Cyber-attacks soar in wake of pandemic

Changes to working practices leave businesses ever more exposed

As business have adopted to new ways of working, the COVID-19 pandemic has exposed them to more and increasingly sophisticated cyber-attacks and brought underfunded cyber defences into the spotlight. This is according to the EY Global Information Security Survey 2021 (GISS), which surveyed more than 1,000 cybersecurity leaders at organisations worldwide. It found that more than half (56%) say that businesses have sidestepped cyber processes to facilitate new requirements around remote or flexible working.

At the same time, cyber leaders state they have never been as concerned as they are now about their ability to manage the cyber threat (43%) with more than three in four (77%) warning that they have seen an increase in the number of disruptive attacks, such as ransomware, over the last 12 months (compared to 59% in the previous year’s GISS).

“The speed of change that businesses have had to adopt to this past year came with a heavy price,” says Kris Lovejoy, EY global consulting cybersecurity leader. “The need to rapidly transform to survive meant that security was often overlooked. The risks of simply moving on, especially as businesses look to maintain some of these working practices in the post-COVID-19 era, without addressing these cyber gaps, are very real and increasingly urgent. Recent ransomware events only serve to underscore how critical immediate action is.”

Despite the growing threat of cyber-attacks, cybersecurity budgets remain low, relative to overall IT spend, according to this year’s GISS. While respondents’ organisations had average revenues of US$11b in the last financial year, the average spend on cybersecurity was just $5.28m. Almost four in ten respondents (39%) warn that their organisation’s budget is below what is required to manage the new challenges that have arisen in the last 12 months. The same percentage say that cybersecurity expenses are not factored adequately into the cost of strategic investments, such as an IT supply chain transformation.

At the same time, more than one-third (36%) say it is only a matter of time until their organisations suffer a major breach that could have been avoided had there been more appropriate investment in cybersecurity defences.

Lovejoy adds: “The impact of underfunding and budget restrictions will be acutely felt as disruptive events become more frequent and more sophisticated. Just like safety and security are part and parcel of any physical product development process, it can no longer be an afterthought in the development of digital products and services. Like night follows day, failure to introduce security in digital products and services will lead to an increase in the number of successful cybersecurity breaches.

The essential relationships between cybersecurity leaders and other functions in the business, lack positivity and strength, according to the 2021 GISS. Responding cyber leaders (41%) describe their relationship with the marketing function as negative, while 28% say their relationship with business owners is poor. As a result, while 36% of respondents in 2020 were confident that cybersecurity teams were being consulted at the planning stage of new business initiatives, this figure has fallen to 19% in 2021. Just 25% think senior business leaders would describe their organisation’s cybersecurity function as commercially minded.