Indian enterprises reduced their average security spending to $4 million in 2014 from $4.8 million in 2013, said PwC.
The decrease in security spending comes despite a 100 percent increase in the average cost of a security incident to $414 in 2014 and a 20 percent increase in average losses.
PwC’s State of the Information Security Survey – India 2015 said that current and former employees have been cited by respondents to the survey as the most common causes of incidents.
HIGHLIGHTS OF THE PwC REPORT
Rising year-on-year incident cost:
The PwC report said there’s been a 20 percent increase in the average losses as a consequence of security breaches and the average cost per incident increased from $194 to $414. However, there’s been a decline in the average security budgets as compared to the last year. The rise in the average cost of incidents is primarily a consequence of sophisticated compromises, often extending beyond IT to other areas of the business.
Insiders remain the most common causes of incidents:
Current and former employees have been cited by respondents as the most common causes of incidents. Loss of data through associations with customers and vendors also contributes to a reasonable chunk of incidents caused by insiders. The lack of effective mechanisms to manage risks to data stemming from third parties is largely responsible.
Challenges to effective cyber security:
Almost 37 percent of respondents cited board level leadership as an obstacle in enhancing overall strategic effectiveness of the organization. The lack of leadership to set a clear direction for the overall information security strategy, along with insufficient capital and operating expenditures, represent the major areas of concern for organizations today.
The lack of board level involvement in key areas of security – 49 percent of respondents believe that their board is involved in defining the security budget, moreover, 39 percent believe that their board actively participates in reviewing current security and privacy risks – indicates that organizations have not elevated information security to a board level issue.
Employee and Customer records continue to be the top targets of cyber attacks:
The breach of employee (45 percent) and customer records (42 percent) remained the most cited impacts of cyber-attacks. Compromise of customer records may interrupt smooth running of business, leave the organization exposed to legal action, result in loss of customers and may also damage the reputation of the organization.
Lack of focus on the human parameter:
Employee training and awareness is a fundamental component of every program, as the weakest link in the security chain is often the human resource. The problem mostly lies in the way organizations engage with their employees and the communication programmes they employ to generate awareness.
50 percent of respondents say that they have a cross-organizational team that regularly convenes to discuss, coordinate and communicate information security issues. Further, only 54 percent have an employee security awareness training programme, down from last year’s 56 percent.