The year since our previous Global Information Security Survey won't go down as one of the better years for information security. In fact, it may go down as one of the most grueling.
The payment card breaches hitting Target and Home Depot have been massive and the number of victims tallied in the hundreds of millions. The data breach bleed doesn't seem to ever let up. Most recently, nationwide sandwich shop Jimmy John's issued a breach notification. It's certainly not only payment cards that are getting hit hard, either. Healthcare services provider Community Health Systems Inc. reported theft of 4.5 million patient records over this past summer.
CSOs and their security teams were also forced to contend with many serious software vulnerabilities throughout the year. For instance, just last week, news of the Shellshock vulnerability, a flaw in Bash, the GNU Project's very widely used shell, put many enterprises on notice. Because of the number of apps and devices that use Bash, Shellshock could very well surpass the year's previous most pressing vulnerability, Heartbleed, which was a flaw found in the way previous versions of OpenSSL encrypted data traffic between a client and a server. The attack vector in the Community Health Systems Inc. breach was attributed to Heartbleed.
With that as the backdrop of the 12th annual Global State of Information Security Survey 2015, conducted by PricewaterhouseCoopers and CSO, some of the results were to be expected, while others are quite surprising. For instance, if all of these attacks and high-profile vulnerabilities have a bright side, it's that boards of directors at large companies continue to increase the amount of attention they pay to IT security. No surprise there. What is a surprise, however, is that IT security spending is down broadly by 4% year over year.
Respondents this year also say that they are detecting more breaches this year over last. The more than 9,700 security, IT, and business executives who participated in the survey reported that the number of incidents that they're detecting climbed to 42.8 million this year, an increase of 48%. According to the report authors, the compound annual growth rate of incidents detected annually increased 66% during the past six years.
The financial losses associated with those breaches are also (mostly) up, and trend (generally) by company size. Interestingly, small businesses reported that the cost of security-related incidents is down 37% for them. Midsized organizations witnessed a more moderate bump, at 25%, while large companies experienced the largest increase: they're seeing a rise of 53% in security-incident-related costs. "Larger companies tend to have more regulatory costs associated with data breaches, and are liable to have more records compromised," says Mike Rothman, an analyst at the IT security market research firm Securosis. "I think that is driving a lot of the cost differential," he says.