PwC - Cybersecurity Incidents More Frequent and Costly, but Budgets Decline


PwC, CIO and CSO Global State of Information Security® Survey 2015 shows impact extends to C-suite and boardroom, with insider incidents and high-profile crimes increasing



The number of reported information security incidents around the world rose 48 percent to 42.8 million, the equivalent of 117,339 attacks per day in 2013, according to The Global State of Information Security® Survey 2015, released today by PwC, in conjunction with CIO and CSO magazines. Detected security incidents have increased 66 percent year-over-year since 2009, the survey data indicates.

“It’s not surprising that reported security breach incidents and the associated financial impact continue to rise year-over-year. However, the actual magnitude of these breaches is much higher when considering the nature of detection and reporting of these incidents. The number of undetected or unreported incidents is also significant,” explained Vincent Villers, partner, Cybersecurity and Information Security Leader at PwC Luxembourg.

The rising costs of security incidents
As security incidents become more frequent, the associated costs of managing and mitigating breaches are also increasing. Globally, the estimated reported average financial loss from cybersecurity incidents was $2.7 million – a 34 percent increase over 2013. Big losses have been more common this year as organizations reporting financial hits in excess of $20 million nearly doubled.

But despite elevated concerns, the survey found that global information security budgets actually decreased four percent compared with 2013. Security spending as a percentage of IT budget has remained stalled at 4 percent or less for the past five years.

“Strategic security spending demands that businesses identify and invest in cybersecurity practices that are most relevant to today’s advanced attacks. It’s critical to have a strong governance and security management system, based on technologies that fully integrate predictive, preventive, detective and incident-response capabilities to minimize the impact of these incidents,” said Vincent Villers.

Organizations of all sizes and industries are aware of the serious risks involved with cybersecurity; however, larger companies detect more incidents. Large organizations – with gross annual revenues of $1 billion or more – detected 44 percent more incidents this year. Medium-sized organizations – with revenues of $100 million to $1 billion – witnessed a 64 percent increase in the number of incidents detected. And while risk has become universal, the survey found that financial losses also vary widely by organizational size.

“Large companies have been more likely targets for threat actors since they offer more valuable information, and thus detect more incidents. However, as large companies implement more effective security measures, threat actors are increasing their assaults on middle-tier companies. Unfortunately, these organizations may not yet have security practices in place to match the efficiency of large companies,” added Vincent Villers.

Increased incidents caused by insiders
Insiders have become the most-cited culprits of cybercrime – but in many cases, they unwittingly compromise data through loss of mobile devices or targeted phishing schemes. Respondents said incidents caused by current employees increased 10 percent, while those attributed to current and former service providers, consultants and contractors rose 15 percent and 17 percent, respectively.

“Organizations often handle the consequences of insider cybercrime internally instead of involving law enforcement or legal charges. In doing so, they may leave other organizations vulnerable if they hire these employees in the future. Regulations exist and institutions, such as the CIRCL (Computer Incident Response Center Luxembourg), are here to help companies, in confidentiality. These figures prove a company must raise awareness amongst its employees and inform them on a regular basis of the latest threats,” said Ludovic Raymond, Cybersecurity and Information Security senior manager at PwC Luxembourg.

Meanwhile, high-profile attacks by nation-states, organized crime and competitors are among the least frequent incidents, yet the fastest-growing cyber threats. This year, respondents who reported a cyber-attack by nation-states increased 86 percent – and those incidents are also most likely under-reported. The survey also found a striking 64 percent increase in security incidents attributed to competitors, some of whom may be backed by nation-states.

Communicate on information security issues
Effective security awareness requires top-down commitment and communication, a tactic that the survey finds is often lacking across organizations. Only 49 percent of respondents say their organization has a cross-organizational team that regularly convenes to discuss, coordinate, and communicate information security issues.

PwC notes that it is critical for companies to focus on rapid detection of security intrusions and to have an effective, timely response. Given today’s interconnected business ecosystem, it is just as important to establish policies and processes regarding third parties that interact with the business.

“Cyber risks will never be completely eliminated, and with the rising tide of cybercrime, organizations must remain vigilant and agile in the face of a constantly evolving landscape. Organizations must shift from security that focuses on prevention and controls, to a risk-based approach that prioritizes an organization’s most valuable assets and its most relevant threats. Investing in robust internal security awareness policies and processes will be critical to the ongoing success of any organization,” concluded Vincent Villers.

To download a copy of the 2015 Global State of Information Security Survey and learn more about PwC’s capabilities, visit: www.pwc.lu
