t rely on your ability to prevent breaches. With an effective system for identifying and disclosing incidents, you can reduce the costs that follow breaches, protect your reputation and meet your regulatory requirements. These are the same goals as your other cybersecurity strategies, so you should consider breach notification part of your overall defense strategy.
EY’s final recommendation is to look for ways to integrate security practices within business processes from the outset of any new projects.
Security by design is a fundamental principle of the GDPR, and if your organization is to follow suit, EY says you’ll need to focus on emerging technologies and customer experience. You should also ask:
- Is our entire supply chain secure?
- How do we design and build new channels that are secure by design?
- Where does cybersecurity fit into our digital transformation-enabled business model?
- Could strong privacy and data protection give us a competitive advantage?
- How focused on cybersecurity is our board as it pursues our digital ambitions?
- How are our most senior executives taking ownership of, and showing leadership on, cybersecurity?
- Do we have enough focus on cybersecurity in our entire ecosystem?
Many organizations now regard emerging technologies as a top priority when considering their cybersecurity budgets. In most cases, this simply means using the cloud more, but EY suggests that organizations should also consider making use of robotic process automation, machine learning, artificial intelligence and the Internet of Things.
You must move forward
These three recommendations aren’t stepping stones towards security, warns EY. You can’t expect to progress from protection to optimization to growth, because that misses the point; they must be addressed in unison as part of your overall cybersecurity strategy.
You must also accept that cybersecurity is a moving target, so there’s no need to focus too much on your security posture at any one moment in time. Instead, look for strategies that allow you to address the immediate future while remaining flexible enough to stay prepared for the long term.