From protecting user data against a growing number of threats to ensuring the continuity of the business, IT security is an essential element of any organization's IT infrastructure. As IT professionals, being able to benchmark against our peers, assess a threat, or simply understand why a security project matters to the business is key. So I have created this list of 84 important, fascinating and, in some cases, quite honestly scary statistics and numbers to help you demonstrate the importance of having good security tools and processes in place, and to give you some insight into where the next great threat may come from. Bracketed numbers refer to the sources listed at the end.
Security Incidents & Breaches

• 71% were affected by a successful cyberattack in 2014, but only 52% expect to fall victim again in 2015. [1]
• Security incidents grew at a 66% CAGR. [9]
• Europe saw 41% more detected incidents compared to 2013. [9]
• Automotive firms report a 32% increase in detected incidents. [9]
• Security incidents soared 60% in healthcare. [9]
• Power and utility companies detected 527% more incidents in 2014 than in 2013. [9]
• Technology companies reported 17% fewer security incidents in 2014. [9]
• 21% of IS professionals report having been subject to an APT attack. [6]
• 66% of IS professionals feel it is likely that they will be subjected to an APT attack. [6]
• 12% of US healthcare organizations report at least one known case of medical identity theft reported by a patient in the prior 12 months. [5]
• 19% of US healthcare organizations report that they had a security breach in the last year. [5]
• 25% of respondents reported having either a case of medical identity theft or a security breach in the last 12 months. [5]
Cost of Security Breaches
• The average cost of a corporate data breach increased 15 percent in the last year to $3.5 million. [10]
• Security incidents caused downtime of more than 8 hours for 31% of impacted organizations. [9]
• The involvement of business continuity management reduced the cost of a data breach by an average of almost $9 per record. [10]
• 54% report that electronic crimes by outsiders were more costly or damaging. [4]
• Each lost or stolen record containing sensitive and confidential information costs a consolidated average of $145.10. [10]
• North America saw a 7% decrease in financial loss attributed to security events. [9]
• Companies in the U.S. and Germany paid the most, at $246 and $215 per compromised record, respectively. [10]
• Financial services organizations saw the financial losses from incidents jump 24%. [9]
• The cost of a security breach leapt 282% in healthcare. [9]
• Companies that said they have a strong security posture were able to reduce the cost by as much as $14 per record. [10]
IT Security Budgets
• 62% of IT security budgets are expected to rise in 2015. [1]
• 70% of respondents are spending more than 5% of their IT budgets on security. [1]
• The average 2014 information security budget in North America was $4.6M (up from $4.5M in 2013). [9]
• The average 2014 information security budget in South America was $3.5M (down from $4.6M in 2013). [9]
• The average 2014 information security budget in Europe was $3.4M (up from $3.0M in 2013). [9]
• Europe reports a 12% increase in security spending. [9]
• The average 2014 information security budget in Asia Pacific was $4.5M (down from $5.1M in 2013). [9]
• Information security represented 6.9% of industrial product companies' total IT budget. [9]
Attack Surface & Methods
• When looking at the number of breaches per asset category, servers have typically been on top (that is where the data is stored), but user devices have been growing over time. [2]
• Mobile devices (smartphones and tablets) are perceived as IT security's weakest link, closely followed by social media applications. [1]
• The majority of users (58%) operate 3-4 devices on a daily basis. [7]
• 59% of respondents experienced an increase in mobile threats over the past year. [1]
• 66% of sensitive data is stored on on-site servers. [8]
• 89% of US healthcare organizations make patient data available to patients, surrogates and/or designated others. [5]
• 43% of US healthcare organizations share data with patients via a health website or web portal. [5]
• 92% of IS professionals believe APTs represent a credible threat to national security and economic stability. [6]
• 92% of IS professionals believe that social network use increases the likelihood of a successful APT attack. [6]
• 88% of IS professionals think that BYOD combined with rooting or jailbreaking makes a successful APT attack more likely. [6]
• More than 1 in 4 IS professionals believe the highest risk from APTs is loss of personal information of employees or customers. [6]
• 63% of users admit to having forgotten a password, or had a password compromised, in their professional life. [7]
• 92% of 100,000 analyzed incidents can be categorized by just 9 basic patterns. [2]
• Countries in the Arabian region and Germany had more data breaches caused by malicious or criminal attacks. [10]
• India had the most data breaches caused by a system glitch or business process failure. [10]
Insider Threat
• Insiders / contractors are the most likely perpetrators of security incidents reported in South America. [9]
