Now, more than ever, organisations need to protect themselves from the threat of cybercrime, writes Colm McDonnell, Partner, Enterprise Risk Services, Deloitte.
The findings of the first annual Deloitte Irish Information Security and Cybercrime survey, in association with EMC, highlight just how stark the threat of cybercrime is to Irish organisations. In fact, the survey shows that 32 per cent of respondents experienced between one and five security breaches in the last year. What’s more, 42 per cent of respondents suffered a loss of productivity as a result of cybercrime attacks.
Survey results show that hacking was the most common method used to breach security in organisations, as identified by 38 per cent of respondents. Other common causes of attacks included privilege misuse, physical attacks and malware. Half of all respondents identified employees and their activities as the biggest challenge in information security.
In terms of efforts to combat these threats, just over half of respondents feel they have an information security programme that functions adequately. Forty per cent of respondents indicated that security risks are regularly assessed in their organisations and that strong security practices are in place. Encouragingly, just three per cent indicated that they handle incidents in a purely reactive manner. However, just 12 per cent of respondents would describe their organisation as a frontrunner in terms of information security.
Technical threats or attacks (29%) were identified by respondents as challenges being faced by organisations, which could suggest that employee knowledge of information security and procedures is insufficient. In fact, only 60 per cent of respondents indicated that users receive regular awareness training. Interestingly, 68 per cent of respondents noted that, following internal or external breaches, no action was taken. Furthermore, only four per cent of incidents led to a successful prosecution.
Interestingly, just 45 per cent of respondents indicated that cybercrime was a priority in terms of risk to the organisation. Given that the survey results show the average cost of a large cybercrime incident for a business is €41,875, and given the business outage that such an incident can cause, we believe more organisations should be giving this a higher priority status.
There were mixed responses in terms of the level of funding made available to the information security function. While 48 per cent of respondents believe the function receives adequate funding in their organisation, a similar number, 46 per cent, indicated that they received inadequate funding to counter the threat.
While respecting the difficulties in budgets, organisations need to continually challenge themselves and carry out thorough assessments to determine if information security is being properly addressed.
The reality is that Irish organisations have never faced such a myriad of advanced technological threats and attacks on their digital and critical assets. Irish organisations need to ensure that their efforts in this area are aligned sufficiently with other business efforts and risk management practices.