PwC US and CSO magazine released the 2013 State of Cybercrime Survey, which reveals that while cybercrime threats are on the rise, current attempts to counter them remain largely unsuccessful. According to the report, organizations have made little progress in developing ways to defend themselves against both internal and external cyber opponents. Over 500 U.S. executives, security experts, and others from the private and public sectors were surveyed on their views on the state of cybercrime. The survey is a collaborative effort with PwC, CSO magazine, the U.S. Secret Service, the Software Engineering Institute CERT® Program at Carnegie Mellon University, and the FBI.
Although the survey did confirm that attacks continue to range from targeted and sophisticated to fairly simple exploits of vulnerabilities created by years of underinvestment in security programs, technologies, and processes, PwC believes the cybersecurity challenge can – and must -- be met. In many cases companies can be successful in mitigating these attacks with a thorough cybersecurity strategy that is aligned to the business strategy and includes vigilant and proactive awareness of the threat environment, a strong asset identification and protection program and is supported by proactive monitoring and enhanced incident response processes. Attacks that are most severe, often from nation-states, should be faced in conjunction with government agencies.
For the second year in a row, respondents identified insider crimes (33.73 percent) as likely to cause more damage to an organization than external attacks (31.34 percent). The study found that:
"The potential threat from insiders cannot be underestimated or dismissed as inconsequential," said Ed Lowry, Special Agent in Charge, Criminal Investigative Division, U.S. Secret Service. "In the current environment, any business model must include a comprehensive cyber security plan that addresses both physical and IT systems security threats. This plan should include education, training, and awareness of all employees and redundant auditing procedures that will help mitigate a single point of failure vulnerability."
Seventeen percent of respondents who had suffered an insider attack did not know what the consequences entailed;
Thirty-three percent of respondents had no formalized insider threat response plan;
Twice as many respondents indicated "non-malicious insiders" cause more sensitive data loss than malicious inside actors; and
Of those who did know what the insider threat handling procedures were, the majority reported that the cases were handled in-house, without legal action or law enforcement involvement
"We must consistently get past the privacy and liability issues that arise in the private sector reporting cyber intrusions to the government," said FBI Executive Assistant Director Richard McFeely. "When that happens, we have seen recent notable examples of the power of private sector and government coming together to counter our cyber adversaries."
For the full survey report, please visit: www.pwc.com/cybersecurity.