According to PricewaterhouseCoopers (PwC), telecom executives are “overconfident in the effectiveness of their information security practices.” That’s the interpretation of the data from the 2012 Global State of Information Security Survey, which gathered the responses of more than 640 respondents in the telecommunications industry.
The survey was conducted by PwC, CIO Magazine and CSO Magazine reached more than 9,600 execs from 138 countries. 647 of the more than 9,600 respondents identified themselves as members of the telecommunications industry.
The results of the survey are a bit mixed. On the one hand, respondents reported increased efforts to deal with security issues. In 2010, the same survey showed that 24% of the respondents didn’t know how many security incidents occurred in the past year. In 2011, that was down to 8%. According to the survey, financial losses due to security breaches are down 28%.
In 2011, 84% of telecom companies are deploying tools to detect malicious code, up from 73% in 2010. This year, 66% of respondents report using intrusion-detection tools – up from 56% last year. In virtually every category, the security safeguards being deployed have been beefed up. If respondents are to be believed, telecoms are taking security more seriously this year.
Overconfidence
Despite increased attention, PwC’s Mark Lobel says that companies are overconfident. Why? There’s a drastic increase in security incidents reported this year as well. In 2007, 25% of the respondents reported between one and nine incidents. Fast-forward to 2011, and that jumps to 45%. In 2007, only 5% reported 50 or more incidents – in 2011 it leaps to 15% reporting 50 or more security events.
System exploits are up 36% year over year. Network exploits are up 13% compared with 2010, and “human” exploits (social engineering) is up by 35%.
Surprisingly, disgruntled employees and ex-employees are not the biggest source of attacks. In fact, employees attacks have dropped by 3% according to the survey, and ex-employee incidents are only up by 4%. What’s drastically up are attacks by “hackers” (22%) and partners/suppliers (36%).
Even though Lobel says that telecoms are overconfident, the situation is improving. In 2009, Lobel says that 87% of respondents were “confident” or “very confident” that their security activities were effective. This year, it’s down to three out of four (75%).
How can these folks justify their confidence levels? Lobel says ongoing regular testing is the key. How often do you test, and what kind of monitoring controls do you have in place? The more frequent the testing, the more confidence is warranted. Bi-annual or annual testing is not enough.
For more on the PwC study, check out the survey data online.
