“It’s been a watershed year for cybercrime,” explains PricewaterhouseCoopers LLP in its 2015 report analyzing data from 500 executives across US businesses, law enforcement and government agencies. The survey and report, co-sponsored by PwC, CSO, Carnegie Mellon University and the United States Secret Service, provide a comprehensive analysis of trends in cybercrime and cyberthreats, as well as security spending and the overall management of these growing business risks.
This year, a record 79 percent of respondents detected a security incident during the past 12 months, and the actual number is likely even higher, since many incidents remain undetected. The report identifies a number of trends in seven key areas, briefly summarized below. Overall it indicates that while cybersecurity risks continue to increase, businesses and organizations must remain proactive and vigilant across a number of fronts to defend themselves in this new age of cyberwarfare.
- Cyberattacks are becoming more destructive: 1 billion data records were compromised last year, and attacks are becoming increasingly public and prominent; the New York Times devoted over 700 articles to data breaches, compared to 125 articles the previous year. Not only will the number of attacks continue to rise, the report concludes, but so will their sophistication and variety: “As motives and means continue to evolve, so do the methods of attack.” The report singles out “ransomware” as a new type of cybercrime, with 13 percent of respondents indicating they were victimized by attackers demanding a “ransom” for stolen data.
- Large companies and retailers boost security spending: One positive result identified by the report is increased spending on cybersecurity measures by large firms. Larger businesses are more likely to spend considerably more and to have more mature security practices, the result of consistent investment over a span of years.
- Boards are concerned, but not always engaged: 28 percent of respondents indicated that the organization’s Chief Information Security Officer (CISO) or Chief Security Officer (CSO) makes no regular data security presentations to its Board of Directors, while 26 percent have annual presentations and 30 percent quarterly. The report concludes these “statistics are alarming when viewed through a post-breach lens,” and may “lead regulators and plaintiff’s counsel to conclude the operational risk lacked preventive and detective controls that…the Board is responsible for monitoring.”
- Information sharing is front and center: Over 40 percent of cyberattacks hit the “second organization” in less than one hour, and 75 percent spread from victim to victim within 24 hours. Timely sharing of information is therefore vital, and President Obama’s February 2015 executive order calling for the creation of Information Sharing and Analysis Organizations (ISAOs) is “fueling the discussion” about information sharing as a tool to identify threats, allow rapid notification, and encourage informed decision-making by partners joined against a common enemy, the cyberattacker. Even so, only 25 percent of respondents reported participation in any industry-specific Information Sharing and Analysis Center (ISAC). The report concludes that the benefits of ISAOs over ISACs may increase participation, and that a unified framework platform and common data standards will help move the process along.
- Lopsided investment in technology: While 47 percent of respondents identified adding new technology as a spending priority, only 15 percent prioritized redesigning processes, and 33 percent adding new skills and capabilities. The report suggests that such “lopsided” investment neglects the critical component of employee training and awareness in any security program. Indeed, only 50 percent of respondents conduct periodic security awareness and training programs. Despite significantly increased security spending, the report concludes that organizations “implementing technologies without updating processes and providing employee training” are unlikely to realize the full value of that spending.
- Third-party risks are not adequately addressed: As previously explained, a cybersecurity program is only as strong as its weakest link, which includes not only uneducated employees but also third-party vendors, contractors, suppliers, procured services and non-security software. The report explains that, in the wake of “high-profile breaches that began with attacks on the systems of business partners,” regulators in the financial services industry are leading the charge on assessing third-party security, including through the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool for identifying and managing such risks. Survey results indicated that only 62 percent of respondents evaluate the security risks of third-party partners and, more surprisingly, that 19 percent of CEOs, CFOs and COOs “are not at all worried about any kind of supply-chain risk.”
- The strategic role of the CISO: Results indicate that the role of the Chief Information Security Officer continues “to evolve as cybercrime becomes a more prominent enterprise-wide risk,” and that the CISO’s place in an organization’s structure may depend on a range of factors, most obviously company size, but should adapt to the growing responsibilities of a comprehensive cybersecurity program. Regardless of structure, the report concludes that the CISO “should be a general manager” with “expertise not only in security but also risk management, corporate governance, and communications.”