While information security risks have evolved dramatically, security strategies, typically compliance-based and perimeter-oriented, have not kept pace. In other words, most organisations are now defending yesterday, even as their adversaries exploit the vulnerabilities of tomorrow.

Security threats have become an increasingly critical business risk to global organisations, according to the Global State of Information Security Survey 2014 published by PwC in conjunction with CIO and CSO magazines. The number of respondents who report losses of $10 million-plus increased by 51 per cent since 2011.

The 11th annual survey showed that executives are finally heeding the need to fund enhanced security activities and have substantially improved technology safeguards, processes, and strategies, with average security budgets rising 51 per cent over 2012. Almost half (49 per cent) of the respondents trust that security spending over the next 12 months will continue to increase, up from 45 per cent last year. However, even though 74 per cent of the survey respondents believe their security activities are effective, security incidents have increased, as has the cost of breaches.

It seems that while many organisations have raised the bar on security, their adversaries have done better. Sophisticated intruders are bypassing outdated perimeter defences to perpetrate dynamic attacks that are highly targeted and difficult to detect. Well-researched phishing exploits are being used to target top executives, employee and customer data, compromising records that could potentially jeopardise an organisation’s most valuable relationships. These factors have combined to make information security progressively more complex and challenging. It has become a discipline that demands pioneering technologies and processes, a skill set based on counterintelligence techniques, and the unwavering support of top executives.

With this inevitable increase in the complexity of information security and the large number of hot-button technologies like cloud computing, mobility, and Bring Your Own Device (BYOD), which are being implemented before they are secured, the survey shows that the number of detected security incidents increased 25 per cent over the previous year.

While the use of mobile devices to share and transmit data continues to increase, the deployment of mobile security policies to implement mobile security programs does not show significant gains over last year and in some cases is actually declining.

Non-tangible assets such as intellectual property (IP) have increased in value, making them more appealing to cyber criminals. However, despite the increasing value of IP and the potential consequences of its loss, this year’s survey finds that many respondents do not adequately identify and safeguard their high-value information, and a mere 20 per cent have implemented procedures dedicated to protecting IP.

Survey results continue to show that, in some industries, policies to protect IP are actually declining.

Survey respondents identified the main obstacles as insufficient capital funding, an inadequate understanding of how future business needs will impact information security, a lack of committed leadership, and the lack of an effective security strategy.

The full report is accessible at www.pwc.com/gsiss2014.
