While the number of cybercrime incidents and the monetary losses associated with them continue to rise, most U.S. organizations’ cybersecurity capabilities do not rival the persistence and technological skills of their cyber adversaries, according to a recent survey.
The survey looks at businesses in general, but banks should take heed, particularly in how it may relate to the third parties they contract with.
According to the report, only 38% of companies have a methodology to prioritize security investments based on risk and impact to business strategy. The survey is a collaborative effort with PwC, CSO magazine, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the U.S. Secret Service.
“Cyber criminals evolve their tactics very rapidly, and the repercussions of cybercrime are overwhelming for any single organization to combat alone. It’s imperative that private and public organizations collaborate to combat cybercrime and gain intelligence about security threats and how to respond to them. A united response will prove to be an indispensable tool in advancing the state of cybersecurity,” says David Burg, PwC’s Global and U.S. Advisory Cybersecurity Leader.
The U.S. Director of National Intelligence has ranked cybercrime as the top national security threat, higher than that of terrorism, espionage, and weapons of mass destruction. U.S. business leaders in particular are increasingly worried about cybercrime—much more than their global counterparts. PwC’s Annual Global CEO Survey 2014 found 69% of U.S. respondents reported they were worried about the impact of cyber threats to their growth prospects, compared with 49% of global CEOs.
The cybercrime survey finds that the average number of security incidents detected over the past year was 135 per organization. Fourteen percent of respondents reported that monetary losses attributed to cybercrime have increased. The actual costs, however, remain largely unknown as more than two-thirds (67%) of those who detected a security incident were not able to estimate the financial costs. Among those that could, the average annual monetary loss was projected to be $415,000.
The survey revealed the following key cybersecurity deficiencies:
- Most organizations do not take a strategic approach to cybersecurity spending.
- Organizations do not assess security capabilities of third-party providers.
- Supply chain risks are not understood or adequately assessed.
- Security for mobile devices is inadequate and has elevated risks.
- Cyber risks are not sufficiently assessed.
- Organizations do not collaborate to share intelligence on threats and responses.
- Insider threats are not sufficiently addressed.
- Employee training and awareness are very effective at deterring and responding to incidents, yet they are lacking at most organizations.
To combat these deficiencies, PwC recommends that organizations: invest in people and processes, in addition to technologies; hold third parties to the same or higher standards; assess risks associated with supply chain partners; ensure that mobile security practices keep pace with the adoption and use of mobile devices; perform cyber risk assessments regularly; take advantage of information sharing internally and externally to gain intelligence on fast-evolving cyber risks; develop threat-specific policies; and enhance training and create workforce messaging to boost cybersecurity awareness across the organization.
“Despite substantial investments in cybersecurity technologies, cyber criminals continue to find ways to circumvent these technologies in order to obtain sensitive information that they can monetize,” says Ed Lowery, special agent in charge, Criminal Investigative Division, U.S. Secret Service. “The increasing sophistication of cyber criminals and their ability to circumvent security technologies indicates the need for a radically different approach to cybersecurity: A balanced approach that, in addition to using effective cybersecurity technologies, develops the people, processes, and effective partnerships in order to strategically counter cybersecurity threats.”
This year, three in four (77%) respondents to the survey reported a security event in the past 12 months, and more than a third (34%) said the number of security incidents increased over the previous year. Additionally, 59% of respondents reported that they were more concerned about cybersecurity threats this year than they were the year before.
“There is a correlation between company size and how they confront important elements of cybersecurity,” says Bob Bragdon, vice president and publisher, CSO. “For larger companies, insiders remain the greatest risk for cybersecurity, while outsiders pose more of a risk for smaller companies. Large companies with over 1,000 employees have entire IT security departments, focused solely on these issues, compared to smaller businesses. Regardless of size, developing threat-specific policies that include detection, monitoring, analytics, and investigation for responding to insider threats is critical. However, experience breeds caution—the companies that have experienced a security event have developed more mature practices and become more cautious than those who have not.”
In particular, many recent payment-card heists have shown that threat actors are increasingly attempting to infiltrate systems via third parties, yet only 44% of companies have a process for evaluating third parties before the launch of business operations.
“Third-party and supply chain partners should be held to the same, if not higher, cybersecurity standard that companies set for themselves,” says Randy Trzeciak, technical manager of the Insider Threat Center at CERT. “In particular, compliance should be mandated in contracts. Carefully assessing risks associated with partners and determining incident response plans are also essential elements.”
“The severity of cyber threats will continue to intensify as threat actors evolve and sharpen their skills and techniques. If history—and responses to this survey—are a guide, more organizations will fall victim to more costly cybercrime in the coming year,” says Burg. “Organizations that take a strategic approach to cybersecurity spending can build a more effective cybersecurity practice, one that advances the ability to detect and quickly respond to incidents that are inevitable.”