Companies Don't All Walk The Walk Over Cyber-Threat Defenses - EY Study

There remains a worrying gap between talk about the need to beat hackers and what is actually happening on the ground in countries around the world, a study shows.
An EY survey of 1,200 firms around the world finds that the overwhelming majority of them – 87 per cent – say they need to increase cyber-security tools by as much as half (50 per cent) to thwart hackers, but only a small slice of them – 12 per cent – are actually planning to boost spending by more than a quarter.
This outcome of lots of talk but not yet a great deal of action is a cause for concern, particularly given the rising number of big attacks such as the one that recently hit Equifax, the credit reporting firm, in the US, as well as those on Yahoo!, JP Morgan, and a host of other organizations. The scale of the problem is vast. In the US alone, for example, some $3 billion was lost in 2016, touching 22,000 victims, as a result of hacks on business emails, as heard in a recent conference hosted by this news organisation.
While cyber-security breaches can wrong-foot the savviest firms, the survey found that 77 per cent of those surveyed consider careless or uninformed staff to be the main weak spot that attackers exploit. Other high causes of vulnerability are criminal gangs (56 per cent) and staff who deliberately try to hurt a firm (47 per cent).
“Companies that do not take cyber-security seriously are playing with fire,” Reto Aeberhardt, responsible for cyber-security transformation at EY in Switzerland, said.
The greatest threats, as far as survey respondents were concerned, were malware or phishing attacks – malicious software that is delivered in order to con users into passing on useful data, including passwords, addresses and other information.
The findings come from EY’s Global Information Security Survey 2017-18.
Among other findings, only 12 per cent of respondents thought they would be likely to catch sophisticated hackers, and 44 per cent of respondents said they wouldn’t be able to spot such a raid. Of those surveyed, 38 per cent still have no identity and access management system that governs how IT systems’ access is controlled. Some 35 per cent of respondents don’t have defined data protection measures.
Almost half – 45 per cent – of firms said they haven’t set up a security operations centre, either in their own company or at an external provider. Less than a quarter – 24 per cent – of respondents have a management member directly responsible for cyber-security.