Survey says enterprises are stepping up their security game

To fight threats today, more enterprises are increasing their information security spending, collaborating more on threat intelligence efforts, and turning to cybersecurity insurance policies in larger numbers.

If all you read are the headlines (and there are too many, to be sure), you’d be convinced enterprises are losing the never-ending battle to secure their networks.

Perhaps they are.

And to help turn the momentum, enterprises are doing more to bolster their security defenses. They are increasing their information security spending, collaborating more on threat intelligence efforts, and turning to cybersecurity insurance policies in larger numbers, according to a global security survey released today.

The most recent Global State of Information Security Survey, produced by PwC US in conjunction with CIO magazine and CSO and based on responses from 10,000 IT and security decision-makers in 127 nations, also found that information security spending is up from last year, while average financial losses from cyber attacks have decreased from $2.7 million in 2014 to $2.5 million this year.


The survey also found that enterprises are improving in their ability to detect breaches that are underway. In fact, enterprises reported a 38 percent increase in detected incidents this year over last year. They are also seeing more intellectual property theft, which jumped 56 percent over the previous year. Another interesting finding: while current and former employees still constituted the bulk of attacks aimed at these enterprises, there has been a noticeable surge in breaches attributed to current and former partners and suppliers. Data breaches attributed to them are up to 59 percent this year, from 46 percent in 2014.


Although it’s nearly a decade in the making, the enterprise move to cloud platforms is creating tremendous change in how enterprises use, manage, and protect their applications and data. The research firm IDC expects public cloud spending alone to hit $70 billion this year.

“We are looking at a completely new paradigm for security. When you add always-on, always-connected, and couple all of that with the fact that we no longer are keeping data on our own premises, it completely changes how we have to do security,” says Tyler Shields, a security analyst at Forrester Research.

With 69 percent of respondents using cloud-based security services, the cloud has, without a doubt, matured into an established delivery method for security controls and services: real-time monitoring and analytics (56%), authentication (55%), identity and access management (48%), threat intelligence (47%), and end-point protection (44%).

“The only way to effectively perform security in this new environment is to do it at cloud scale. That means you have to actually be able to capture data, analyze data, analyze security-related metadata and data, and then make decisions based on it and enforce your security controls; because to do anything less means that they'll never be able to keep up with the pace of the movement of the data,” says Shields.

Enterprises share intelligence together, or get breached individually

The increase in cyberattacks, especially from nation states targeting critical infrastructure, government agencies, and corporate intellectual property, is fueling the motivation for more cybersecurity information sharing. Earlier this year, President Barack Obama signed the Executive Order “Promoting Private Sector Cybersecurity Information Sharing” to promote the sharing of information on security threats within the private sector and between the federal government and the private sector.

“It will encourage more companies and industries to set up organizations -- hubs -- so you can share information with each other. It will call for a common set of standards, including protections for privacy and civil liberties, so that government can share threat information with these hubs more easily. And it can help make it easier for companies to get the classified cybersecurity threat information that they need to protect their companies,” President Obama said at the Cybersecurity and Consumer Protection Summit at Stanford University.

Interestingly, when it comes to data sharing standards and methods, the survey found that organizations that don’t collaborate reported the lack of sharing processes and standards as what was holding them back. The executive order aims to change that with the creation of Information Sharing and Analysis Organizations (ISAOs), which are broader in scope than the current, industry-specific Information Sharing and Analysis Centers (ISACs). The ISAOs will include cybersecurity sharing among specific industries as well as for specific geographies and security events as needed.

“Without effective information sharing, there is no way to know what is actually going on. We can never know if the grid is under attack, or what to do if it is. We can never know if it is just our own problem [within a single organization] or something broader,” said Chris Blask, director of Webster University's Cyberspace Research Institute.

Cyber insurance gains some momentum

If the busy history of data security breaches has taught us anything about cybersecurity, it’s that enterprise security efforts certainly reduce the frequency of cyber attacks. And they may also mitigate the damage done by thieves and attackers, more often than not. But data breaches are bound to happen. Enter cyber insurance. While cyber insurance has been around for decades, it hasn’t managed to grow into more than a small niche; now the idea is finally starting to take hold. Cybersecurity insurance is one of the fastest-growing segments in insurance. PwC forecasts the global cyber insurance market will grow from $2.5 billion this year to $7.5 billion by 2020.

This year’s survey found that 59 percent of respondents have purchased some level of cyber insurance. Currently, such policies commonly cover data destruction, denial of service attacks, theft and extortion. They may also include incident response and remediation, investigation and cybersecurity audit expenses. Other areas of coverage include privacy notifications, crisis management, forensic investigations, data restoration and business interruption.

Blask contends that cybersecurity insurance can, over time, help enterprises better manage cybersecurity risks. “One of the wonderful things about insurance is it can determine what's good enough (security), and the actuarial process will provide the math to help determine what protective measures work and how effective they are. From the insurance perspective, they need to know what [level of risk] they're getting into. That's the entire conversation in insurance right now: how to make better decisions on the cyber security risks they're accepting transfer of,” Blask says.

Use of security frameworks paying off

The survey also found that the long-term investment enterprises have made in security frameworks such as ISO 27001 and the US National Institute of Standards and Technology (NIST) Cybersecurity Framework is paying off. Benefits respondents cited include the ability to detect and mitigate security incidents better and more quickly (47%), a better ability to identify and prioritize risks (49%), more secure sensitive data (45%), and a better understanding of gaps in policy (37%).

In the end, all of these security efforts are about helping the enterprise to use technology to be more efficient and succeed. “Enterprises are looking for ways to be more agile, grow, and embrace the cloud more securely,” said Jim Reavis, executive director of the Cloud Security Alliance.

The survey found that a big part of moving forward securely is the use of security data analytics. A sizable 59 percent of respondents are using security data analytics to some extent, and many are citing improvements such as better understanding of external threats (61 percent), better understanding of internal threats (49 percent), and a better understanding of user behavior (39 percent).

“I view security as a collection of security metadata, analysis of that metadata, and enforcement of policy,” said Shields. “Right now we're at the stage where we're increasing our collection of metadata. Drastically. We're working on ways to get at continuous scans of our web applications so that we have that data always coming in. We can continually assess every endpoint on our traditional network and we can continually assess security enforcement or security metadata from our cloud providers,” he added.

“The next step for improvement is how we improve the analysis. That will be through automation, machine learning, and artificial intelligence,” Shields says.


Stories by George V. Hulme
