Investment in information security is increasing, but so are the speed and variety of threat vectors in the enterprise, and these include determined attackers deploying the latest technologies.
The arms race scenario emerges from the results of the latest Global Information Security Survey conducted by CIO and CSO magazines in conjunction with PwC (PricewaterhouseCoopers).
"New models of information security strategies and practices are needed to be better prepared," says Colin Slater, security and technology partner at PwC New Zealand.
This also means realising that safeguarding everything to the same threat level is no longer possible, he says. "Businesses need to identify and prioritise what's most important to them and focus their resources on protecting that."
The survey, now in its 11th year, interviewed more than 9600 business, security and IT executives, with 49 respondents from New Zealand.
The latest survey found the number of security incidents detected in the past 12 months has increased by 25 per cent over last year, while the average financial costs of incidents are up 18 per cent.
Security investment is strong: average security budgets have increased 85 per cent over last year, and at 4.3 per cent, Asia Pacific reports the highest IS budget as a per cent of overall IT spending.
Respondents are optimistic on future information security spend, with 60 per cent stating their security budget will increase over the next 12 months. However, average financial losses due to security incidents are up 28 per cent over last year. Insiders, particularly current or former employees, are still the top source of security incidents. While many believe nation-states cause the most threats, only 4 per cent of respondents cited them, whereas 32 per cent pinpoint hackers as a source of outsider security incidents.
The top three obstacles to improving security are insufficient funding, business strategy alignment with security, and lack of leadership from the CEO or board.
"New Zealand businesses should pay heed to these global findings. We may be geographically isolated, but in this online and digitally connected world we're just as vulnerable to threats as businesses in the US, UK, Australia or China," says Slater.
"We can't afford to be naive to the risks we face as the costs and complexities of responding to attacks continue to rise."
It is not all bad news, says Slater. "It's great that there is a focus on security and privacy, which has been pushed by the public sector."
Slater says the Government CIO has been instrumental in raising awareness of information security issues, following a raft of privacy and security breaches in government agencies. "You talk to anyone who's running mobile or online services, they're getting asked different questions by their users now than they used to."