Photo - Jason Yuen, Partner, IT Risk and Assurance, EY Malaysia.
Tax and financial consultancy EY's annual global survey shows that Malaysian organisations are as unprepared for cyber attacks as their global peers.
EY Malaysia partner, IT risk and assurance, Jason Yuen said globally more than a third of organisations (67 percent) are facing rising threats in their information security risk environment, but over a third (37 percent) have no real-time insight on cyber risks necessary to combat these threats.
The top cybercrime vulnerability came from careless or unaware employees, while the top threat was the theft of financial information, said Yuen. He added that the report showed 38 percent of respondents ranked 'careless or unaware employees' as their first priority, followed by 'outdated information security controls or architecture' and 'cloud computing use' in second and third place respectively (35 percent and 17 percent).
He said that 'stealing financial information,' 'disrupting or defacing the organisation' and 'stealing intellectual property or data' are the top three threats (28 percent, 25 percent and 20 percent respectively said it was their first priority).
More than half (53 percent) say that a lack of skilled resources is one of the main obstacles challenging their information security programme and only 5 percent of responding companies have a threat intelligence team with dedicated analysts. This shows little improvement from the 2013 figure of 50 percent.
Yuen said that this year's study showed that organisations needed to focus more on anticipating attacks. Companies lack the agility, the budget and the skills to mitigate known vulnerabilities and to prepare for and address cybersecurity threats.
Forty-three (43) percent of respondents say that their organisation's total information security budget will stay about the same in the coming 12 months despite increasing threats, which is only a slight improvement on 2013, when 46 percent said budgets would not change, he said.
Major cause for concern
EY's global risk leader, Paul van Kessel, said, "Organisations will only develop a risk strategy of the future if they understand how to anticipate cybercrime. Cyber-attacks have the potential to be far-reaching - not only financially, but also in terms of brand and reputation damage, the loss of competitive advantage and regulatory non-compliance. Organizations must undertake a journey from a reactive to a proactive posture, transforming themselves from easy targets for cybercriminals into more formidable adversaries."
"Too many organisations still fall short in mastering the foundational components of cybersecurity," said Kessel. "In addition to a lack of focus at the top of the organisation and a lack of well-defined procedures and practices, too many of the organizations we surveyed reveal they do not have a security operations centre. This is a major cause for concern."
EY Malaysia's Yuen said: "Beyond internal threats, organisations also need to think broadly about their business ecosystem and how relationships with third parties and vendors can impact their security posture."
"It's only by reaching an advanced stage of cybersecurity readiness that an organisation can start to reap the real benefits of its cybersecurity investments. By putting the building blocks in place and ensuring that the program is able to adapt to change, companies can start to get ahead of cybercrime, adding capabilities before they are needed and preparing for threats before they arise."
He said the report included the following recommendations:
- Leadership should address cyber threats/risks as a core business issue, and put in place a dynamic decision process that enables quick preventative action.
- Understanding the threat landscape: Organisations should have a comprehensive, yet targeted, awareness of the wider threat landscape and how it relates to the organisation, and invest in cyber threat intelligence.
- Knowing your 'crown jewels': There should be a common understanding across the organisation of the assets that are of greatest value to the business, and how they can be prioritised and protected.
- Focusing on incident and crisis response: Organisations should regularly test their incident and crisis response capabilities.
- Learning and evolving: Cybersecurity forensics is a critical piece of the puzzle. Organisations should closely study data from incidents and attacks, maintain and explore new collaborative relationships and refresh their strategy regularly.