July 8, 2014

8 Ways Your Company Is Vulnerable to a Cyber Attack


As cybercriminals grow more and more sophisticated, businesses are struggling to keep up.

The number of cybercrime incidents and the monetary losses associated with them continue to rise, but most U.S. organizations' cybersecurity practices aren't evolving as fast as necessary, according to a new study from PwC, CSO magazine, the CERT Division of the Software Engineering Institute at Carnegie Mellon University and the U.S. Secret Service.

The research found that more than three-quarters of executives and security experts reported a security event in the past 12 months, with more than one-third saying the number of security incidents increased over the last year.

The actual costs, however, remain largely unknown, as 67 percent of those who did detect a security incident were not able to estimate the financial costs. Those who were able to make these estimates projected annual losses of $415,000.

Bob Bragdon, vice president and publisher of CSO, said a company's size correlates with how it confronts important elements of cybersecurity.

"For larger companies, insiders remain the greatest risk for cybersecurity, while outsiders pose more of a risk for smaller companies," Bragdon said. "Large companies with over a thousand employees have entire IT security departments, focused solely on these issues, compared to smaller businesses [that don’t have the same luxury]."

Regardless of size, Bragdon said developing threat-specific policies that include detection, monitoring, analytics and investigation for responding to insider threats is critical.

"However, experience breeds caution," he said. "The companies that have experienced a security event have developed more-mature practices and become more cautious than those who have not."

The research revealed a number of areas that are holding U.S. organizations back from fully protecting themselves. The key cybersecurity deficiencies include:

  • Most organizations do not take a strategic approach to cybersecurity spending.
  • Organizations do not assess security capabilities of third-party providers.
  • Supply chain risks are not understood or adequately assessed.
  • Security for mobile devices is inadequate and has elevated risks.
  • Cyber risks are not sufficiently assessed.
  • Organizations do not collaborate to share intelligence on threats and responses.
  • Insider threats are not sufficiently addressed.
  • Employee training and awareness is very effective at deterring and responding to incidents, yet this measure is lacking at most organizations.

The increased attempts by cybercriminals to infiltrate systems via third parties cause particular concern. Despite this year's high-profile cases, the research shows that only 44 percent of companies have a process for evaluating third parties before the launch of business operations.

Randy Trzeciak, technical manager of the Insider Threat Center at CERT, said third-party and supply chain partners should be held to the same cybersecurity standard that companies set for themselves, if not a higher standard.

"In particular, compliance should be mandated in contracts," Trzeciak said. "Carefully assessing risks associated with partners and determining incident response plans are also essential elements."

David Burg, head of PwC's Global and U.S. Advisory Cybersecurity, said the severity of cyber threats will continue to intensify as criminals evolve and sharpen their skills and techniques.

"If history — and responses to this survey — are a guide, more organizations will fall victim to more costly cybercrime in the coming year," Burg said. "Organizations that take a strategic approach to cybersecurity spending can build a more effective cybersecurity practice, one that advances the ability to detect and quickly respond to incidents that are inevitable."

The study was based on surveys of more than 500 U.S. executives, security experts, and others from the private and public sectors.
