The U.S. state of cybercrime takes another step back

When it comes to cybercrime, it seems no enterprise goes unscathed. There are more breaches happening, the associated costs are rising, and business leadership grows increasingly concerned that information security remains a challenge that is out of control. Those are the headline findings of the 2014 U.S. State of Cybercrime Survey, an annual survey by CSO Magazine with help from the U.S. Secret Service, the Software Engineering Institute at Carnegie Mellon University, and PwC.

The 12th survey of cybercrime trends, released this week, found on average, the number of security incidents detected by enterprises reached 135 per organization. Unfortunately, more than two thirds of organizations that detected breaches are unable to place a cost on the incidents, and for those that could the average loss totaled $415,000.

"Despite substantial investments in cybersecurity technologies, cyber criminals continue to find ways to circumvent these technologies in order to obtain sensitive information that they can monetize," said Ed Lowery, special agent in charge, criminal investigative division, at the U.S. Secret Service in a release.

Bob Bragdon, vice president and publisher, CSO says things are getting worse despite efforts in the right direction. "Things continue to get worse despite the investment in people, processes and technologies to counter cyber threats," he says. Bragdon cites the fact that companies still do not strategically invest in security, so that they are protecting their most valuable assets, such as intellectual property and trade secrets.

[Related: The sorry state of cybercrime]

Another challenge: security isn't keeping up with tech innovation. "Cybersecurity for disruptive technologies remains inadequate when considering Bring Your Own Device (BYOD), cloud, Software Defined Networking (SDN) are always put it in place first and then secured later," Bragdon says.

The survey identified eight common deficiencies, where spending and efforts do lag:

" Most organizations do not take a strategic approach to cybersecurity spending.

" Organizations do not assess security capabilities of third-party providers.

" Supply chain risks are not understood or adequately assessed

" Security for mobile devices is inadequate and has elevated risks

" Cyber risks are not sufficiently assessed

" Organizations do not collaborate to share intelligence on threats and responses

" Insider threats are not sufficiently addressed

" Employee training and awareness is very effective at deterring and responding to incidents, yet it is lacking at most organizations.

The survey also found more than a third said that the number of security incidents detected increased over the previous year. So it's no surprise that more than 59% of respondents said that they were more concerned about cybersecurity threats this year than in the past. CEOs are certainly concerned. PwC's Annual Global CEO Survey 2014 found 69% of US respondents worried about the impact of cyber threats to their growth. Costs to Target, for instance, could go well into the hundreds of millions, with some estimates over $1 billion. Final costs won't be tallied until the lawsuits are done, to be sure, and it's unclear how much cyber security insurance will ultimately cover.

[2013 results detailed in Why business is losing the war against cybercrime]

One of the findings of the survey is that enterprises don't share enough intelligence on threats and responses. That may be starting to change, at least in the retail sector. Following numerous high-profile attacks, the retail industry is now looking at ways to effectively share cyber security information, including the establishment of a Merchant and Retail Industry Information Sharing and Analysis Center (ISAC). Essentially, ISACs provide a way to gather and share information about attacks and attack trends that target a particular industry. There are many ISACs already in place, primarily in the critical infrastructures including power, water, financial services and more than a dozen others.

"Working in the financial sector I see the value of ISACs," says Ken Swick, technical information security officer at Citi Group. The types of threats one sector may be worried about can be different from another. By sharing this information between peers it allows for potentially proactive measures that can be taken before more institutions see a threat," Swick says.

While average number of security incidents detected was 135 per organization, this does not account for incidents that go undetected, a potentially significant number given the 3,000 companies mentioned above that were unaware of cyber intrusions until notified by the FBI. Why such a poor showing? Because many enterprises aren't running mature information security programs, many agree.

"Primarily, they are just running compliance programs," says Javvad Malik, security Analyst at The 451 Group.

Bragdon agrees, and says "compliance-based security programs will not deliver effective cybersecurity, particularly in the post-perimeter enterprise, but businesses continue to focus on compliance."

Not surprisingly, organizations that suffered a breach take their security programs more seriously, are also more likely to have an information security department that is in charge of responding to incidents. The study also found that large organizations are more apt to use up-to-date security controls, such as malware analysis, threat subscription services, and threat modeling to address overall cybersecurity risks. Is there room for hope of improvement in the immediate future? Not a lot.

"I am hopeful that the level of awareness driven to the Board and senior management by the likes of Target and the initiatives of the World Economic Forum will lock the concerns of cyber risk into the operating environment of most businesses. But as an old boss of mine was fond of saying, hope is for children,' " Bragdon says.

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationssoftwaredata protection

More about Carnegie Mellon University AustraliaCSOFBIMellonPricewaterhouseCoopers

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by George V. Hulme

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place