And when it comes to new threat vectors like mobile or cloud, technology adoption rates far outstrip security implementations.
PwC’s Global State of Information Security Survey 2013 reveals that the majority of respondents are very or somewhat confident their organizations have instilled effective information security behaviors into their culture (68%), and are very or somewhat confident their information security activities are effective (more than 70%). Yet, while nearly half of respondents (42%) view their organization as a "front-runner" in information security strategy and execution, the survey finds that only 8% actually qualify as true information security leaders.
"Security models of the past decade are no longer effective. Today's rapidly evolving threat landscape represents a danger that shows no signs of diminishing, and businesses can no longer afford to play a game of chance," said Mark Lobel, a principal in PwC's Advisory practice. "Companies that want to be information security leaders should prepare to play a new game – one that requires advanced skills and strategy to win against emerging threats."
Unfortunately, the money to play that new game may not be there. Despite an increase in the number of respondents reporting 50 or more security incidents (13%), fewer than half (45%) expect an increase in their budgets in the next 12 months – down from 51% and 52% in 2011 and 2010, respectively.
The economy, as ever, is wreaking havoc on business viability and pushing information security concerns far down the list. Accordingly, the survey shows that there is a decreasing deployment of basic information security and privacy tools. Among the categories taking a hit are malicious code detection tools for spyware and adware, down to 71% after topping out at 84% in 2008, and intrusion detection tools, once in use by nearly two-thirds of respondents and now used by just over half.
In today's world of "big data," the survey also finds that most organizations are keeping looser tabs on their data today than in years past. While more than 80% say protecting customer and employee data is important, far fewer understand what that data entails and where it is stored. Less than 35% of respondents said they have an accurate inventory of employee and customer personal data, and only 31% reported they had an accurate accounting of locations and jurisdictions of stored data.
“The decreased deployment of security and privacy tools is like playing a championship game with amateur sports equipment," said Lobel. "Intruders are exploiting business ecosystems, leaving reputational, financial and competitive damage in their wake. Today's information security leaders must acknowledge that playing the game at a higher level is required to achieve effective security. The very survival of the business demands that they understand, prepare for, and quickly respond to security threats."
Overall, technology adoption is moving faster than security. PwC has found that 88% of consumers use a personal mobile device for both personal and work purposes, yet only 45% of companies have a security strategy to address personal devices in the workplace, and just 37% have malware protection for mobile devices.
Despite an increase in the number of respondents reporting safeguards in place for mobile, social media, cloud computing, and policies covering the use of employee-owned devices, only 44% report having a mobile security strategy and less than 40% have strategies for the cloud and social media.
Geographically, Asia has the fewest respondents who expect a decrease in security budgets this year. Roughly 60% of Asia respondents expect to see an increase over the next 12 months. That's down from 74% in 2011, but still among the highest of any region. As for keeping up with new challenges, Asia rates highly for mobile security initiatives and cloud security strategy. North America, meanwhile, ties Asia for the lead in cloud security strategy and leads in mobile and social media security, PwC said.
Responses from North American firms also indicate that they are the least likely to outsource security functions. Further responses indicate North American organizations are the best at staying on plan when it comes to IT projects.