Key findings from the 2013 US State of Cybercrime Survey

 

June, 2013

Cyberthreats have become so persistent, the attacks so pervasive, that organizations—and their leaders—have essentially become inured to what cybersecurity and US Government officials call an ever-increasing threat. When organizations fall victim to cyberattacks, only then do they realize the time to take action was yesterday.

Co-Sponsored by:
• The Software Engineering Institute CERT® Program at Carnegie Mellon University
• CSO Magazine
• United States Secret Service
Executive Summary

This year’s cybercrime survey highlights what many in government and the cybersecurity industry have known for years: The cybercrime threat environment has become increasingly pervasive and hostile—and actions to stem the tide of attacks have had limited effect. We must accept that cyberattacks are now a routine part of doing business in today’s uncertain world, and they likely will be a part of doing business going forward.

The survey results tell us that many organizational leaders do not know or appreciate what they are up against, lack a clear, real-time understanding of the nature of today’s cyber-threats and those who pose these risks, and have made little headway in developing strategies to defend against both internal and external cyber-adversaries.

The survey also tells us that we collectively have a long way to go in coming to terms with the extent of the threat, its short- and long-term implications, and what actions should be taken to curtail the multi-faceted impact.

The entities that collaborated on preparing and analyzing this year’s survey saw the emergence of three themes:

1. Leaders do not know who is responsible for their organization’s cybersecurity, nor are security experts effectively communicating on cyberthreats, cyberattacks, and defensive technologies. If organizations fail to identify who is in charge, they will be left with identifying who is to blame in the wake of crippling attacks.

2. Many leaders underestimate their cyber-adversaries’ capabilities and the strategic financial, reputational, and regulatory risks they pose. Despite indications that the Securities and Exchange Commission (“SEC”), Congress, and the White House appreciate the threat, many companies still have not adequately grasped the degree to which failure to address the digital threat environment may have wider repercussions.

3. Leaders are unknowingly increasing their digital attack vulnerabilities by adopting social collaboration, expanding the use of mobile devices, moving the storage of information to the cloud, digitizing sensitive information, moving to smart grid technologies, and embracing workforce mobility alternatives—without first considering the impact these technological innovations have on their cybersecurity profiles.

The news, however, is not entirely grim. In our view, most of these cybersecurity challenges can be addressed internally. The majority of attacks (roughly 80%) rely on exploits that companies can readily defend against, if they focus their attention on fundamental cybersecurity education, properly maintained IT infrastructure, and effective monitoring.

In addition, the right cybersecurity strategy, awareness of the threat environment, and a solid asset identification and protection program can help entities manage another 15% of attacks. The final 5% of attacks emanate from sophisticated—and often nation state-sponsored—adversaries who threaten our national security, and should be faced in strong collaboration with government agencies.

What makes this survey different?

This is the first year that PwC has partnered with CSO Magazine and the other co-sponsors to conduct and evaluate the 2013 US State of Cybercrime Survey. Together, we have applied our deep experience in data analytics to dig into the layers of data and identify central concepts we see as vital to organizations that are attempting to make sense of current and future cyberthreats and attacks. We have brought the issue into focus by going beyond the statistics and focusing on the factors that can impact an organization’s cybersecurity stance, such as by considering:

• Strategy and execution of the cybersecurity program;
• Understanding changes in the threat environment;
• Identifying key organizational assets in need of protection; and
• Spreading that protection beyond the walls of the entity to encompass the enterprise ecosystem.

Additionally, we have placed special emphasis on the unique cybersecurity challenges posed by the insider threat.

CSO Magazine and its partners Carnegie Mellon University’s Software Engineering Institute (“CMU SEI”) and the United States Secret Service (“USSS”) have again participated in this effort.

We have also brought to bear our experience in identifying security and cyber trends by drawing on results from PwC’s annual Global CEO Survey and annual Global State of Information Security Survey.


