The number of reported information security incidents around the world rose 48% to 42.8 million, the equivalent of 117,339 attacks per day in 2014, according to The Global State of Information Security® Survey 2015, a worldwide survey by CIO, CSO and PwC. The survey also indicated that the compound annual growth rate (CAGR) of detected security incidents increased 66% year over year since 2009. This rate of increase has outpaced the combined corresponding growth of the global Gross Domestic Product (GDP) and smartphone adoption.
With today's growing sophistication of security breaches, it's estimated that as many as 71% of compromises go undetected.1 Salim Hasham, Partner and National Cyber Security Leader, PwC, says "The rate of growth isn't surprising. This is only the tip of the iceberg when it comes to an organization's ability to detect cyber incidents or even quantifying true losses."
Mr. Hasham continues, "The underlying issue lies with the underinvestment in the capability to go beyond trying to just protect critical digital assets towards a need to establish the ability to identify incidents as a better indicator."
What's going on in Canada?
The survey found a reduced detection rate of 15% when it comes to identifying information security incidents in Canada, compared to 2013. The number of reported incidents dropped by 22% for large organizations and 21% for medium organizations.
However, the detection rates in small Canadian organizations have increased by 311% over 2013. "This improvement is critical for Canada overall, given the proportion of our economy served by this sector, and the fact that many of our large and medium-sized organizations are serviced by smaller ones. This helps to address an increasing avenue of attack in the supply chain process," says Mr. Hasham.
Cost of cybercrime
The estimated global cost of cybercrime for incidents reported this year is more than $23 billion. These only account for the detected security incidents. The survey indicated that the global cost of security compromises is ultimately unknowable because many attacks are not reported and the value of certain kinds of information (e.g. intellectual property and trade secrets) is very difficult to ascertain.
The World Bank estimated that loss of trade secrets may range from $749 billion to as high as $2.2 trillion annually.2 Big losses have been more common this year as organizations reporting financial hits of $20 million or more increased 92% globally and 27% in Canada over 2013.
In Canada, small organizations increased their spending on information security (IS) by 21%, compared to 2013 and detected 311% more incidents over 2013. They correspondingly improved their ability to quantify their financial losses, which are reported to have increased by over 15%.
Medium companies reported a 21% decrease in detected incidents despite a 74% increase in IS budget, compared to the previous year. Their estimated total for financial losses due to all security incidents, however, dropped by 81% – further reinforcing the false perception that things are improving.
This is equally true for large Canadian organizations where the rate of detected incidents fell 22% since 2013, with a corresponding IS budget reduction of 26% and the estimated total for financial losses as a result of all security incidents dropping by 82%.
Thieves inside and out
The top three most cited sources of security incidents, both globally and in Canada, are: current employees (35% in Canada and globally); former employees (33% in Canada and 30% globally); hackers (26% in Canada and 24% globally). In Canada, threats from former employees and from current service providers jumped by 32% over 2013.
In terms of external sources of incidents in Canada, reported incidents caused by hackers decreased 26% over 2013, while incidents stemming from information brokers increased 78% (vs. 54% globally) and threats from activists (organizations and hacktivists) increased 62% over 2013.
High-profile attacks by nation-states, organized crime and competitors are among the least frequent incidents, yet are also among the fastest-growing cyber threats. This year, reported compromises by nation-states increased 86% globally (vs. nine per cent in Canada). In Canada, there was a 46% increase in security incidents attributed to competitors (vs. 64% globally), some of whom may be backed by nation-states.
"It's important to understand that threats are never unidirectional. They're becoming a blend of technology, people and processes – insiders and outsiders, direct and through supply chain. Simply having technology-based defences to protect information will not provide adequate protection," says Mr. Hasham.
Intelligent investment is needed
Organizations need to understand that cyber risks will never be completely eliminated but will continually evolve in sophistication. Organizations must remain vigilant and agile in the face of a constantly evolving landscape.
PwC's Cyber Security practice's Risk Assurance Leader, David Craig, says "It's critical for executive management to enable processes that fully integrate predictive, preventive, detective and timely incident-response capabilities to reduce the impact of inevitable security incidents. Investing in robust internal security awareness practices, including established procedures for third party providers, is essential in the current threat environment. Boards must trust that management is doing this work, but verify through active reviews. Overseeing an incident response exercise would be a good use of time."
"Overall, the increased detection of incidents should be expected, but it should also be used to drive management's quantification of the threat environment and potential losses. This should drive their direction, attention and investment," concludes Mr. Craig.