Cybercrime is on the rise, and most organizations remain unsuccessful at thwarting the attacks, according to the latest cybercrime survey.
Organizations have made little progress developing defenses against both internal and external attackers, according to the 2013 State of Cybercrime Survey from PwC and CSO Magazine released Thursday. More worryingly, organizations seem unaware of the potential fallout from insider crimes.
Organizations are misjudging the severity of risks they face from a financial, reputational, and regulatory perspective. Attacks are on the rise partly because organizations now have a bigger attack surface, a natural consequence of doing business in a more interconnected and interdependent landscape. While public perception tends to focus on the headlines focusing on successful attacks from nation-states, insiders pose just as great a security risk to organizations, according to the survey.
"The potential threat from insiders cannot be underestimated or dismissed as inconsequential," said Ed Lowry, Special Agent in Charge at the U.S. Secret Service's Criminal Investigative Division.
Respondents were just as likely to say insider crimes would cause more damage to the organizations as external attacks. In fact, a few more respondents were concerned about internal attacks, at 34 percent, than those worried about external attacks, at 31 percent, according to the study.
Insiders aren't always malicious. As the survey found, twice as many respondents acknowledged that "non-malicious insiders" caused more sensitive data loss than malicious inside actors. A good example of non-malicious insiders is the employee who accidentally lost an unencrypted USB drive or laptop containing sensitive data.
"One of the key elements in defending against insider attacks is employee training and awareness," said David Burg, a principal consultant in PwC's U.S. Advisory practice focused on cyber-security.
The survey also found that 17 percent of respondents who had suffered an insider attack did not know what the consequences were for the incident. About a third had no formalized insider threat response plan. Of those who did know what the insider threat handling procedures were, the majority reported that the cases were handled in-house, without legal action or law enforcement involvement
Organizations should cooperate with government agencies when faced with the severe attacks, such as those from nation-states, PwC said.
Organizations should have a comprehensive cyber-security plan that addresses both physical and IT systems security threats, the survey said. The plan needs to have components addressing education, training, and awareness of all employees and redundant auditing procedures to help mitigate vulnerabilities.
"Today's organizations are not taking the necessary steps to mitigate the risk of cybercrime, even in the face of increasingly serious and frequent threats," said Burg.
Even though the current gap is the result of years of organizations underinvesting in security programs, technologies, and processes, it is still possible to meet the cyber-security challenge, according to PwC.
Organizations with vigilant and proactive awareness of the threat environment, a strong asset identification and protection program, and proactive monitoring and enhanced incident response processes can successfully mitigate the attacks, PwC said. Cyber-security strategy needs to be aligned with the organization's business strategy.
"Cybersecurity is a business imperative, and senior executives and Boards need to understand the challenges, educate their employees to raise awareness and increase vigilance, and apply cyber threat intelligence to help abate risks from sophisticated threat actors," Burg said.
Over 500 senior executives, security experts, and managers from both the public and private sectors in the U.S. answered survey questions between March and April as part of this year's Cybercrime survey.
The annual cybercrime survey is a collaborative effort between PwC, CSO, the U.S. Secret Service, the Software Engineering Institute CERT Program at Carnegie Mellon University, and the Federal Bureau of Investigation.
The full survey report is available online.