€135,000 is the average cost of a cybercrime incident to Irish organisations
Annual Deloitte Information Security and Cybercrime Survey
6 August 2013 - The average cost of a cybercrime incident for Irish organisations over the past year was €135,000. The Deloitte 2013 Irish Information Security and Cybercrime survey, in association with EMC, released today, also shows that cybercrime costs Irish organisations, on average, 2.7% of annual turnover.
In terms of the remediation and clean-up costs associated with security incidents and cybercrime, the average cost of a large security incident stood at €29,954.
In addition to the costs associated with cybercrime, the number of security breaches experienced by organisations is also significant. 40% of respondents stated that their organisation had experienced at least one security breach that they are aware of in the past 12 months. 21% have experienced between one and five breaches, while 7% of respondents stated that their organisation had experienced more than 20 breaches. Over a quarter (28%) are unsure of how many security breaches their organisation experienced in the past 12 months.
45% of those surveyed indicated that their organisation identified over 40% of serious incidents, down from last year’s figure of 58%. In line with last year’s findings, the most common method of breaching security in organisations is hacking – 19% of respondents cited this as the main cause. Other common methods of attack include Denial of Service/Distributed Denial of Service (14%) and malware (12%).
Evolving technical/technological threats were identified by 30% of respondents as the biggest information security challenge within their organisation. While employees were identified as the biggest challenge last year, this year they were second on the list, as identified by 24% of respondents. Lack of funding (13%) was the third biggest challenge. 55% of respondents indicated that all users in their organisation had provided signed acceptance and adherence to security policies, up from 46% last year.
In terms of the effectiveness of the information security function within their organisations, 58% of respondents rated their activities as “good” or “very effective”. 21% considered their activities to be “average” and “predominantly reactive”. Just 7% considered their activities to be “very effective”.
Colm McDonnell, Partner, Enterprise Risk Services, Deloitte, noted:
“A third of respondents indicated that their organisation has identified preventing cybercrime as a priority, yet just the same number of respondents believe that information security efforts are well aligned with the organisation’s overall risk strategy. This suggests that there may be a disconnect between cybercrime prevention efforts and its wider impact on the business. The results show that cybercrime attacks are becoming more common and indeed more costly. While written employee acceptance has risen, it is still below best practice levels. A proactive approach that is both planned and sustained is of critical importance for Irish organisations in protecting themselves against this omnipresent threat.”
In terms of investment in cybercrime prevention within their organisations, 44% of respondents indicated that there is limited funding available, while a further 14% believed there to be insufficient funding. Encouragingly, 44% are currently recruiting or plan to take on staff over the next one to two years, an increase of 20% on the 2012 findings. Similar to last year’s findings, the main motivation for investment in advanced security technologies, and information security in general, is compliance and reporting, as identified by 45% of respondents.
Jason Ward, Director for Ireland, Scotland and UK North at EMC, commented:
“The survey results show that Irish IT organisations are in a constant state of compromise from cybercriminals, which is having a severe effect on their bottom line. Irish businesses need to be better prepared and defend themselves from attack through intelligence-driven information security, collecting reliable cyber security data and researching prospective cyber adversaries to better understand risk and learn how to protect themselves.
The results also indicate that employees remain one of the biggest challenges. With the majority of business today conducted online, staff are now the security perimeter, and education, knowledge and training are key to ensuring they can identify normal and abnormal system behaviour in the IT environment. With the advent of Big Data analytics we can capture massive amounts of diverse and rapidly changing security-relevant data – including network packets, logs, and asset information – and pivot on terabytes of data in real time, executing forensic investigations that once took days in just minutes.”
The survey also investigated areas which can pose additional security risks. With regard to mobile devices, 79% of respondents said their organisation supports corporate mobile devices only, with 31% also permitting the use of employee-purchased mobile devices. Half of respondents said that their organisation has implemented specialist technologies to increase mobile security. However, 31% indicated that no additional technologies are used to support mobile devices.
In terms of cloud-based services, which are used by 60% of respondents, two fifths believe that privacy and data protection are the biggest risks associated with the cloud.
About the survey
The survey was conducted in the second quarter of 2013 and respondents included information security leaders of multinationals, Irish organisations and subsidiaries. These organisations operate across a range of industries including financial services, the public sector, manufacturing, IT, semi-state and insurance.