Cybercrime Continues to Plague Organizations as Concerns over Security Breaches Increase
The 2018 U.S. State of Cybercrime Survey helps organizations compare their security practices and breaches during National Cybersecurity Awareness Month
Boston, Mass. – October 22, 2018 – Cybersecurity continues to increase in importance for organizations as breaches impact businesses across various industries. In fact, 66% of organizations reported they are more concerned about cybersecurity threats than they were just one year ago. Given the frequency of cyberattacks and potential consequences involved, organizations must take the necessary security measures and properly train their employees.
The U.S. State of Cybercrime Survey is conducted annually to evaluate trends in the frequency and impact of cybercrime incidents, cybersecurity threats, and information security spending. This year’s study coincides with National Cybersecurity Awareness Month, an annual initiative to ensure every American has the resources needed to stay safer and more secure online, while increasing the resiliency of the nation during cyberthreats. The 2018 research was a collaborative effort between CSO, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, the U.S. Secret Service, and KnowBe4.
Prevalence & Impact of Security Threats
The threat of cyberattacks has become a top priority for organizations in recent years, and all signs point to this continuing. Forty-one percent of respondents reported the frequency of cybersecurity events increased in 2017. In particular, enterprise organizations are being hit the hardest by cybersecurity events. While SMBs experienced an average of 24 cybersecurity events this past year, this number increased to 195.9 for enterprise organizations. A major issue for companies is that threat detection continues to take longer, thus preventing organizations from taking swift action to eliminate the threat. Thirty-five percent of organizations indicated it takes longer than a month to identify intrusions on their network, which is up from 28% last year.
In addition to putting both company and customer information in danger, security breaches have resulted in significant monetary loss for the affected organizations. Overall, 23% of organizations reported their monetary losses increased in 2017, which is up from 13% in 2016. Again, enterprise organizations are being impacted the most with estimated financial losses at an average of $642K, compared to $34K for SMBs.
“Organizations must take a more proactive approach to cybersecurity,” said Bob Bragdon, SVP and publisher of CSO. “There is too much at stake for companies to be complacent while failing to take the proper steps to protect themselves from cyberattacks. Organizations need to invest in the right talent and technologies, and continually train their employees on security best practices.”
IT Investments & Strategies to Address Cyberthreats
As cybersecurity threats increase, organizations are taking notice and allocating their budgets accordingly. Fifty-nine percent of organizations have increased their cybersecurity budgets from 2017, compared to 48% the previous year. Specifically, budgets are being allocated to implementing new technologies (46%), conducting audits and assessments (34%), and adding new skills and capabilities (32%).
It is important to note that 80% of enterprises have a methodology in place to help determine the effectiveness of their organization’s security programs, and 37% use it more than once a year. Firewalls prove to be the most effective security technology (86%), followed by spam filtering (80%), access controls (76%), and strong authentication (75%).
Though the importance of effective security programs cannot be overstated, it is also crucial that organizations are prepared to respond to a breach if one occurs. “Despite investments in sophisticated security technology, some organizations may still fall victim to a breach,” said Christopher Leone, Assistant to the Special Agent in Charge – Criminal Investigative Division, U.S. Secret Service. “In these instances, it is critical that organizations have a plan in place to limit the extent of the attack. Additionally, a practiced relationship with law enforcement may clear obstacles to allow for a more effective investigation to ultimately hold criminal parties accountable.”
Seventy-eight percent of enterprise organizations have a formal incident response plan while this number decreases to 53% for SMBs. Still, over a fourth (26%) of organizations do not have a plan for responding to security incidents – an alarming statistic given the serious consequences involved in the event of a cyberattack. Financial organizations appear to be taking greater initiative as 85% reported they have a formal incident response plan in place, and 69% of them test it at least once a year.
Defending Against Outsider & Insider Attacks
Cybersecurity breaches can stem from both external and internal threats. Respondents reported that 75% of cyberattacks were caused by outsiders, while 25% were due to insiders. Hackers prove to be the greatest cyberthreat as 39% of respondents said cybercrimes caused by outsiders were the most costly for their organization. The most common outsider tactics leading to cybersecurity breaches include phishing (53%), malicious malware (50%), and spyware (45%).
