Cybersecurity Takes Center Stage yet Progress is Interrupted, finds 2015 U.S. State of Cybercrime Survey
Despite increase in reported incidents, few have solidified cybersecurity processes; Information sharing comes front and center
NEW YORK and FRAMINGHAM, Mass. July 16, 2015 – PwC US and IDG’s CSO release the 2015 U.S. State of Cybercrime Survey. The survey reveals that despite a year of highly public and destructive cyberattacks, few organizations’ cybersecurity policies and processes are providing better protection than a year ago. However, this year’s findings show government agencies and corporate boards of directors are taking an increased role when it comes to cybersecurity practices. More than 500 executives from U.S. businesses, law enforcement services and government agencies share their views in the survey, which was a collaborative effort among PwC, CSO, the U.S. Secret Service, and the Software Engineering Institute CERT® Division at Carnegie Mellon University.
A record 79% of respondents said they detected a security incident in the past 12 months in this year’s survey. On average, respondents reported 163 security incidents per organization in the last 12 months, an increase from 135 in the year before; because many incidents go undetected, the real number is likely higher. Large organizations (those with 10,000 or more employees) detected 31 times more incidents than small organizations (fewer than 1,000 employees).
“2015 has been a watershed year for cybercrime. Headlines in 2015 make it clear that the threat is increasing, yet much more must be done to stem losses and damages. High profile incidents teach us over and over again that no system is immune – and that speed to identify and respond is of the essence when it comes to combatting cyber threats and reducing the risk and associated damages,” said David Burg, Global and U.S. Cybersecurity leader, PwC. “Keeping pace with today’s sophisticated adversaries is not simply a matter of an increase in cybersecurity spending. Results of this year’s survey highlight opportunities and potential for information sharing across industries and regions. Greater transparency and visibility into the threat landscape can lead to more action from corporate boards, rapid and informed decision-making, appropriate investments in spend and resources, and greater agility when responding to threats.”
As security incidents have risen in frequency, so too has the level of concern about potential cybersecurity incidents. Seventy-six percent said they were more concerned about cyber-risks, up from 59% the prior year. Given the increased focus on preventing cybercrime, incidents should be declining, or at least improving in certain areas such as the assessment of financial damages; however, 69% of enterprise organizations (1,000+ employees) still could not estimate the financial impact after detecting a security incident. According to the survey data, another noticeable area for improvement is the amount of collaboration between security professionals in the industry. Only 25% of respondents said they were involved in industry-specific Information Sharing and Analysis Centers (ISACs), virtually the same as the year before.
“One of the key takeaways from this year’s survey is the increased involvement from the government as a result of the continued climbing number of cyberattacks combined with organizations not moving to protect themselves fast enough,” said Bob Bragdon, Vice President and Publisher, CSO. “With both government pressure and regulation, as well as the increased oversight by companies’ boards of directors, businesses have the opportunity to become much more collaborative in sharing information and raising the security protection standard even as cybercriminals continue to evolve and adapt quicker than organizations.”
Outsiders Pose Increasing Threat to Organizations
The most frequently cited types of compromise are crimes committed by external threat actors, those who are not employees or third-party partners with trusted access to networks and data. Nearly one third (31%) of respondents said they had experienced a phishing attack in 2014. Distributed denial of service (DDoS) attacks are becoming increasingly potent and are one of the most frequent types of cybersecurity incidents, cited by 18% of survey respondents. Ransomware, a comparatively new type of cybercrime, is also becoming more sophisticated and commonplace.
“Over the past year, the Secret Service saw an increase in cyber-related activity involving capable networks of transnational criminals targeting U.S. citizens and financial institutions,” said Stuart Tryon, Special Agent in Charge of the Criminal Investigative Division, Secret Service. “Currently, subjects in Eastern Europe control many of the Internet web sites buying and selling illicitly obtained credit card data. The public and private sectors must continue to work collaboratively to share cybersecurity indicators and partner to conduct investigations in order to deter, disrupt and dismantle cybercrime networks.”
Frequent Types of Security Incidents
1. Viruses, worms, or other malicious code
3. Spyware implanted
4. Distributed denial of service (DDoS) attacks
Third-Party Risks Need More Attention From C-Suite
Due diligence of the security capabilities and practices of third parties has emerged as a core requirement in the past year, in part because of prominent breaches that began with attacks on business partners. This year, 62% of respondents said they evaluate the security risks of third-party partners and 57% said they do so for contractors, while only 42% of respondents consider supplier risks. Surprisingly, almost one in five (19%) of CEOs, COOs and CFOs said they were not at all worried about any kind of supply chain risk. What’s more, only 16% of respondents said they evaluate third parties’ cybersecurity more than once a year—and 23% do not evaluate third-party security at all.
Cyberthreats a Board Governance Issue
Cyberthreats are one of the most significant business risks facing organizations today. Despite the increase in both incidents and risks, only 30% of respondents said their Chief Information Security Officer (CISO) or Chief Security Officer (CSO) makes quarterly security presentations to the board. One in four (26%) said their senior security executive presents once a year – and 28% said security leaders make no presentations at all.
The National Association of Corporate Directors recommends oversight be a function of the full board. Yet, 30% of respondents said no Board committee or members are engaged in cyber risks. At the other end of the spectrum, only 25% of respondents said their full Board is involved in cyber risks.