In this 11th survey of cybercrime trends, over 500 US executives, security experts, and others from the public and private sectors provided their views on the state of cybercrime: who the internal and external threat actors are, what they are after, how well public-private collaboration supports cybersecurity, and what technologies are best able to defend and protect against cyberattacks.

The frog in the pot of hot water

There were no significant changes in C-Suite threat awareness, no spikes in spending on cyber-defense, no breakthroughs in the use of technology to combat cybercrime, and no significant change in the ability of organizations to measure the impact of both cybercrimes committed by insiders and those caused by external cyberattacks. (See Figure 1.)

Figure 1: Do you have a methodology that helps you determine the effectiveness of your organization’s security programs based on clear measures? [Pie chart; legend: Don’t know/not sure, No, Yes; values shown: 22%, 40%, 38%]

In reviewing the survey data from the past three years, we found little movement in key indicators. When we compare this with the almost daily reports of cyber-breaches against public and private organizations in the United States and globally, we are struck by the possibility that the threats have become so persistent, the attacks so pervasive, that organizations—and their leaders—have essentially become inured to what cybersecurity and US government officials call “an ever-increasing threat.”

Many senior executives have become the proverbial “frog in the pot of hot water”—unaware of the increasingly hostile environment. When the pot boils over and their organization falls victim to cyberattacks, only then do they realize the time to take action was yesterday. Or as Ira Winkler, the president of the Information Systems Security Association (“ISSA”), put it, “We hear about wake-up calls, but people keep hitting the snooze button.”1 Perhaps part of the problem, to continue the analogy, is the failure on many companies’ part to appreciate the strategic need to measure the temperature of the water in which one sits.

1 http://www.reuters.com/article/2013/05/16/us-cyber-summit-congress-idUSBRE94F06V20130516

One goal of this paper is to drive an urgent call to action, to appreciate the need to bridge a gap that exists today among those who do not perceive cybersecurity as a strategic business issue and those who do, and to increase awareness as to the strategic implications of the cyber concerns we, as a collective, face.

Our in-depth analysis of the survey results identified four critical areas that have the most impact on organizational responses to cybercrime:

1) Understanding ecosystem-wide risks;
2) Integrating threat intelligence and information-sharing into proactive defense programs;
3) Identifying and mitigating cybercrime committed by trusted insiders; and
4) Understanding and using cybersecurity technology effectively.

Gaining a better understanding of these areas, combined with a strong grasp of the organization’s continuously changing threat environment and an appreciation of its sensitive assets, should give senior executives a stronger basis for an adaptive cybersecurity strategy. The technical debt built up over the years, and the vulnerabilities created as a result, must also be acknowledged. (See Technical Debt on page 16.)

Understanding risks across the ecosystem

In the cyber-arena, what you don’t know can hurt both you and everything your organization touches. Advances in technology have interconnected businesses to partners, suppliers, customers, government entities, and even competitors. Cybercrime is an equal-opportunity event—it can affect every entity across a company’s business ecosystem.

As a result, the entity’s leaders should develop a thorough cybersecurity plan that encompasses all aspects of their global business ecosystem. Yet a significant number of respondents to this year’s survey answered ‘unknown’ or ‘I don’t know’ to important survey questions. Of particular concern, we noted that those who identified themselves as Chief Information Officers (“CIOs”) or Chief Technology Officers (“CTOs”) often were unfamiliar with key cornerstones of a strong cybersecurity program. (See Figure 2.)

