Organisations unprepared for 'inevitable' cyber attacks, claims EY

Despite awareness of rising security threats, most organisations still unprepared for cyber attacks

More than one-third of organisations are completely unprepared for a cyber attack, a report by consultants EY has claimed.

The annual Get Ahead of Cybercrime security survey also suggests that many organisations lack the budget and skills required to fully protect themselves against cyber crime.

That's despite more than two-thirds of the 1,825 organisations surveyed believing that information security represents an area that will become increasingly important.

However, despite awareness of the increased number and range of cyber threats, more than two-fifths (43 per cent) said that their organisation was not planning to increase the cyber security budget in the near future.

Overall, the survey suggests that organisations need to do a better job of anticipating cyber attacks in an environment where it is no longer possible to prevent all cyber breaches, especially given the increased sophistication of computer hackers and other cyber criminals.

"Cyber attacks have the potential to be far-reaching - not only financially, but also in terms of brand and reputation damage, the loss of competitive advantage and regulatory non-compliance," said Mark Brown, executive director of cyber security and resilience at EY.

"Organisations must undertake a journey from a reactive to a proactive posture, transforming themselves from easy targets for cyber criminals into more formidable adversaries," he continued, before going on to argue that some organisations aren't even taking basic steps to address the issue of cyber crime.

"Too many organisations still fall short in mastering the foundational components of cyber security. The UK government has attempted to fill this void by introducing the Cyber Essentials Scheme.

"However, today's findings highlight that organisations are not taking the basic steps, such as setting up a security operations centre or putting in place an incident response plan, and this continues to be a major cause for concern," Brown said.

Ken Allan, EY's global information security leader, added that cyber security is something that should be considered in all areas of the business.

"Beyond internal threats, organisations also need to think broadly about their business ecosystem and how relationships with third parties and vendors can affect their security posture," he said.

"It's only by reaching an advanced stage of cyber security readiness that an organisation can start to reap the real benefits of its cyber security investments," Allan continued.

"By putting the building blocks in place and ensuring that the program is able to adapt to change, companies can start to get ahead of cyber crime, adding capabilities before they are needed and preparing for threats before they arise," he concluded.

Earlier this year, EY argued that the end of Windows XP support was leaving organisations "asleep at the wheel" and vulnerable to hackers.