Information Security

According to the Global State of Information Security® Survey 2015, the number of reported security incidents increased by 48% in 2014. Employees were the most cited culprits of these incidents. Surprisingly, information security budgets decreased slightly in 2014, and declines were also reported in fundamental security practices.

The survey was a worldwide study by PricewaterhouseCoopers (PwC), Chief Information Officer (CIO) magazine, and Chief Security Officer (CSO) magazine. The results were based on the responses of more than 9,700 CEOs, CFOs, CIOs, CISOs, CSOs, VPs, and directors of IT, and represented the security practices from more than 154 countries.

Thirty-five percent of respondents were from North America, 34% from Europe, 14% from Asia Pacific, 13% from South America, and 4% from the Middle East and Africa. An overview of the report is provided below. To see the full report, go to this PwC web page.

Incidents and Financial Impact Continue to Soar

According to the report, the total number of security incidents detected by respondents climbed to 42.8 million in 2014, an increase of 48% from 2013. The survey data showed that detected security incidents have grown at a compound annual growth rate of 66% since 2009.

These numbers aren’t definitive since they represent only the total incidents detected and reported. It’s important to note that many organizations are unaware of attacks, while others do not report detected incidents for strategic reasons, or because the attack is being investigated as a matter of national security.

The annual financial costs of investigating and mitigating security incidents increased substantially last year, particularly among large organizations. Also, the number of respondents reporting losses of $20 million or more almost doubled over 2013.

The rise in security incidents accounts for some of this increase in financial losses. Another explanation is that today’s more sophisticated compromises often extend beyond IT to other areas of the business, so financial losses may now include remediation of customer-facing impacts rather than just operational disruptions.

Employees are the Most-Cited Culprits of Incidents

The survey respondents pointed the finger at employees more than any other threat actors, making them the most-cited culprits of security incidents.

However, employees are not the only source of insider threats. A growing number of respondents attribute incidents to third parties with trusted access to networks and data, including current and former service providers, consultants, and contractors.

The jump in insider incidents may carry serious implications because crimes caused by internal actors are often more costly or damaging than compromises perpetrated by external groups. When organizations overlook the threats residing inside their systems, the effects can be devastating. Yet many companies do not have an insider-threat program in place, and are therefore not prepared to prevent, detect, and respond to internal threats.

As Incidents Rise, Security Spending Falls

Information security spending is not keeping pace with increases in the frequency and costs of security incidents, despite elevated concerns about cyber risks. In fact, investments in information security budgets declined 4% over 2013.

Small organizations, in particular, are not spending on security. Companies with revenues less than $100 million reduced security investments by 20% over 2013. Medium-size organizations (revenues of $100 million to $1 billion) and large companies (revenues greater than $1 billion) report a modest 5% increase in security spending.

Regardless of company size, security spending as a percentage of the total IT budget has remained very low, and shows no signs of increasing.

Declines in Fundamental Security Practices

As security risks rise, organizations should seek to implement the necessary processes and technologies to prevent, protect, detect, and respond to elevated threats.

Among prevention and protection safeguards, areas to consider strengthening include due diligence of third-party providers, employee security awareness and training programs, and technologies such as patch-management tools, intrusion-prevention tools, and privileged user access. It is a concern that implementation of these key safeguards has declined over 2013.

The study also found notable regressions in detection and response processes and technologies, including malicious code-detection tools, monitoring and analysis of security intelligence, and intrusion-detection tools.

And, despite the media attention following a series of high-profile retailer breaches, many organizations have not yet elevated information security to a Board-level discussion. Fewer than half of respondents say their Board actively participates in the overall security strategy and only a third say the Board is involved in security policies.

Gains in Some Security Initiatives

While the study found significant declines in many security practices over the past year, it also identified gains in some important areas.

Organizations are beginning to understand the strategic value of external collaboration to improve security and threat intelligence. This year, more than half of the respondents say they collaborate with others to improve security. Larger companies, which often have more mature security programs, are more likely to collaborate than smaller organizations.

Respondents also are taking steps to improve mobile-device security programs. More than half of respondents say they have implemented a mobile security strategy, and nearly half say they employ mobile-device management or mobile-application management solutions.

Adoption of cyber insurance as a tool to help manage security risks continues to rise. More than half of respondents say they have purchased cybersecurity insurance. And, among those that have done so, many are taking steps to enhance their security posture in order to lower their insurance premium.

The Global State of Information Security® is a registered trademark of International Data Group, Inc.