Cyber security budgets continue to shrink even as the frequency and cost of security breaches continue to increase, according to a new global study from PwC in collaboration with CIO and CSO magazines.
The number of reported information security incidents surged 48 percent, to 42.8 million, this year, according to “The Global State of Information Security Survey 2015.” That equates to an average of 117,339 cyber security incidents per day.
Survey results show that detected cyber security incidents have been surging since 2009, increasing 66 percent year-over-year. The cost of cyber attacks has been rising along with their increased frequency. The global average reported financial loss from cyber security incidents was $2.7 million – up 34 percent from 2013. The number of organizations reporting large losses – in excess of $20 million – nearly doubled.
“It’s not surprising that reported security breach incidents and the associated financial impact continue to rise year-over-year,” David Burg, PwC’s Global and US Advisory Cybersecurity Leader, was quoted in a news release. “However, the actual magnitude of these breaches is much higher when considering the nature of detection and reporting of these incidents.”
Cyber Security Spending
Despite the growing frequency and cost of cyber security incidents, however, organizations spent less on cyber security in 2013. Globally, information security budgets dropped four percent year-over-year. Furthermore, the percentage of IT budgets allocated to information security has stalled at four percent or less for the past five years, the report authors highlight.
“Strategic security spending demands that businesses identify and invest in cybersecurity practices that are most relevant to today’s advanced attacks,” explained Mark Lobel, PwC Advisory principal focused on information security. “It’s critical to fund processes that fully integrate predictive, preventive, detective and incident-response capabilities to minimize the impact of these incidents.”
Larger companies – those with gross annual revenues of $1 billion or more – detect more cyber security incidents than smaller companies, PwC, CIO and CSO researchers found. Overall, large companies detected 14 percent more incidents this year than last. Medium-sized organizations – those with annual revenues of $100 million to $1 billion – saw a 64 percent increase in the number of cyber security incidents detected.
The researchers found that financial losses associated with cyber security incidents also vary widely with organization size. “Large companies have been more likely targets for threat actors since they offer more valuable information, and thus detect more incidents,” CSO publisher Bob Bragdon was quoted as saying.
“However, as large companies implement more effective security measures, threat actors are increasing their assaults on middle-tier companies. Unfortunately, these organizations may not yet have security practices in place to match the efficiency of large companies.”
Causes of Cyber Attacks
Though they “unwittingly compromise data through loss of mobile devices or targeted phishing schemes,” insiders are the most-cited culprits of cyber crime, the report authors note. According to survey results, cyber security incidents caused by current employees rose 10 percent this year. Those attributed to current and former service providers, consultants and contractors increased 15 percent and 17 percent, respectively.
“Many organizations often handle the consequences of insider cyber crime internally instead of involving law enforcement or legal charges,” Bragdon commented. “In doing so, they may leave other organizations vulnerable if they hire these employees in the future.”
Though newsworthy and significant, high-profile cyber security attacks by nation-states, organized crime and competitors are among the least frequent. That said, they are the fastest-growing cyber threat.
Survey results show that the number of survey respondents who reported a cyber attack by nation-states surged 86 percent in 2014. Moreover, the report authors pointed out, “those incidents are also most likely under-reported.” In addition, the researchers found “a striking 64 percent increase in security incidents attributed to competitors, some of whom may be backed by nation-states.”
A critical factor in prevention and detection of cyber attacks – top-down commitment and communication – is often missing, according to the survey results. Forty-nine percent of survey respondents said their organization “has a cross-organizational team that convenes regularly to discuss, coordinate, and communicate information security issues.”
“Given today’s interconnected business ecosystem, it is just as important to establish policies and processes regarding third parties that interact with the business,” PwC, CIO and CSO state. “Cyber risks will never be completely eliminated, and with the rising tide of cybercrime, organizations must remain vigilant and agile in the face of a constantly evolving landscape,” PwC’s Burg cautioned.
“Organizations must shift from security that focuses on prevention and controls, to a risk-based approach that prioritizes an organization’s most valuable assets and its most relevant threats. Investing in robust internal security awareness policies and processes will be critical to the ongoing success of any organization.”