Study: Security Incident Rates Increase as Security Budgets Drop
IT's security spending is not keeping up with the reported 42.8 million security incidents in PwC's enterprise survey.
According to a recent IT enterprise poll, security incidents have jumped 48 percent in the last year. And while the incidents have dramatically jumped up, enterprise security spending has dropped 4 percent since 2013.
The findings, published today in a report by IT consultant firm PwC titled "The Global State of Information Security Survey 2015," polled 9,700 CEOs CFOs and IT personnel from 154 countries over a period between March and May of this year. Those responding to the poll detected 42.8 million security incidents for the first half of the year in their enterprises, leading to an increased hit in the monetary losses department.
PwC's report found that those respondents reporting losses of more than $20 million has doubled since 2013 -- a statistic that the firm finds troubling. "It's not surprising that reported security breach incidents and the associated financial impact continue to rise year-over-year," said PwC's David Burg. "However, the actual magnitude of these breaches is much higher when considering the nature of detection and reporting of these incidents."
The leading cause of security incidents come from the employees, according to the report. Just as the number of incidents has risen, so have the employee-responsiblebreaches, which increased from 31 percent last year to 35 percent this year. PwC found that insider threats end up being more costly than third party attackers and that the majority of enterprises lack an "insider threat" component to their security plans.
And going by slashed IT budges for security, it appears many enterprises won't be able to add an insider threat component. While the overall decline of 4 percent doesn't sound like a drastic reduction, breaking out the numbers based on enterprise sizes are much more alarming. Companies with revenue less than $100 million (small-sized enterprises) actually saw a reduction in IT security spending by 20 percent.
With the rise of attacks against businesses of all sizes, a reduction of spending will only result in incidents costing more in the end, said PwC. "Strategic security spending demands that businesses identify and invest in cybersecurity practices that are most relevant to today's advanced attacks," said PwC Security Advisor Mark Lobel. "It's critical to fund processes that fully integrate predictive, preventive, detective and incident-response capabilities to minimize the impact of these incidents."
What shouldn't be a surprise is that with the decline in spending also comes with a lack of overall security focus. PwC's study found that many organizations saw a drop in updating or supplementing their existing security strategies with "code-detection tools, monitoring and analysis of security intelligence, and intrusion-detection tools."
The full report (PDF) can be downloaded here.