More than two-thirds (67%) of UK firms say cyber security concerns prevent them from adopting new technologies such as cloud computing and the internet of things (IoT), which are considered as posing the greatest cyber security risks, according to a report by EY based on a survey of 175 senior executives.
This is despite the fact that 83% of the surveyed organisations feel there is industry pressure to display good levels of cyber security, and 76% believe that having a cyber secure brand is important for competitive advantage, the EY Cybersecurity for competitive advantages report shows.
“There is pressure for companies to compete in the technology arms race, but cyber security fears are sometimes thwarting adoption in important areas such as cloud computing, blockchain, artificial intelligence and IoT,” said Mike Maddison, advisory cyber security leader for Europe at EY.
“This is illustrated in the concerns of our survey respondents, with 42% of technology and business leaders saying they feel that they are behind their competitors in the adoption of new technology.”
In recent years, Maddison said the rate and pace of technological advances, regulatory change, cyber attacks and data breaches have moved cyber security rapidly up the corporate agenda.
“Protection and prevention are still paramount yet, to stay ahead of these evolving trends, organisations need to start thinking differently about cyber security. Business leaders need to make the leap from seeing cyber security as only a protective measure, to it also being a strategic value driver,” he said.
The report also shows that across many organisations, chief information officers (CIOs) and wider board member views around cyber security are not yet aligned.
Business leaders such as the CEO, CFO and COO tend to be less confident about their organisation’s cyber security than those with direct responsibility for IT and technology such as the CIO and chief information security officer (CISO).
In addition, technology leaders are more likely to believe it is important for competitive advantage to have a cyber-secure brand (82%), compared with only 68% of business leaders.
More than half (57%) of business leaders and exactly half (50%) of technology leaders cite a lack of business sponsorship as the biggest barrier to improving their organisation’s cyber security.
Views differ further on how to secure and embed that engagement, the report said, with technology leaders more likely to focus on accountability, while business leaders are more interested in strategy, with 64% believing the biggest gains would come from making cyber security more of a strategic priority.
A majority (58%) suggest that giving an individual board member overall responsibility for cyber security would have the greatest impact.
According to the survey, cyber security maturity levels vary significantly across sectors. The perceived value of cyber security was higher in the sectors with more direct interaction with consumers and where higher levels of personal data are held.
Respondents from the technology, media and telecoms (TMT) sector had the highest levels of board awareness, the largest investments in cyber security planned and the fewest concerns around cyber security as a barrier to adopting new technology to grow their business. In addition, 96% said they believe their boards know how to quantify cyber security risks, and 80% have a board member with direct expertise in cyber security.
Survey respondents from the retail sector were unanimous in their belief that a cyber secure brand is important for competitive advantage. Evidence of this is that 80% of the retailers surveyed plan to increase cyber security spending by between 15%-25% during 2019.
Respondents from infrastructure companies are investing less money in cyber security than other sectors, the survey shows, with 60% of infrastructure sector respondents investing 5% or less of their total IT budget in cyber security, and 56% not planning to increase spending during 2019.
“One route to a sharper cyber security focus is to strengthen responsibility,” said Maddison. “According to our survey, more than half (57%) of organisations do not have a board member with direct expertise in cyber security, and nearly two-thirds (67%) do not think one is needed.
“Although direct board expertise in cyber security may not be needed, board-level understanding of the risks to the business is needed for a stronger cyber security posture. In addition, for more than half (53%) of organisations surveyed, a lack of business ownership is seen as the biggest barrier to improving their cyber security,” he said.