Despite a surge in both the number of detected cybersecurity incidents and the financial costs associated with such breaches, a new report shows that U.S. organizations lack the necessary defenses to effectively counter evolving cybersecurity threats.
The 2014 U.S. State of Cybercrime Survey outlines significant shortcomings that leave organizations lagging behind their criminal counterparts. PricewaterhouseCoopers, CSO Magazine, the U.S. Secret Service and the CERT Division of the Software Engineering Institute at Carnegie Mellon University co-sponsored the survey.
Below are some of the survey’s key findings based on data collected from more than 500 executives from U.S. businesses, law enforcement and government agencies.
Heightened Concern about Cybersecurity Threats
Organizations are clearly aware of the security threats posed by technology, with 59% of respondents indicating they are more concerned about cybersecurity this year than in the past. This may be in response to an increase in information-security incidents — both in the headlines and experienced first-hand. More than three in four respondents have experienced a data breach in the last year; 34% have detected more security incidents in the last 12 months than in the previous year.
Organizations Not Properly Prioritizing and Investing in Cybersecurity
While organizations have serious concerns about cybercrime threats, 38% of respondents omit a key step in implementing an effective cybersecurity program by not prioritizing cybersecurity investments based on their individual risk. In particular, many organizations are not properly investing in the people and processes that would allow them to rapidly respond to and mitigate incidents. Researchers noted that organizations should carefully allocate their spending based on their particular industry, geography, key assets and other factors, and design cybersecurity programs with enough flexibility and agility to enable a quick response to evolving and multiplying threats. Consequently, organizations should place emphasis not only on preventing attacks but also on detecting and responding to them to minimize their impact.
Insider Threats Not Adequately Addressed
Some 28% of respondents reported attacks by insiders, and 32% indicated that these were more costly and damaging than outside attacks. Yet fewer than half (49%) of those surveyed have a plan in place to safeguard against and respond to attacks from employees and other inside sources.
Collaboration and NIST Cybersecurity Framework Can Enhance Effectiveness
The report highlights two ways organizations can more effectively deal with cybercriminals: collaboration and the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Cybersecurity Framework. The report illustrates the value of collaboration by pointing to data from a separate cybersecurity survey in which 82% of companies with high-performing security practices actively worked with others to increase their knowledge about security measures and threat trends. Additionally, while highlighting the benefits of the NIST framework's voluntary, proactive risk-management approach to managing and mitigating cybersecurity risks, the report found that the vast majority of respondents' cybersecurity programs fell far short of NIST's standards.
The report concludes by urging organizations to adopt the NIST framework to help improve their cybersecurity programs and possibly stem regulatory violations and other liability. Whatever the approach, organizations need to implement information security training as an important step in safeguarding against criminals and their evolving techniques and methods.