PwC Reports Growing Cyber Security Issues

October 3, 2014

The number of reported information security incidents around the world rose 48 percent to 42.8 million, the equivalent of 117,339 attacks per day, in 2013, according to The Global State of Information Security Survey 2015, released yesterday [Oct 2] by PwC.

A spokesperson said, “The survey was discussed at the ISACA Bermuda chapter’s annual cybersecurity conference today at the Royal Hamilton Amateur Dinghy Club, featuring guest speaker Kristen Hayduk, Advisory Security Manager for PwC US. Ms. Hayduk discussed several steps companies can take toward a strategic security programme, including identifying your most valuable information assets.

“Detected security incidents have increased 66 percent year over year since 2009, the survey data indicates. And employees have become the most-cited culprits of cybercrime – but in many cases, they unwittingly compromise data through loss of mobile devices or targeted phishing schemes.”

“Strategic security spending demands that businesses identify and invest in cybersecurity practices that are most relevant to today’s advanced attacks,” explained Garth Calow, PwC Bermuda Advisory leader. “It’s critical to fund processes that fully integrate predictive, preventive, detective and incident-response capabilities to minimise the impact of these incidents.”

“But despite elevated concerns, the survey found that global information security budgets actually decreased four percent compared with 2013. Security spending as a percentage of IT budget has remained stalled at 4 percent or less for the past five years.”

Matt Britten, PwC Bermuda managing director, Risk & Controls, said, “Cyber risks will never be completely eliminated, and with the rising tide of cybercrime, organisations must remain vigilant and agile in the face of a constantly evolving landscape.

“Organisations must shift from security that focuses on prevention and controls, to a risk-based approach that prioritises an organisation’s most valuable assets and its most relevant threats. Investing in robust internal security awareness policies and processes will be critical to the ongoing success of any organisation.”

“Over the past 12 months, virtually every industry sector across the globe has been hit by some type of cyber threat. As the survey notes, assaults on major retailers reached epic levels in the past year, resulting in the theft of hundreds of millions of customer payment card records, a rash of litigation, and a rush to adopt a new payment card standard in the US.

“In the UK, payroll information and bank account numbers of 100,000 employees of a supermarket chain were stolen by a company insider and published online.

“As security incidents become more frequent, the associated costs of managing and mitigating breaches are also increasing. Globally, the estimated reported average financial loss from cybersecurity incidents was $2.7 million – a 34 percent increase over 2013. Big losses have been more common this year as organizations reporting financial hits in excess of $20 million nearly doubled.”

Kristen Hayduk, Advisory Security Manager for PwC US and Matt Britten, PwC Bermuda managing director, Risk & Controls


“Organisations of all sizes and industries are aware of the serious risks involved with cybersecurity; however, larger companies detect more incidents. Large organizations – with gross annual revenues of $1 billion or more – detected 44 percent more incidents this year. Medium-sized organisations – with revenues of $100 million to $1 billion – witnessed a 64 percent increase in the number of incidents detected.”

“Large companies have been more likely targets for threat actors since they offer more valuable information, and thus detect more incidents,” said Bob Bragdon, publisher of CSO. “However, as large companies implement more effective security measures, threat actors are increasing their assaults on middle-tier companies.

“Unfortunately, these organizations may not yet have security practices in place to match the efficiency of large companies.”

“Respondents said incidents caused by current employees increased 10 percent, while those attributed to current and former service providers, consultants and contractors rose 15 percent and 17 percent, respectively. Many organisations often handle the consequences of insider cybercrime internally instead of involving law enforcement or legal charges.

“In doing so, they may leave other organisations vulnerable if they hire these employees in the future.

“Meanwhile, high profile attacks by nation-states, organised crime and competitors are among the least frequent incidents, yet the fastest-growing cyber threats. This year, respondents who reported a cyber-attack by nation-states increased 86 percent – and those incidents are also most likely under-reported.

“The survey also found a striking 64 percent increase in security incidents attributed to competitors, some of whom may be backed by nation-states.

“Effective security awareness requires top-down commitment and communication, a tactic that the survey finds is often lacking across organisations. Only 49 percent of respondents say their organization has a cross-organization team that regularly convenes to discuss, coordinate, and communicate information security issues.

“PwC notes that it is critical for companies to focus on rapid detection of security intrusions and having an effective, timely response. Given today’s interconnected business ecosystem, it is just as important to establish policies and processes regarding third parties that interact with the business.

“To download a copy of the 2015 Global State of Information Security Survey and learn more about PwC’s capabilities, visit the PwC website.”


Comments (1)


  1. mj says:

    Have there been any reported “cyber” cases in Bermuda, also any “Cyberbullying” a visit to MSA where workshops were held??????? Any particular reason why “CYBER”bullying is being looked at when we have in your face shootings and fightings along Front Street at a rate that it's becoming the norm??? Why are all these people needed to prevent something that is optional when we have real humanity issues face to face that we have forgotten how to communicate with each other!!!!! Surprised no effort was made to figure out why are young men are shooting at one another? tsk tsk, anyone being cyber bullied is not mature enough to be in cyber space, these are words on a screen reality really needs a check here for all the manpower used for the advent of the INTERNET!!