PwC Urges Firms to Bolster Information Security as Risks Mount

  • Executives overestimate their companies’ cyber security levels.
  • Global security incidents rose by 25%, average financial losses up 18%.
  • Companies must improve the strength of their IT security technology to fight rising threats.
  • South America, Asia Pacific lead in security spending, practices, while Europe, US lag.
  • Threats advance faster than security.

BANGKOK, 16 January 2014 – Information technology security breaches rose 25% across the globe in the past year even as companies spent a record amount of money to stop them, according to The Global State of Information Security® 2014 by PwC in conjunction with CIO and CSO magazines.

Businesses must seek to ensure that they have robust information security safeguards in place to protect their operations as IT-related risks continue to rise despite a rise in overall security spending in the past year and increased confidence among executives in thwarting attacks.

Business leaders are overly optimistic about the strength of their security frameworks, the survey warned, adding adversaries are expected to outpace them unless companies actively update their security practices to keep pace with growing threats.

PwC’s 16th annual survey on The Global State of Information Security® 2014, which featured interviews with more than 9,600 top-ranking executives from 115 countries, found that the number of security incidents detected in the past 12 months rose 25% to 3,741. Average financial losses associated with security incidents also climbed 18% over the same period.

Average information security budgets totalled $4.3 million in 2013, a 51% jump from a year earlier. Despite this increase, however, security measures account for only 3.8% of the total IT spending.

Vilaiporn Taweelappontong, Partner at PwC Consulting (Thailand) Ltd, said the rise in global security incidents combined with outdated strategies that leave information technology systems vulnerable to attack are key challenges for companies.

“As security incidents in the world rise, so do the financial costs,” Vilaiporn said. “Many executives are still too optimistic about the strength of their information security systems. That leaves their businesses open to fraud and makes them less attractive to potential clients.”

“It’s also troubling to see that the number of companies that are unaware of security breaches has doubled over two years. This may be because they’re investing in outdated security solutions.”

According to the study, 74% of respondents believe their organisation’s security precautions are effective, with top executives even more optimistic. Thirty percent (30%) of respondents are from large organisations with more than $1 billion in revenue.

Optimism also runs high when half of respondents (50%) considered their organisation as ‘front-runners’ ahead of the pack in strategy and security practices, a 17% increase over last year. This means that they believe they have an effective strategy in place and are proactive in executing the information security plan.

However, the survey found that only 17% actually qualify as true information security leaders. PwC defines ‘leaders’ as companies that have an overall information security strategy; employ a chief information security officer (CISO) or equivalent in place; have measured and reviewed the effectiveness of their security in the last year; and understand exactly what types of security events have occurred.

While insiders, particularly current or former employees, are most likely to perpetrate security incidents, hackers (32%) lead the pack as a source of outsider security incidents, followed by competitors (14%), organised crime (12%), activist groups (10%), and terrorists (8%) among others.

Technologies move faster than security

As mobile devices, social media, and the cloud become commonplace both inside the enterprise and out, the survey found that the adoption of technology is moving faster than security.

Sira Intarakumthornchai, CEO for PwC Thailand, said that another key risk to data security is the surge in the use of smart phones, tablets, the “bring your own device” (BYOD) trend, and the proliferation of cloud computing.

Survey respondents indicate that efforts to implement mobile security programmes don’t show substantial gains over last year and continue to trail the increasing use of mobile devices.

“While the use of mobile devices has generated a massive flood of business data, but deployment of mobile security hasn’t actually kept pace with use,” Sira said.

According to the report, almost half (47%) of respondents use cloud computing, yet only 18% say they have policies governing cloud services. While most companies have implemented traditional security safeguards including VPNs, firewalls, encryption of desktop PCs, they’re less likely to have deployed tools that monitor data and networks to provide real-time intelligence about today’s risks.

Respondents say the top three obstacles to improving security in the long term include insufficient capital funding, inadequate understanding of how future business needs will impact security and a lack of leadership from the CEO, senior management and board members.

Looking at security spending outlook, the survey showed that nearly half of respondents expect security spending over the next 12 months will increase, up from 45% a year earlier.

Regionally, South America and Asia Pacific lead the world in security practices and performance. Sixty-six percent of South American and 60% of Asia-Pacific businesses expect to boost security spending over the next 12 months, while Europe and North America lag in many aspects.

“Asia-Pacific companies remain among the global leaders in security spending. Average budgets have increased 85% over last year, and our region spends the most on information security as a percentage of overall IT spending,” he said, citing the report.

Given today’s elevated threat landscape, it’s vital that Thai companies rethink security strategies so they are integrated with business needs and prioritised by top executives.

“Security models of the past will only take you so far,” Sira said. “We can’t defend future threats with yesterday’s strategies.”

Businesses should create a security culture that starts with top executives and cascades throughout the company and supply chain, Sira said. This involves engaging in public-private collaboration for enhanced threat intelligence.

“Today’s elevated risk landscape demands a new approach to security,” Sira said. “Otherwise Thai businesses will find themselves vulnerable to attack and risk entering the Asean Economic Community unprepared.”

-- END --

Notes to Editors:

Please reference the study as “The Global State of Information Security® Survey 2014, a worldwide survey by CIO, CSO and PwC.” Source line must include CIO magazine, CSO magazine and PwC. The coverage is available online at and Information about the survey is also available at

Survey Methodology

The Global State of Information Security® Survey 2014 is a worldwide study by PwC, CIO Magazine, and CSO Magazine. It was conducted online from 1 February to 1 April, 2013. Readers of CIO and CSO magazines and clients of PwC from around the globe were invited via email to take the survey. The results discussed in this report are based on the responses of more than 9,600 executives including CEOs, CFOs, CISOs, CIOs, CSOs, vice-presidents, and directors of IT and information security from 115 countries. Thirty-six percent of respondents were from North America, 26% from Europe, 21% from Asia Pacific, 16% from South America, and two percent (2%) from the Middle East and Africa. The margin of error is less than one percent.

About PwC’s Advisory Practice

PwC’s Advisory professionals across consulting, deals and forensics create value for our clients by helping them address their most complex business issues, from strategy through execution. We understand our clients’ industries and unique business challenges, and look across the entire organisation — focusing on strategy, structure, people, process and technology — to help clients build their next competitive advantage. Our firm’s global network of assurance, tax and advisory professionals means that we can bring the right skills and capabilities to help our clients achieve success anywhere around the world. See for more information.

About the PwC Network

PwC firms help organisations and individuals create the value they’re looking for. We’re a network of firms in 157 countries with more than 184,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at

About PwC Thailand

In Thailand, PwC has had a presence for more than 50 years. Our client base includes some of the largest Thai and multinational companies, as well as government institutions. We have more than 1,350 people working for our Bangkok-based office. Learn more about PwC Thailand by following us online: @PwC_TH and