Over two-thirds (67%) of British companies feel that cyber security concerns prevent them from adopting new technology to grow their business faster. That’s according to a new report from EY based on a survey of 175 C-Suite executives at UK-based organisations. Cloud computing and the Internet of Things (IoT) are the two technologies perceived to pose the greatest cyber security risks.
Mike Maddison, EMEIA cyber security advisory leader at EY, observed: “There’ pressure for companies to compete in the technology arms race, but cyber security fears are sometimes thwarting adoption in important areas such as cloud computing, blockchain, Artificial Intelligence and the IoT. This is illustrated in the concerns of our survey respondents, as 42% of technology and business leaders feel that they’re lagging behind their competitors in the adoption of new technology.”
Maddison continued: “In recent years, the rate and pace of technological advances, regulatory change, cyber attacks and data breaches have moved cyber security rapidly up the corporate agenda. Protection and prevention are still paramount yet, to stay ahead of these evolving trends, organisations need to start thinking differently about cyber security. Business leaders need to make the leap from seeing cyber security as only a protective measure to it also being a strategic value driver.”
Furthermore, 83% of the surveyed organisations feel there’s industry pressure to display good levels of cyber security. More than three-quarters (76%) believe that having a cyber secure brand is now important for helping to build competitive advantage.
Divisions at Board level
The report finds that, across many organisations, the views of Chief Information Officers and those of other Board members around cyber security are not yet aligned. Business leaders such as the CEO, the CFO and the COO tend to be less confident about their organisation’s cyber security posture than those with direct responsibility for IT and technology such as the CIO and Chief Information Security Officer.
In addition, technology leaders are more likely to believe it’s important for competitive advantage to have a cyber-secure brand (82%) compared to only 68% of business leaders.
More than half (57%) of business leaders and exactly half (50%) of technology leaders cite a lack of business sponsorship as the biggest barrier to improving their organisation’s cyber security. Views differ further on how to secure and embed that engagement. Technology leaders are more likely to focus on accountability. A majority (58%) suggest that giving an individual Board member overall responsibility for cyber security would have the greatest impact. Meanwhile, business leaders are more interested in strategy, with 64% believing the biggest gains would come from making cyber security more of a strategic priority.
Levels vary across sectors
According to the survey, cyber security maturity levels vary significantly across sectors. The perceived value of cyber security is higher in the sectors with more direct interaction with consumers and where higher levels of personal data are held.
Respondents from the technology, media and telecoms sector had the highest levels of Board awareness, the largest planned investments in cyber security and the fewest concerns around cyber security as a barrier to adopting new technology to grow their business. In addition, 96% said they believe their Boards know how to quantify cyber security risks and 80% have a Board member with direct expertise in cyber security.
Survey respondents from the retail sector were unanimous in their belief that a cyber secure brand is important for competitive advantage. Evidence of this is that 80% of the retailers surveyed plan to increase their cyber security spending by between 15% and 25% over 2019.
Respondents from infrastructure companies are investing less money in cyber security than other sectors. Some 60% of infrastructure sector respondents invest 5% or less of their total IT budget in cyber security, with 56% not planning to raise spending during 2019.
Lack of accountability
One route to a sharper cyber security focus is to strengthen responsibility. According to EY’s survey, more than half (57%) of organisations don’t have a Board member with direct expertise in cyber security, and nearly two-thirds (67%) don’t believe one is needed.
On that note, Mike Maddison concluded: “Although direct Board expertise in cyber security may not be needed, Board-level understanding of the risks posed to the business is needed for a stronger cyber security posture. In addition, for more than half (53%) of those organisations surveyed, a lack of business ownership is seen as the biggest barrier to improving cyber security.”