The cybersecurity programs currently operating in both the public and private sector in the United States are no match for their opponents in cybercrime, according to a new survey from PricewaterhouseCoopers (PwC).
“Today, common criminals, organized crime rings, and nation-states leverage sophisticated techniques to launch attacks that are highly targeted and very difficult to detect. Particularly worrisome are attacks by tremendously skilled threat actors that attempt to steal highly sensitive—and often very valuable—intellectual property, private communications, and other strategic assets and information,” stated PwC in its report, called “The U.S. State of Cybercrime.”
PwC highlighted recent attacks including the “most powerful” distributed denial of service (DDoS) assault ever encountered, as well as malware, phishing, network interruption, and spyware. Cybercriminals have begun to show cooperative tendencies that has increased frequency and effectiveness of attacks, the firm warned, citing congressional testimony from William Noonan, deputy special agent in charge for the U.S. Secret Service Criminal Investigative Division.
U.S. organizations, particularly those with excellent security practices, have begun collaborating with others to expand their knowledge of trends in cyber threats. Another recent PwC survey found that 82% of respondents are sharing their experiences with other security executives via such tools as the Information Sharing and Analysis Centers (ISACs) forums.
“The increasing level of collaboration among cyber criminals allows them to compartmentalize their operations, greatly increasing the sophistication of their criminal endeavors and allowing for development of expert specialization,” Noonan recently told a U.S. House of Representatives subcommittee. “These specialties raise the complexity of investigating these cases, as well as the level of potential harm to companies and individuals.”
Sixty-nine percent of the executives responding to PwC’s recent Global CEO Survey expressed concerns that cyber threats would negatively affect their business growth. Fifty-nine percent of respondents to the State of Cybercrime survey are more worried now than in the past – primarily because the possible costs of a security incident are hard to define.
“When we asked about monetary losses attributed to cybercrime, 14% of respondents reported losses have mounted in the past year—but the costs of these incidents remain largely unknown,” explained PwC. “That’s because more than two-thirds (67%) of those who detected a security incident were not able to estimate the financial costs. Among those that could, the average annual monetary loss was approximately $415,000.”
The average number of detected security incidents in 2013 was 135 per organization in the survey of 3,000 companies, according to the report. Additionally, there are likely to be many more intrusions that go unnoticed, PwC said.
While hackers tend to be the most significant source of breaches (72 percent), PwC found that inside jobs against companies, usually by current and former employees, service providers or contractors, do occur (28 percent) and can be even more problematic. Insiders typically know where to hit a company the hardest, presenting the risk of loss of proprietary information, reputational harm, system disruption and loss of revenue.
“Almost one-third (32%) say insider crimes are more costly or damaging than incidents perpetrated by outsiders,” said PwC. “The larger the business, the more likely it is to consider insiders a threat; larger businesses also are more likely to recognize that insider incidents can be more costly and damaging. Despite this, however, only 49% of all respondents have a plan for responding to insider threats.”
Additionally, only 31 percent of respondents said they address security provisions in contracts with vendors and suppliers.
Nation-states and organized crime rings are less likely to be the source of attacks (7 percent and 8 percent, respectively), but larger businesses usually worry more about loss of intellectual property to these risks, according to the survey.
Security experience across industries varies widely, the survey revealed. The insurance industry posted the highest response rate for zero security incidents at 38 percent. Government fared the worst, with only 16 percent of respondents reporting no incidents. Healthcare organizations followed insurance at 30 percent; information and telecom industries came in at 28 percent. Banking and finance reported no incidents at 20 percent of respondents, but also had the highest response rate (36 percent) for instances of financial fraud.
As with anything, PwC reported that experience with a security incident greatly awareness of and resources devoted to cybersecurity. Businesses in highly regulated industries also tend to have more established programs. The more an organization spends on security correlates directly to the number of incidents detected.
“This year, banking and finance respondents spent as much as $2,500 per employee (median) on cybersecurity, while retail and consumer products businesses invested up to $400 per employee (median) and education respondents invested a maximum of $200 per employee (median),” said PwC.
However, the survey recommended against simply throwing money at the problem, expecting it to evaporate. Instead, organizations should be evaluating their risk and spending strategically, as well as following the National Institute for Standards and Technology’s (NIST) cybersecurity framework, released in February. The report also emphasized the need for security awareness training for all employees.
“Organizations that take a strategic approach to cybersecurity spending can build a more effective cybersecurity practice, one that advances the ability to detect and quickly respond to incidents that are all but inevitable,” concluded PwC.