Cybersecurity incidents more frequent and costly, but budgets decline: PwC, CIO and CSO Global State of Information Security Survey, 2015
Impact extends to C-suite and boardroom, insider incidents and high-profile crimes increasing
The number of reported information security incidents around the world rose 48 percent to 42.8 million, the equivalent of 117,339 attacks per day in 2013, according to The Global State of Information Security Survey 2015, released today by PwC in conjunction with CIO and CSO magazines. Detected security incidents have increased 66 percent year-on-year since 2009, the survey data indicates.
Louis Strydom, PwC Forensics Leader for Africa, says: “It’s not surprising that reported security breach incidents and associated financial impacts continue to rise year-on-year. However, the actual magnitude of these breaches is much higher when considering the nature of detection and reporting of these incidents.”
The results of the survey are based on responses of more than 9,700 CEOs, CFOs, CIOs, CISOs, CSOs, VPs, and directors of IT and security practices from more than 154 countries.
As security incidents become more frequent, the associated costs of managing and mitigating breaches are also increasing. Globally, the estimated reported average financial loss from cybersecurity incidents was $2.7 million – a 34 percent increase over 2013. Big losses have been more common this year as organisations reporting financial hits in excess of $20 million nearly doubled.
But despite elevated concerns, the survey found that global information security budgets actually decreased four percent compared with 2013. Security spending as a percentage of IT budget has remained stalled at 4 percent or less for the past five years.
“Strategic security spending demands that business identify and invest in cybersecurity practices that are most relevant to today’s advanced attacks,” says Strydom. “It’s critical to fund processes that fully integrate predictive, preventative, detective and incident-response capabilities to minimise the impact of these incidents.”
PwC research shows that cybercrime is still the second most common type of economic crime reported by the financial services sector, after asset misappropriation – 38% in 2011 vs 39% in 2014 (this compares to only 16% in 2011 vs 17% in 2014 in other industries). Strydom comments further: “The landscape of cybercrime is also changing. Our cybersecurity experts have perceived an increase in cybercrime from Africa, which correlates with various government initiatives to roll out broadband in that region.” Furthermore, industry sources indicate that cybercriminals are relocating to South Africa from Europe as a result of increased cooperation between law enforcement agencies in the EU.
According to the State of Information Security Survey, organisations of all sizes and industries are aware of the serious risks involved with cybersecurity; however, larger companies detect more incidents. Large organisations with gross annual revenues of $1bn or more detected 44 percent more incidents this year. And while risk has become universal, the survey found that financial losses also vary widely by organisational size.
“Large companies typically spend more on information security and have a more mature programme. As a result, they are more likely to have the processes and knowledge to accurately calculate financial losses,” adds Strydom.
Insiders have become the most-cited culprits of cybercrimes, but in many cases they unwittingly compromise data through loss of mobile devices or targeted phishing schemes. Respondents said incidents caused by current employees increased 10 percent, while those attributed to current and former service providers, consultants and contractors rose 15 percent and 17 percent, respectively. Strydom points out that many organisations often handle the consequences of cybercrime internally, instead of involving law enforcement or pursuing criminal charges. “In doing so they may leave other organisations vulnerable to risks because those that hire these individuals in the future have no way of assessing their threat potential.”
Meanwhile, high-profile attacks by nation-states, organised crime and competitors are among the least frequent incidents, yet the fastest-growing cyber threats. This year, respondents who reported a cyber-attack by nation-states increased 86% – and those incidents are also the most likely to be under-reported. The survey also found a striking 64 percent increase in security incidents attributed to competitors, some of whom may be backed by nation-states.
Effective security awareness requires top-down commitment and communication, a tactic that the survey finds is often lacking across organisations. Only 49 percent of respondents say their organisation has a cross-organisational team that regularly convenes to discuss, coordinate, and communicate information security issues.
It is critical for companies to focus on the rapid detection of security intrusions and to have an effective, timely response. Given today’s interconnected business ecosystem, it is just as important to establish policies and processes regarding third parties that interact with the business.
Strydom concludes: “Cyber risks will never be completely eliminated, and with the rising tide of cybercrime, organisations must remain vigilant and agile in the face of a constantly evolving landscape.
“Organisations must shift from security that focuses on prevention and controls, to a risk-based approach that prioritises an organisation’s most valuable assets and its most relevant threats. Investing in robust internal security awareness policies and processes will be critical to the ongoing success of any organisation.”