Statistics Pertaining to Cyber Security Law

  • The PwC survey revealed a few important statistics about what the majority of companies are practicing:
    § 58% of global companies have an overall security strategy
    § 53% have employee security-awareness and training programs
    § 52% have security standards for third-parties
    § 54% have a CISO in charge of security
    § 49% conduct threat assessments
    § 48% actively monitor and analyze security intelligence

Source: PricewaterhouseCoopers Data Explorer

  • On the other end of the spectrum, a KPMG study on global CEOs of companies with more than $500 million in revenue revealed that 50% of CEOs do not feel prepared for a cyber attack

Source: KPMG Global CEO Outlook Infographic

  • A 2015 study from the Ponemon Institute found cyber crime costs have risen 19% in just one year. Last year, a hack and its consequences globally cost companies an average of $7.7 million.

Source: Ponemon Cybersecurity Report

  • A PricewaterhouseCoopers (PwC) survey found that, in 2015, nearly 20% of global companies implemented a cybersecurity budget between $1 million and $4.9 million.

Source: PricewaterhouseCoopers Data Explorer

  • Investments in cybersecurity firms have grown wildly in recent years. In the first half of 2015 alone, investors poured $1.2 billion into cybersecurity start-ups.

Source: Cybersecurity Business Report – CSOOnline.com

  • It was estimated that at year’s end, about $77 billion in investments would end up in the cybersecurity sector.

Source: Cyber security investing grows, resilient to market turmoil – Fortune.com

  • One report indicates the cybersecurity market will be worth as much as $170 billion by 2020.

Source: Cybersecurity Press Release – Marketsandmarkets.com

  • Cyber security incidents have surged 38% since 2014.

Source: Global State of Information Security Survey – PricewaterhouseCoopers

  • Malicious cyber attacks cost US$300 billion to US$1 trillion a year!

Source: The Economic Impact of Cybercrime and Cyber Espionage – McAfee report

  • Data breaches average $154 per record, while the average cost per data breach has reached $3.79 million.

Source: Ponemon: Data breach costs now average $154 per record – CSOOnline.com

  • Attackers often have more than 200 days before being discovered.

Source: M-Trends – Mandiant Report

  • Privilege misuse is #3 out of nine attack patterns found in 96% of all breaches, according to the 2015 Verizon Data Breach Investigations Report.

Source: Verizon 2015 Data Breach Investigations Report Finds Cyberthreats Are Increasing in Sophistication – Verizon

  • While deal makers are generally aware of the effect that cyber security risks can have on a pending M&A deal, 78 percent “believe cyber security is not analyzed in great depth or specifically quantified as part of the M&A due diligence process.”

Source: On the hunt for merger or acquisition? Make sure your target is secure – CSOOnline.com

  • Asked which stage of an attack is the most difficult to mitigate, 61 percent of IT security executives cited privileged account takeover, versus 44 percent in 2014.

Source: Cyberark Global Survey Press Release

  • 80 percent of board members say that cyber security is discussed at most or all board meetings, yet two-thirds of CIOs and CISOs say senior leaders in their organization don’t view cyber security as a strategic priority.

Source: Cybersecurity is a topic of discussion at most board meetings – CSOOnline.com

  • Despite almost daily reports revealing the contrary, 44% of organizations still believe they can keep attackers off their network entirely.

Source: Cyberark Global Advanced Threat Landscape Survey

  • Types of Threats
    Breaking cybersecurity down into the types of attacks threatening a company, the statistics show two major trends:
    1. Insider threats
    2. Outside threats
    An insider threat is an attack or theft of data carried out by an employee of the company. The SANS 2015 Survey on Insider Threats showed 74% of CISOs are concerned about employees stealing information.
    The PwC survey reported that 34% of incidents in 2015 resulted from attacks by current employees and 28% were conducted by former employees.

Source: 74 Percent of IT Security Pros Worry About Insider Threats – esecurityplanet.com

  • Outside threats come in many forms, but are often perpetrated by hackers, organized crime outfits, activists or other parties. The majority of attacks, nearly 80%, are from external parties. They accomplish hacks within minutes using one of several different methods, including phishing, credential theft, RAM scraping or spyware.

Source: Verizon Data Breach Investigation Report

Here are some of the most pressing cyber security statistics to take into consideration.

  • 98% of tested web apps are vulnerable to attack
    Trustwave’s 2015 Global Security Report found that a staggering 98% of tested web applications were vulnerable to attack. Web apps are everywhere now, and it is essential that updates and patches are installed so that known vulnerabilities are addressed.

