The report examines the cybersecurity concerns and solutions of almost 1,200 C-level leaders from the world’s largest and most recognised organisations.
“The most successful recent cyber attacks employed common methods that leveraged known vulnerabilities of organisations,” said EY global advisory cybersecurity leader Paul van Kessel.
While increased hyper-connectivity and new technology created “huge” opportunities, van Kessel warned that they also created new risks and vulnerabilities for organisations.
“As organisations transform into the digital age, they must examine their digital ecosystem from every angle to protect their business today, tomorrow and far into the future,” he said.
Results from the survey showed organisations were continuing to increase their spending on cybersecurity, with nine in 10 anticipating higher budgets this year.
Additionally, 87% said they required up to 50% more funding to provide a stronger response to mounting cyber threats. However, only 12% expected to receive an increase of more than 25% to their cybersecurity budget.
More than three quarters of respondents (76%) said attacks that caused harm were likely to prompt increases in cybersecurity funding.
Contrastingly, 64% said attacks that did not cause harm were unlikely to result in any increases to the budget, despite the effects of an attack not being immediately obvious.
The survey found that cybersecurity budgets were higher in organisations that reported on cybersecurity to the board and audit committee at least twice a year and placed dedicated business line security officers in key lines of business.
According to the survey, 64% of organisations perceived malware (up 12% since 2016) and phishing (up 13%) as the threats that had increased their risk exposure the most over the past year.
An increasing amount of respondents (60% compared to 55% in 2016) noted that carelessness or unawareness among employees was the main cause placing them at risk of an attack, while the majority believed that poor user awareness and behaviour was the most likely source of one (77%).
The sophistication of cybersecurity systems in the event of an advanced attack was a source for concern for many organisations, with three quarters (75%) rating the maturity of their vulnerability identification as “very low to moderate”.
A further 12% said they had not put a formal breach detection program in place, while over a third (35%) described their data protection policies as “ad-hoc or non-existent” and 38% said they had no identity and access program.
Almost half of organisations (48%) were found to not have a Security Operations Centre in place, which would provide a centralised, structured and co-ordinated hub for all cybersecurity activities.
“We believe that in the future, businesses will collaborate and work with each other to share knowledge to help increase cyber resiliency,” said van Kessel.
“It is imperative, therefore, that organisations move beyond thinking about cybersecurity as an IT issue, and focus on good cybersecurity governance and security-by-design.”
Last month, PwC’s Global State of Information Security Survey found organisations in the UK were ill-prepared for cyber attacks, with almost one in five (17%) not preparing for an attack despite an increase in their frequency and severity.
Earlier this year, Deloitte suffered a cyber attack, which compromised the details of major clients, including US government departments and blue chip companies.