Execs overestimate cybersecurity levels

1 Oct, 2012

Many business leaders are far too optimistic about their companies' ability to deal with security issues and cyber attacks, warns a report published by PwC, the professional services firm.

PwC's 2013 Global State of Information Security Survey reveals that executives are confident that they're winning the high-stakes game of information security and believe their companies are leaders in information security. But PwC says that there is a marked discrepancy between this optimism and reality.

Rather, it warns that the rise in global security incidents, diminished budgets and degrading security programmes have left organisations to deal with security risks that are neither well understood nor consistently addressed.

"Security models of the past decade are no longer effective. Today's rapidly evolving threat landscape represents a danger that shows no signs of diminishing, and businesses can no longer afford to play a game of chance," says Mark Lobel, principal in PwC's Advisory practice. "Companies that want to be information security leaders should prepare to play a new game – one that requires advanced skills and strategy to win against emerging threats."

Among the key findings in the report, which was published last week by PwC US in conjunction with CIO and CSO magazines, the majority of respondents said they are 'very' or 'somewhat' confident their organisations have instilled effective information security behaviours into their culture (68 per cent), and are 'very' or 'somewhat' confident their information security activities are effective (more than 70 per cent).

Yet, while nearly half of respondents (42 per cent) view their organisation as a "frontrunner" in information security strategy and execution, the survey finds that only 8 per cent actually qualify as true information security leaders.

PwC defines "leaders" as companies that have a chief information security officer (or CISO equivalent) who reports to the organisation's top executives, have an overall information security strategy in place, have measured and reviewed the effectiveness of their security in the last year, and understand exactly what types of security events have occurred.

"Clearly, many executives have unfounded confidence in their security capabilities," said Bob Bragdon, publisher of CSO. "In order to strengthen security practices, organisations must embrace a new way of thinking in which information security is both a means to protect data as well as an opportunity to create value to the organisation. Security strategies and security spending must be well-aligned with business goals."

Despite an increase in the number of respondents reporting 50 or more security-related incidents (13 per cent), fewer than half (45 per cent) expect an increase in their budgets in the next 12 months – down from 51 per cent and 52 per cent in 2011 and 2010, respectively.

In fact, the report shows that many companies actually decreased deployment of basic information security and privacy tools. Among the categories taking a hit were malicious code detection tools for spyware and adware, down to 71 per cent after topping out at 84 per cent in 2008, and intrusion detection tools, once in use by nearly two-thirds of respondents and now used by just over half.

"The decreased deployment of security and privacy tools is like playing a championship game with amateur sports equipment," says Mr Lobel. "Intruders are exploiting business ecosystems, leaving reputational, financial and competitive damage in their wake."

The survey also finds that most organisations are keeping looser tabs on their data today than in years past. While more than 80 per cent say protecting customer and employee data are important, far fewer understand what that data entails and where it is stored.

Fewer than 35 per cent of respondents said they have an accurate inventory of employee and customer personal data, and only 31 per cent reported they had an accurate accounting of locations and jurisdictions of stored data.

Finally, the study suggests that as mobile devices, social media, and the cloud become commonplace inside the enterprise and out, technology adoption is moving faster than security. PwC found that 88 per cent of consumers use a personal mobile device for both personal and work purposes, yet only 45 per cent of companies have a security strategy to address personal devices in the workplace and 37 per cent have malware protection for mobile devices.