Today, most organisations realise that cybersecurity has become a persistent, all-encompassing business risk. Yet even as the frequency and cost of security incidents continue to rise, our survey found that many organisations have not updated critical information security processes and technologies, nor their employee training programmes.
In some cases, it appears that information security programmes have weakened due to inadequate investments in information security. At the same time, the financial costs of investigating and mitigating incidents grow year over year.
Compromises by insiders—current and former employees, as well as third parties with trusted network access—continue to rise, but many organisations have not implemented processes and technologies to address internal incidents. No matter how secure an organisation’s network and data, it will be open to compromise if third parties do not employ equivalent security and privacy safeguards. Another worrisome finding is a diminished commitment to employee training and awareness programmes.
Find out what basic security safeguards businesses can implement to manage today’s elevated threats.
The total number of security incidents detected by respondents climbed to 42.8 million this year, an increase of 48% from 2013. Taking a longer view, our survey data shows that detected security incidents have grown at a compound annual growth rate (CAGR) of 66% since 2009.
These numbers are by no means definitive, however; they represent only the incidents that were detected and reported, so the true count is almost certainly higher. Many organisations are unaware of attacks against them, while others do not report detected incidents for strategic reasons or because the attack is being investigated as a matter of national security.
The annual financial costs of investigating and mitigating security incidents increased substantially this year, particularly among large organisations. It’s also worth noting that the number of respondents reporting losses of $20 million or more almost doubled over 2013.
The rise in security incidents accounts for some of this increase in financial losses, of course. But another explanation is that today's more sophisticated compromises often extend beyond IT to other areas of the business, so reported losses may now include the cost of remediating customer impacts, not just operational disruption.
This year, survey respondents cited employees more often than any other threat actor as the source of security incidents.
Employees are not the only source of insider threats, however. A growing number of respondents attribute incidents to third parties with trusted access to networks and data, including current and former service providers, consultants, and contractors.
The jump in insider incidents may carry serious implications, because incidents caused by internal actors are often more costly or damaging than compromises perpetrated by external groups. When organisations overlook the threats residing inside their own ecosystems, the effects can be devastating. Yet many companies do not have an insider-threat programme in place, and are therefore not prepared to prevent, detect, and respond to internal threats.
Information security spending is not keeping pace with increases in the frequency and cost of security incidents, despite elevated concerns about cyber risks. In fact, information security budgets declined 4% from 2013.
Small organisations, in particular, are cutting security spending: companies with revenues of less than $100 million reduced security investment by 20% from 2013. Medium-size organisations (revenues of $100 million to $1 billion) and large companies (revenues greater than $1 billion) report only a modest 5% increase in security spending.
Regardless of company size, security spending as a percentage of total IT budget has remained very low, and shows no signs of increasing.
As security risks rise, organisations should implement the processes and technologies needed to prevent and protect against elevated threats, and to detect and respond to those that get through.
Among prevention and protection safeguards, areas to consider strengthening include due diligence of third-party providers, employee security awareness and training programmes, and technologies such as patch-management tools, intrusion-prevention tools, and controls on privileged user access. It is worrisome that implementation of these key safeguards has declined since 2013.
We also found notable regressions in detection and response processes and technologies, including malicious-code detection tools, monitoring and analysis of security intelligence, and intrusion-detection tools.
And despite the media attention following a series of high-profile retailer breaches, many organisations have not yet elevated information security to a Board-level discussion. Fewer than half (42%) of respondents say their Board actively participates in the overall security strategy and 36% say the Board is involved in security policies. In the wake of yet another massive retailer breach, Boards are starting to ask more questions about cybersecurity readiness.
While we found significant declines in many security practices over the past year, we also identified gains in some important areas.
Organisations are beginning to understand the strategic value of external collaboration to improve security and threat intelligence. This year, 55% of respondents say they collaborate with others to improve security. Larger companies, which often have more mature security programmes, are more likely to collaborate than smaller organisations. Security executives tell us that collaboration with entities like Information Sharing and Analysis Centers (ISACs), industry associations, and government agencies can be a very valuable risk-awareness tool.
Respondents also are taking steps to improve mobile-device security programmes. More than half (54%) of respondents say they have implemented a mobile security strategy, and 47% say they employ mobile-device management (MDM) or mobile-application management (MAM) solutions.
Adoption of cyber insurance as a tool to help manage security risks continues to rise. More than half (51%) of respondents say they have purchased cybersecurity insurance. And among those that have done so, many are taking steps to enhance their security posture in order to lower their insurance premiums.