It feels as though every day brings new national headlines about a cyberattack, an alarming trend that has piqued the interest and deep concern of plenty of U.S. organizations in both the public and private sectors. The latest iteration of an annual report, the “2014 U.S. State of Cybercrime Survey” [PDF], shows that these growing concerns have not necessarily translated into developing and deploying the proper defensive capabilities for preventing the next cybercrime disaster.
The report, which was cosponsored by PricewaterhouseCoopers, CSO Magazine, the U.S. Secret Service and the CERT Division of the Software Engineering Institute at Carnegie Mellon University, covers survey data from more than 500 executives from U.S. businesses, law enforcement and government agencies. The analysis concludes that despite some important efforts to build better cybersecurity regimes, organizations are still lagging behind the bad guys in tactical skills and technological capabilities.
One of the weaknesses identified by the report is a lack of strategic investment in cybersecurity measures. A mere 38 percent of respondents to the survey said that they have a methodology to prioritize cybersecurity investments based on risk to the business. The report emphasized that smart spending based on industry, geography, key assets and other factors is essential—there are no one-size-fits-all strategies to protect an enterprise from cybercrime.
The lack of strategic investment is not due to a lack of awareness. Fifty-nine percent of respondents said they were more concerned about cybersecurity this year than in the past. More than three in four respondents detected a security event over the last year, and 34 percent said they detected more security incidents in the last 12 months than in the previous year.
The report discusses a range of threats and incidents, but places a special focus on insider threats. According to the survey data, 28 percent of respondents said they were attacked by insiders, and almost 32 percent said these insider attacks were more costly or damaging than those perpetrated from the outside.
Charles Beard, a principal at PwC who specializes in cyberissues, told CorpCounsel.com that there are two different kinds of insider threats that companies face today: actual contractors, partners or employees; and outsiders who “portray themselves as bona-fide insiders.” The outsiders can compromise the ID-management system at an organization and gain access to sensitive information.
It’s interesting to note that although organizations seem aware of the danger posed by insider threats, only 49 percent of those surveyed said they had a plan to respond to them.
The report also emphasized the importance of collaboration in the fight against online bad guys. It pointed to data from another cybersecurity survey indicating that 82 percent of companies with high-performing security practices collaborated with others to gain knowledge about security and threat trends. The report suggested that companies participate in Information Technology Information Sharing and Analysis Center (IT-ISAC) forums. “Those forums typically are very helpful, and I think they also demonstrate a reasonable approach for the company to sort of advance their own awareness about what the threat environment looks like,” said Beard.
Another tool in an organization’s potential cybersecurity arsenal is the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Cybersecurity Framework. The NIST framework identifies practical steps that organizations can take to upgrade their cybersecurity. “It allows for a common language from the board to the data-center floor, which I think is helpful,” explained Beard. The PwC report outlines the rate of adoption for each of the framework’s criteria. Here, organizations did much better in some areas than others. Some 81 percent, for example, included cyberrisks in their enterprise risk-management programs, while only 8 percent said they implemented supply-chain risk management.