PwC study sees IT security spending drop

By Erin Ayers on October 6, 2014

Despite increased security threats, a recent report from PricewaterhouseCoopers found that average information security budgets for businesses dropped slightly this year, after rising steadily in the last three years.

“Strategic security spending demands that businesses identify and invest in cybersecurity practices that are most relevant to today’s advanced attacks,” said Mark Lobel, PwC advisory principal for information security. “It’s critical to fund processes that fully integrate predictive, preventive, detective and incident-response capabilities to minimize the impact of these incidents.”

Digging deeper into the data, PwC noted that the drop can be attributed to companies with less than $100 million in revenue that said they had cut investments in IT security by 20% since 2013. Mid-sized and larger businesses reported upping spending by 5%. PwC expressed concern at the lower investment from smaller companies, arguably those that have fewer resources to deal with security breaches. There could also be another explanation, the study added.

“In 2013, organizations reported very significant increases in spending over 2012, expanding IT investments by 40% and security spending by an even more substantial 51%. It could be that this year’s respondents were hard-pressed to continue investments at that accelerated pace,” PwC commented. The study also suggested that companies are unwilling to risk their fragile economic recoveries just yet, or they’re reaching a state of “fatigue” on security issues.

The risk exists and must be addressed, PwC asserted. Large organizations – with gross annual revenues of $1 billion or more – reported detection of 44 percent more incidents in 2014. Medium-sized organizations – with revenues of $100 million to $1 billion – saw an even bigger increase in incidents, at 64 percent. Financial losses also vary for companies based on size.

“Large companies have been more likely targets for threat actors since they offer more valuable information, and thus detect more incidents,” said Bob Bragdon, publisher of CSO, a sponsor of the study. “However, as large companies implement more effective security measures, threat actors are increasing their assaults on middle-tier companies. Unfortunately, these organizations may not yet have security practices in place to match the efficiency of large companies.”

The research shows decreases in spending across most industries, but particularly in the areas of aerospace and defense; technology; automotive; and retail and consumer products. PwC commented that there may be an opportunity to improve organizational understanding and spending by making clear the value of preparation, as well as communicating the need more effectively to boards of directors – just 40 percent of respondents said their boards are involved in the security budget process, suggesting that funding might not be a priority.

“We also believe many organizations struggle to understand how much to spend on security and how to determine the return on investments of their security outlay. In part, that’s because there is no definitive data on current security risks to help inform a security spending strategy,” PwC said.

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at erin.ayers@zywave.com.