€135,000 is the average cost of a cybercrime incident

7 Aug 2013

Pictured: Colm McDonnell, Partner, Enterprise Risk Services, Deloitte, Jason Ward, Director for Ireland, Scotland and UK North, EMC and Jared Carstensen, Manager, Enterprise Risk Services, Deloitte

The average cost of a cybercrime incident for Irish organisations in the last year was €135,000, according to the Deloitte 2013 Irish Information Security and Cybercrime Survey in association with EMC. Cybercrime costs Irish firms on average 2.7pc of turnover.

The survey revealed that cloud-based services are being used by 60pc of respondents, however, two-fifths believe that privacy and data protection are the biggest risks associated with the cloud.

In terms of the remediation and clean-up costs associated with security incidents and cybercrime, the average cost of a large security incident stood at €29,954.

In addition to the costs associated with cybercrime, the number of security breaches experienced by organisations is also significant. Some 40pc of respondents stated that their organisation has experienced at least one security breach, which they know of, in the past 12 months.

Around 21pc have experienced between one and five breaches, while 7pc of respondents stated that their organisation had experienced more than 20 breaches. More than a quarter (28pc) are unsure of how many security breaches their organisation experienced in the past 12 months. Some 45pc of those surveyed indicated that their organisation identified more than 40pc of serious incidents, down from last year’s figure of 58pc.

“A third of respondents indicated that their organisation has identified preventing cybercrime as a priority, yet just the same number of respondents believe that information security efforts are well aligned with the organisation’s overall risk strategy,” said Colm McDonnell, partner, Enterprise Risk Services, Deloitte.

“This suggests that there may be a disconnect between cybercrime prevention efforts and its wider impact on the business. The results show that cybercrime attacks are becoming more common and indeed more costly. While written employee acceptance has risen, it is still below best-practice levels. A proactive approach that is both planned and sustained is of critical importance for Irish organisations in protecting themselves against this omnipresent threat.”

Hacking is the most common security threat

In line with last year’s findings, the most common method of breaching security in organisations is hacking – 19pc of respondents cited this as the main cause. Other common methods of attack include denial of service/distributed denial of service (14pc) and malware (12pc). Evolving technical/technological threats were identified by 30pc of respondents as the biggest information security challenge within their organisation.

While employees were identified as the biggest challenge last year, this year they were second on the list, as identified by 24pc of respondents. Lack of funding (13pc) was the third biggest challenge. Fifty-five per cent of respondents indicated that all users in their organisation had provided signed acceptance and adherence to security policies, up from 46pc last year.

In terms of the effectiveness of the information security function within their organisations, 58pc of respondents rated their activities as “good” or “very effective”. Some 21pc considered their activities to be “average” and “predominantly reactive”. Just 7pc considered their activities to be “very effective”.

Cybercrime prevention

In terms of investment in cybercrime prevention within their organisations, 44pc of respondents indicated that there is limited funding available, while a further 14pc believed there to be insufficient funding. Encouragingly, 44pc are currently recruiting or plan to take on staff over the next one to two years, an increase of 20pc on the 2012 findings.

Similar to last year’s findings, the main motivation for investment in advanced security technologies, and information security in general, is compliance and reporting, as identified by 45pc of respondents.

“The survey results show that Irish IT organisations are in a constant state of compromise from cyber-criminals, which is having a severe effect on their bottom line. Irish businesses need to be better prepared and defend themselves from attack through intelligence-driven information security, collecting reliable cybersecurity data and researching prospective cyberadversaries to better understand risk and learn how to protect themselves,” said Jason Ward, director for Ireland, Scotland and UK North, EMC.

“The results also indicate that employees remain one of the biggest challenges. With the majority of business today conducted online, staff are now the security perimeter and education, knowledge and training is key to ensure they can identify normal and abnormal system behaviour in the IT environment.

“With the advent of big data analytics we can capture massive amounts of diverse and rapidly changing security-relevant data – including network packets, logs, and asset information – and pivot on terabytes of data in real-time, executing forensic investigations that once took days in just minutes.”

The survey also investigated areas which can pose additional security risks. With regards to mobile devices, 79pc of respondents said their organisation supports corporate mobile devices only, with 31pc also permitting the use of employee-purchased mobile devices.

Half of respondents said their organisation has implemented specialist technologies to increase mobile security. However, 31pc indicated that no additional technologies are used to support mobile devices. In terms of cloud-based services which are being used by 60pc of respondents, two-fifths believe that privacy and data protection are the biggest risks associated with the cloud.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years