Security Spending Continues to Run a Step Behind the Threats
Wed, October 16, 2013
CSO — Security professionals are being hammered by a powerful combination of forces: As IT systems get more difficult to defend--more open, mobile and shared--cyber-threats are also evolving to more swiftly penetrate enterprise defenses.
That is one of the core findings of the 11th annual Global Information Security Survey, conducted by PricewaterhouseCoopers and CSO. The survey also found that despite many of the more than 9,600 execs surveyed saying that their organizations have increased IT security spending, the number of attacks they're enduring and the costs of those attacks keep rising. And not only are attacks increasing, but so are the costs per incident, with the average losses per incident up 23 percent year over year. The number of those reporting losses of greater than 10 million per incident is up 75 percent from just two years ago.
An Abundance of (Over)confidence
Despite those setbacks, this year's survey reveals an unexpectedly high level of confidence in the robustness of respondents' security efforts. A whopping 84 percent of CEOs and 82 percent of CIOs believe their programs are effective in their current state. Even CISOs, a traditionally cautious bunch, are only slightly less sure, with 78 percent expressing confidence.
This optimism is maintained despite the fact that the number of security incidents detected has risen considerably year over year: from 2,989 reported in 2012 to 3,741 in 2013. A full 18 percent of respondents report not knowing the number of incidents they detected.
This isn't to say that enterprises aren't taking many of the right steps to protect their data--they are. The survey shows that even those enterprises that haven't been taking adequate precautions plan to do a better job in the future. Many report they'll soon be setting minimum security standards for external partners, customers and suppliers, as well as instituting employee security awareness training programs.
Not surprisingly, many security practitioners disagree with this year's survey respondents about the overall state of IT security. "The bad guys basically go where they want to go and do what they want to do, and they're not being stopped. Maybe for every one organization that's effectively stopping attacks, there are 100 that are being breached," estimates Eric Cowperthwaite, CISO of Providence Health and Services.
When those breaches do occur, the impact remains high: 35 percent of respondents report that employee records were compromised, 31 percent report customer records were compromised or unavailable, and 29 percent say internal records were lost or damaged. Also significant: reports of lost or damaged internal records this year jumped 100 percent from last year.