The number of security incidents is rising, as are associated costs to clean them up.
Global corporate security budgets, meanwhile, seem to be hiding in the closet, just hoping it all goes away.
The news of this depressing state of affairs comes courtesy of PwC’s Global State of Information Security Survey 2015, carried out in conjunction with CIO and CSO magazines and released this week.
The findings: in a worldwide survey of almost 10,000 executives and IT directors in 154 countries, respondents reported 42.8 million detected security incidents in total.
That’s up a whopping 48% from 2013.
Since 2009, the number of detected security incidents has grown at a compound annual growth rate (CAGR) of 66%, PwC reports.
These numbers are on the low side, mind you, and reflect only those incidents that are detected.
Many organisations are unaware of attacks, while some incidents don’t get reported, either for strategic reasons or because the attacks are being investigated – sometimes as a matter of national security.
Even with numbers on the low side, that works out to some 117,339 detected incidents a day.
The costs of mop-ups are also blowing up – especially for large organisations.
The number of respondents who reported losses of $20 million or more to cover incident investigation and mitigation almost doubled from the 2013 figure, PwC says.
Why the inflation? Part of it, of course, is that there are far more incidents.
But PwC also suggests that the attacks are getting slicker, often extending beyond IT to other areas of the business, meaning that victimised organisations might now be stuck with the bill not just for whatever pain their own operations suffered, but also for the pain inflicted on their customers as a result.
Who’s responsible?
Well, if you’re at work, you can look to your right, then look to your left, and the chances that you’ll meet the gaze of a security threat are better than ever.
In fact, employees were the most-cited culprits for security incidents this year.
Survey respondents also pointed a finger at other insider threats, with a growing number attributing incidents to third parties with trusted access to networks and data, including current and former service providers, consultants, and contractors.
The FBI is nodding its head at this one: last month, the US Federal Bureau of Investigation put out a warning about employees with an axe to grind.
Those current or ex-employees are sticking it to their employers by destroying data, obtaining customer information, purchasing unauthorized goods through customer accounts, and similar, after remotely accessing company networks.
The FBI also reports the use of cloud storage tools such as Dropbox to steal trade secrets or proprietary software.
PwC says that the jump in insider incidents is particularly worrisome, given that such incidents can be costlier or more damaging than those caused by external actors.
Even though the results of insider threats can be devastating, PwC notes that many companies don’t have an insider threat programme and therefore aren’t prepared to prevent, detect or respond to internal threats.
That, in fact, is why Naked Security advises putting an incident-handling plan in place before a breach takes place, rather than after – a security necessity regardless of whether threats come from malicious insiders, insiders who make mistakes, or outsiders.
You would think that the increase in security incidents, plus the fact that the incidents are getting more expensive and causing more widely spread repercussions, would mean that boardrooms would be abuzz with the call for more money in security budgets.
Alas, there is not enough buzz. It’s more like crickets chirping in many boardrooms.
PwC survey respondents report that spending on information security isn’t keeping pace with increases in the frequency and costs of security incidents, despite elevated concerns about cyber risks.
Not only is spending not keeping pace, it’s actually developed a limp: infosec budgets declined, on average, 4% over 2013.
Specifically, investments in these safeguards declined:
- Due diligence of third-party providers
- Employee security awareness and training
- Patch-management tools
- Intrusion prevention tools
- Privileged-user access controls
- Malicious code detection tools
- Monitoring and analysis of security intelligence
- Intrusion-detection tools
Of course, where there is no boardroom discussion on these matters, there’s scanty chance that there will be a healthy infosec budget.
In fact, fewer than half – 42% – of respondents said that their board is involved in security policies.
As the report notes, direction’s got to come from the top:
Effective security awareness requires top-down commitment and communication, a tactic that the survey finds is often lacking across organizations. Only 49% of respondents say their organization has a cross-organizational team that regularly convenes to discuss, coordinate, and communicate information security issues.
Those conversations should be happening now.
Are they happening in your organisation?
