Almost one-third of Irish organisations experienced between one and five large security breaches last year at an average cost of €41,875, but only 60pc say they’re partially ready to respond to an incident and have no specialist systems in place to detect when they occur.
The figures are from Deloitte’s first Irish Information Security and Cybercrime Survey. Launched this morning, the research is intended to be the first of an annual series for Ireland. To some extent it picks up the baton from the security professionals group ISSA Ireland and UCD, which released two cybercrime surveys in 2006 and 2008.
More than two-thirds of respondents (68pc) said they took no further action after discovering an internal or external breach. “That means they found an issue and decided to do nothing,” said Jared Carstensen, manager of Deloitte’s Enterprise Risk Services group.
The most common reaction to a breach is to amend security policies, 39pc of respondents said. However, the survey found just 46pc of organisations obtain signed acceptance from their users around security policies and standards.
The corollary is that more than half of Irish firms don’t ask their staff to adhere to a security policy, Carstensen said. “When it comes to policies, it means we’ve been doing this for years, and this survey says we’ve not been doing this well enough.”
Other findings include half of respondents saying they don’t plan to hire more IT security professionals despite increasing levels of cybercrime attacks.
Just 44pc of those polled said their board has an “average” understanding of information security risks. Colm McDonnell, a partner with Deloitte’s Enterprise Risk Services division, said information security and related activities are not always well aligned with risks as perceived by the business.
The survey is intended to help by putting a monetary figure on the extent of possible losses. “It’s important to have some business case benchmarking to support your case and educate the board,” McDonnell said.
At a briefing to launch the report, Carstensen said the 54pc of organisations claiming not to have experienced breaches in the past 12 months may not be an accurate reflection of what’s really happening. “That’s a statistic I would challenge … perhaps the mechanism wasn’t there to detect and report an incident,” he said.
What’s more, the estimated cost figure probably understates the issue as it doesn’t include lost data, damage to reputation or the man-hours involved in investigating and fixing a breach.
Dan Webb, a security adviser with EMC, pointed out that the investigation into the high-profile breach at its RSA subsidiary is still ongoing, some 15 months after the incident was first discovered in March 2011.
McDonnell said next year’s survey might take a different approach and look at the cost of an information breach as a percentage of an organisation’s revenue. This would make it easier for IT security professionals to make a case to senior management for more budget or bodies to tackle cybercrime problems.
Other research from Deloitte has found security spending in Ireland is “way down” when compared to global averages, McDonnell said. “In Ireland, there’s been a very low spend in this space, and the faltering economy has left us very far behind.”
That’s reflected in the survey, with just 20pc of organisations saying they invest in technology following a data-breach incident.
Deloitte polled more than 60 organisations in Ireland, comprising financial services firms, multinationals, public-sector agencies, manufacturing, IT and insurance companies.