Businesses failing to fight IT security threats, but the biggest problem is staff, PwC survey shows

Information technology hackers can still get the better of businesses, with companies around the world failing to keep a step ahead of information security threats, new research has found.

And it is not just anonymous external hackers that businesses need to worry about, but their staff, with the biggest internal risk to a company’s IT security identified as its people.

The PwC Global State of Information Security Survey 2014 interviewed 9600 business leaders across 215 countries. It found that 30% reported the biggest internal IT security risk was current employees. Twenty seven per cent said it was former employees, and many noted that a lack of mechanisms to respond to internal incidents was an issue.

External to the business, one third of respondents identified hackers as the most likely source of IT security threats.

The report found that despite a forecast increase of 51% in security investment, security incidents have risen by 25% in the last 12 months. The issue is costing more money, with the average financial loss associated with the security incidents has also increased by 18%.

In a worrying figure for business owners, since 2011, the number of respondents reporting losses of $10 million or more doubled.

The pharmaceutical sector was the most prominent industry reporting losses of $10 million or more, at 20%, while financial services and technology sectors were at 9% and industrial products at 8%.

PwC head of cyber services Steve Ingram said efforts to detect threats and protect data have increased in the past year.

“But the pace of digital change is fast and many organisations are still relying on yesterday’s strategies to fight today’s threats.”

Despite the threats, it found that confidence in their organisation’s security activities had improved. It reported that 74% of respondents were confident about the effectiveness of their organisation’s activities, with chief executives most confident at 84%, and chief financial officers less confident at 76%.

Cloud computing is opening businesses up to hacking exposure. While usage of cloud computing is up by 47%, the survey found less than one fifth of organisations have a policy governing its use.

In Australia, spending on IT security is forecast to increase by 46% in the next 12 months.

Ingram told SmartCompany that in many ways Australian businesses are role models for excellent IT security practices. But business owners still need to be more vigilant.

“In the old days you’d put up a firewall and you’d be OK,” he says.

“In the modern world you can’t rely on that. You can’t tackle it the old ways.”

Ingram says just like people protect their phone and passport to a greater degree than their TVs, business owners need to scrutinise the essential elements that need to be protected in their business.

For example, sensitive information could be customer data or details of mergers and acquisitions. Business owners need to understand exactly how well these elements are protected, and not to rely on simply outsourcing their IT security.

In 2014, he predicts IT security will become an increasingly front-of-mind issue for CEOs and directors, and he expects more businesses to have a security threat contingency plan put in place.