Execs Remain Confident on Security While All Is Not Well, Survey Shows
The people in charge of security at large companies and organizations appear to have a pretty high opinion of their abilities and their preparations for attacks by hackers and other security incidents, even if the evidence shows they’re fooling themselves.
According to a new survey out today by PwC Consulting, prepared in cooperation with the trade magazines CIO and CSO, the general mood among security executives around the world is optimistic. When asked about their security posture in the survey, nearly 70 percent said that they were “very confident” or “somewhat confident” that they have sufficient security policies and practices in place, and more than 70 percent said their policies are “effective.”
All this confidence rings a bit like Chip Diller from “Animal House” imploring the crowd at a parade to “remain calm, all is well,” while chaos erupted around them. The number of organizations who admitted they had suffered more than 50 security incidents in the prior year increased to 13 percent. That’s a slight increase from last year, but a lot higher than in previous years.
Perhaps their confidence stems from this: Only 7 percent of respondents said they had experienced a loss in shareholder value, and 14 percent saw a financial loss stemming from a security incident in the prior year. The financial loss number is down from 20 percent in the two prior years. But there’s a catch, PwC says: Most companies haven’t done the thorough analysis to determine whether they’re likely to experience a loss in value in the first place: Most haven’t considered whether or not a high-profile security breach might damage a brand.
And even though attacks are on the rise, fewer than half of those executives surveyed expected a boost in their security budgets for the coming year. Most of those — 86 percent — pointed to their bosses as the biggest obstacle to improving security.
The survey — its formal name is “The Global State of Information Security Survey 2013” — sought input from 9,300 CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents and directors of IT and information security in 128 countries.
Update: Today, it seems, is a day for security surveys. IBM’s X-Force security unit has just released its 2012 Mid-Year Trend and Risk Report, and the picture it paints would deflate a lot of that confidence found in the PwC report. The group monitors some 15 billion security events every day for its 4,000-odd clients in 130 countries.
What IBM sees is an increase in efforts to target individuals by directing them to a trusted Web address or site which has been injected with malicious code, and then use weaknesses in browser software to install malware on the target system. Lots of big-name Web sites are still vulnerable, IBM says.
Also, attacks using SQL injection — a technique in which attackers access a database via the Web site it is connected to — are on the rise. Big Blue has also noticed an uptick in attacks on mobile devices. Most people with smartphones are still vulnerable to attacks carried out via text message.
Maybe those overconfident-seeming execs should read this IBM report.