2015 State of Cybercrime: Enterprise fight is stuck in stall

Cybercrime awareness has hit an all-time high but it isn't necessarily translating to action

The year of cybercrime since our most recent US State of Cybercrime Survey has been nothing less than stunning.

There were the Home Depot and JP Morgan Chase data breaches, the Sony Pictures fiasco, and most recently the devastating breach at the US Office of Personnel Management (OPM) that appears to be worse than first believed.

In the face of such a series of events, it's no surprise that cybercrime awareness has hit an all-time high. What is surprising, however, is that after years of effort and attention to information security, most organizations' ability to respond to cyberattacks has stalled. That fact is just one of the notable takeaways from our 2015 US State of Cybercrime Survey of more than 500 respondents, including US business executives, law enforcement services, and government agencies. The survey is cosponsored by PwC, CSO, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the United States Secret Service.

According to this year's survey, the number of respondents who reported being more concerned about information security risks spiked to 76%, up from 59% in the same survey one year ago. CEOs also have taken notice, with PwC's most recent Annual Global CEO Survey revealing that 87% of CEOs in the US fear that cyber attacks could disrupt economic growth.

A loose alignment and dangerous lack of visibility

With information security such a pressing issue, why has there been a persistent discord between business leaders and information security teams when it comes to building more attack-resilient organizations? John Johnson, global security strategist at Moline, Ill.-based heavy equipment maker John Deere, says that more boards are, in fact, increasingly recognizing gaps in their security programs and are demanding higher visibility and maturity for security within their organizations. Despite this, however, internal challenges remain. At the top of the list is executive hierarchy and reporting structure. "The problem is, as long as security reports up through the CIO, these [security] changes may not be timely and effective," says Johnson.

"Some organizations get it and move the CISO out from under the CIO, or create a dotted line reporting structure to the CEO. Others are biding their time until they suffer a breach and then they have to truly elevate the [CISO] role," Johnson adds.

The security-business alignment is loose everywhere, or not even in place among a sizable number of respondents. This year's survey revealed that 26% of respondents said their CISO makes only one security presentation to their board annually, while 28% do not make any kind of cybersecurity presentation whatsoever.

That lack of unity and communication wouldn't fly with Jay Leek, chief information security officer at New York City-based private equity and asset management firm The Blackstone Group. "I'm a believer in transparency in how we run our security programs to the extent we can be transparent. Not everything's confidential. Our five principles are protect, trusted adviser, transparent, awareness, and measure," says Leek.

"Our job is to protect the firm but, more importantly, I'm a trusted adviser to the business leaders in this firm. That's because they need to make informed risk-based decisions and I need to be there to help advise them to make a better decision at the time when they need to make it. We do this in a very transparent way to drive greater awareness to the firm," he adds.

A big part of those efforts, explains Leek, is helping executives understand the differences among cybercrime, cyber espionage, the insider threat, and hacktivist-type organizations so they understand the motives behind each, and why the motive is important. "The new threat that we've seen surface over the past 18 to 24 months concerns destruction, retaliation, and disruption, not stealing anything. It's important to understand this because these threats don't have to get in and get out; they just have to get in," he says.

Kenneth Swick, independent security consultant and recent information security officer at Citigroup, says that understanding and level of education are crucial for CEOs and boards, and when poor alignment exists, effective organizational security is a nonstarter. "The desire for a secure environment must flow from the C-Suite to the rest of the organization," says Swick.

In addition to the challenges of aligning proper information risk management with the needs of business leadership, the survey found that enterprises have stalled in their ability to see what attacks are underway within their systems, while too many organizations (25%) still don't understand the nature of the impact these attacks have on their business. According to the study, 28% of respondents victimized by a cybercrime couldn't determine whether it was caused by internal or external attackers.

As might be expected, larger organizations, which presumably have more security resources in people and technology, detect more security breaches. The survey found that large enterprises spotted 31 times more incidents than their smaller counterparts.

How do enterprises and government agencies improve from here? Swick says it's time, finally, for organizations to get going in earnest on the very basics. They need to classify and prioritize their most business-critical assets, and put the tools in place to detect suspicious activity. Once that is complete, move out from the most critical business assets and throughout the organization as budget and resources allow. "This is a challenging area because it will take a lot of resources and potentially re-architecting your network to really do this right. You just can't walk into an environment and make this happen," he says.

Data breaches and budgets rise

While the number of respondents who have detected a security incident in the past 12 months has stalled at 79%, the average number of incidents detected per firm has increased 21% over the year before. The industries that suffered the largest jump in incidents this year include retail and consumer, education, government, and information and telecommunications.

Fortunately, all of the attention now being paid toward cybersecurity incidents is pushing security budgets up. In this year's survey, 45% of respondents reported that they have increased their budget this year over last.

The challenge going forward for those firms, says Ben Rothke, senior eGRC consultant at The Nettitude Group, is keeping that budget once security teams get the increase they need, and then building long-term sustainable results. "Security is a journey, not a destination. If you show you can be effective and also run security like a business, you should impress management and be able to get the budget you need," he says.

Johnson would likely agree, and also stresses that the CISO needs to be a leader who can align the technical aspects of information security with governance and business risk management metrics that executives and the board need to understand. For those who are not this mature, it's not going to improve overnight. "You can't boil the ocean and you can't ever reach 100% security. The threats change and all you can do is try to develop an aligned plan and work on the highest priorities first. [By capturing] metrics and revisiting this plan as the business environment, regulations and threats change, you will hopefully keep your program on track and show that you are being effective," says Johnson.