• 57% of respondents consider employees the most likely source of an attack. [3]
• The majority of employees perpetrated their acts while in the office, right under the noses of coworkers. [2]
• 72% of security incidents at financial services organizations involved a current or former employee. [9]
• Third parties with trusted access were responsible for 41% of the detected security incidents at financial services organizations. [9]
• 62% of security incidents at industrial product organizations involved a current or former employee. [9]
• 75% of insider intrusions are handled internally, without legal action or law enforcement. [4]
• Most crimes by trusted parties (insiders and privileged users) are perpetrated for financial or personal gain. [2]
• The two most common insider threat scenarios involve perpetrators taking data to start their own competing company (30%), or to help secure employment with a rival (65%). [2]
• In US healthcare the top 3 perceived threat motivators were workers snooping on relatives/friends (80%), financial identity theft (66%), and identity theft (51%). [5]
• Only 23% of respondents are confident their organizations have made adequate investments to monitor the activities of privileged users. [1]
Corporate Espionage, Activists, Hacktivists & Nation States
• Compromises attributed to competitors were highest in Asia Pacific. [9]
• Almost half (47%) of respondents from China point to competitors as the source of security incidents, higher than any other nation. [9]
• Automotive firms saw an 84% increase in security incidents from activists / hacktivists. [9]
• Attacks by nation-states jumped 80% at technology companies, perhaps explaining the increase in IP theft. [9]
Policies & Procedures
• One in three companies do not have a written information security policy (WISP). [8]
• 77% of organizations have a password policy or standard. [8]
• 59% of organizations have a user (privileged) access policy. [8]
• 46% of organizations have an incident response policy. [8]
• 34% of companies do not have a crisis response plan for a data breach or cyberattack event. [8]
• 49% of companies do not perform periodic "fire drills" to test IT security event response plans. [8]
• 54% of US healthcare provider IT & IS professionals have tested their data breach response plan. [5]
• 1 in 3 organizations do not have, or do not know if they have, third-party data access contracts / policies in place. [8]
• 77% of IS professionals have not updated agreements with third parties for protection against APTs. [6]
• Less than 40% of organizations conduct full-network active vulnerability scans more than once per quarter. [1]
• Only 20% of IT security professionals are confident their organizations have made adequate investments in educating users on how to avoid phishing attacks. [1]
Current IT Security Methods
• On average, US healthcare organizations have 11 types of technical security tools in place. [5]
• Nearly two thirds of organizations do not have well-defined and automated IAM programs. [3]
• 21% of US healthcare organizations are not using Disaster Recovery technology, of which 51.7% intend to purchase DR in the future. [5]
• 54% of US healthcare organizations do not have single sign-on implemented, of which 49.3% intend to purchase SSO in the future. [5]
• 60% of US healthcare organizations do not have two-factor authentication implemented. [5]
Current & Future Challenges / Concerns
• Phishing, malware, and zero-days give IT security the most headaches. [1]
• 56% of organizations say it is unlikely or highly unlikely that they would be able to detect a sophisticated attack. [3]
• Low security awareness among employees continues to be the greatest inhibitor to defending against cyberthreats, followed closely by lack of security budget. [1]
• The healthcare industry cites access control and identity management for end users as its top challenge. [9]
• 37% say that real-time insight on cyber risk is not available. [3]
• Attackers are getting better/faster at what they do at a higher rate than defenders are improving their trade. [2]
• Inadvertent exposure of confidential data is the top concern with SaaS-based file sharing applications. [1]
• BYOD initiatives are expected to nearly double in the coming year, from 30% to 59% of organizations. [1]
I am sure many of you are reading this asking, what about the number of records breached, or what about that study by Gartner or Forrester that stated…. If you have data points of interest, do drop them into a comment (with the source) and share them with us all. Every bit helps.
Sources
[1] 2015 Cyberthreat Defense Report, North America & Europe
[2] Verizon's 2014 Data Breach Investigations Report
[3] Get ahead of cybercrime. EY's Global Information Security Survey 2014
[4] CERT's 2014 U.S. State of Cybercrime Survey
[5] 6th Annual HIMSS Security Survey
[6] ISACA 2014 Advanced Persistent Threat Awareness Study
[7] Password Security Survey Results
[8] Bridging the Data Security Chasm. Assessing the Results of Protiviti's 2014 IT Security and Privacy Survey
[9] The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO
[10] Insurance Journal's Company Data Breach Now Costs $3.5M on Average