The past year has been tough for enterprise security teams. Attacks like Petya and NotPetya suggest that the impact scale is increasing dramatically. The recent leak of government-developed malware and hoarded vulnerabilities has given cybercriminals greater capabilities. IT is struggling to keep pace with the flow of important security software patches and updates, and the continued adoption of new technologies like the internet of things (IoT) creates new vulnerabilities to contend with.
All this has driven many companies to do some soul searching about how they address cybercrime threats, according to a new survey from CSO. Its results provide insight into not only the nature and scope of the threats that U.S. businesses face, but exactly how those businesses are responding.
The 2017 U.S. State of Cybercrime survey is conducted annually by CSO in partnership with the US Secret Service and CERT at the Software Engineering Institute at Carnegie Mellon University. This year’s survey is sponsored by Forcepoint. Of the 510 respondents, 70 percent were at the vice president level or higher across all industries and the public sector, including the 35 percent in corporate management. The average IT security budget of the companies represented is $11 million.
Getting more serious about security
Security is getting more mindshare at the corporate level and more resources, even if in some cases the gains are incremental. Twenty percent of CSOs/CISOs now report to the board of directors on a monthly basis, up from 17 percent last year. Yet 61 percent of the boards still see security as an IT issue rather than a corporate governance issue. That number is barely down from last year’s 63 percent.
Companies are spending more on IT security, with an average budget increase of 7.5 percent. Ten percent of respondents reported an increase of more than 20 percent. The bulk of that money is being spent on new technologies (40 percent), but companies are paying for knowledge, too, in the form of audits and assessments (34 percent), adding new skills (33 percent), and knowledge sharing (15 percent). Respondents said they were investing in redesigning their cybersecurity strategy (25 percent) and processes (17 percent) as well.
Speaking of cybersecurity strategy, an amazing 35 percent of respondents said that a cyber response plan was not part of it. The good news is that 19 percent planned to implement a plan within the next year.
The greater emphasis on and investment in addressing threats has given companies more confidence in their security capabilities, even as they adopt new technologies such as mobile, cloud and IoT. Seventy-six percent believe they have the expertise to address those threats. This is despite a jump from 64 percent to 74 percent of those who say they are more concerned about security than they were a year ago.
Security events declining, but not the impact
Respondents estimated that the number of security events at their company dropped 8.2 percent in the past 12 months, from an average of about 161 to 148 incidents. Despite the drop in the number of events, 68 percent reported that their losses were the same or higher than the previous year. The number of businesses that experienced no losses dropped from 36 percent to 30 percent.
Although the overall number of events declined, events that resulted in a loss or damage rose. In the past 12 months, 14 percent of the respondents reported disruption to their own critical systems, up from 10 percent in the prior 12 months. Ten percent reported loss of confidential or proprietary information, a rise from 7 percent previously. Incidents that damaged a company’s reputation or caused disruption that affected customers and partners both fell to 4 percent each.
If you’ve been following cyberattack reports, the types of cybercrime on the rise will not surprise you. Thirty-six percent of respondents say they were impacted by a phishing attack, up from 26 percent the previous year. Ransomware attacks also rose, from 14 percent to 17 percent. Financial fraud jumped to 12 percent from 7 percent.
The State of Cybercrime survey results show that most companies are raising the bar in their efforts to prevent or minimize damage from attacks. They also reveal that too many companies are not keeping pace with the threat environment or their peers’ cybersecurity standards. They can catch up by focusing on the following:
- Accept that security is not just an IT issue. More CSOs/CISOs are reporting to boards of directors for a reason: An effective cybersecurity strategy starts at the top and should include all areas of the company. More frequent reporting on security issues to senior management and the formation of a risk committee that includes people from all areas of the company are good first steps.
- Invest in your security staff. This means making sure they have the resources and training to stay atop the latest threats. Participating in organizations that share knowledge of threats and their countermeasures is also important.
- Improve your visibility into threats. Outsider threats were seen as most damaging by 39 percent of the respondents. Once a breach by an outsider occurred, it took an average of about 92 days to detect it. It’s wise, then, to assess the effectiveness of your intrusion detection tools and processes.
- Develop an ongoing security awareness training program for employees. Twenty-eight percent of security incidents from insiders were the result of negligence or accident. Considering the rate at which attacks that depend on deception are evolving, employees need regular, ongoing training.
- Evaluate the cybersecurity capability of your supply chain and partners. Cybercriminals often target smaller companies as a way to access the data of the larger companies they do business with because they assume them to be softer targets. Make sure those companies aren’t the weak link in your system.
- Test, test and test again. Only a little more than half the respondents (53 percent) said they had a methodology to test the effectiveness of their security programs. Testing should be a given, and not just once a year. The threat landscape demands commitment to a regular testing schedule.