Information Security: New Survey Shows Worrisome Trends
With the constant barrage of security breach stories in the news, you would think that companies would be concerned – and spending more on their information security.
But that’s not the case, according to the 2015 Global State of Information Security Survey (GSISS).
The survey found that, despite more cyber threats and breach incidents than ever, information security spending actually decreased in 2014.
The average security budget was $4.1 million, a 4% decrease from 2013, and security spending amounted to just 3.8% of the overall IT budget.
The annual survey was conducted by PwC, a professional services network, together with CIO magazine and CSO magazine. More than 9,700 security, IT, and business executives from more than 154 countries participated.
The total number of reported security incidents was 42.8 million, a 48% increase over the previous year, or roughly 117,339 detected incidents every day.
Large organizations in the survey saw 44% more incidents in 2014, while medium-sized organizations saw a 64% increase in the number of incidents detected. Keep in mind that the survey counts detected incidents: part of this gap may reflect differences in detection capability rather than in the number of attacks, since large organizations generally have more mature security monitoring in place.
These incidents add up to an average financial loss from cyber security incidents of $2.7 million, a 34% increase from 2013.
At the same time, the number of survey respondents reporting losses of $20 million or more almost doubled compared to 2013.
The survey recommends a risk-based approach to information security, with processes that integrate predictive, preventive, detective, and incident-response capabilities. Here is a checklist of safeguards.
- Elevate information security to the Board level. Effective security awareness requires top-down commitment and communication, yet less than half (42%) of respondents say their Board is involved in the overall security strategy. Create a culture of security that starts at the top and includes a cross-organizational team that coordinates and communicates information security issues.
- Strengthen due diligence of third-party providers so that the information security risks they introduce are known and managed. Incidents attributed to current and former service providers, consultants, and contractors rose 15 to 17%. (The survey also showed a 64% increase in security incidents attributed to competitors.)
- Provide on-going security awareness and employee training programs. The survey showed that insiders are now the most cited culprits of cyber crime. (Here’s more information on occupational fraud.) Breach incidents caused by current employees increased 10%. Many of these breaches are accidental – employees lose mobile devices or are taken in by phishing scams – so training that covers device handling and phishing recognition is worthwhile.
- Develop better mobile device security. More than half of respondents report already having a mobile security strategy; 47% say they use mobile device management (MDM) solutions.
- Utilize protection technologies. These include patch-management software, intrusion prevention systems, and user access controls.
- Research cyber security insurance. More than half of respondents have purchased it as one way to help manage security risk, and an improved security posture can help lower the premium.
- Collaborate with others to improve security. Over half of survey respondents (55%) work with Information Sharing and Analysis Centers (ISACs), industry associations, government agencies, and other entities. Suppliers such as a reliable document destruction service can be helpful too.
Learn more about information security services for your workplace.