PricewaterhouseCoopers did a survey of 9,700 executives from around the world and came to a mind-boggling, and very disconcerting conclusion. Cyber security breaches have hit 177,339 per day.
That’s PER DAY!
The results were put into a report titled The Global State of Information Security Survey 2015, a Worldwide Survey by CIO, CSO and PwC. It says since the first of the year, the number of incidents has jumped 48%. Put to numbers that’s 42.8 million. Those are incidents and not the number of identifications, credit card numbers, social security numbers, addresses, etc. stolen.
It gets worse. From 2009 to today the growth rate in incidents is at 66%.
The survey’s report says: “These numbers are by no means definitive, however, they represent only the total incidents detected and reported.” More on that in a bit.
Here are some statistics:
- Businesses with $1 billion a year or more in income saw 44% more incidents than last year.
- Those with $100 million in income or less saw 5% fewer incidents.
- Losses of $20 million or more have risen 92% this year.
The report indicates this is good news for small companies but possibly bad news for consumers. “The reasons are not immediately clear, but one explanation [why] may be that small companies are investing less in information security, which may leave them both incapable of detecting incidents, and a more tempting target to cyber adversaries.”
On a global scale the average reported loss is $2.7 million. That’s up 34% from 2013.
You’d think with the huge financial costs of a data breach that companies — of any size — would be all over technology to improve security. But it’s not. PwC’s report said spending on security actually fell 4% this year and is still 4% or less of the information technology budgets for most companies.
PwC’s David Berg said, “Cyber risks will never be completely eliminated, and with the rising tide of cybercrime, organizations must remain vigilant and agile in the face of a constantly evolving landscape. Organizations must shift from security that focuses on prevention and controls, to a risk-based approach that prioritizes an organization's most valuable assets and its most relevant threats. Investing in robust internal security awareness policies and processes will be critical to the ongoing success of any organization.”
That said, in spite of all efforts to prevent breaches, speakers at the recent National Risk Retention Association conference said it’s not if a breach will happen to a company — it’s when.
And that goes for large companies and small.
One of the many panelists Ryan Johnson of Alvarez & Marshal said companies must be prepared and have their ducks in a row so they can better respond when it — finally — happens. “It's getting your incident response policy lined up, it's having counsel lined up, it's having a third party expert lined up so that when it happens, you follow your process. … Preferably that expert and that council know enough about your organization that it's not starting from zero when they get the phone call,” he said.
Sources: Insurance Business America, Business Insurance, Insurance Network News