The number of security incidents is rising, as are associated costs to clean them up.
Global corporate security budgets, meanwhile, seem to be hiding in the closet, just hoping it all goes away.
The news of this depressing state of affairs comes courtesy of PwC’s Global State of Information Security Survey 2015, carried out in conjunction with CIO and CSO magazines and released this week.
The findings: in a worldwide survey of almost 10,000 executives and IT directors in 154 countries, respondents reported a total number of detected security incidents of 42.8 million.
That’s up a whopping 48% from 2013.
Since 2009, detected security incidents have grown at a compound annual growth rate (CAGR) of 66% year over year, PwC reports.
These numbers are on the low side, mind you, and reflect only those incidents that are detected.
Many organisations are unaware of attacks, while some incidents don’t get reported, either for strategic reasons or because the attacks are being investigated – sometimes as a matter of national security.
Even with numbers on the low side, this means that we’re seeing some 117,339 attacks coming in daily.
The costs of mop-ups are also blowing up – especially for large organisations.
The number of respondents who reported losses of $20 million or more to cover incident investigation and mitigation almost doubled from the 2013 figure, PwC says.
Why the inflation? Part of it, of course, is that there are far more incidents.
But PwC also suggests that the attacks are getting slicker, often extending beyond IT to other areas of the business, meaning that victimized organisations might now be stuck with the bill not just for whatever pain their operations suffered, but also for the pain inflicted on their customers as a result.
Well, if you’re at work, you can look to your right, then look to your left, and the chances that you’ll meet the gaze of a security threat are better than ever.
In fact, employees were the most-cited culprits for security incidents this year.
Survey respondents also pointed a finger at other insider threats, with a growing number attributing incidents to third parties with trusted access to networks and data, including current and former service providers, consultants, and contractors.
The FBI is nodding its head at this one: last month, the US Federal Bureau of Investigation put out a warning about employees with an axe to grind.
Those current or ex-employees are sticking it to their employers by destroying data, obtaining customer information, purchasing unauthorized goods through customer accounts, and similar, after remotely accessing company networks.
The FBI also reports the use of cloud storage tools such as Dropbox to steal trade secrets or proprietary software.
PwC says that the jump in insider incidents is particularly worrisome, given that such incidents can be costlier or more damaging than those caused by external factors.
Even though the results of insider threats can be devastating, PwC notes that many companies don’t have an insider threat programme and therefore aren’t prepared to prevent, detect or respond to internal threats.
That, in fact, is why Naked Security advises putting an incident-handling plan in place before a breach takes place, rather than after – a security necessity regardless of whether threats come from malicious insiders, insiders who make mistakes, or outsiders.
You would think that the increase in security incidents, plus the fact that the incidents are getting more expensive and causing more widely spread repercussions, would mean that boardrooms would be abuzz with the call for more money in security budgets.
Alas, there is not enough buzz. It’s more like crickets chirping in many boardrooms.
PwC survey respondents report that spending on information security isn’t keeping pace with increases in the frequency and costs of security incidents, despite elevated concerns about cyber risks.
Not only is spending not keeping pace, it’s actually developed a limp: infosec budgets declined, on average, 4% over 2013.
Specifically, investments in these safeguards declined:
- Due diligence of third-party providers
- Employee security awareness and training
- Patch-management tools
- Intrusion prevention tools
- Privileged-user access
- Malicious code detection tools
- Monitoring and analysis of security intelligence
- Intrusion-detection tools
Of course, where there is no boardroom discussion on these matters, there’s scanty chance that there will be a healthy infosec budget.
In fact, fewer than half – 42% – of respondents said that their board is involved in security policies.
As the report notes, direction’s got to come from the top:
Effective security awareness requires top-down commitment and communication, a tactic that the survey finds is often lacking across organizations. Only 49% of respondents say their organization has a cross-organizational team that regularly convenes to discuss, coordinate, and communicate information security issues.
Those conversations should be happening now.
Are they happening in your organisation?
If not, why not?
Please do share your thoughts in the comments section below.