Source: Trustwave Global Security Report

  • 90% of large organisations reported suffering a security breach
    The Department of Business, Innovation & Skills’ 2015 Information Security Breaches Survey was published at the beginning of June and was stuffed full of disturbing statistics. The report highlights how cyber attacks affect nearly every organisation, with 90% of large and 74% of small organisations suffering a breach in 2014.

Source: Information Security Breaches Survey – PricewaterhouseCoopers

  • 75% of directors are not involved in the review of cyber security risks
    Research undertaken by PwC for their 2015 Global State of Information Security Survey found that only 25% of directors are actively involved in reviewing security and privacy risks. Shocking behaviour.

  • 93% of DPA breaches are caused by human error
    People: the weakest link in the cyber security chain. The Information Commissioner’s Office reported that 93% of incidents it investigated in Q4 of 2014-15 were caused by human error.

  • Online banking fraud increases 48% year-on-year
    Figures published in the first quarter of 2015 by Financial Fraud Action UK (FFA UK) found that losses from online banking fraud rose by 48% in 2014, costing £60.4 million. FFA UK identified a total of 53,192 individual incidents.

Source: Financial Fraud Action Report

According to the FFA, “A key driver behind increasing levels of fraud continues to be fraudsters tricking customers into revealing personal and financial information, normally over the telephone.”

  • 144% increase in successful cyber attacks on businesses
    CYREN’s 2015 Cyberthreat Yearbook report begins: “Enterprises of all sizes are now besieged by cybercrime at an alarming rate”. It found that successful cyber attacks on businesses of all sizes increased by 144% over a four-year period, adding further weight to the argument that organisations should now aim for cyber resilience: the ability to not only repel but also respond to a cyber attack.

Source: Cyren Security Yearbook

The five most audacious cyber attacks are:
• Exigent — It sounds like something out of a movie, but it’s true — in December 2000, military contractor Exigent, Inc. was the victim of a cyber attack in which a portion of the source code for a program controlling US Navy satellite and missile guidance systems was stolen.
• Operation Aurora — Even Google is not immune to cyber attacks, as evidenced by a politically motivated security breach orchestrated in 2009 by Chinese hackers. Dubbed “Operation Aurora,” the hackers infiltrated Google’s internal network, stealing intellectual property and — it has been alleged — using the service to spy on human rights activists.
• PlayStation networks — Gamers will remember the April, 2011 hack against Sony’s PlayStation network, in which 77 million accounts and 12 million credit card numbers were potentially compromised. As a result, the network was down for over a month, resulting in considerable financial losses for Sony.
• Epsilon security breach — In 2011, a security breach affecting the Internet marketing company, Epsilon, resulted in the theft of the names and email addresses of millions of customers across the world. Customers of over 100 of the world’s largest corporations — including JPMorgan Chase, Citibank, TiVo and Target — had their information leaked, a loss estimated at over $4 billion.
• Operation “Get Rich or Die Trying” — For a more than three year period beginning in 2005, American hacker Albert Gonzalez, along with accomplices in Russia and the Ukraine, pulled off what has been called the largest cyber crime of all time, stealing more than 170 million credit card and ATM numbers. Total losses were estimated at more than $300 million. In 2010, Gonzalez was sentenced to 20 years in prison.
What the above list demonstrates is that no one organization or industry is safe. Whether it’s financial records, intellectual property or customer contact information, there are thieves out there that want access to your private data. Just look at the numbers:
• $110 billion — estimated worldwide cost of cyber crime per year
• 15 million — number of Americans who will have their identities stolen in a given year
• 1.5 million — victims of cyber crime per day
• 73 — percentage of Americans who admitted to encountering an attempted crime on the internet
Source: Cybercrime Facts – blackstratus.com

Security Incidents and Breaches

  • 71% were affected by a successful cyberattack in 2014, but only 52% expect to fall victim again in 2015.
    Security incidents grew 66% CAGR.

Source: The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

  • Europe saw 41% more detected incidents, compared to 2013.

Source: The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

  • Automotive firms report a 32% increase in detected incidents.

Source: The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

  • Security incidents soared 60% in healthcare.

Source: The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

  • Power and utility companies detected 527% more incidents in 2014, over 2013.

Source: The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

  • Technology companies reported 17% fewer security incidents in 2014.

Source: The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

  • 21% of IS professionals report having been subject to an APT attack.

Source: ISACA 2014 Advanced Persistent Threat Awareness Study

  • 66% of IS professionals feel it is likely that they will be subjected to an APT attack.

Source: ISACA 2014 Advanced Persistent Threat Awareness Study

  • 12% of US healthcare report that their organization has had at least one known case of medical identity theft reported by a patient in the prior 12 months.

