The rate of cyberattacks targeting businesses continues to rise, yet according to EY, two-thirds of organisations are still treating cybersecurity as an afterthought.

In the EY Global Information Security Survey published today, the professional services giant found that only 36% of businesses using technology involved their own security teams when planning new business initiatives.

The rest bring their cybersecurity experts in at a later stage, often when the project’s technology has been fully formulated. This forces infosecurity workers to bolt on security solutions, rather than integrating them into the project’s overall structure, which can result in greater numbers of vulnerabilities.

The survey, which includes the responses of almost 1,300 cybersecurity leaders from organisations across the world, suggests that businesses are still not thinking about security as an integral part of technology projects.

“Cybersecurity has traditionally been a compliance activity, bolted on by a checklist approach instead of built into every technology-enabled business initiative. This is not a sustainable model,” said Kris Lovejoy, EY global cybersecurity leader, advisory.

“If we ever hope to get ahead of the threat, we must focus on creating a culture of security by design.”

Enterprise cyberattacks are on the rise

Notably, the survey also highlighted what cybersecurity professionals already know: that cyberattacks against businesses are on the rise, making this a mindset in need of urgent change.

EY’s survey found that almost 60% of organisations report a rise in disruptive attacks over the past year.

It also highlighted an increase in attacks from activists, climbing to 21% of attacks, up from 12% in the previous year. This puts them only slightly behind the leading perpetrator type, organised crime groups, which are responsible for 23% of attacks.

Beyond an afterthought: Changing mindsets about cybersecurity

The research also highlighted strains between cybersecurity teams and other parts of the business, which may go some way to explaining why the issue has not been upgraded from an afterthought for most businesses.

For example, 74% of respondents said that the relationship between cybersecurity and marketing teams was at best neutral, and often mistrustful or non-existent.

Similar concerns also exist with research and development teams, at 64%, and line-of-business teams, at 59%. Finance – the department responsible for issuing cybersecurity teams with their much-needed budgets – also saw strain in 57% of cases.

“As companies undergo transformation, what’s needed is to build relationships of trust across every function of the organisation, starting at the board level so that cybersecurity is established as a key value enabler,” said Lovejoy.

“Boards, senior management teams, CISOs and leaders throughout the business must collaborate to position cybersecurity at the heart of business transformation and innovation.”

