Cyber-security attacks against companies increased 48% last year but spending on information security actually fell 4% during the same period, with small companies in particular cutting their budgets, according to PwC in its latest Global State of Information Security Survey.
The drop in security spending followed three straight years of increases. Security budgets at companies with less than $100 million in revenue fell by an average of 20%, while at medium and large businesses they edged up by 5%.
“There is a misconception out there that the security spend is this colossal block,” David Burg, leader of cyber security at PwC, told the Financial Times. “But it really is not. A lot of executives don’t have that level of awareness.”
The survey, which polled almost 10,000 executives and IT directors, also found that regardless of company size, security spending as a percentage of total IT budget has stalled at 3.8% and shows no signs of increasing.
“The entire issue of cyber security is so daunting, particularly for small companies that don’t have the appropriately skilled people,” cyber security attorney Lisa Sotto told PwC.
Recent high-profile hacker attacks on Target, Home Depot and JPMorgan have highlighted the vulnerability of U.S. corporations. In 2013, PwC reports, the number of reported security incidents increased 48% to 42.8 million, the equivalent of almost 120,000 attacks a day, and the average cost of managing and mitigating breaches rose more than a third to $2.7 million per incident.
Nevertheless, the average information security budget declined this year to $4.1 million, from $4.3 million in 2013.
PwC suggested one explanation for the drop was that companies were hard-pressed to continue security investments at the accelerated pace of 2012 to 2013. Other variables could be a reluctance to increase spending during the economic recovery and strategic optimization of spending.
“I think we are heading toward a paradigm shift in the way we spend on information security,” a Brazilian information security officer told PwC, noting big spending projects that lock down all data are no longer viewed as effective.
As far as small companies, PwC said, the rising risks, coupled with an overabundance of security solutions, may have resulted in “analysis paralysis.”
Source: Financial Times Businesses spend less on cyber security despite rise in attacks