BreachExchange mailing list archives

Cybercrime is outwitting, outpacing security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 28 May 2014 19:24:30 -0600

http://tech.fortune.cnn.com/2014/05/28/cybercrime-is-outwitting-outpacing-security/

Cybersecurity is no longer just an afterthought; it's a core part of any
successful business strategy. Yet in the battle to secure cyberspace --
where cybercriminals are becoming ever more adept at looting precious data
-- many U.S. organizations are not wisely defending themselves.

According to a new report from PricewaterhouseCoopers, most U.S.
organizations are not prioritizing their security spending or appraising
their digital assets. Of the more than 500 U.S. businesses, government
agencies, and law enforcement services that responded to the survey, only
38 percent said they strategically invest in cybersecurity based on risk
and impact to business. And just 17 percent reported taking steps to
identify which business data are most important.

"Our respondents in the survey continue to fail to adequately allocate
resources necessary to address the cybersecurity risks that we see out
there in the marketplace. It's disappointing," said David Burg, Global and
U.S. Advisory Cybersecurity Leader at PwC, which partnered with
CSO magazine, the Software Engineering Institute at Carnegie Mellon
University, and the U.S. Secret Service on the survey. "Unfortunately,
we've seen this pattern manifest for a number of years."

PwC's findings are consistent with a survey it conducted last year that
found an identical 17 percent of respondents who reported classifying the
business value of data. (The earlier survey was far broader and collected
responses from more than 9,600 senior leaders across the globe. It was also
the first time the question was added to the smaller, U.S.-centric survey.)

"There's a real large gap that needs to be filled in terms of companies all
around the world -- not just in the U.S. -- taking the time necessary to
actually have a smart cybersecurity strategy, and then to execute that
strategy," Burg said.

In the latest survey, more than three quarters of respondents reported a
security incident in the past year, and the number of security incidents
detected over that period averaged 135 per organization. Just over
one-third of respondents said that the frequency of security events has
increased since last year. Fourteen percent reported losing more money to
cybercrime in the last year, estimated at an annual average of $415,000.

Perhaps most surprising: 67 percent of respondents who detected a security
incident were unable to estimate how much it cost. Given the frequency of
high-profile data breaches at Target (TGT), eBay (EBAY), and other large
companies this year, it is perhaps unsurprising that three-fifths of
respondents reported being more concerned about cyber threats this year
than last.

"The increasing sophistication of cyber criminals and their ability to
circumvent security technologies indicates the need for a radically
different approach to cybersecurity," said Ed Lowery, Special Agent in
Charge for the Criminal Investigative Division of the U.S. Secret Service,
in the survey's press release. "A balanced approach that, in addition to
using effective cybersecurity technologies, develops the people, processes,
and effective partnerships in order to strategically counter cybersecurity
threats."

Other findings from this year's survey include a lack of attention to the
security practices of contractors, supply chain partners and other
third-party business partners. Less than half of the group surveyed
reported having a process for evaluating third parties before they launch
business operations, and fewer than a third included security provisions in
contracts with external vendors and suppliers.

Despite acknowledging that they spend 76 percent less on security incidents
when employees are properly trained, less than half of respondents admitted
that they do not offer security training to new hires. And though
respondents acknowledged the rapid adoption of mobile technologies, "We
don't see investment in security or security capability really following
that," Burg said.

Burg called the current state of affairs "a strategic lagging problem" --
meaning that senior executives are aware of security issues but need more
time to execute the necessary changes within their organizations.

"This is a business transformation exercise," Burg said. "Transformation
takes time, and it takes focus, and it takes commitment, and it all begins
at the top of the house."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