If not, why not?
Please do share your thoughts in the comments section below.
The situation is unfortunate, but not really surprising. Corporate budgets are always tight. Competition requires tight budgets.
And security, what does it buy? From a cynical perspective, all it buys is the ability to continue to do business or a mitigation against possible risk. It provides no value to the bottom line. It’s a true cost, an out-of-pocket expense. And, the benefit is not in dollars. Well, not directly, anyhow.
The problem in many companies is that security is driven by budget, not by need. A chief financial officer (CFO) cannot justify a security budget increase based upon any reasonable cost/benefit analysis.
Well, except the benefit being that the company can stay in business.
This is why I am adamant that the chief security officer (CSO) needs to report to the chief executive officer (CEO), NOT the CFO. The goals of the CSO are diametrically opposed to those of the CFO. The CSO always needs money with no return on investment (ROI), whereas the CFO must always see a ROI for the money s/he spends.
The “we need security to stay in business” issue belongs to the CEO, not the CFO. They are the only people in the company in a position to make valid cost/benefit assessments.
NOTE: If the company has both a CSO and a chief information officer (CIO), the above holds as written. However, if there is no CSO, only a CIO, I would say that the situation needs to change. It makes sense that the CIO report through the CFO.
So, if my premises and logic above are valid, the CSO should be split out, if that makes financial sense (i.e. larger companies). Alternately, the CIO could wear both hats, but then should answer to the CEO. In my opinion, the CSO job is more important in the modern world than the CIO job.
One thing that might change that is if (when?) people start taking their business to a competitor because you haven’t invested in security.
Sadly, in some countries there aren’t disclosure laws, so people don’t know about security incidents in the first place; in some there are no freedom of information laws, so people can’t find out even if they want to; and in others, low income consumers end up without much choice of where to take their business (e.g. banking) even if they are uneasy about what the company might do with their data.
Paul wrote “One thing that might change that is if (when?) people start taking their business to a competitor because you haven’t invested in security.”
Think so? I haven’t stopped shopping at Target, will continue to shop at Home Depot, am continuing to shop at Harbor Freight, etc. And I’m pretty security-conscious.
I did use the word “might.” Of course, Target and Home Depot probably are investing heavily in security right now 🙂
Unfortunately, EVERYBODY is going to have security breaches.
What I look for is a company’s reaction to a breach, plus what they did to allow it in the first place. No matter how stupid they were to get breached, if they’re taking the right steps to correct things, I’ll give them another chance.
But, I want to hear about them taking “the right steps” from the security trade press, not from their communications department. I want the pros to pass judgment. Otherwise, it’s just spin. 3 examples (the good, the bad, and the ugly, if you will):
Target has taken solid steps towards fixing the root issues. The only step I don’t really agree with is using the CIO as a scapegoat, but that’s just my opinion. They are the “good”.
Home Depot hasn’t announced specific steps they’re taking, but they have kept in touch with the security press. I’ll call this the “bad”, but what I mean is they’re not all the way there yet (they should be further along than where they are, IMO).
Adobe is the “ugly”. They’ve made a habit out of ignoring or spinning their breach. To date, I can’t recall a single positive step they’ve announced to correct the root issues. It almost seems like they have the attitude “if we ignore it, maybe it will go away”.
I found myself in the US recently, strolling round a main shopping area over several days, and saw lots of shops and other businesses whose names I’d previously only seen in breach notifications – Nordstrom, PFChangs etc. I found myself avoiding them without question, even though I had a pocketful of cash and no need to use a card.
I’d class myself as “pretty security-conscious” too, but wasn’t worried about fraud, just put off using certain businesses by their bad reputations.
Sadly, I have been in the IT security business for over 30 years and see the same corporate (and don’t leave out government organizations either, as they are no different) behavior year after year. And the same articles bemoaning the failure of boards/CEOs/everyone with budget control to properly fund security, even after it smacks them with a cost an order of magnitude greater than a decade’s worth of good security funding.