Firms’ security programs lag cyber criminals’ prowess, says survey
Cyber criminals are staying one step ahead of corporations. Not only is the number of incidents increasing, but the price tag as well, according to the recently released 2014 US state of cybercrime survey by PwC, CSO magazine, the US Secret Service and the CERT division of the Software Engineering Institute at Carnegie Mellon University.
Nearly 80 percent of the 500 respondents, who included US executives, said they had detected security events within their organizations in the past 12 months. ‘We’re not talking about a handful of events. The average number was 135 per organization,’ says David Burg, PwC’s global and US advisory cybersecurity leader.
The cost of the attacks, he notes, is largely unknown because two-thirds of respondents said they were unable to estimate the financial costs. However, those who could said they spent $415,000 on average to remediate cybersecurity incidents. ‘We believe the actual costs are much higher, because businesses often do not assess the full range of activities necessary to remediate a security incident,’ says Burg.
In 2014, 6.3 percent of those surveyed estimated that it took $1 million or more to clean up the mess caused by cyber criminals, up from 1.6 percent of respondents who said so in 2013.
‘Businesses should understand that the risk of cyber attack is no longer an if but a when. They should assume they will be compromised by cyber adversaries,’ says Burg.
Another unwelcome revelation is that threats are often home grown. Twenty-eight percent of those surveyed said they had been compromised by insiders or trusted business partners, including current and former employees, service providers and contractors.
‘Insider threats are often not addressed, and that’s a potentially serious security lapse because almost one-third of those surveyed say insider crimes are more costly or damaging than incidents perpetrated by outsiders like hackers,’ says Burg. Significantly, only 49 percent of participants said they have a formal plan for responding to insider incidents.
Equally startling is that organizations are increasingly not taking legal action against insiders who commit or are responsible for cyber crimes. In 2014, 75 percent of survey participants said they didn’t pursue legal redress, dramatically higher than the 51 percent who said so the previous year.
For all that mobile devices have transformed the work world, only 31 percent of those surveyed said their companies have a mobile security strategy, down from 33 percent in 2013, and just 36 percent have deployed mobile device management solutions, which are key to securing a fleet of smartphones and tablets. What’s more, says Burg, only 38 percent of respondents said their organizations encrypt mobile devices, a critical part of ensuring mobile security.
‘While most organizations understand the vulnerabilities associated with mobile devices, they have not addressed these vulnerabilities, and that may increase the likelihood that cyber adversaries compromise data, systems and networks via attacks on employees’ mobile devices,’ says Burg.
The survey’s conclusions aren’t cause for hope, given that even as the risks and impacts of cyber crime keep rising, ‘cybersecurity programs of most US organizations do not rival the persistence, tactical skills, and technological prowess of today’s sophisticated cyber adversaries,’ he says.
To wage a real fight, corporations must:
• invest strategically in cyber security, starting with resources to identify and classify their most valuable information assets and by determining where high-value assets are located across the company’s ecosystem and who has access to them;
• address critical shortcomings, such as by strengthening their ability to ensure that third-party business partners and suppliers adhere to security policies;
• increase external collaboration on cybersecurity risks and responses with industry peers, law enforcement bodies and government agencies to boost intelligence on current threats and leading response tactics. A good place to start is by participating in industry Information Sharing and Analysis Centers (ISACs).
Companies must also enlist their boards’ help. ‘The board should ask IT and security leaders for ongoing updates on cybersecurity strategy, risk management, budgeting and privacy requirements’ and, if necessary, request help to understand new and evolving cybersecurity technologies, says Burg. ‘The board should ensure the organization has a chief security officer or chief information security officer to oversee the security program.’
Burg isn’t optimistic. ‘It’s very likely the number of detected security incidents will continue to rise, as will the cost to remediate them. Cyber security threats will continue to evolve and adversaries will become increasingly more sophisticated.’