Cyber crime is big business. Companies are reporting a growing number of cyber attacks – many of them aimed at their intellectual property – and are spending more on information security measures as a result.
The financial sector is renowned for taking a progressive approach to cyber security. And its reputation is underlined by the figures quoted in the Global State of Information Security Survey 2016 published by professional services network PwC.
Survey respondents from the financial sector detected 3% fewer cyber attacks in 2015 than in the previous year, and their financial losses fell by 12% over the same period. And thanks to supporting measures such as security training for employees, only one in three (34%) security incidents in the financial sector were attributable to current employees in 2015, compared with 44% in 2014. Nevertheless, cases of intellectual property theft shot up by 183%.
Internet crime is a growth industry
“Cyber criminals are becoming more industrialized and more organized,” explains Derk Fischer, a partner with PwC in Germany responsible for the delivery of cyber security assessment and consulting services. “What we’re seeing is the emergence of a new kind of ‘industry sector’ that thrives on the complex connectivity that characterizes the Internet.”
According to PwC’s study, the number of security incidents across all industries rose by 38% in 2015. That’s the biggest increase in the 12 years since the global study was first published.
Intellectual property is high on the list of the cyber criminals’ favored targets. Cyber thefts of this kind, say the analysts at PwC, have increased by 56%. And it is precisely the sector that we assume to be one of the best protected – the financial industry – that has borne the brunt of this particular brand of criminal activity, recording a 183% increase in intellectual property thefts in 2015.
Fischer interprets the figures as a sure sign that the attackers’ activities are far from random. And whether they’re selling email addresses, carrying out systematic DDoS (distributed denial-of-service) attacks, or stealing industrial secrets, the cyber criminals have payment methods such as the digital currency Bitcoin at their disposal to help them keep their illegal transactions both anonymous and secure, says Fischer.
Businesses see IT security as a competitive factor
What the PwC study also shows is that companies are becoming increasingly alert to cyber threats. While 10 years ago information security was seen chiefly as an IT topic, it has now been elevated to the status of a boardroom issue ‒ not least because of its relevance in areas that are key to business success, including digitalization, collaboration, cloud, and Industry 4.0. Businesses are now treating IT security as a key competitive factor. Almost all the companies surveyed (91%) have implemented an information security management process in alignment with the ISO 27001 IT security standard, and security budgets increased by 24% across all industries over the period covered by the study (2014/2015).
Key factor: data analytics
Organizations are looking closely at data analytics as a weapon in the fight against cyber criminals. “Analyzing Big Data enables you to spot when something untoward happens, trigger countermeasures, and neutralize any resulting issues,” says Fischer, who describes the current market for suitable Big Data analytics solutions as highly disparate.
SAP Enterprise Threat Detection, for example, focuses on identifying external attacks as they are happening. The solution’s pattern recognition functionality filters out anomalies such as suspicious discrepancies between a user’s past and current behavior – perhaps as the result of a hacking attack.
“The future of cyber security lies in combining solutions for pattern-based recognition of security breaches and for analyzing large volumes of current runtime data, including network activity,” says Fischer.
The PwC study shows that enterprises are becoming increasingly convinced of the value of data-driven analysis. Almost all (86%) of the organizations surveyed in 2015 stated that they have successful provisions for pinpointing weak spots in their systems. In 2014, that figure was closer to one-third. In terms of their expectations of data-driven analysis, the companies surveyed around the world expect to gain a better understanding of external dangers (61%), internal dangers (49%), and user behavior (41%).
Majority open to “security as a service”
Although the survey participants patently recognize the value of data-driven analytics, there is less clarity among decision-makers about how exactly to achieve better cyber security. Many companies, particularly small and midsize enterprises, report that the cost factor alone is enough to prevent them from setting up an internal security operating center devoted solely to dealing with cyber incidents. Which is why 69% of the survey respondents already use cloud-based cyber security services. The most frequently adopted service is real-time monitoring, which focuses on detecting and analyzing cyber attacks as they are taking place. Security expert Fischer is convinced that, as time passes, more and more companies will be looking to buy a greater range of cloud-based cyber security services.
There is clearly still a long way to go ‒ in all sectors of industry. And although ISO 27001 provides specifications for IT security, Fischer is quick to point out that currently only 20-30% of companies actually implement them in their entirety. Rapid product development cycles mean that companies concentrate on getting their systems up and running fast – sometimes to the detriment of important security aspects.
“Cyber resilience,” or the ability to return to normal operations after a cyber attack, says Fischer, “has still not entered the enterprise mindset of most companies to anything like a sufficient degree.” This is having an impact on the development of the Internet of Things.
“Although the Internet of Things is still in its infancy, the front-runners would be well advised to incorporate trust-building security features into their products right from the design and development phase. Because adding them at a later date is at best expensive and at worst impossible,” says Fischer.
Nevertheless, the central message of the study is that companies are taking the threat of cyber crime seriously. Even the retail industry is arming itself heavily to fend off attacks on customer data: In 2015, its average security spend increased by 67% over the previous year. The retail sector registered a 154% increase in detected cyber attacks between 2014 and 2015 and a 159% rise in financial losses over the same period.