Price Waterhouse Coopers have just published a report about cybersecurity. Not about the attacks and threats themselves, but about how businesses are tackling the risks. Titled the Global State of Information Security Survey 2016, its key findings relate to measures such as external collaboration and cybersecurity insurance.
In summarising some of the main security strategies which companies are now adopting, the key ones identified are cloud-based cybersecurity, big data analytics, cybersecurity insurance, risk-based security framework and formal collaboration with others. The main point to take away from this element of the report is that corporate attitudes to cybersecurity are changing. No doubt thanks to the volume of highly-publicised breaches in the last twelve months, 91% are now adopting the risk-based approach, which amounts to acknowledging the likelihood of a breach and being prepared for it. This is evidenced in the finding that survey respondents have increased their information security budgets by an average of 24% in 2015. Around 50% are also investing in things such as employee awareness training, security standards for third parties, threat assessments and active monitoring of security intelligence.
A small amount of data regarding breaches taking place in 2015 was collected and showed that detected incidents rose by 38% compared to 2014 and that which of those incidents could be attributed to business partners increased by 22%. However, employees still remained the main human cause of breaches, with 84% of all incidents being attributed to them. The report also recognises ‘mergers and acquisitions’ as an emerging risk, highlighting nationality, industry and current security practices as the key factors to consider when incorporating other companies into security sensitive systems.
An element explored further than any other industry report is the use of cybersecurity insurance. The report boldly states ‘what can’t be protected can be insured’ and identifies it as one of the fastest-growing sectors in the insurance market. 59% of respondents confirmed they have cybersecurity insurance in place, covering things such as personal information, financial data, intellectual property, damage to brand reputation and the costs of incident response. The value of such policies is staggering; ranging from $10million to $100million dollars. However, if you consider the true cost of a large breach, particularly the damage to reputation and loss of business even $100million can be a paltry amount when it comes to the bigger corporations, such as Sony for example.
The most reassuring statistic in the report is that 91% of the companies surveyed are now using advanced authentication, benefiting customer confidence, compliance and of course, security. Unfortunately, little other information is given regarding the exact technological measures being put in place by the surveyed companies but we can at least be reassured that risk awareness and strategy are improving. It will be interesting to compare these findings to those presented in twelve months’ time. As we’ve seen in 2015, a lot can happen in cybersecurity in the space of a year.