Cybersecurity incidents around the world are becoming both more common and more costly for the targeted companies.
These days, it seems like hardly a day goes by without news reports of yet another data breach or other cybersecurity incident. To a significant extent, this trend is certainly due to the fact that media outlets, and the population at large, now appreciate how serious these events can be, and therefore more cybersecurity incidents are being reported. However, this alone does not explain data breaches’ upward trajectory. The fact of the matter is that cyberattacks are increasingly common and companies are suffering major damage as a result.
Recently, PricewaterhouseCoopers’ latest Global State of Information Security Survey highlighted the scope and extent of this trend. According to this report, cybersecurity incidents around the world are becoming both more common and more costly for the targeted companies. This suggests that firms of all kinds should increase their investment in cybersecurity initiatives, including employee security awareness training efforts.
An alarming trend
The PwC survey, involving responses from nearly 10,000 C-level executives and IT decision-makers from around the globe, revealed in stark terms just how big a problem cybersecurity has become for companies of all kinds. According to PwC, 2014 saw 42.8 million cybersecurity-related incidents – a 48 percent increase over 2013. Over the past six years, these incidents have experienced a 66 percent compound annual growth rate.
At the same time, the cost per breach is also rising. Among large enterprises, defined as companies with more than $1 billion in revenue, the average cost per incident reached $5.9 million in 2014, up from $3.9 million the year before. The number of respondents whose companies experienced data security losses of $20 million or more nearly doubled between 2013 and 2014.
An unsatisfactory response
Somewhat surprisingly, the PwC survey also found that despite the rise in cybersecurity failures, many companies have actually decreased their focus on and investment in this area. In 2014, the average information security budget among respondents’ organizations stood at $4.1 million. The year before, though, businesses spent an average of $4.3 million on these efforts. As the report noted, last year’s drop represents the end of a three-year trend toward growing information security budgets.
Furthermore, the report found that most companies’ Boards of Directors are not involved with cybersecurity, despite how much of an impact these incidents can have on organizations’ reputations and bottom lines.
One of the most significant of the report’s findings is the role that employees often play in the realm of cybersecurity incidents.
“[I]nsiders – current and former employees, in particular – have become the most-cited culprits of cybercrime,” the report stated.
However, this does not suggest a sudden rash of malevolent workers committing espionage. As PwC explained, many of these cases represent incidents in which workers inadvertently exposed sensitive corporate data or fell victim to phishing schemes. The report also noted that approximately one-third of respondents said insider-based cyberincidents were more damaging than cyberattacks originating outside the company. Despite this, many firms have not established insider-threat programs specifically to account for these problems.
As the PwC study makes clear, cybersecurity is now a virtually universal concern. Businesses of all kinds cannot afford to ignore or downplay the threats they face, as cyberattacks are becoming increasingly common and damaging. And while last year saw a dip in cybersecurity spending among survey respondents, it seems very unlikely that this downward trend will continue. The cybersecurity landscape is simply too risky – enterprises will have no choice but to adopt preventative measures in order to remain safe and competitive.
The question is how organizations should go about improving their cybersecurity capabilities. Ultimately, the best approach must be comprehensive in nature. It’s not possible for a company to become and remain fully secure in the coming years by focusing on only one aspect of data protection.
Furthermore, it’s imperative for firms to make employee information security awareness campaigns a high-level priority. By embracing these efforts, organizations can provide their workers with the knowledge and skills they need to avoid cybersecurity-related mistakes, such as falling victim to phishing schemes or failing to use suitably strong passwords. By cutting down on risks in these areas via recurring, focused employee training, companies around the world will be far less likely to experience a devastating breach in the coming months and years.