Source: 6th Annual HIMSS Security Survey

  • 19% of US Healthcare report that they had a security breach in the last year.

Source: 6th Annual HIMSS Security Survey

  • 25% of respondents reported having either a case of medical identity theft or a security breach in the last 12 months.

Source: 6th Annual HIMSS Security Survey

Cost of Security Breaches

  • The average cost of a corporate data breach increased 15 percent in the last year to $3.5 million.

Source: Insurance Journal’s Company Data Breach Now Costs $3.5M on Average

  • Security incidents caused downtime of more than 8 hours for 31% of impacted organizations.

Source: The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

  • The involvement of business continuity management reduced the cost of data breach by an average of almost $9 per record.

Source: Insurance Journal’s Company Data Breach Now Costs $3.5M on Average

  • 54% report that electronic crimes by outsiders were more costly or damaging.

Source: CERT’s 2014 U.S. State of Cybercrime Survey

  • Each lost or stolen record containing sensitive and confidential information costs a consolidated average of $145.10

Source: Insurance Journal’s Company Data Breach Now Costs $3.5M on Average

  • North America saw a 7% decrease in financial loss attributed to security events.

Source: The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

  • Companies in the U.S. and Germany paid the most at $246 and $215 per compromised record, respectively.

Source: Insurance Journal’s Company Data Breach Now Costs $3.5M on Average

  • Financial services organizations saw the financial losses from incidents jump 24%.

Source: The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

  • The cost of a security breach leapt 282% in healthcare.

Source: The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

  • Companies that said they have a strong security posture were able to reduce the cost by as much as $14 per record.

Source: Insurance Journal’s Company Data Breach Now Costs $3.5M on Average

IT Security Budgets

  • 62% of IT security budgets are expected to rise in 2015.

Source: 2015 Cyberthreat Defense Report North America & Europe

  • 70% of respondents are spending greater than 5% of their IT budgets on security.

Source: 2015 Cyberthreat Defense Report North America & Europe

  • The average 2014 information security budget in North America was $4.6M (up from $4.5 in 2013).

Source: The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

  • The average 2014 information security budget in South America was $3.5M (down from $4.6 in 2013).

Source: The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

  • The average 2014 information security budget in Europe was $3.4M (up from $3.0M in 2013).

Source: The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

  • Europe reports a 12% increase in security spending.

Source: The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

  • The average 2014 information security budget in Asia Pacific was $4.5M (down from $5.1M in 2013).

Source: The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

  • Information security represented 6.9% of industrial product companies’ total IT budget.

Source: The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

Attack Surface & Methods

  • When looking at the number of breaches per asset category, servers have typically been on top, since that is where the data is stored, but user devices have been growing over time.

Source: Verizon’s 2014 Data Breach Investigations Report

  • Mobile devices (smartphones and tablets) are perceived as IT security’s weakest link, closely followed by social media applications.

Source: 2015 Cyberthreat Defense Report North America & Europe

  • The majority of users (58%) operate 3-4 devices on a daily basis.

Source: Password Security Survey Results

  • 59% of respondents experienced an increase in mobile threats over the past year.

Source: 2015 Cyberthreat Defense Report North America & Europe

  • 66% of sensitive data is stored on on-site servers.

Source: Bridging the Data Security Chasm. Assessing the Results of Protiviti’s 2014 IT Security and Privacy Survey

  • 89% of US healthcare make patient data available to patients, surrogates and/or designated others.

Source: 6th Annual HIMSS Security Survey

  • 43% of US healthcare share data with patients via a health website or web portal.

Source: 6th Annual HIMSS Security Survey

  • 92% of IS professionals believe APTs represent a credible threat to national security and economic stability.

Source: ISACA 2014 Advanced Persistent Threat Awareness Study

  • 92% of IS professionals believe that social network use increases likelihood of a successful APT attack.

Source: ISACA 2014 Advanced Persistent Threat Awareness Study

  • 88% of IS professionals think that BYOD combined with rooting or jailbreaking makes a successful APT attack more likely.

Source: ISACA 2014 Advanced Persistent Threat Awareness Study

  • More than 1 in 4 IS professionals believe the highest risk from APTs is loss of personal information of employee or customer.

Source: ISACA 2014 Advanced Persistent Threat Awareness Study

  • 63% of users admit to forgetting a password, or had a password compromised, in their professional life.

Source: Password Security Survey Results

  • 92% of 100,000 analyzed incidents can be categorized by just 9 basic patterns.

Source: Verizon’s 2014 Data Breach Investigations Report

  • Countries in the Arabian region and Germany had more data breaches caused by malicious or criminal attacks.

