SecurityWeek

Companies Not Keeping Pace with Growing Cybercrime Threats: Survey

Cybercrime is on the rise, and most organizations remain unsuccessful at thwarting the attacks, according to the latest cybercrime survey.

Organizations have made little progress developing defenses against both internal and external attackers, according to the 2013 State of Cybercrime Survey from PwC and CSO Magazine released Thursday. More worryingly, organizations seem unaware of the potential fallout from insider crimes.

Organizations are misjudging the severity of the risks they face from a financial, reputational, and regulatory perspective. Attacks are on the rise partly because organizations now have a bigger attack surface, a natural consequence of doing business in a more interconnected and interdependent landscape. While public perception tends to focus on headlines about successful attacks from nation-states, insiders pose just as great a security risk to organizations, according to the survey.

“The potential threat from insiders cannot be underestimated or dismissed as inconsequential,” said Ed Lowry, Special Agent in Charge at the U.S. Secret Service’s Criminal Investigative Division.

Respondents were just as likely to say insider crimes would cause more damage to their organizations as to say external attacks would. In fact, slightly more respondents were concerned about internal attacks, at 34 percent, than about external attacks, at 31 percent, according to the study.

Insiders aren’t always malicious. As the survey found, twice as many respondents acknowledged that “non-malicious insiders” caused more sensitive data loss than malicious inside actors. A good example of non-malicious insiders is the employee who accidentally lost an unencrypted USB drive or laptop containing sensitive data.

“One of the key elements in defending against insider attacks is employee training and awareness,” said David Burg, a principal consultant in PwC’s U.S. Advisory practice focused on cyber-security.

The survey also found that 17 percent of respondents who had suffered an insider attack did not know what the consequences were for the incident. About a third had no formalized insider threat response plan. Of those who did know what the insider threat handling procedures were, the majority reported that the cases were handled in-house, without legal action or law enforcement involvement.

Organizations should cooperate with government agencies when faced with severe attacks, such as those from nation-states, PwC said.

Organizations should have a comprehensive cyber-security plan that addresses both physical and IT systems security threats, the survey said. The plan needs to have components addressing education, training, and awareness of all employees and redundant auditing procedures to help mitigate vulnerabilities.

“Today’s organizations are not taking the necessary steps to mitigate the risk of cybercrime, even in the face of increasingly serious and frequent threats,” said Burg.

Even though the current gap is the result of years of organizations underinvesting in security programs, technologies, and processes, it is still possible to meet the cyber-security challenge, according to PwC.

Organizations with vigilant and proactive awareness of the threat environment, a strong asset identification and protection program, and proactive monitoring and enhanced incident response processes can successfully mitigate the attacks, PwC said. Cyber-security strategy needs to be aligned with the organization’s business strategy.

“Cybersecurity is a business imperative, and senior executives and Boards need to understand the challenges, educate their employees to raise awareness and increase vigilance, and apply cyber threat intelligence to help abate risks from sophisticated threat actors,” Burg said.

Over 500 senior executives, security experts, and managers from both the public and private sectors in the U.S. answered survey questions between March and April as part of this year’s Cybercrime survey.

The annual cybercrime survey is a collaborative effort between PwC, CSO, the U.S. Secret Service, the Software Engineering Institute CERT Program at Carnegie Mellon University, and the Federal Bureau of Investigation.

The full survey report is available online.
