Are we all getting a little weary of stories about major data breaches at giant retailers or health care providers? A new survey released at the end of September sheds some interesting light on the state of information security. Considering the ever-growing threat of cybercrime, some of the findings in the survey are perhaps surprising, or at least puzzling—most notably that while security incidents are on the rise, IT security spending has fallen.
The Global State of Information Security Survey 2015, produced by PwC, in conjunction with CIO and CSO magazines, notes that globally detected information security incidents rose 48 percent over the past year. Meanwhile, IT security spending overall is down 4 percent. There are several reasons suggested for this mismatch, such as that IT budgets were already in place before the current rise in threats, that previous years saw increases in security spending, and that current security spending might be targeted on the most important data.
What is clear from the survey is that the cost of data breaches to organizations is also on the rise. Estimated losses from cybersecurity incidents rose 34 percent to an average of $2.7 million per incident. In addition, data breaches with large financial losses in excess of $20 million also rose sharply, almost doubling from the previous year’s survey. As reported in the survey results, “Financial impact may include decreased revenues, disruption of business systems, regulatory penalties, and erosion of customers.”
We’ve probably all read about or seen on the news stories of major data breaches and the results. The Target data breach from last year has been reported to have cost the company $148 million, including consulting and legal fees and credit monitoring services offered to customers. The company is still struggling with sluggish stock prices and sales in store, and some analysts suggest that the long-term cost to the retail chain will be much higher.
More recently, Home Depot’s data breach hit the newswires. This incident was ongoing for at least four months, with customer credit card information from stores being stolen and leaving the corporate network—all without the company’s IT department ever knowing. While it’s too soon to estimate a cost for this breach to Home Depot, numerous lawsuits have been filed already, which will drive up the amount in legal fees and potential settlements.
So, are the hackers really that good, or are the companies being hit really that bad? With the continuing coverage going to this topic, it seems unlikely that IT departments are unaware of the risks to their environments. In the consumer sector, it’s been reported that there’s a fatigue factor; that is, hearing so much about data breaches has caused consumers to stop caring, to not be concerned, because eventually any place can be breached.
A recent article in the Washington Post looks at the Home Depot breach as well as JP Morgan and says that neither organization seems to be suffering the expected reputational hit as a result of their security failures. Customers ultimately prefer the ease of shopping or doing business with known institutions. Part of the reason could be the incorrect assumption that “lightning never strikes twice”—so if an organization has been hit, their security will be much better, although that isn’t necessarily true. Add to that the generally correct belief that it’s the credit card companies that are going to bear the costs of stolen card numbers anyway, and consumers have little reason to fear shopping where they choose.
So in considering why IT organizations continue to have exposure to these breaches through known vulnerabilities, I have to ask: Does some of that fatigue factor spill over into the IT environment as well? Do IT pros feel it’s inevitable that their systems will be compromised by some form of cyber attack? Or are security professionals hamstrung by small budgets, too many projects, and lack of C-level support or understanding of what the real issues and solutions are?
The Global State of Information Security Survey includes a lot of interesting data that makes it well worth the read. Cyber attacks hit all sizes of business and business verticals, and come from traditional hackers/hacktivists as well as organized crime and foreign states—not to mention the internal threats, which can be malicious or accidental. Although data security isn’t only an IT issue, IT will be held accountable, so it’s worth the effort to investigate the options for hardening your environment before a breach occurs, and institute regular auditing and change management procedures that will help identify any problems as soon as they crop up.