Source: Insurance Journal’s Company Data Breach Now Costs $3.5M on Average

  • India had the most data breaches caused by a system glitch or business process failure.

Source: Insurance Journal’s Company Data Breach Now Costs $3.5M on Average

Corporate Espionage, Activists, Hacktivists & Nation States

  • Compromises attributed to competitors were highest in Asia Pacific.

Source: The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

  • Almost half (47%) of respondents from China point to competitors as the source of security incidents, higher than any other nation.

Source: The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

  • Automotive firms saw an 84% increase in security incidents from activists / hacktivists.

Source: The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

  • Attacks by nation-states jumped 80% at technology companies, perhaps explaining the increase in IP theft.

Source: The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

Policies & Procedures

  • One in three companies do not have a written information security policy (WISP).

Source: Bridging the Data Security Chasm. Assessing the Results of Protiviti’s 2014 IT Security and Privacy Survey

  • 77% of organizations have a password policy or standard.

Source: Bridging the Data Security Chasm. Assessing the Results of Protiviti’s 2014 IT Security and Privacy Survey

  • 59% of organizations have a user (privileged) access policy.

Source: Bridging the Data Security Chasm. Assessing the Results of Protiviti’s 2014 IT Security and Privacy Survey

  • 46% of organizations have an incident response policy.

Source: Bridging the Data Security Chasm. Assessing the Results of Protiviti’s 2014 IT Security and Privacy Survey

  • 34% of companies do not have a crisis response plan for a data breach or cyberattack event.

Source: Bridging the Data Security Chasm. Assessing the Results of Protiviti’s 2014 IT Security and Privacy Survey

  • 49% of companies do not perform periodic “fire drills” to test IT Security event responses.

Source: Bridging the Data Security Chasm. Assessing the Results of Protiviti’s 2014 IT Security and Privacy Survey

  • 54% of US healthcare provider IT & IS professionals have tested their data breach response plan.

Source: 6th Annual HIMSS Security Survey

  • 1 in 3 organizations do not have, or do not know whether they have, third-party data access contracts / policies in place.

Source: Bridging the Data Security Chasm. Assessing the Results of Protiviti’s 2014 IT Security and Privacy Survey

  • 77% of IS professionals have not updated agreements with third parties for protection against APTs.

Source: ISACA 2014 Advanced Persistent Threat Awareness Study

  • Less than 40% of organizations conduct full-network active vulnerability scans more than once per quarter.

Source: 2015 Cyberthreat Defense Report North America & Europe

  • Only 20% of IT security professionals are confident their organizations have made adequate investments in educating users on how to avoid phishing attacks.

Source: 2015 Cyberthreat Defense Report North America & Europe

Current IT Security Methods

  • On average US healthcare organizations have 11 types of technical security tools in place.

Source: 6th Annual HIMSS Security Survey

  • Nearly two thirds of organizations do not have well-defined and automated IAM programs.

Source: Get ahead of cybercrime. EY’s Global Information Security Survey 2014

  • 21% of US healthcare organizations are not using Disaster Recovery technology, of which 51.7% intend to purchase DR in the future.

Source: 6th Annual HIMSS Security Survey

  • 54% of US healthcare organizations do not have single sign-on implemented, of which 49.3% intend to purchase SSO in the future.

Source: 6th Annual HIMSS Security Survey

  • 60% of US healthcare organizations do not have two-factor authentication implemented.

Source: 6th Annual HIMSS Security Survey

Current & Future Challenges / Concerns

  • Phishing, malware, and zero-days give IT security the most headaches.

Source: 2015 Cyberthreat Defense Report North America & Europe

  • 56% of organizations say it is unlikely or highly unlikely that they would be able to detect a sophisticated attack.

Source: Get ahead of cybercrime. EY’s Global Information Security Survey 2014

  • Low security awareness among employees continues to be the greatest inhibitor to defending against cyberthreats, followed closely by lack of security budget.

Source: 2015 Cyberthreat Defense Report North America & Europe

  • Healthcare industry cites access control and identity management for end users as their top challenge.

Source: The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

  • 37% say that real time insight on cyber risk is not available.

Source: Get ahead of cybercrime. EY’s Global Information Security Survey 2014

  • Attackers are getting better/faster at what they do at a higher rate than defenders are improving their trade.

Source: Verizon’s 2014 Data Breach Investigations Report

  • Inadvertent exposure of confidential data is the top concern with SaaS-based file sharing applications.

Source: 2015 Cyberthreat Defense Report North America & Europe

  • BYOD initiatives are expected to nearly double in the coming year, from 30% to 59% of organizations.

Source: 2015 Cyberthreat Defense Report North America & Europe