With high-profile security breach disclosures becoming an almost every-day occurrence, you’d think that most businesses would be taking cyber security seriously by now. Sadly, that’s just not the case, a new study has revealed.
In reality, incidents of cybercrime and their associated financial costs are on the rise, yet organisations are still unprepared to deal with these threats, according to the 2014 U.S. State of Cybercrime Survey, a joint effort from business consulting firm PwC, the U.S. Secret Service, Carnegie Mellon University’s CERT Division, and CSO magazine. The study of more than 500 U.S. executives and security experts found that just 38 percent of companies have a risk- and impact-based strategy to prioritise security investments.
Organisations are also failing when it comes to shoring up threats posed by mobile devices, third-party providers, supply chains, and insiders. Even worse, most aren’t collaborating to share cyber-threat intelligence or educating their employees about the risks.
So how widespread is the problem, exactly? The study found that 77 percent of businesses suffered a security event in the past 12 months, and 34 percent of respondents said the number of these incidents has increased over the past year. On average, businesses detected 135 security incidents in the last 12 months. Fifty-nine percent of respondents said they were more concerned with security threats this year than they were the year before
Moreover, the actual cost of such events often remains a mystery. More than two-thirds (67 percent) of those who detected a security incident could not estimate the financial costs. Among those who could, the average monetary loss was pegged at $415,000.
Experts don’t expect the problem to get any better, either.
“The severity of cyber threats will continue to intensify as threat actors evolve and sharpen their skills and techniques,” David Burg, PwC’s cybersecurity advisory leader, said in a statement. “If history — and responses to this survey — are a guide, more organizations will fall victim to more costly cybercrime in the coming year. Organizations that take a strategic approach to cybersecurity spending can build a more effective cybersecurity practice, one that advances the ability to detect and quickly respond to incidents that are inevitable.”