Small firms may be ‘incapable of detecting’ cyber security incidents: report

By Canadian Underwriter | October 1, 2014 | Last updated on October 30, 2024

The cost of managing and mitigating information technology security breaches is increasing, with average financial losses for large firms participating in a survey at $5.9 million in 2014, PricewaterhouseCoopers LLP suggested in a report released Tuesday.

The Global State of Information Security Survey 2015 was compiled in conjunction with CXO Media Inc.’s CIO and CSO magazines, which cover information technology. It was based on responses to a survey of more than 9,700 chief executive officers, chief financial officers, chief information officers, chief information security officers, chief security officers, vice presidents and directors of IT and security practices.

Respondents were asked to provide the number of detected security incidents in 2014 and 2013 and PwC broke it down by company size. Respondents from large companies (with annual revenue of more than $1 billion) reported 13,138 incidents in 2014, up 44% from 9,155 in 2013. All figures are in U.S. dollars.

“Threat actors often target large organizations because they typically offer a rich trove of information — including trade-strategy documents, intellectual property related to product design, and large volumes of consumer data — that can be exploited, sold, or used for economic or military gain,” according to the report. “Larger companies also typically have more mature security processes and technologies in place, which allows them to uncover more incidents.”

Respondents from medium-sized companies (with annual revenue between $100 million and $1 billion) reported 4,227 incidents in 2014, up from 2,581 in 2013. Respondents from companies with less than $100 million in annual revenues reported 1,091 detected incidents in 2014, down from 1,151 in 2013.

“One explanation may be that small companies are investing less in information security, which may leave them both incapable of detecting incidents and a more tempting target to cyber adversaries,” PwC said.

PwC got responses from professionals in 154 countries and 35% of respondents were in North America.

Worldwide, the “annual estimated reported average financial loss attributed to cybersecurity incidents” was $2.7 million, up 34% from 2013, PwC reported.

Average financial losses for large firms were $5.9 million in 2014, up from $3.9 million in 2013. Mid-sized firms reported their average financial loss was $1.3 million in 2014, up from $1 million in 2013. Respondents from small firms reported losses of $410,000 in 2014, down from $650,000 in 2013.

“Financial impact may include decreased revenues, disruption of business systems, regulatory penalties, and erosion of customers,” PwC stated. “Non-financial impact may include reputational damage, the pirating of products, diversion of research and development information, impacts to innovation, stolen product designs or prototypes, theft of business and manufacturing processes, as well as loss of sensitive information such as M&A plans and corporate strategy.”

Despite the results, “the survey found that global information security budgets actually decreased four percent compared with 2013,” according to the report. “Security spending as a percentage of IT budget has remained stalled at 4 percent or less for the past five years.”
