More than a third of global organisations don't have a real-time grasp of cybersecurity threats, which are a growing menace as recent headlines show, a report says.

Over a third of global organisations don't have “real-time insight” on cyber risks, which is needed to combat rising threats, according to a new report by EY which encourages firms to embrace cybersecurity as a competitive edge.

The report, Get Ahead of Cybercrime, surveyed 1,825 organisations – from asset management, banking and capital markets, to aerospace and defence, among others – in 60 countries. It found that many firms are lacking the agility, budget and skills to mitigate known vulnerabilities and ramp up their cybersecurity overall.

More telling, 43 per cent of respondents said their firm's total information security budget will stay roughly the same over the next 12 months – despite intensifying threats – which is only a slight improvement on 2013 when 46 per cent said budgets would not change.

Indeed, cybercrime is a global, multi-sector threat. But the issue is arguably one of the most pronounced in the financial services arena, and in particular wealth management, today.

While EY's report considered a range of industries globally, its findings are in line with those stemming from the 2013 FOX Family Office Benchmarking: Technology in the Family Office study, for example, which revealed that security worries – applicable both to data itself and how it is communicated – are now mentioned just as often as the issue of technology integration.

Meanwhile, only this week was the White House computer network reportedly hit by what appears to have been a sustained cyberattack, leading to part of the system being taken offline. Bloomberg has since reported - citing two American officials - that US cybersecurity specialists suspect that Russian government or criminal hackers were responsible. At JP Morgan, some 76 million accounts have been affected by a hacking attack, that bank has disclosed.

Obstacles
Over half (53 per cent) of those surveyed said a lack of skilled resources was one of the main obstacles challenging their information security programme, with just 5 per cent saying they have a threat intelligence team with dedicated analysts.

And prudence in this respect has not improved, either: in 2013, 50 per cent cited a lack of skilled resources and 4 per cent said they had a threat intelligence team with dedicated analysts.

Specifically, “careless or unaware employees” emerged as the top vulnerability companies face, with 38 per cent of respondents saying it is their first priority while “outdated information security controls or architecture” and “cloud computing use” are second and third respectively, at 35 and 17 per cent. Meanwhile, “stealing financial information”, “disrupting or defacing the organisation” and “stealing intellectual property or data” were underlined as the top three threats, with 28, 25 and 25 per cent, respectively, ranking it as their main priority.

In its report, EY encourages organisations to embrace cybersecurity as a core competitive capability, adding: “This requires keeping the organisation in a constant state of readiness, anticipating where new threats may arise and shedding the 'victim' mindset of operating in a perpetual state of anxiety.”

“Beyond internal threats, organisations also need to think broadly about their business ecosystem and how relationships with third parties and vendors can impact their security posture,” added Marcus Rübsamen, EY’s information security leader for Switzerland.

“It’s only by reaching an advanced stage of cybersecurity readiness that an organization can start to reap the real benefits of its cybersecurity investments,” Rübsamen said.

EY strongly believes that addressing cyber threats/risks should be perceived as a “core business issue”, meaning a firm's leadership should have a decision process that enables “quick preventative action”.

With that said, there is no point having such a process in place if it is rarely tested, EY said. Organisations should also closely study data from incidents and attacks, maintain and explore new collaborative relationships and refresh their strategy regularly.