New Delhi: Even as Indian companies lose more money due to security breaches, enterprises have scaled down information security budgets by 17% in 2014 over the last year, PricewaterhouseCoopers LLP (PwC) said on Monday.

The average cost of a security incident for Indian companies has more than doubled from $194 (about Rs.11,902) in 2013 to $414 (about Rs.25,399) in 2014 and there has been a 20% increase in average losses as a consequence, the Global Information Security Survey 2014 said. On the other hand, Indian companies have reduced the average security spending from $4.8 million (Rs.294.5 million) in 2013 to $4 million (Rs.245.4 million) in 2014.

The survey is based on the responses from over 350 C-suite executives, vice-presidents and directors of IT (information technology) and information security, across 17 industries.

“Cyber security is no longer an issue that concerns only IT and security professionals. The impact has extended to the C-suite and boardroom. It is now a persistent business risk. Awareness and concern about such security incidents and threats are a priority for the consumers as well," said Sivarama Krishnan, executive director and leader, India Cyber Security, Governance Risk and Compliance Services. “At the heart of organisational security is the human parameter. Organisations in India need to increase engagement levels with employees to manage this better."

While employee and customer records continue to be the top targets of cyber attacks, insiders (current and former employees) remain the most common causes of incidents. “Compromise of customer records may interrupt smooth running of business, leave the organization exposed to legal action, result in loss of customers and may also damage the reputation of the organization," it said.

The lack of board-level involvement in key areas of security continues to be a major challenge for the Indian enterprises. Almost 37% of the respondents cited board-level leadership as an obstacle in enhancing overall strategic effectiveness of the organisation.

“The lack of leadership to set a clear direction for the overall information security strategy along with insufficient capital and operating expenditures represent the major areas of concern for organisations today," the survey said. “Only 49% respondents believe that their board is involved in defining the security budget; moreover, only 39% believe that their board actively participates in reviewing current security and privacy risks. It indicates that organisations have not elevated information security to a board level issue."