All of this makes the optimistic convictions recorded in last year's Global State of Information Security Survey, covered in our story Security spending continues to run a step behind the threats, look overly hopeful in hindsight. In last year's survey, a surprising 84 percent of CEOs and 82 percent of CIOs said they believed their cybersecurity programs were currently effective. Even 78 percent of CISOs expressed confidence in their programs.
With record-setting breaches and that confidence now shattered for many, 2014 is a year that will be remembered in the cybersecurity history books.
Infrastructure remains at risk, breach incidents and costs rise
The very software that helps keep the Internet secure and running showed a number of deep cracks this year. In April, a significant security flaw dubbed "Heartbleed" became publicly known. The flaw resides in the OpenSSL cryptography library and makes it possible to steal data from vulnerable systems. It was followed in September by Shellshock, another major vulnerability. Shellshock, a set of flaws uncovered in the widely used Unix Bash shell, makes it possible for attackers to execute commands of their choice on affected systems. A third flaw, POODLE, resides in the dated SSL 3.0 protocol and makes it easier to steal user cookies, which can then be used to conduct further attacks.
The relentless stream of new software vulnerabilities, the increasing sophistication of attackers, and the misplaced optimism of previous years are all taking their toll. The reality is that more enterprises saw more intrusions into their networks, with the number of detected incidents rising to 42.8 million this year. That's an increase of nearly 50 percent over the prior year. In fact, since 2009, the annual growth rate of detected incidents has risen 66 percent.
For larger enterprises, the financial losses associated with these incidents are also up. Large companies experienced a 53 percent rise in related costs. Mike Rothman, an analyst at the IT security research firm Securosis, says the rise in costs largely comes down to regulation-mandated expenses associated with breaches -- and larger enterprises tend to have many more records compromised than their small and midsized counterparts. Midsized organizations experienced a slower but still sizable bump, with a 25 percent increase in incident costs.
Security budgets flat, security analytics hot
Remarkably, IT security budgets were flat this past year, and even down in some areas. That result has analysts scratching their heads. "The drop in budget may not be an actual drop in real dollars, but an accounting shift," says Javvad Malik, an analyst at the 451 Group. That accounting shift could be related to enterprise refresh cycles, which would make the dip a temporary blip, or it could be due to the lower costs associated with cloud, virtualization, and employees increasingly bringing their own devices. "That's going to be the long tail that's going to carry on for a number of years. We've seen a lot of investments move away from on-premise, and overall you may see a broad reduction of IT budgets," Malik says.