While outsiders pose the most serious threat to organizations, insiders still create cause for concern. Most notably, innocent employees falling for phishing or attacker scams are considered the greatest insider risk (42%), followed by careless employees blending work and personal usage (26%). These insider incidents have led to compromised data such as customer records (61%), confidential records (trade secrets or intellectual property) (56%), and theft of personally identifiable information (49%).
“The increase of insider incidents further highlights the importance of security training,” said Randall Trzeciak, Director of the CERT National Insider Threat Center in the Software Engineering Institute at Carnegie Mellon University. “Many of these breaches might have been avoided if employees were properly educated. In some instances, the naivety of employees has led to phishing and attacker scams, resulting in compromised data and monetary losses.”
Security Awareness & Training
Based on the prevalence of cyberattacks, security awareness training should be a point of emphasis for organizations. The majority of employees do receive security training at least annually: once a year (29%), twice a year (15%), quarterly (15%), monthly (7%). Still, there is room for improvement, particularly at the C-level. Respondents reported that C-level executives are most in need of training to protect themselves from attacks (52%).
Security awareness training has proved to be a worthy investment for organizations as 66% said it has had a significant/reasonable impact on reducing the number of successful phishing attacks at their organization. Video-based security awareness trainings were reported to be the most popular (82%), followed by live, classroom or lecture style in-person training (77%), and phishing and social engineering behavior testing (76%).
Though security training is becoming more common for organizations, there needs to be greater value placed on cybersecurity from an overall standpoint. Breaches continue to make headlines, and too many organizations have left themselves vulnerable to attacks. “The more advanced technology becomes, the more cybercriminals will go after the end user as a way in. Most malicious data breaches are a result of phishing,” said Stu Sjouwerman, CEO, KnowBe4. “Employees are the weakest link in an organization, and the most effective way to manage the ongoing problem of social engineering is to train and phish your users.”
About the 2018 U.S. State of Cybercrime Survey
The 2018 U.S. State of Cybercrime Survey was conducted by CSO in collaboration with the CERT® Division of the Software Engineering Institute at Carnegie Mellon University, U.S. Secret Service, and KnowBe4. The goal of the survey is to gain insight into the frequency and impact of cyber incidents, organizational and partner defense tactics, and security spending trends. More than 500 U.S. security experts, business executives and others from the private and public sectors responded to the survey.
CSO is the premier content and community resource for security decision-makers leading “business risk management” efforts within their organization. For more than a decade, CSO’s award-winning website (CSOonline.com), executive conferences, strategic marketing solutions and research have equipped security decision-makers to mitigate both IT and corporate/physical risk for their organizations and provided opportunities for security vendors looking to reach this audience.
Based on editorial coverage and design, the Folio Eddie awards named CSOonline.com as the best B2B Technology Website in 2015 and 2016. To assist CSOs in educating their organizations’ employees on corporate and personal security practices, CSO also produces the quarterly newsletter Security Smart. CSO is published by IDG Communications, Inc. Company information is available at www.idg.com.
About Carnegie Mellon University Software Engineering Institute
The Software Engineering Institute (SEI) is a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University. The SEI works with organizations to make measurable improvements in their software engineering capabilities by providing technical leadership to advance the practice of software engineering. For more information, visit the SEI website at http://www.sei.cmu.edu. The CERT Division of the SEI is the world’s leading trusted authority dedicated to improving the security and resilience of computer systems and networks and a national asset in the field of cybersecurity.
Follow CERT Division of Carnegie Mellon University Software Engineering Institute on Twitter: @CERT_Division
Follow Carnegie Mellon University Software Engineering Institute on LinkedIn
Like Carnegie Mellon University Software Engineering Institute on Facebook
About U.S. Secret Service
The United States Secret Service is a federal law enforcement agency with headquarters in Washington, D.C., and more than 150 offices throughout the United States and abroad. Established in 1865 solely to suppress the counterfeiting of U.S. currency, today the Secret Service is mandated by Congress to carry out the integrated missions of protection and investigations. For more information on the U.S. Secret Service, please visit https://www.secretservice.gov/.
About KnowBe4
KnowBe4 is the world’s largest integrated Security Awareness Training and Simulated Phishing platform. Realizing that the human element of security was being seriously neglected, KnowBe4 was created to help organizations manage the problem of social engineering through a comprehensive new-school awareness training approach. For more information on KnowBe4, please visit www.knowbe4.com.
IDG Communications, Inc.