It should be no surprise amid the constant barrage of headlines about cybersecurity incidents that the number and cost of breaches is on the rise.
Security incidents cost businesses an average of $2.7 million each year, according to a survey by PwC. Despite the burgeoning threat, information security is an issue that receives little involvement from the board, and security budgets decreased in the last year.
The Global State of Information Security Survey 2015 was conducted by PwC, gathering responses from more than 9,700 security, IT, and business executives in 154 countries.
The research found that the number of detected information security incidents has risen 66% year over year since 2009. In the 2014 survey, the total number of security incidents detected by respondents grew to 42.8 million around the world, up 48% from 2013—an average of 117,339 per day.
The financial impact of breaches has also increased. The average reported loss from such incidents was up 34% in 2014 compared with the previous year. Furthermore, the number of organizations reporting losses greater than $20 million nearly doubled. As many incidents go undetected or unreported, the true scale of the problem is even greater.
The most frequent source of data breaches described by respondents came from inside the organization itself. The number of incidents attributed to current employees increased by 10% in 2014, and those involving third parties such as current or former contractors rose by 18%. However, the report notes that in some instances, data had been compromised accidentally by employees, for example as a result of a lost mobile device.
The fastest growing cyberthreats involve attacks by nation states, competitors, and organized crime, though these remain much less common. According to the findings, attacks by nation states were up 86% in 2014, with activity focusing mainly on the oil and gas, aerospace and defense, technology, and telecommunications sectors. Reports of security incidents attributed to competitors increased 64% compared with the previous year. Levels of theft by organized crime were particularly high in Malaysia, India, and Brazil.
Cybercriminals also appear to be switching their focus to medium-size firms as large companies bolster their data security. Larger companies (those with gross annual revenues in excess of $1 billion) said they had detected 44% more incidents than last year, while medium-size companies reported a 64% increase.
Despite the increasing frequency and severity of cyberattacks, the budgets allocated to information security have actually gone down by 4% in the last year. The proportion of the IT budget invested in security accounts for 2014 is just 4%. This figure has remained steady over the past five years, suggesting that investment is failing to keep pace with the evolving nature of the threat from cybercrime.
The subject of information security also appears to receive little attention from many boards. Just 42% of those surveyed said their board actively participated in security strategy, and 36% reported board involvement in security policies.
Of the firms represented in the survey, 49% have a dedicated cross-functional team that regularly discusses, coordinates, and communicates information security issues.
The report recommends that companies implement policies to address risks posed by any third parties that interact with the business. Focusing on the rapid detection of security intrusions, and coming up with an effective and timely response, should be a further priority.
“Organizations must shift from security that focuses on prevention and controls, to a risk-based approach that prioritizes an organization’s most valuable assets and its most relevant threats,” David Burg, PwC’s Global and U.S. Advisory Cybersecurity leader, said in a news release.
Investment in cybersecurity should be targeted to tackle the
sophisticated nature of today’s attacks.
“It’s critical to fund processes that fully integrate predictive, preventive, detective, and incident-response capabilities to minimize the impact of these incidents,” Mark Lobel, a PwC advisory principal focused on information security, said in a news release.
Samantha White (
) is a JofA senior editor.