As Boards of Directors are held accountable, it is necessary to treat cybersecurity as an overarching corporate risk issue rather than simply an IT risk. Many have yet to adopt this approach, however. Almost half (49%) of boards view cybersecurity as an IT risk, while 42% see cybersecurity through the lens of corporate governance.
“If an organization’s management—including boards of directors, senior executives, and all managers—does not establish and reinforce the business need for effective enterprise security, the organization’s desired state of security will not be articulated, achieved, or sustained,” said Julia Allen, a principal researcher on the CERT cyber risk management team. “To achieve a sustainable capability, organizations must make enterprise security the responsibility of leaders at a governance level, not of other organizational roles that lack the authority, accountability, and resources to act and enforce compliance.”
Given the finding that most boards do not see cybersecurity as a governance issue, PwC, CSO, the U.S. Secret Service, and the Software Engineering Institute CERT® Division outlined seven reasons why cybersecurity must be considered a board governance issue:
- The impact of cybersecurity is systemic. Incidents can impact an organization’s global operations even when a risk point is thousands of miles away.
- The financial impact can be significant and include costly class-action lawsuits.
- As regulations evolve, compliance is becoming more challenging and increasingly costly.
- The Internet of Things has brought new threats that can cause extreme risks and tremendous physical damage.
- Cybersecurity insurance should be considered as a regulatory hedge against cyber risks. A risk committee should ask questions regarding coverage for directors’ and officers’ liability, commercial general liability prior acts, and property and casualty insurance.
- Adversaries such as nation-states and organized crime are working together to attack organizations for objectives like economic sabotage, theft of trade secrets, money laundering, terrorism, and military and intelligence operations.
- Cyberattacks can result in substantial financial losses and damage brand reputation by disrupting an organization’s strategic objectives, such as a planned merger or acquisition, the launch of a new product, or a business deal with a potential customer.
Cybersecurity Receives Big Boost in Funding
Nearly half (45%) of respondents said they increased information security spending over the year before. Respondents also indicated that industries that have been impacted by high-profile cyberattacks – including retail and consumer products, banking and finance, healthcare, and government – were more likely to have significantly boosted information security investments. The survey also found a direct correlation between security investments and company size: businesses with 10,000 or more employees were more likely to substantially increase information security spending. For instance, 20% of larger businesses said they raised security investments by 20% or more in 2014, while 12% of small companies did so.
Additional coverage on the 2015 U.S. State of Cybercrime Survey can be found at: http://www.csoonline.com
The 2015 US State of Cybercrime Survey was a collaborative effort among PwC, CSO, the CERT® Division of the Software Engineering Institute at Carnegie Mellon University, and the United States Secret Service. More than 500 executives of U.S. businesses, law enforcement services, and government agencies contributed. The survey evaluates trends in the frequency and impact of cybercrime incidents, cybersecurity threats, information security spending, and the risks of third-party business partners in private and public organizations. The survey also assesses how businesses are adapting to evolving expectations of the information security function and the Board of Directors.
Note to Editors: References to the 2015 State of Cybercrime Survey must reference PwC, CSO, the U.S. Secret Service and the Software Engineering Institute CERT Division at Carnegie Mellon University.
CSO is the premier content and community resource for security decision-makers leading “business risk management” efforts within their organization. For more than a decade, CSO’s award-winning website (CSOonline.com), executive conferences, strategic marketing services and research have equipped security decision-makers to mitigate both IT and corporate/physical risk for their organizations and provided opportunities for security vendors looking to reach this audience. To assist CSOs in educating their organizations’ employees on corporate and personal security practices, CSO also produces the quarterly newsletter Security Smart. CSO is published by IDG Enterprise, a subsidiary of International Data Group (IDG), the world’s leading media, events and research company. Company information is available at www.idgenterprise.com.
About the United States Secret Service
The U.S. Secret Service has taken a lead role in mitigating the threat of financial crimes since the agency’s inception in 1865. As technology has evolved, the scope of the U.S. Secret Service’s mission has expanded from its original counterfeit currency investigations to also include emerging financial and cybercrimes. As a component agency within the U.S. Department of Homeland Security, the U.S. Secret Service, through its Electronic Crimes Task Forces, has established successful partnerships in law enforcement, business and academic communities – across the country and around the world – in order to effectively combat financial and cybercrimes. More information can be found at: www.secretservice.gov.
About the Software Engineering Institute and the CERT Division
The Software Engineering Institute (SEI) is a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University. The SEI helps organizations make measurable improvements in their software engineering capabilities by providing technical leadership to advance the practice of software engineering. For more information, visit the SEI website at http://www.sei.cmu.edu. The CERT Division of the SEI is the world’s leading trusted authority dedicated to improving the security and resilience of computer systems and networks and a national asset in the field of cybersecurity. For more information, visit http://www.cert.org.
About PwC US
PwC US helps organizations and individuals create the value they’re looking for. We’re a member of the PwC network of firms, which has firms in 157 countries with more than 195,000 people. We’re committed to delivering quality in assurance, tax and advisory services. Find out more and tell us what matters to you by visiting us at www.pwc.com/US.
© 2015 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.
This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
# # #
Jo Anne Barrameda McCusker