One third of Irish companies experienced cybercrime breaches in last year
Published 03 July 2012
Average cost of large cybercrime incident for businesses in Ireland approximately €40,000
Employees represent biggest challenges in information security
6 out of 10 organisations only feel partially equipped to deal with cybercrime
Pictured at the launch of the Deloitte Irish Information Security and Cybercrime survey, in association with EMC, are (from l-r): Dan Web, Strategic Alliances, EMC UK; Colm McDonnell, Partner, Enterprise Risk Services, Deloitte; Jason Ward, EMC Ireland Country Manager; and Jared Carstensen, Manager, Enterprise Risk Services, Deloitte.
32% of respondents to the first annual Irish Information Security and Cybercrime survey have experienced between one and five security breaches in the last year. The survey, carried out by Deloitte, in association with EMC, also found that 42% of respondents suffered a loss of productivity as a result of cybercrime attacks. Just over half of respondents indicated that their organisation did not experience any security breaches in the past year.
Survey results show that hacking was the most common method used to breach security in organisations, as identified by 38% of respondents. Other common causes of attacks included privilege misuse, physical attacks and malware. Half of all respondents identified employees and their activities as the biggest challenge in information security.
The results also show that only 57% of respondents feel they have an information security programme that functions adequately. 40% of respondents indicated that security risks are regularly assessed in their organisations and that strong security practices are in place. Encouragingly, just 3% indicated that they handle incidents in a purely reactive manner. However, just 12% of respondents would describe their organisation as a frontrunner in terms of information security.
Technical threats or attacks (29%) were also identified by respondents as challenges being faced by organisations, which could suggest that employee knowledge of information security and procedures is insufficient. In fact, only 60% of respondents indicated that users receive regular awareness training. Interestingly, 68% of respondents noted that following internal or external breaches no action was taken. Furthermore, only 4% of incidents led to a successful prosecution.
Colm McDonnell, Partner, Enterprise Risk Services, Deloitte, commented: “Interestingly just 45% of respondents indicated that cybercrime was a priority in terms of risk to the organisation. Given that the survey results show that the average cost of a large cybercrime incident for a business is €41,875 and the business outage that this can cause, we believe more organisations should be giving this a higher priority status. The reality is that Irish organisations have never faced such a myriad of advanced technological threats and attacks on their digital and critical assets. Irish organisations need to ensure that their efforts in this area are aligned sufficiently with other business efforts and risk management practices.”
In terms of investment and plans for expansion within the information security function, half of respondents stated that they do not plan on taking on additional personnel over the next two years. When questioned on the availability of suitable staff, of the 26% who said they were actively recruiting, 21% indicated that they were finding it difficult to recruit suitably talented and experienced security professionals here in Ireland.
There were mixed responses in terms of the level of funding made available to the information security function. While 48% of respondents believe the function receives adequate funding in their organisation, a similar number, 46%, indicated that they received inadequate funding to counter the threat.
McDonnell commented: “While respecting the difficulties in budgets, organisations need to continually challenge themselves and carry out thorough assessments to determine if information security is being properly addressed.”
The main motivations for investment in information security efforts in Irish organisations are compliance and reporting, as identified by 45% of respondents, followed by the ability to demonstrate the effectiveness of the security programme (30%). The top security initiatives identified were information security training and awareness (23%), data protection (21%), regulatory and legislative compliance (21%) and cyber threat programmes (14%).
Jason Ward, Ireland Country Manager for cloud and Big Data multinational EMC, which owns global IT security company RSA, said: “The survey results show that today’s IT organisations are in a constant state of compromise from new threats that are persistent, dynamic and intelligent - and Irish businesses and public sector organisations must be better prepared to protect themselves from attacks that can cost money, time, information and productivity gains.
“Increasingly, the human firewall is being breached, with cyber criminals shifting their focus from technology to people in a bid to infiltrate organisations by exploiting our weaknesses. We need to defend ourselves from attack through intelligence-driven information security, collecting reliable cyber security data and researching prospective cyber adversaries to better understand risk and learn about why and how attacks occur. Organisations need to develop new skills in the IT team to produce and analyse intelligence and identify normal and abnormal system and end-user behaviour in the IT environment.”
With regard to mobile devices, which bring additional challenges and associated risks, 87% of respondents said their company supported the use of corporate-provided mobile devices. 31% also permit the use of employee-purchased mobile devices. As a result of this increased demand for mobile devices, 61% of respondents said that their organisation had implemented specialist technologies to increase mobile security, while 16% indicated that additional in-house mechanisms had been implemented.
For full details of the Deloitte Irish Information Security and Cybercrime Survey, in association with EMC, please visit www.deloitte.com/ie/cybercrime-survey.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/ie/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
The information contained in this press release is correct at the time of going to press.
Deloitte’s 1,200 people in Dublin, Cork and Limerick provide audit, tax, consulting, and corporate finance services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges.
Deloitte's approximately 182,000 professionals are committed to becoming the standard of excellence.