A survey of 1,900 executives at clients of the accountancy firm Ernst and Young found that almost all (96%) felt “unprepared” for a cyberattack – due to budget cuts and lack of skilled staff.
Constraints on budgets, at 69% and a perceived lack of skilled staff at 66% were the biggest barriers to good security, according to a report by IT Pro Portal.
“In addition to our survey, we interviewed a number of senior executives representing organizations that in EY’s experience demonstrate leading practices in addressing cyber risks,” the firm said in its study.
Awareness of the dangers does appear to be rising – 70% of organizations say that information security is now dealt with at the”highest level”, and nearly half (43%) of firms have increased IT security budgets, according to the report.
Mark Brown, the company’s director of information security, said, “This year’s results show that while businesses are faced with a rising number of security breaches, budget constraints and talent shortages mean that they fail to put in place those systems that match their needs.”
Two thirds of those surveyed felt that the number of security incidents their organization faced had grown by 5% or more in the past 12 months. Around a third – 28% – suggested that the problem stemmed partially from a lack of awareness among executives, according to WorkPlace Law.
Ernst and Young said in its report, “As many organizations have learned, sometimes the hard way, cyber attacks are no longer a matter of if, but when. Hackers are increasingly relentless and often politically motivated.”
“Overall, 43% of survey respondents indicate that their budgets are on the rise. Within the government and public sectors, some respondents reported budget increases, but a majority indicate that their budgets have stayed the same as last year. Small businesses with a turnover of less than US$10m or businesses located in rapid-growth markets report the highest increases as a percentage of their budgets.”
The report’s conclusion, though, suggests more needs to be done, “Despite the efforts organizations have made over the course of the last 12 months to improve their information security programs, much more still needs to be done.Only 23% of respondents rated security awareness and training as their number one or two priority; 32% ranked it last. The only security area rated a lower priority by more respondents was threat and vulnerability management, an activity for which 31% of respondents had no program; this is surprising, as without it organizations have little visibility into where the cyber threats are and where a cyber attack may be coming from.”
Author Rob Waugh, We Live Security