Trying to prevent cyberattacks is not enough

Experts say it’s not a case of whether you will be attacked online but when. So get ready to fight back

Security issue: Irish companies remain behind the international curve in several key areas of information security

Security issue: Irish companies remain behind the international curve in several key areas of information security

 

Despite indications of a steady rise in threats to digital data from hackers, international cybercrime gangs, and even disgruntled ex-employees, Irish companies remain behind the international curve in several key areas of information security.

According to the 16th annual Global Information Security Survey from Ernst & Young, Irish companies lagged their counterparts internationally in security investment. Only 29 per cent said they had increased their security budgets by more than 5 per cent in the previous 12 months, compared to 43 per cent of companies globally.

Looking ahead, 49 per cent of global companies said they would be increasing spend on information security, compared to 24 per cent of Irish organisations. And global companies indicate they will spend more than Irish companies when they make that investment, 34 per cent versus 18 per cent.

“I think the likelihood of being exploited now is almost a certainty. Worldwide, with cyberattacks, it’s not a case of if, but when,” says Hugh Callaghan, financial services advisory director at Ernst & Young Ireland.

Addressing threats
Irish companies tend to put their IT security budget into tools to prevent attacks, but they need to be able to detect attacks and to address them while they are underway too, says Callaghan.

What is encouraging is that Irish businesses are far more likely than many others around the world to be reporting information security issues directly to the board or other top governing level within their organisation, he says. Some 65 per cent of Irish respondents, compared to 48 per cent of global respondents, said this was done on a monthly or quarterly basis. “But there’s still questions how this information is governed in Ireland,” he says.

Though a significant number of Irish organisations keep the board informed of information security issues within the company, a far lower number actually have information security report directly to a chief information officer or a similar role, as opposed to simply reporting to the IT division.

Only 24 per cent of Irish companies have information security reporting to a chief information officer or similar executive, compared to 46 per cent of global companies. “So, they’re still putting information security primarily as an IT function,” says Callaghan. “You have to ask whether the issue is being given enough of a governance role.”

Ivan O’Brien, advisory director at Ernst & Young Ireland, thinks Irish reluctance to prioritise IT security at a higher level is in part be due to cutbacks and a recessionary economy, but notes there’s also “an ongoing Irish trend” to approach it in this way. “The question for the board is, ‘Are they doing enough and are they taking it seriously?’ ” he says.

In general, Irish companies included in the survey indicated they had similar priorities to organisations worldwide. Business continuity and disaster recovery; data leak prevention; and compliance monitoring were the top three priorities for all.

However, Irish companies gave lower priority than their international counterparts to recruiting new security resources, information security transformation, threat and vulnerability management, privacy, identity and access management, and security awareness and training. On the upside, Irish firms now conduct more assessments of their main external partners, vendors and contractors than the average for international companies at 59 per cent compared to 52 per cent locally.

Data protection
The prospect of much stricter data protection legislation coming in the next 12 to18 months, in the form of a fresh EU directive, means organisations risk significant fines if they have data breaches.

“That’s very attention grabbing,” says Callaghan and is likely to push security to higher priority.

Overall, 31 per cent of global respondents to the survey said there had been at least a 5 per cent rise in security incidents at their organisation in the previous year. However, budgets remain constrained, and 65 per cent said that even with a plan for increased security spending, meeting the needs of their organisation in this area would be a challenge.

Better intelligence
Callaghan says the main steps businesses should take to improve their information security approach are to obtain better intelligence through improved security systems, to increase monitoring for threats, and to get executive level support.

“In Irish companies, the basics are still a huge challenge. There tends to be so-so intelligence, and very little monitoring of threats. And, lack of executive support is a major inhibitive factor.”

O’Brien says organisations in Ireland also face difficulty in finding people with the right skills in the information security area.

“It’s economically, crucially important for Ireland to get this right. If the country wants to be a technology hub, we need to be leading in this area,” Callaghan says.

The report includes the responses of 1,909 executives from 64 countries.