Information security budgets in Indian companies decline by 17% even as business loss from security breaches increases by 20%

Employee and customer records continue to be the top targets of cyber attacks.

New Delhi, October 20, 2014 – The average cost of a security incident for Indian companies has more than doubled from $194 in 2013 to $414 in 2014 and there has been a 20 per cent increase in the average losses as a consequence. However, even as information security breaches become more frequent and damaging, Indian companies have reduced the average security spending from $4.8 million in 2013 to $4 million in 2014.

As organisations move ahead and embrace new technologies without fully comprehending the implications, they are becoming susceptible to an array of cyber-security threats and these threats today have become increasingly complex. Even with the growing impact that cyber security incidents can have on the entire enterprise, boards of organisations remain oblivious and continue to treat cyber security as an IT problem. This was revealed in PwC’s ‘State of the Information Security Survey- India 2015’.

Current and former employees have been cited by respondents to the survey as the most common causes of incidents.

Sivarama Krishnan, executive director and leader - India Cyber Security, Governance Risk and Compliance Services, said, “Cyber security is no longer an issue that concerns only IT and security professionals. The impact has extended to the C-suite and boardroom. It is now a persistent business risk. Awareness and concern about such security incidents and threats are a priority for the consumers as well”.

“At the heart of organisational security is the ‘human parameter.’ Organisations in India need to increase engagement levels with employees to manage this better”, he added.

Some of the key findings of the survey are detailed below:

1. Rising year-on-year incident cost: There’s been a 20% increase in the average losses as a consequence of security breaches and the average cost per incident increased from $194 to $414. However, there’s been a decline in the average security budgets as compared to the last year. It seems counter-intuitive that, even though threats have become more frequent and damaging, organisations have not increased their security spending. Rise in the average cost of incidents is primarily a consequence of today’s more sophisticated compromises, often extending beyond IT to other areas of the business.
2. ‘Insiders’ remain the most common causes of incidents: Current and former employees have been cited by respondents as the most common causes of incidents. Loss of data through associations with customers and vendors also contribute to a reasonable chunk of incidents caused by insiders. The lack of effective mechanisms to manage risks to data stemming from third parties is largely responsible.
3. Challenges to effective cyber security: Almost 37% respondents cited board level leadership as an obstacle in enhancing overall strategic effectiveness of the organisation. The lack of leadership to set a clear direction for the overall information security strategy along with insufficient capital and operating expenditures represent the major areas of concern for organisations today. The lack of board level involvement in key areas of security - only 49% respondents believe that their board is involved in defining the security budget, moreover, only 39% believe that their board actively participates in reviewing current security and privacy risks – indicates that organisations have not elevated information security to a board level issue.
4. Employee and Customer records continue to be the top targets of cyber attacks: The breach of employee (45%) and customer records (42%) remained the most cited impacts of cyber-attacks. Compromise of customer records may interrupt smooth running of business, leave the organization exposed to legal action, result in loss of customers and may also damage the reputation of the organization.
5. Lack on focus on the ‘human parameter’: Employee training and awareness is a fundamental component of every programme, as the weakest link in the security chain is often the human resource. The problem mostly lies in the way organisations engage with their employees and the communication programmes they employ to generate awareness. Only 50% respondents say that they have a cross-organisational team that regularly convenes to discuss, coordinate and communicate information security issues. Further, only 54% have an employee security awareness training programme, down from last year’s 56%.

The future of cyber-security in India will involve a tripartite model wherein the government, the organisation and the individual work in tandem to secure information and information assets in a concerted unified manner. This will require enhanced collaboration and communication of security posture among individuals, executives and industry organisations, as well as potential future improvements in legal exposure and assistance in regulatory compliance.

Notes to the Editor:

About the Global Information Security Survey 2014

This survey was conducted as part of PwC’s Global State of Information Security Survey © 2015. The Indian edition of this survey is based on the responses from over 350 C-suite executives, vice presidents and directors of IT and information security, across 17 industries. The margin of error is less than 1% and all figures and graphics in this report have been sourced from survey results.

Respondents can be clubbed into the following four major industry verticals:

• CIPS (consumer, industrial products and services)
• TICE (technology, information, communications and entertainment)
• FS (financial services)
• Government and others

Around 30% of our respondents had annual gross revenues of over 1 billion USD, and another 30% (approx.) had revenues between 100 million USD and 1 billion USD. Almost a third of our respondents were small enterprises with annual gross revenues of less than 100 million USD, making it an inclusive survey with a distributed respondent base.

About PwC

PwC helps organisations and individuals create the value they’re looking for. We’re a network of firms in 157 countries with more than 195,000 people who are committed to delivering quality in assurance, tax and advisory services. Find out more and tell us what matters to you by visiting us at www.pwc.com

In India, PwC has offices in these cities: Ahmedabad, Bangalore, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and Pune. For more information about PwC India's service offerings, visit www.pwc.in

PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.