The war on information security is worsening: organisations are now defending yesterday, while their adversaries are exploiting the threats of tomorrow.
This is the alarming finding from The Global State of Information Security Survey 2014, released today by PwC and conducted in conjunction with CIO and CSO magazines.
The study is based on a global survey of more than 9600 business, security and IT executives - with 49 respondents from New Zealand.
PwC security and technology partner Colin Slater says, “Businesses are being outpaced and outsmarted by determined attackers who are deploying the latest technologies to cause harm.
“Encouragingly, organisations are spending more and recognise the importance of information security, yet need to stop fighting security battles of today with the tools and strategies of yesterday to increase their effectiveness.”
This year’s survey found the number of security incidents detected in the past 12 months has increased by 25 percent over last year, while the average financial costs of incidents are up 18 percent.
Asia Pacific remains the pacesetter in security spending and practices.
Security investment is strong, according to the survey findings. Average security budgets have increased 85 percent over last year, and at 4.3 percent, Asia Pacific reports the highest IS budget as a percent of overall IT spending.
Respondents are optimistic about future IS spend, with 60 percent stating their security budget will increase over the next 12 months.
However, average financial losses due to security incidents are up 28 percent over last year.
Respondents say the top three obstacles to improving security are: insufficient capital funding, a lack of vision on how future business needs will impact security, and a lack of leadership from the CEO or board.
“Surprisingly, CEOs were most likely to name themselves as the greatest obstacle to improving their organisations’ information security practices, with the majority of CFOs in agreement,” says Slater.
Most respondents cite insiders, particularly current or former employees, as a source of security incidents. While many believe nation-states cause the most threats, only 4 percent of respondents cited them, whereas 32 percent pinpoint hackers as a source of outsider security incidents.
“New Zealand businesses should pay heed to these global findings. We may be geographically isolated, but in this online and digitally connected world we’re just as vulnerable to threats as businesses in the US, UK, Australia or China.
“We can’t afford to be naive to the risks we face as the costs and complexities of responding to attacks continue to rise. Looking at the recent public sector focus, The Government CIO has been instrumental in establishing a stronger understanding of the relative issues. We can look at this approach as something to elevate the thinking and help us get at least onto the curve of understanding these risks,” says Slater.
Alarmingly, the survey found financial losses are accelerating sharply among those that report a high-dollar value impact: respondents who reported losses of US$10 million-plus have increased by more than 50 percent since 2011.
“New models of information security strategies and practices are needed to be better prepared. This also means coming to the realisation that safeguarding everything to the same threat level is no longer possible. Businesses need to identify and prioritise what’s most important to them and focus their resources on protecting that,” says Slater.
PwC recommends organisations rethink their security strategy so that it is integrated with business needs and prioritised by business leaders.
“Eighty percent of respondents told us their information security spend is aligned to business objectives. It suggests business leaders are beginning to understand how IT security impacts their bottom line. But business leaders need to go a step further and create a culture of security awareness throughout their organisations to increase knowledge and vigilance. Collaboration, with those inside and even outside your business, is becoming a key weapon in fighting back.”
As in the previous two years, the report cites the security risk of the adoption of mobile technology tools such as smartphones, tablets and cloud services.
Efforts to implement mobile security programs continue to trail the increasing use of mobile devices, while of the 4 percent of respondents who use cloud computing, only 18 percent say they have policies for governing its use.
“Technology and how we use it is constantly evolving. We need to find the optimal point between being afraid to adopt new technologies that will increase our competitive positions, and seriously addressing security implications,” says Slater.