Security Incidents Continue to Rise in Cost and Frequency While Budgets Decrease, according to PwC, CIO and CSO’s The Global State of Information Security® Survey 2015
Impact extends to C-suite and boardroom as large companies detect a greater number of, and more costly, incidents; insider incidents and high-profile crimes increasing
NEW YORK, NY and FRAMINGHAM, MA, September 30, 2014 – PwC US, in conjunction with CIO magazine and CSO, today released The Global State of Information Security® Survey 2015. According to the survey, the number of reported security incidents rose 48 percent this year to 42.8 million – the equivalent of 117,339 attacks per day. The survey data also indicates that detected security incidents have grown at a compound annual growth rate (CAGR) of 66 percent since 2009.
“It’s not surprising that reported security breach incidents and the associated financial impact continue to rise year-over-year,” said David Burg, PwC’s Global and US Advisory Cybersecurity Leader. “However, the actual magnitude of these breaches is much higher when considering the nature of detection and reporting of these incidents.”
As security incidents grow in frequency, the associated costs of managing and mitigating breaches are also increasing. Globally, the estimated reported average financial loss from cybersecurity incidents was $2.7 million – a 34 percent increase over 2013. Big losses have been more common this year as organizations reporting financial hits in excess of $20 million rose 92 percent. While risk has become universal, the survey found that financial losses also vary widely by organizational size.
Despite elevated concerns, the survey found that global information security budgets actually decreased four percent when compared with 2013. In fact, security spending as a percentage of IT budget has remained stalled at 4 percent or less for the past five years. “Strategic security spending demands that businesses identify and invest in cybersecurity practices that are most relevant to today’s advanced attacks,” explained Mark Lobel, PwC Advisory principal focused on information security. “It’s critical to fund processes that fully integrate predictive, preventive, detective and incident-response capabilities to minimize the impact of these incidents.”
Organizations of all sizes and industries are aware of the serious risks involved with cybersecurity; however, larger companies detect more incidents. Large organizations – with gross annual revenues of $1 billion or more – detected 44 percent more incidents this year. Comparatively, medium-sized organizations – with revenues of $100 million to $1 billion – witnessed a 64 percent increase in the number of incidents detected.
“Large companies have been a more likely target for threat actors since they offer more valuable information, and thus detect more incidents,” said Bob Bragdon, publisher of CSO. “However, as large companies implement more effective security measures, threat actors are increasing their assaults on middle-tier companies. Unfortunately, these organizations may not yet have security practices in place to match the efficiency of large companies.”
Insiders have become the most-cited culprits of cybercrime – but in many cases, they unwittingly compromise data through loss of mobile devices or targeted phishing schemes. Respondents said incidents caused by current employees increased 10 percent, while those attributed to current and former service providers, consultants and contractors rose 15 percent and 17 percent, respectively. “Many organizations often handle the consequences of insider cybercrime internally instead of involving law enforcement or legal charges. In doing so, they may leave other organizations vulnerable if they hire these employees in the future,” added Bragdon.
Meanwhile, high-profile attacks by nation-states, organized crime and competitors are among the least frequent incidents, yet are among the fastest-growing cyber threats. This year, respondents who reported a compromise by nation-states increased 86 percent – and these incidents are also the most likely to be under-reported. The survey also found a striking 64 percent increase in security incidents attributed to competitors, some of whom may be backed by nation-states.
Effective security awareness requires top-down commitment and communication, which the survey finds are often lacking across organizations. Only 49 percent of respondents say their organization has a cross-organization team that regularly convenes to discuss, coordinate, and communicate information security issues.
PwC notes that it is critical for companies to focus on rapid detection of security intrusions and on an effective, timely response. Given today’s interconnected business ecosystem, it is just as important to establish policies and processes governing third parties that interact with the business.
“Cyber risks will never be completely eliminated, and with the rising tide of cybercrime, organizations must remain vigilant and agile in the face of a constantly evolving landscape,” said PwC’s Burg. “Organizations must shift from security that focuses on prevention and controls, to a risk-based approach that prioritizes an organization’s most valuable assets and its most relevant threats. Investing in robust internal security awareness policies and processes will be critical to the ongoing success of any organization.”
To download a copy of the 2015 Global State of Information Security Survey and learn more about PwC’s capabilities, visit: http://pwc.to/GSISS15
NOTE TO EDITORS
Proper citation of the study is “The Global State of Information Security® Survey 2015, a worldwide survey by CIO, CSO and PwC.” Source must include CIO, CSO and PwC. Survey results will also be covered in depth on CIO.com and CSOonline.com in October.
The Global State of Information Security® Survey 2015 is a worldwide study by PwC, CIO and CSO. It was conducted online from March 27, 2014 to May 25, 2014. Readers of CIO and CSO and clients of PwC from around the globe were invited via e-mail to take the survey. The results discussed in this report are based on responses of more than 9,700 CEOs, CFOs, CIOs, CISOs, CSOs, VPs, and directors of IT and security practices from more than 154 countries. Thirty-five percent of respondents are from North America, 34 percent from Europe, 14 percent from Asia Pacific, 13 percent from South America, and four percent from the Middle East and Africa. The margin of error is less than one percent.
About CIO and CSO
CIO is the premier content and community resource for information technology executives and leaders thriving and prospering in this fast-paced era of IT transformation in the enterprise. The award-winning CIO portfolio—CIO.com, CIO magazine (launched in 1987), CIO executive programs, CIO marketing services, CIO Forum on LinkedIn and CIO primary research—provides business technology leaders with analysis and insight on information technology trends and a keen understanding of IT’s role in achieving business goals. Additionally, CIO provides opportunities for IT solution providers to reach this executive IT audience. CIO is published by IDG Enterprise, a subsidiary of International Data Group (IDG), the world’s leading media, events, and research company. Company information is available at www.idgenterprise.com.
CSO is the premier content and community resource for security decision-makers leading “business risk management” efforts within their organization. For more than a decade, CSO’s award-winning Web site (CSOonline.com), executive conferences, marketing services and research have equipped security decision-makers to mitigate both IT and corporate/physical risk for their organizations and provided opportunities for security vendors looking to reach this audience. To assist CSOs in educating their organizations’ employees on corporate and personal security practices, CSO also produces the quarterly newsletter Security Smart. CSO is published by IDG Enterprise, a subsidiary of International Data Group (IDG), the world’s leading media, events and research company. Company information is available at www.idgenterprise.com.
The Global State of Information Security® is a registered trademark of International Data Group, Inc.
About PwC’s Advisory Practice
PwC’s Advisory professionals across consulting, deals and forensics create value for our clients by helping them address their most complex business issues, from strategy through execution. We understand our clients’ industries and unique business challenges, and look across the entire organization—focusing on strategy, structure, people, process and technology—to help clients build their next competitive advantage. Our firm’s global network of assurance, tax and advisory professionals means that we can bring the right skills and capabilities to help our clients achieve success anywhere around the world. See www.pwc.com/us/consulting for more information or follow us @PwCAdvisory.
About PwC US
PwC US helps organizations and individuals create the value they’re looking for. We’re a member of the PwC network of firms in 157 countries with more than 184,000 people. We’re committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com/US. Gain customized access to our insights by downloading our thought leadership app: PwC’s 365™ Advancing business thinking every day.
© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC US refers to the US member firm, and PwC may refer to either the PwC network of firms or the US member firm. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.