PricewaterhouseCoopers, the global professional services group, recently completed and released their Global State of Information Security Survey for 2015.  The survey contains responses from over 9,700 security, IT, and business executives across several sectors and from around the world.  It provides some valuable insights into the scope of threats, the mindsets of business leaders, and the steps being taken to address and mitigate risks.

The headline finding was the 48% growth of detected security incidents in 2014 to a grand total of 42.8 million.  That’s an average of 117,339 incidents per day.  Despite this number, global spending on security fell 4% from 2013. 

The report notes that these incident figures are self-reported and only include attacks that were discovered.  Some firms might conceal the actual number of attacks to prevent reputational damage and potential legal and regulatory consequences.  It’s also certain that there remain a large number of attacks that go undetected.

Unsurprisingly, the number of detected attacks on large organizations (gross annual revenues of $1 billion or more) is much larger than the number on medium and small-sized organizations.  Large organizations present more enticing targets and typically have larger IT budgets allowing a greater capability to detect attacks.  To that end, the report also found that investment in security measures varies by organization size, with medium and large organizations increasing spending by modest amounts in 2014 and small organizations spending less than in 2013.

The authors correctly note that the drop in spending by small organizations presents a major problem since many large organizations contract with small ones.  Further, the study finds that only 50% of organizations perform risk assessments on third-party vendors and only 50% conducted an inventory of all third parties that handled personal data of customers and employees.  This is even more troubling when taking into account that 18% of all attacks in 2014 were attributed to current service providers, consultants, and contractors, and 15% to former ones.

Overall, the study found that insiders pose the largest threat to security, with 35% of incidents in 2014 attributed to current employees and 30% to former employees.  The next largest sources, according to the study, were hackers and competitors at 24%.  The threat from competitors seems to be increasing as the number of attacks attributed to them grew by 64% over 2013, with the main source of growth being in China, where 47% of all attacks were attributed to competitors.

The information security risk faced by the modern business is growing at a rapid rate.  Cybersecurity is an issue that affects all companies, regardless of industry.  While the full extent of the risks may be difficult to determine, reports such as this one serve as a valuable reminder that in order to protect vital business interests, companies need to invest in strategies and technologies to minimize their exposure to information security risks.