In 2014, the PwC Information Security Survey showed that 81% of organisations surveyed had reported a breach. This year the number rose to 91%. Is it possible that we are heading into a world where 100% of organisations are breached as a standard statistic?
Many in the hacking community claim, given the number of breaches that stay undetected, we are already there.
One day we may look back on the previous PwC reports with fondness and reminisce about the days when many of us could still view security incidents as a minor nuisance. But the 2015 threat report suggests that most of the organisations that exist in this new world of unavoidable compromise behave as if the old world still existed.
Status over Security
The survey highlights a number of areas where organisations may not be behaving as one would expect, reporting that businesses treat reputational risk following a security breach as a priority.
One could reasonably expect that in the face of prevalent and increasing cyber threat, there would be a resulting increase in the number of businesses actively performing risk assessments to uncover what risks are relevant to them, and the potential business impact. However, the use of risk assessments has decreased from 80% in 2014 to 68% this year.
A factor that may contribute to this seeming irregularity is that a significant number of security breaches (86%) are not publicly disclosed, reducing or removing the reputational impact. It may be sensible to predict that when mandatory disclosure arrives in 2017 following the proposed EU regulation, this picture will change.
However, one wonders just how the Data Protection Authorities will cope with the volume of reported breaches driven by mandatory reporting, if we extrapolate from current levels (1,814 reported to the ICO in 2014).
This is perhaps an example of how organisations make a judgment on the value of security that often prevents them from achieving secure outcomes. This behaviour is also visible in attitudes towards mobile.
Bring Your Own Device (BYOD)
There has been an increase in BYOD programmes by businesses, even though BYOD introduces greater risk than alternative models such as CYOD (Choose Your Own Device). The number of large organisations restricting access to corporate-owned devices fell from 44% in 2014 to 34% in 2015.
A principal driver for BYOD has always been employee demand, and it may be the correct choice for an organisation, but the PwC report shows that the number of security breaches originating from or involving mobile doubled from 2014 to 2015. The employee satisfaction trend is also evident when it comes to website access control, with the number of organisations blocking access to inappropriate websites falling from 45% in 2014 to 37% in 2015.
So whilst cyber threat has increased, demonstrated by a shift from common malware to targeted attacks, the prevailing risk appetite of organisations is still a dominant factor behind the report's trends. The vast majority of organisations place IT security as a high priority (92%), but just how high is the bar set? The report highlights that 28% of the worst security breaches occurred in part due to insufficient priority given by senior management, a fourfold increase from 2014!
If compromise is inevitable, perhaps a good measure for any business is whether its controls have been adequate to ensure that breaches are restricted to those deemed inevitable, whilst protecting the business from being the easier prey that the report highlights as being far too common.
For more information on Becrypt and their products, visit our website.
For further reading: