Cybercrime Incidents, Associated Financial Costs Surge While Organizations Still Unprepared to Battle Threats According to 2014 US State of Cybercrime Survey from PwC and CSO
Report finds 8 key cybersecurity deficiencies and what organizations can do to combat them
NEW YORK, May 28, 2014–PwC US and CSO magazine today released the 2014 U.S.State of Cybercrime Survey, an annual survey of cybercrime trends which reveals that while the number of cybercrime incidents and the monetary losses associated with them continue to rise, most U.S. organizations’ cybersecurity capabilities do not rival the persistence and technological skills of their cyber adversaries. According to the report, only 38 percent of companies have a methodology to prioritize security investments based on risk and impact to business strategy. The survey is a collaborative effort with PwC, CSO magazine, the CERT® Division of the Software Engineering Institute at Carnegie Mellon University, and the U.S. Secret Service.
“Cyber criminals evolve their tactics very rapidly, and the repercussions of cybercrime are overwhelming for any single organization to combat alone. It’s imperative that private and public organizations collaborate to combat cybercrime and gain intelligence about security threats and how to respond to them. A united response will prove to be an indispensable tool in advancing the state of cybersecurity,” said David Burg, PwC’s Global and U.S. Advisory Cybersecurity Leader.
The U.S. Director of National Intelligence has ranked cybercrime as the top national security threat, higher than that of terrorism, espionage and weapons of mass destruction1. U.S. business leaders in particular are increasingly worried about cybercrime—much more than their global counterparts. PwC’s Annual Global CEO Survey 2014 found 69% of U.S. respondents reported they were worried about the impact of cyber threats to their growth prospects, compared with 49% of global CEOs.
The Cybercrime survey finds that the average number of security incidents detected over the past year was 135 per organization. Fourteen percent of respondents reported that monetary losses attributed to cybercrime have increased. The actual costs, however, remain largely unknown as more than two-thirds (67 percent) of those who detected a security incident were not able to estimate the financial costs. Among those that could, the average annual monetary loss was projected to be $415,000.
Eight Major Cybersecurity Deficiencies
The survey revealed the following key cybersecurity deficiencies:
- Most organizations do not take a strategic approach to cybersecurity spending
- Organizations do not assess security capabilities of third-party providers
- Supply chain risks are not understood or adequately assessed
- Security for mobile devices is inadequate and has elevated risks
- Cyber risks are not sufficiently assessed
- Organizations do not collaborate to share intelligence on threats and responses
- Insider threats are not sufficiently addressed
- Employee training and awareness is very effective at deterring and responding to incidents, yet it is lacking at most organizations
To combat these deficiencies, PwC recommends that organizations can: invest in people and processes, in addition to technologies; hold third parties to the same or higher standards; assess risks associated with supply chain partners; ensure that mobile security practices keep pace with adoption and use of mobile devices; perform cyber risk assessments regularly; take advantage of information sharing internally and externally to gain intelligence on fast-evolving cyber risks; develop threat-specific policies; and, enhance training and create workforce messaging to boost cybersecurity awareness across the organization.
“Despite substantial investments in cybersecurity technologies, cyber criminals continue to find ways to circumvent these technologies in order to obtain sensitive information that they can monetize,” said Ed Lowery, Special Agent in Charge, Criminal Investigative Division, U.S. Secret Service. “The increasing sophistication of cyber criminals and their ability to circumvent security technologies indicates the need for a radically different approach to cybersecurity: A balanced approach that, in addition to using effective cybersecurity technologies, develops the people, processes, and effective partnerships in order to strategically counter cybersecurity threats.”
Security Incidents on the Rise
This year, three in four (77 percent) respondents to the survey reported a security event in the past 12 months, and more than a third (34 percent) said the number of security incidents increased over the previous year. Additionally, 59 percent of respondents reported that they were more concerned about cybersecurity threats this year than they were the year before.
“There is a correlation between company size and how they confront important elements of cybersecurity,” said Bob Bragdon, vice president and publisher, CSO. “For larger companies, insiders remain the greatest risk for cybersecurity, while outsiders pose more of a risk for smaller companies. Large companies with over a thousand employees have entire IT security departments, focused solely on these issues, compared to smaller businesses. Regardless of size, developing threat-specific policies that include detection, monitoring, analytics and investigation for responding to insider threats is critical. However, experience breeds caution – the companies that have experienced a security event have developed more mature practices and become more cautious than those who have not.”
