October: A month to measure cyber defenses

This month marks the 12th annual National Cyber Security Awareness month, officially proclaimed by President Obama and led by the National Cyber Security Alliance and the Department of Homeland Security.

As usual on such occasions, a plethora of studies about how aware Americans are about cyber security come out. Unfortunately, and as usual, the news is not good.

The only encouraging data show that financial services, including banks, have ramped up their cyber defenses and abilities to deal with breaches. The majority of data indicate that banks’ customers, both commercial and retail, fail miserably.

Reading the sad roll of exposure

Here’s a quick rundown of said studies:

Kaspersky Lab—In September the company did an online test of more than 18,000 people who make payments or bank online. It found that only 51% check if a website is authentic before entering their financial details, and 29% do not take any precautions while making an online purchase.

“These figures reinforce what has long been observed—many users still are not only endangering themselves and their money but also the banking and payment system businesses they use,” says Ross Hogan, global head of the Fraud Prevention Division at Kaspersky Lab.

AT&T—Its research estimates that businesses suffered nearly 43 million known security incidents in 2014, up 48% from the year before. Nevertheless, it found that nearly 75% of businesses do not involve their full board of directors in cyber security oversight, and that roughly 78% of all employees do not follow the security policies set forth by their employer.

“Every company either has been breached or will be breached,” says Ralph de la Vega, president and CEO, AT&T Mobile and Business Solutions. “Keeping a business protected should be a company-wide priority. Every employee, contractor, and administrator is responsible for keeping security top of mind.”

DomainTools—A survey by this cyber threat intelligence company sponsored by Osterman Research Inc. found that 23% of corporations surveyed had no insight on which channel a breach occurred, and nearly 50% do not currently have a threat intelligence solution.

TransUnion—Roughly half of all millennials say they are extremely or very concerned about cyber crime, but 86% admit storing bank account information on their phones, and 84% check financial accounts while connected to public wi-fi. Nearly two thirds of millennials report not locking their devices with passwords. Baby boomers do a little better—while only a third say they are concerned about identity theft, at least half take basic precautions to protect themselves, such as not storing credentials on mobile devices or checking financial accounts on unprotected wi-fi.

“Cybercriminals don’t care about your age; they just want access to your identity and credit,” says Ken Chaplin, senior vice-president at TransUnion.

Marsh—Less than one third of companies responding to this insurance brokerage’s poll said their key stakeholders have been identified and understand their roles regarding cyber risk. Such stakeholders include: board, CEO, vendors, operations, customers, CFO, communications, legal, human resources, compliance, IT, and risk manager.

“The results are another red flag, signaling that many companies have yet to develop a comprehensive cyber risk management strategy,” the study concludes.

Protiviti—One in three companies still lacks policies for its information security, data encryption, and data classification, according to its latest survey.

“Companies appear intent on addressing data security issues, but are these intentions translating into effective policies and actions to secure organizations’ most valuable data? The results are mixed, at best,” says Cal Slemp, managing director at Protiviti.

More voices will add to solutions

It’s still early in this cyber security awareness month so, no doubt, more such gloomy surveys will emerge. Make no mistake: this is an excellent bandwagon to jump on. The more awareness, the better.

“While NCSA and its many partners work year round to create awareness around the safe and secure use of the internet, National Cyber Security Awareness Month unites everyone in a concentrated effort to promote a culture of cyber security in everything we do,” says Jacqueline Beauchere, chief online safety officer of Microsoft and chair of NCSA’s board of directors.

And there are less gloomy statistics to report. NCSA’s own, global survey finds that 82% of young adults believe that keeping the internet safe and secure is a shared responsibility.

For that matter, the Financial Services Roundtable, along with the Georgia Tech Information Security Center, Palo Alto Networks, and Forbes, solicited responses from board members or senior level representatives from Forbes Global 2000 companies. It found that cyber security is now a boardroom-level issue for 63% of these companies, up from 33% when last polled in 2012.

The study also found that the financial services industry is one of the leaders in such improvements, going up to 64%, from 38% in 2012.

The report “clearly reflects a sea change from the attention boards were paying to cyber security issues in the 2008, 2010, and 2012 surveys,” says Jody Westby, author of the series of reports. “This report shows that, for the first time, directors and officers understand they have a fiduciary duty to protect the digital assets of their companies and are paying more than cursory attention to cyber risks; it is a welcome change that will help protect shareholders and customers.”

In another example about how corporate America is starting to take cyber security more seriously, CTIA—The Wireless Association announced an update to what’s known in that industry as the Smartphone Anti-Theft Voluntary Commitment, signed on to by network operators, device manufacturers, and operating system companies.

This pledge already had encouraged free preloading of baseline anti-theft tools on wireless devices, and applies to devices manufactured after July 2015. The update adds that, for devices manufactured after July 2016, authorized users will have available an option to enable or disable the anti-theft solution at any time that the smartphone is connected.

Banking trades and banks tackle cyber risk

The banking industry, of course, is all over National Cyber Security Awareness Month.

“Now, more than ever, consumers must remain alert to the possibility of their personal credit and financial security being compromised,” says ICBA Chairman Jack Hartings, president and CEO, The Peoples Bank Co, Coldwater, Ohio. “Community banks often serve as the first line of defense in ensuring their customers’ financial information is not being used improperly.”

ABA, as well, announced it will offer a series of consumer tips throughout the month to promote online safety awareness.

And OCC encourages banks and thrifts to discuss cyber attacks when they occur, not only with their regulators and law enforcement, but through the industry by participating in the Financial Services Information Sharing and Analysis Center.

“Such collaborative communication protects the safety and soundness of the individual institution and the broader federal banking system,” says Comptroller of the Currency Thomas Curry.

So, as usual, there is gloom and doom to report. Hopefully, though, maybe—just maybe—progress might be seen in the cyber war.

Sources used for this article include:

ABA Offers Resources For Cybersecurity Awareness Month

Are Your CEO And Board Ready? AT&T'S Cybersecurity Insights Report Helps Executives Prepare For Cyber Attacks

CTIA And Participating Wireless Companies Announce New Effort To Help Consumers Combat Stolen Smartphones And Protect Personal Information

New Cybersecurity Research Underscores Dangerous Gaps In Awareness Of Cyber-Threats For Enterprises

FSR, Palo Alto Networks & Forbes-Supported Study Finds Dramatic Increase In Corporate Boards Addressing Cyber Risks

ICBA Encourages Consumers To Protect Their Data During Cyber Security Awareness Month

Nearly A Third Of Users Do Nothing To Protect Online Payments

Have You Identified All Of Your Cyber Risk Stakeholders?

National Cyber Security Awareness Month Kicks Off As Growing Global Coalition Urges Internet Users Everywhere To STOP. THINK. CONNECT.

OCC Highlights National Cybersecurity Awareness Month

One in Three Companies Lack Policies for Information Security, Data Encryption and Classification, According to Protiviti’s 2015 IT Security and Privacy Survey

Cyber Slackers: Millennials Lax With Cyber Security