Shock Fall in Security Spending as Incidents Rise 48%

The number of reported “security incidents” worldwide rose 48% this year to reach over 40 million, but despite the growing risk and expense associated with data breaches, security spending dropped, according to PwC.

The consultancy’s Global State of Information Security Survey 2015 revealed that security incidents stood at 42.8 million as of May 2014 – the equivalent of 117,339 attacks each day. The CAGR of incidents has risen 66% since 2009.

Attacks are also getting more expensive to deal with. The report claimed that the estimated global average cost of a cybersecurity incident is now $2.7m – a 34% increase from the previous report in 2013.

Organizations reporting losses in excess of $20m rose to a whopping 92%.

Yet despite the obvious increased risk of attack and the rising costs, security budgets appear to be on the wane.

PwC said that globally budgets have dropped by 4%, and that as a percentage of the total IT budget, security has remained at 4% or less for the past five years.

“Strategic security spending demands that businesses identify and invest in cybersecurity practices that are most relevant to today’s advanced attacks,” said PwC advisory principal Mark Lobel in a statement.

“It’s critical to fund processes that fully integrate predictive, preventive, detective and incident-response capabilities to minimize the impact of these incidents.”

Darren Anstee, director of solutions architects at Arbor Networks, expressed surprise at the drop in spending.

“Businesses need to look closely at the risks they face, and the potential costs associated to them, so the value of security spending is appreciated throughout the entire management chain all the way to board level,” he added.

“By investing in the appropriate solutions, training and processes organisations can minimize their risk, and reduce the longevity and cost of any breach.”

David Robinson, chief security officer at Fujitsu UK & Ireland, added that no organization can afford to make an error when it comes to cyber defense.

“If an organisation knows the value of what it has to protect, then it can make clear business decisions based on risk as to the value of commensurate investment needed,” he added. “A good way to start looking at this and understand the size of the issue is to get a Security Risk assessment.”

What’s Hot on Infosecurity Magazine?