In particular, many recent incidents with payment-card heists have proved threat actors are increasingly attempting to infiltrate systems via third parties, yet only 44 percent of companies have a process for evaluating third parties before the launch of business operations.
“Third-party and supply chain partners should be held to the same, if not higher, cybersecurity standard that companies set for themselves,” said Randy Trzeciak, technical manager of the Insider Threat Center at CERT. “In particular, compliance should be mandated in contracts. Carefully assessing risks associated with partners and determining incident response plans are also essential elements.”
“The severity of cyber threats will continue to intensify as threat actors evolve and sharpen their skills and techniques. If history—and responses to this survey—are a guide, more organizations will fall victim to more costly cybercrime in the coming year,” commented Burg. “Organizations that take a strategic approach to cybersecurity spending can build a more effective cybersecurity practice, one that advances the ability to detect and quickly respond to incidents that are inevitable.”
For the full survey report, please visit: http://www.pwc.com/us/en/increasing-it- effectiveness/publications/2014-us-state-of-cybercrime.jhtml
PwC’s cybersecurity consulting professionals help organizations understand the complex cyber challenges they face today. PwC provides strategies for clients to adapt and respond to risks, and prioritize and protect the most crucial assets to their business strategy and goals. For more information on PwC’s cybersecurity point of view, visit: www.pwc.com/cybersecurity.
The 2014 U.S. State of Cybercrime Survey was conducted by CSO magazine in collaboration with PwC, the U.S. Secret Service and the CERT Division of the Software Engineering Institute at Carnegie Mellon University. Over 500 US executives, security experts, and others from the private and public sectors responded to the survey questions.
Note to Editors: References to the 2014 State of Cybercrime Survey must reference PwC, CSO magazine, the U.S. Secret Service and the CERT Division of the Software Engineering Institute at Carnegie Mellon University.
About CSO Magazine
CSO is the premier content and community resource for security decision-makers leading “business risk management” efforts within their organization. For more than a decade, CSO’s award-winning web site (CSOonline.com), publication, executive conferences, marketing services and research have equipped security decision-makers to mitigate both IT and corporate/physical risk for their organizations and provided opportunities for security vendors looking to reach this audience. To assist CSOs in educating their organizations’ employees on corporate and personal security practices, CSO also produces the quarterly newsletter Security Smart. CSO is published by IDG Enterprise, a subsidiary of International Data Group (IDG), the world’s leading media, events and research company. Company information is available at www.idgenterprise.com.
About the United States Secret Service
The U.S. Secret Service has taken a lead role in mitigating the threat of financial crimes since the agency’s inception in 1865. As technology has evolved, the scope of the U.S. Secret Service’s mission has expanded from its original counterfeit currency investigations to also include emerging financial and cybercrimes. As a component agency within the U.S. Department of Homeland Security, the U.S. Secret Service, through their Electronic Crimes Task Forces, has established successful partnerships in law enforcement, business and academic communities – across the country and around the world – in order to effectively combat financial and cybercrimes. More information can be found at: www.secretservice.gov.
About the Software Engineering Institute and the CERT Division
The Software Engineering Institute (SEI) is a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University in Pittsburgh, PA. The SEI helps organizations make measurable improvements in their software engineering capabilities by providing technical leadership to advance the practice of software engineering. The CERT Division serves as a center of enterprise and network security research, analysis, and training within the SEI. For more information, visit the CERT website at http://www.cert.org and the SEI website at http://www.sei.cmu.edu.
About PwC’s Advisory Practice
PwC’s Advisory professionals across consulting, deals and forensics create value for our clients by helping them address their most complex business issues, from strategy through execution. We understand our clients’ industries and unique business challenges, and look across the entire organization—focusing on strategy, structure, people, process and technology—to help clients build their next competitive advantage. Our firm’s global network of assurance, tax and advisory professionals means that we can bring the right skills and capabilities to help our clients achieve success anywhere around the world. See www.pwc.com/us/consulting for more information or follow us @PwCAdvisory.
About PwC US
PwC US helps organizations and individuals create the value they’re looking for. We’re a member of the PwC network of firms in 157 countries with more than 184,000 people. We’re committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com/US. Gain customized access to our insights by downloading our thought leadership app: PwC’s 365™ Advancing business thinking every day.
1 Director of National Intelligence, Worldwide Threat Assessment of the US Intelligence Committee, January, 2014
© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC US refers to the US member firm, and PwC may refer to either the PwC network of firms or the US member firm. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.
# # #