Figure 2: Percentage of responding CIOs (including CTOs) indicating “Don’t Know” or “Not Sure”

• 22% responded Don’t know/Not sure: When compared with the prior 12 months, how have monetary losses as a result of cybersecurity events in your organization changed?
• 22% responded Don’t know/Not sure: When considering the financial losses or costs to your company from those targeted attacks aimed at your company, has the financial loss or cost increased or decreased when compared to the prior 12 months?
• 21% responded Don’t know/Not sure: Which of the following proactive activities and techniques are you using to counter advanced persistent threats?
• 21% responded Don’t know/Not sure: Which of the following groups posed the greatest cyber security threat to your organization during the past 12 months?
• 21% responded Don’t know/Not sure: In general, what causes of electronic crimes were more costly or damaging to your organization?
• 17% responded Don’t know/Not applicable: What was your organization’s approximate annual budget for security products, systems, services and/or staff for each of the following areas during the last 12 months?
• 17% responded Don’t know: Please indicate all of the cybercrimes committed against your organization during the past 12 months, along with the source(s) of these cybercrimes to the best of your knowledge.
• 16% responded Don’t know: If you were to find it necessary to seek government assistance with cybercrime or a cyber security-related event, which organization(s) would you contact immediately?

Some survey respondents might not be in a position to have access to cybersecurity strategy and response information, or might not be directly involved in the company’s insider threat or law enforcement liaison processes. But in our view, cybersecurity is everyone’s business—employees, contractors, consultants, and senior executives should all have, at a minimum, a basic understanding of how the company protects people and information from cyberattacks.

The good news from this year’s survey? A strong strategy to protect the ecosystem starts with sensible IT security policies and processes. For cybersecurity to work across an ecosystem, all players need to know not only what the policies and processes are, but also why they need to adhere to them. In questions related to IT security processes, it appears that a solid majority of IT staff and IT leaders understand the policies and processes in place to protect corporate data.

The issue of establishing, communicating, and effectively evaluating cybersecurity policies and practices extends beyond organizational boundaries. Because of the interconnected nature of the ecosystem and today’s reliance on global supply chains, organizations must integrate their vendors and suppliers into their cybersecurity strategy. This does not mean that all organizations in an ecosystem have to have the same strategy, tools, and technologies—but it does mean that individual organizations should have some confidence that their partners aren’t passing on increased cyberrisks through the ecosystem web.

Companies grappling with cybersecurity should be prepared to address two types of supply chains:

1. The IT supply chain, which includes the software and hardware used to support corporate networks and operations; and
2. The more traditional supply chain that encompasses the parts and services that are integrated into the entity’s customer offerings, be they physical products, data or services.

In today’s interconnected ecosystem, both of these supply chain avenues are often direct freeways to compromise company assets. Not all companies recognize that supply chain vendors and business partners such as joint ventures, strategic partnerships, and franchisees can have lower—even non-existent—cybersecurity policies and practices, a situation that can increase cybercrime risks across any entity that partner or supplier touches. And those who do recognize the risk often fail to understand what mitigation steps should be taken.

Although supply chain risk management is a capability identified by respondents as something they use to address cyber-risk, only 22% of respondents actually conduct incident response planning with their third party supply chain. (See Figure 3.) Additionally, only 20% of respondents evaluate the security of third parties more than once a year. (See Figure 4.)

Figure 3: Do you conduct incident response planning with your third-party supply chain? Yes: 22%; No: 52%; Don’t know/not sure: 26%

Figure 4: On average, how often do you evaluate the security of third-parties with which you share data or network access? More than 1×/year: 20% [other responses: Don’t know/not sure, 1×/year or less, We don’t typically evaluate third parties; values shown: 22%, 23%, 35%]

Previous PwC surveys support the view that the supply chain is a potential weak link in cybersecurity—both in the United States and globally. In the PwC 2013 Global CEO Survey, the inability to protect intellectual property (“IP”) and customer data in the corporate supply chain was a concern for 36% of corporate leaders in the United States. Companies often struggle to get their suppliers to comply with privacy policies—a baseline indicator of data protection capabilities.

This is especially true for industries able to easily understand the tangible information types that are at risk, such as those industries focused on protecting personally identifiable information (“PII”), such as financial services, those that handle data protected by the Health Insurance Portability and Accountability Act (“HIPAA”), and those that manage Payment Card Industry (“PCI”) information. Yet fewer than one-third of all industry respondents to PwC’s 2013 Global State of Information Security Survey required third parties to comply with privacy policies.

