Despite a year of highly public and destructive cyberattacks, few organizations’ cybersecurity policies and processes are providing better protection than a year ago, according to a joint public and private study.
Significantly, the research found that the industries that have been most targeted by cyber criminals—including banking and finance—have been most likely to have boosted their cybersecurity defenses.
More than 500 executives from U.S. businesses, law enforcement services, and government agencies share their views in the 2015 U.S. State of Cybercrime Survey. The survey was a collaborative effort among PwC; CSO (an information community for chief security officers); the U.S. Secret Service; and the Software Engineering Institute CERT Division at Carnegie Mellon University. [CERT stands for “computer emergency response team.”]
Big jump in incidents
In this year’s survey, a record 79% of respondents said they detected a security incident in the past 12 months. On average, respondents reported 163 security incidents per organization in the last 12 months, an increase from 135 the year before. Because many incidents go undetected, the real number is likely higher. Large organizations (those with 10,000 or more employees) detected 31 times more incidents than small organizations (fewer than 1,000 employees).
“2015 has been a watershed year for cyber crime. Headlines in 2015 make it clear that the threat is increasing, yet much more must be done to stem losses and damages,” says David Burg, global and U.S. cybersecurity leader, PwC. “High profile incidents teach us over and over again that no system is immune—and that speed to identify and respond is of the essence when it comes to combatting cyber threats and reducing the risk and associated damages.”
Nearly half (45%) of respondents said they increased information security spending over the year before. Respondents also indicated that industries that have been impacted by high-profile cyberattacks—including retail and consumer products, banking and finance, healthcare, and government—were more likely to have significantly boosted information security investments.
Yet Burg adds that keeping pace with today’s sophisticated adversaries is not simply a matter of hiking cybersecurity spending.
“Results of this year’s survey highlight opportunities and potential for information sharing across industries and regions,” says Burg. “Greater transparency and visibility into the threat landscape can lead to more action from corporate boards, rapid and informed decision-making, appropriate investments in spend and resources, and greater agility when responding to threats.”
As security incidents have risen in frequency, so too has the level of concern about potential cybersecurity incidents, which increased considerably. Seventy-six percent of respondents said they were more concerned about cyber risks, up from 59% the prior year. Given the increased focus on preventing cyber crime, one would expect incidents to decline, or at least to see improvement in certain areas such as the assessment of financial damages. However, 69% of enterprise organizations (those with 1,000-plus employees) still could not estimate the financial impact after detecting a security incident.
More collaboration needed
According to the survey data, one other noticeable area for improvement is the amount of collaboration between security professionals in the industry. Only 25% of respondents said they were involved in industry-specific Information Sharing and Analysis Centers (ISACs), virtually the same as the year before. [This would include the Financial Services ISAC.]
“One of the key takeaways from this year’s survey is the increased involvement from the government as a result of the continued climbing number of cyberattacks combined with organizations not moving to protect themselves fast enough,” says Bob Bragdon, vice-president and publisher, CSO. “With both government pressure and regulation, as well as the increased oversight by companies’ boards of directors, businesses have the opportunity to become much more collaborative in sharing information and raising the security protection standard even as cyber criminals continue to evolve and adapt quicker than organizations.”
The most frequently cited types of compromise are crimes committed by external threat actors, those who are not employees or third-party partners with trusted access to networks and data. Nearly one third (31%) of respondents said they had experienced a phishing attack in 2014. Distributed denial of service (DDoS) attacks are becoming increasingly potent and are one of the most frequent types of cybersecurity incidents, cited by 18% of survey respondents. Ransomware, a comparatively new type of cybercrime, is also becoming more sophisticated and commonplace.
“Over the past year, the Secret Service saw an increase in cyber-related activity involving capable networks of transnational criminals targeting U.S. citizens and financial institutions,” says Stuart Tryon, special agent in charge of the Criminal Investigative Division, Secret Service. “Currently, subjects in Eastern Europe control many of the internet web sites buying and selling illicitly obtained credit card data. The public and private sectors must continue to work collaboratively to share cybersecurity indicators and partner to conduct investigations in order to deter, disrupt and dismantle cybercrime networks.”
Focus on third party risks
Due diligence of the security capabilities and practices of third parties has emerged as a core requirement in the past year, in part because of prominent breaches that began with attacks on business partners. This year, 62% of respondents said they evaluate the security risks of third-party partners and 57% said they do so for contractors, while only 42% of respondents consider supplier risks. Surprisingly, almost one in five (19%) of CEOs, COOs, and CFOs said they were not at all worried about any kind of supply chain risk. What’s more, only 16% of respondents said they evaluate third parties’ cybersecurity more than once a year—and 23% do not evaluate third-party security at all.
Cyberthreats are one of the most significant business risks facing organizations today. Despite the increase in both incidents and risks, only 30% of respondents said their chief information security officer (CISO) or chief security officer (CSO) makes quarterly security presentations to the board. One in four (26%) said their senior security executive presents once a year—and 28% said security leaders make no presentations at all.
Board oversight lagging
The National Association of Corporate Directors recommends oversight be a function of the full board. Yet, 30% of respondents said no board committee or members are engaged in cyber risks. At the other end of the spectrum, only 25% of respondents said their full board is involved in cyber risks.
As boards of directors are held accountable, it is necessary to treat cybersecurity as an overarching corporate risk issue rather than simply an IT risk. Many have yet to adopt this approach, however. Almost half (49%) of boards view cybersecurity as an IT risk, while 42% see cybersecurity through the lens of corporate governance.
“If an organization’s management—including boards of directors, senior executives, and all managers—does not establish and reinforce the business need for effective enterprise security, the organization’s desired state of security will not be articulated, achieved, or sustained,” says Julia Allen, a principal researcher on the CERT cyber risk management team. “To achieve a sustainable capability, organizations must make enterprise security the responsibility of leaders at a governance level, not of other organizational roles that lack the authority, accountability, and resources to act and enforce compliance.”
Given the finding that most boards do not see cybersecurity as a governance issue, PwC, CSO, the U.S. Secret Service, and the Software Engineering Institute CERT Division outlined seven reasons why cybersecurity must be considered a board governance issue:
• The impact of cybersecurity is systemic. Incidents can impact an organization’s global operations even when a risk point is thousands of miles away.
• The financial impact can be significant and include costly class-action lawsuits.
• As regulations evolve, compliance is becoming more challenging and increasingly costly.
• The Internet of Things has brought new threats that can cause extreme risks and tremendous physical damage.
• Cybersecurity insurance should be considered as a regulatory hedge against cyber risks. A risk committee should ask questions regarding coverage for directors’ and officers’ liability, commercial general liability prior acts, and property and casualty insurance.
• Adversaries such as nation-states and organized crime are working together to attack organizations for objectives like economic sabotage, theft of trade secrets, money laundering, terrorism, and military and intelligence operations.
• Cyberattacks can result in substantial financial losses and damage brand reputation by disrupting an organization’s strategic objectives, such as a planned merger or acquisition, the launch of a new product, or a business deal with a potential customer.