Firms cut security spending despite breaches, says PwC survey

Information security budgets in Indian companies declined by 17 per cent even as business losses due to security breaches increased by 20 per cent in 2014.

According to a survey done by PricewaterhouseCoopers, the average cost due to security incidents for Indian companies more than doubled from $194 in 2013 to $414 in 2014.

However, at the same time, Indian companies have reduced the average spending to $4 million in 2014 from $4.8 million in the previous year.

“It seems counter-intuitive that even though threats have become more frequent and damaging, organisations have not increased their security spending.

"We also believe that many organisations struggle to understand how much to spend on security and how to determine the return-on-investment of their security outlay,” said the report.

“In part, that’s because there is no definitive data on current security risks to help inform a security spending strategy.”

The report was prepared as PwC’s State of the Information Security Survey, 2015.

The Indian edition of the survey was based on the responses from over 350 C-suite executives including vice-presidents and directors of IT and Information Security spanning across 17 industries.

The survey found that the total number of security incidents detected just by the respondents in 2014 was over one million this year, which translates to 2,800 attacks per day, every day.

However, it said, the total incidents could be much more.

What could be more alarming is that at least one in five respondents (22 per cent) in India claimed to have experienced security breaches caused by organised crime groups, much higher than the global average of 15 per cent.

Organised crime groups

are typically motivated by financial gain.

In-line with global trends, the survey found a two-fold increase in the number of respondents in India this year who said they have been compromised by nation-states.

“Given the ability of nation-state adversaries to carry out attacks without detection, we believe the volume of compromises is, in all probability, under-reported.”

The battle against nation-state crimes is compounded by the fact that timely sharing of cyber-threat intelligence is a challenge for most countries.

Only a few countries including the US, Canada, the UK, Australia and New Zealand have the ability to effectively share cyber-attack information with companies headquartered in their respective countries, it said.

While the respondents were unanimous with the fact that the current and former employees are the most common causes of security breaches, a whopping 40 per cent of them said even competitors are responsible for security incidents.

This, according to the report, is doubled from last year’s figure.

Despite the gravity of the security threat, interestingly enough almost 37 per cent of respondents cited board-level leadership as an obstacle in enhancing overall strategic effectiveness of the organisation.

“Cyber security is no longer an issue that concerns only IT and security professionals.

"The impact has extended to the C-suite and boardroom. It is now a persistent business risk.

"Awareness and concern about such security incidents and threats are a priority for the consumers as well,” said Sivarama Krishnan, executive director and leader, India Cyber Security, Governance Risk and Compliance Services.

“At the heart of organisational security is the ‘human parameter.’ Organisations in India need to increase engagement levels with employees to manage this better,” he added.