The 2014 U.S. State of Cybercrime Survey, conducted by PwC, CSO magazine, CERT and the U.S. Secret Service, has been released. Perceptions of the risks cybercrime poses to business have shifted dramatically over the past few years.
The survey has revealed that while the number of cybercrime incidents and the monetary losses associated with them continue to rise, most U.S. organizations’ cybersecurity capabilities do not rival the persistence and technological skills of their adversaries. Only 38 percent of companies in the report claimed to have a methodology to prioritize security investments based on risk and impact to business strategy.
The report presents three general key findings regarding inadequate security policies and implementation by organizations:
Most organizations still fail to address employee and insider vulnerabilities
Most organizations do not assess the security practices of third-party partners and supply chains
Continued failure across more organizations to invest in cybersecurity and align it with overall business strategy
The report highlights 8 specific cybersecurity issues that businesses should be concerned about, along with an infographic illustrating which parts of the business are involved.
1. Spending with a misaligned strategy isn’t smart
Strategy should be linked to business objectives, with allocation of resources tied to risks.
38% prioritize security investments based on risk and impact to business
17% classify the business value of data
2. Business partners fly under the security radar
Recent contractor data leaks and payment card heists have proved that adversaries can and will infiltrate systems via third parties, but most organizations do not address third-party security.
44% have a process for evaluating third parties before launch of business operations
31% include security provisions in contracts with external vendors and suppliers
3. A missing link in the supply chain
Flow of data to supply chain partners continues to surge, yet they are not required to comply with privacy and security policies.
27% conduct incident-response planning with supply chain partners
8% have supply chain risk-management capability
4. Slow moves in mobile security
Mobile technologies and risks are proliferating but security efforts are not keeping up.
31% have a mobile security strategy
38% encrypt devices
36% employ mobile device management
5. Failing to assess for threats is risky business
Organizations typically include cyber risks in enterprise risk-management programs, but they do not regularly assess threats.
47% perform periodic risk assessments
24% have an objective third party assess their security program
6. It takes a team to beat a crook
External collaboration is critical to understanding today’s threats and improving cybersecurity, but most organizations don’t work with others.
25% participate in Information Sharing and Analysis Centers (ISACs)
15% work with public law enforcement agencies
7. Got suspicious employee behavior?
Cybersecurity incidents carried out by employees have serious impact, yet they are not addressed with the same rigor as external threats such as hackers.
49% have a formal plan for responding to insider events
75% handle insider incidents internally without involving legal action or law enforcement
8. Untrained employees drain revenue
Employee vulnerabilities are well known, but businesses do not train workers in good cybersecurity hygiene.
20% train on-site first responders to handle potential evidence
76% less is spent on security events when employees are trained, yet 54% do not provide security training for new hires
Image Source: PwC, CSO magazine, CIO magazine, The Global State of Information Security® Survey 2014, September 2013