False sense of security – Detection of information security breaches drops in Canada
TORONTO, Nov. 27, 2014 /CNW/ - The number of reported information security incidents around the world rose 48% to 42.8 million, the equivalent of 117,339 attacks per day in 2014, according to The Global State of Information Security® Survey 2015, a worldwide survey by CIO, CSO and PwC. The survey also indicated that the compound annual growth rate (CAGR) of detected security incidents increased 66% year over year since 2009. This rate of increase has outpaced the combined corresponding growth of the global Gross Domestic Product (GDP) and smartphone adoption.
With today's growing sophistication of security breaches, it's estimated that as many as 71% of compromises go undetected.1 Salim Hasham, Partner and National Cyber Security Leader, PwC, says "The rate of growth isn't surprising. This is only the tip of the iceberg when it comes to an organization's ability to detect cyber incidents or even quantifying true losses."
Mr. Hasham continues, "The underlying issue lies with the underinvestment in the capability to go beyond trying to just protect critical digital assets towards a need to establish the ability to identify incidents as a better indicator."
What's going on in Canada?
The survey found a reduced detection rate of 15% when it comes to identifying information security incidents in Canada, compared to 2013. The number of reported incidents dropped by 22% for large organizations and 21% for medium organizations.
However, the detection rates in small Canadian organizations have increased by 311% over 2013. "This improvement is critical for Canada overall, given the proportion of our economy served by this sector, and the fact that many of our large and medium-sized organizations are serviced by smaller ones. This helps to address an increasing avenue of attack in the supply chain process," says Mr. Hasham.
Cost of cybercrime
The estimated global cost of cybercrime for incidents reported this year is more than $23 billion. These only account for the detected security incidents. The survey indicated that the global cost of security compromises is ultimately unknowable because many attacks are not reported and the value of certain kinds of information (e.g. intellectual property and trade secrets) is very difficult to ascertain.
The World Bank estimated that loss of trade secrets may range from $749 billion to as high as $2.2 trillion annually.2 Big losses have been more common this year as organizations reporting financial hits of $20 million or more increased 92% globally and 27% in Canada over 2013.
In Canada, small organizations increased their spending on information security (IS) by 21% compared to 2013 and detected 311% more incidents over 2013. They correspondingly improved their ability to quantify their financial losses, which are reported to have increased by over 15%.
Medium companies reported a 21% decrease in detected incidents despite a 74% increase in IS budget, compared to the previous year. Their estimated total for financial losses due to all security incidents, however, dropped by 81% – further reinforcing the false perception that things are improving.
This is equally true for large Canadian organizations where the rate of detected incidents fell 22% since 2013, with a corresponding IS budget reduction of 26% and the estimated total for financial losses as a result of all security incidents dropping by 82%.
Thieves inside and out
The top three most cited sources of security incidents, both globally and in Canada, are: current employees (35% in Canada and globally); former employees (33% in Canada and 30% globally); hackers (26% in Canada and 24% globally). In Canada, threats from former employees and from current service providers jumped by 32% over 2013.
In terms of external sources of incidents in Canada, reported incidents caused by hackers decreased 26% over 2013, while incidents stemming from information brokers increased 78% (vs. 54% globally) and threats from activists (organizations and hacktivists) increased 62% over 2013.
High-profile attacks by nation-states, organized crime and competitors are among the least frequent incidents, yet are also among the fastest-growing cyber threats. This year, reported compromises by nation-states increased 86% globally (vs. nine per cent in Canada). In Canada, there was a 46% increase in security incidents attributed to competitors (vs. 64% globally), some of whom may be backed by nation-states.
"It's important to understand that threats are never unidirectional. They're becoming a blend of technology, people and processes – insiders and outsiders, direct and through supply chain. Simply having technology-based defences to protect information will not provide adequate protection," says Mr. Hasham.
Intelligent investment is needed
Organizations need to understand that cyber risks will never be completely eliminated but will continually evolve in sophistication. Organizations must remain vigilant and agile in the face of a constantly evolving landscape.
PwC's Cyber Security practice's Risk Assurance Leader, David Craig, says "It's critical for executive management to enable processes that fully integrate predictive, preventive, detective and timely incident-response capabilities to reduce the impact of inevitable security incidents. Investing in robust internal security awareness practices, including established procedures for third party providers, is essential in the current threat environment. Boards must trust that management is doing this work, but verify through active reviews. Overseeing an incident response exercise would be a good use of time."
"Overall, the increased detection of incidents should be expected, but it should also be used to drive management's quantification of the threat environment and potential losses. This should drive their direction, attention and investment," concludes Mr. Craig.
To access the full report, visit http://www.pwc.com/ca/security-survey.
The Global State of Information Security® Survey 2015 is a worldwide study by PwC, CIO and CSO. It was conducted online from March 27, 2014 to May 25, 2014. Readers of CIO and CSO and clients of PwC from around the globe were invited via e-mail to take the survey. The results discussed in this report are based on responses of more than 9,700 CEOs, CFOs, CIOs, CISOs, CSOs, VPs, and directors of IT and security practices from more than 154 countries. Thirty-five percent of respondents are from North America, 34 percent from Europe, 14 percent from Asia Pacific, 13 percent from South America, and four percent from the Middle East and Africa. The margin of error is less than one percent.
About CIO and CSO
CIO is the premier content and community resource for information technology executives and leaders thriving and prospering in this fast-paced era of IT transformation in the enterprise. The award-winning CIO portfolio—CIO.com, CIO magazine (launched in 1987), CIO executive programs, CIO marketing services, CIO Forum on LinkedIn and CIO primary research—provides business technology leaders with analysis and insight on information technology trends and a keen understanding of IT's role in achieving business goals. Additionally, CIO provides opportunities for IT solution providers to reach this executive IT audience. CIO is published by IDG Enterprise, a subsidiary of International Data Group (IDG), the world's leading media, events, and research company. Company information is available at www.idgenterprise.com.
CSO is the premier content and community resource for security decision-makers leading "business risk management" efforts within their organization. For more than a decade, CSO's award-winning Web site (CSOonline.com), executive conferences, marketing services and research have equipped security decision-makers to mitigate both IT and corporate/physical risk for their organizations and provided opportunities for security vendors looking to reach this audience. To assist CSOs in educating their organizations' employees on corporate and personal security practices, CSO also produces the quarterly newsletter Security Smart. CSO is published by IDG Enterprise, a subsidiary of International Data Group (IDG), the world's leading media, events and research company. Company information is available at www.idgenterprise.com.
The Global State of Information Security® is a registered trademark of International Data Group, Inc.
About PwC Canada
PwC Canada helps organizations and individuals create the value they're looking for. More than 5,800 partners and staff in offices across the country are committed to delivering quality in assurance, tax, consulting and deals services. PwC Canada is a member of the PwC network of firms with more than 195,000 people in 157 countries. Find out more by visiting us at www.pwc.com/ca.
© 2014 PricewaterhouseCoopers LLP, an Ontario limited liability partnership. All rights reserved.
PwC refers to the Canadian member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.
SOURCE: PwC Management Services LP