Information security incidents continue to rise in cost and frequency while budgets decrease, according to a new study by PwC, CIO and CSO.
The report, “The Global State of Information Security Survey 2015, a Worldwide Survey by CIO, CSO and PwC,” says the number of reported security incidents increased 48 percent this year to 42.8 million, which equates to 117,339 attacks per day.
The survey of 9,700 business and technology executives worldwide, conducted online from March to May 2014, shows that the compound annual growth rate of detected security incidents has risen 66 percent year over year since 2009.
“It’s not surprising that reported security breach incidents and the associated financial impact continue to rise year-over-year,” David Burg, PwC’s global and U.S. advisory cybersecurity leader, said in a statement. “However, the actual magnitude of these breaches is much higher when considering the nature of detection and reporting of these incidents.”
As security incidents grow in frequency, the associated costs of managing and mitigating those breaches are also increasing, the report says. Globally, the estimated reported average financial loss from cybersecurity incidents was $2.7 million, a 34 percent jump over 2013.
Big losses have been more common this year, as the number of organizations reporting financial hits of more than $20 million rose 92 percent. While risk has become universal, the survey shows that financial losses vary widely by organizational size.
Despite elevated concerns about security, the survey also finds that global information security budgets actually decreased 4 percent when compared with 2013. Security spending as a percentage of IT budget has remained stalled at 4 percent or less for the past five years.
“Strategic security spending demands that businesses identify and invest in cybersecurity practices that are most relevant to today’s advanced attacks,” Mark Lobel, PwC advisory principal focused on information security, said in a statement. “It’s critical to fund processes that fully integrate predictive, preventive, detective and incident-response capabilities to minimize the impact of these incidents.”