Yet, Nearly Half Say They Haven’t Invested in Information Security in the Past Year
Cyber security remains a critical business challenge and a growing concern with a potentially devastating impact on company brands and bottom lines. Despite these damaging ramifications, many cybersecurity executives indicate that information protection may not be the strategic corporate imperative that it should be, according to a newly released report, the “Consumer Loss Barometer” by KPMG LLP, the audit, tax and advisory firm.
To view the report and videos, visit www.kpmg.com/us/consumerlossbarometer
In surveying 403 CIOs, CISOs, CTOs and CSOs in the automotive, banking, technology and retail sectors, KPMG found that 81 percent of executives admitted their companies had been compromised by cyber-attacks in the past 24 months, ranging from malware and botnets to other attack vectors. Retail cyber executives reported the most breaches in the past 24 months, with 89% reporting yes, followed by automotive at 85% and banking and technology companies at 76%.
Despite these alarming admissions, fewer than half (49%) of these same executives said they have invested in information security in the past year. Banks appear to be most proactive when it comes to investments in information security, with 66% of execs reporting investments made, followed by technology at 62%, retail at 45% and automotive at 32%.
“Cyber-attacks are affecting nearly every single company we encounter, but we’re not seeing those attacks drive enough proactive business action as evidenced by the rate of investment made in information security,” said Greg Bell, KPMG Cyber US Leader. “We’re still seeing companies taking a passive or reactive approach toward cybersecurity, when in fact cyber should be a top-line business issue thought about and practiced company-wide.”
The report also found that some industries are more equipped to handle cyber-attacks because they have an executive whose sole responsibility is information security. Industry-wide, 69% of companies reported having a leader in place. However, there is a vast discrepancy: 85% of both banks and technology companies reported having a leader, with retail and automotive lagging at 58% and 45% respectively.
“There is a cyber-awareness maturity curve for industries that have been providing Internet-enabled products and services for longer periods of time, versus relatively new products like personalized shopping and connected cars,” said Bell. “Hackers go after the weakest systems, not often the most traditionally lucrative like banks. However, as products evolve to use more connectivity and data, companies can’t afford to get this wrong and let the maturity model hold them back.”
Security executives acknowledged the ramifications of a breach, citing reputation (53%), financial loss (50%) and job security (49%) as the top concerns associated with falling victim to cyber-attacks.
Bell added, “Consumers have so many options, so there isn’t much patience or loyalty for a company that is lax in its security.”
The Consumer Loss Barometer, a survey and report of 750 consumers and 403 CIOs, CISOs, CTOs and CSOs, details how consumers of internet-enabled services would react in the event of a hack against key consumer industries (Financial Services, Technology, Automotive and Retail). The consumer data was then matched up to the reactions of the cybersecurity executives across those identified industries on how each is preparing for cyber-attacks.
© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.