87% of organisations have an insufficient cyber security budget – IT Governance Blog

Although organisations are devoting more resources to cyber security in order to tackle the growing threat of data breaches, 87% say they don’t have the budget to meet their needs, a new report has found.

According to the EY Global Information Security Survey 2018-19, organisations are forced to focus on the fundamentals of defence and neglect more advanced processes.

This is a worrying trend, as it could exacerbate the problem in the future. So, how can you address it?

The most important part of cyber security is identifying which assets are most important and where they are located. It’s only when you know what needs to be protected that you can build appropriate defences in line with your budget.

Unfortunately, EY believes that few organisations have a clear picture of this. This isn’t a surprise because, according to the survey, more than half of organisations don’t make protecting their organisation an integral part of business operations.

To rectify this, EY recommends that organisations ask:

• What are our most valuable information assets?
• What are our most obvious cyber security weaknesses?
• What are the threats we’re facing?
• Who are the potential threat actors?
• Have we already been breached or compromised?
• How does our protection compare with our competitors?
• What are our regulatory responsibilities, and do we comply with them?

That last point is crucial, not only because of the potential penalties for non-compliance but also because legal requirements can guide you towards effective security.

The GDPR (General Data Protection Regulation), for example, includes a comprehensive list of security and privacy best practices. Granted, it’s a complex piece of legislation, and meeting all of its requirements will take time and effort, but that’s the case however you approach cyber security.

Despite budgetary constraints, 77% of organisations say they are seeking to move beyond basic cyber security protections to fine-tune their capabilities.

Although this is good news, it might cause organisations to spread their resources too thinly. The basics – like staff awareness training and security testing – still need to be maintained, and as the threat of cyber crime continues to spiral, the cost of retaining your current level of protection grows.

EY suggests that the best approach might be to rethink your cyber security framework to look for more efficient ways of operating. There’s a good chance that, as organisations expand their defence capabilities, their practices will be duplicated or become outdated.

By making a short-term investment in updating your operations, you could reap the benefits for years to come.

You can assess the efficiency of your defences by asking:

• What is our cyber security strategy?
• What is our tolerance and appetite for risk?
• Are there any low-value activities we could do more quickly or cheaply?
• How could technologies such as robotic process automation, artificial intelligence and data analytics tools help us?
• Where do we need to strengthen our capabilities?
• What can we stop doing?

EY also points to the emerging challenge of data breach notification. Many organisations don’t consider this part of their cyber security strategy, because it doesn’t help prevent incidents.

However, the sheer number of threats you face means you can’t rely on your ability to prevent breaches. With an effective system for identifying and disclosing incidents, you can reduce the costs that follow breaches, protect your reputation and meet your regulatory requirements. These are the same goals as your other cyber security strategies, so you should consider it part of your overall defence strategy.

EY’s final recommendation is to look for ways to integrate security practices within business processes from the outset of any new projects.

Security by design is a fundamental principle of the GDPR, and if your organisation is to follow suit, EY says you’ll need to focus on emerging technologies and customer experience. You should also ask:

• Is our entire supply chain secure?
• How do we design and build new channels that are secure by design?
• Where does cyber security fit into our digital transformation-enabled business model?
• Could strong privacy and data protection give us a competitive advantage?
• How focused on cyber security is our board as it pursues our digital ambitions?
• How are our most senior executives taking ownership of, and showing leadership on, cyber security?
• Do we have enough focus on cyber security in our entire ecosystem?

Many organisations now regard emerging technologies as a top priority when considering their cyber security budgets. In most cases, this simply means using the Cloud more, but EY suggests that organisations should also consider making use of robotic process automation, machine learning, artificial intelligence and the Internet of Things.

You must move forward

These three recommendations aren’t stepping stones towards security, warns EY. You can’t expect to progress from protection to optimisation to growth, because that belies the point; they must be addressed in unison as part of your overall cyber security strategy.

You must also accept that cyber security is a moving target, so there’s no need to focus too much on your security posture at any one moment in time. Instead, look for strategies that allow you to address the immediate future while remaining flexible enough to stay prepared for the long-term.

Anyone interested in finding appropriate solutions for their organisation should take a look at our range of products and services. Whether you’re looking for general advice or specific solutions geared towards legal and best practice compliance, we’re here to help.

Subscribe to the GRC Weekly for all the latest cyber security news and advice >>