Threat intelligence and information-sharing

Threat Intelligence

While US cyberthreat anecdotes have become almost routine (keeping the media focused on this issue), the barrage of alarms has not significantly raised survey respondents’ understanding of who these cyber adversaries are, what they target, and how they operate. Many C-Suite executives have neither adequate knowledge of who the most serious threat actors are, nor (logically given the foregoing) do they have a cybersecurity strategy to defend against them. Despite all the talk about cybercrime and cybersecurity, awareness of the threat environment is not increasing.

‘Threat awareness’—the ability to understand cyberthreat actors’ capabilities, motivations, and objectives—should be one of your organization’s starting points for developing an adaptive cybersecurity strategy, providing the contextual background against which organizations can identify key assets that will likely be of interest to your adversaries. Such awareness can also make the organization’s assessment of its vulnerabilities to cyberattacks from the most likely threat actors more efficient.

We asked survey respondents which type of proactive tools they used to counter the Advanced Persistent Threat (“APT”), a commonly used term to define remote attacks employed by sophisticated threat actors, often nation states or their intelligence services. Only 21% of respondents said they used threat modeling, a relatively inexpensive tool that organizations can adapt to their particular threat environment and asset protection requirements. (See Figure 5.)

Figure 5: Which of the following proactive activities and techniques are you using to counter advanced persistent threats?

• Malware analysis: 51%
• Inspection of outbound traffic: 41%
• Rogue device scanning: 34%
• Analysis and geolocation of IP traffic: 31%
• Subscription services: 30%
• Deep packet inspection: 27%
• Examining external footprint: 27%
• Don’t know/not sure: 25%
• Threat modeling: 21%
• Document watermarking/tagging: 9%

The majority of survey participants cited malware analysis and inspection of outbound traffic as tools they currently have in place. While these technologies are effective in identifying intrusions and potential losses, if they are installed in the right place, they are after-the-fact techniques that can help organizations proactively only if the results are incorporated into an adaptive and forward-looking threat modeling strategy. As a result, these entities can be vulnerable to APTs seeking to access sensitive information surreptitiously over an extended period of time.

In fact, CIOs and Chief Security Officers (“CSOs”) do not agree on what constitutes the most significant threat to their operations. When asked in the survey to name the top threats facing their organization this year, CSOs, including Chief Information Security Officers (“CISOs”), pointed to hackers (26%) and foreign nation-states (23%). CIOs, including CTOs, however, were more concerned about insiders (27%)—current or former employees—but only 6% were concerned about nation-states. (See Figure 6.) This lack of consensus, which likely contributes to a lack of action at the C-suite and board level, reflects differences in the threat landscape from industry to industry, or varying perspectives according to job responsibilities: the old but often true adage that “where you stand depends on where you sit” applies.

Figure 6: Which of the following groups posed the greatest cybersecurity threat to your organization during the past 12 months? (All respondents)

• Hackers: 22%
• Current employees & former employees: 21%
• Foreign nation-states (e.g. China, Russia, North Korea): 11%
• Activists/activist organizations/hacktivists: 5%
• Organized crime: 4%

How CSOs (including CISOs) compare: 1: Hackers; 2: Foreign nation states; 3: Current and former employees
How CIOs (including CTOs) compare: 1: Current and former employees; 2: Hackers; 3: Organized crime

Information Sharing

A sensible approach to public-private partnerships should be a cornerstone of any cybersecurity strategy. And those who take advantage of available government sources of cyber-intelligence can gain a fuller picture of both the threats and the leading practices for defending against them. President Obama, in his February 2013 Executive Order on Cybersecurity, designated the Department of Homeland Security (“DHS”) as the focal point for intelligence-sharing with the private sector.

While DHS coordinates the process by which Information Sharing and Analysis Centers (“ISACs”) engage with key sectors of the US critical infrastructure, awareness and use of ISACs is particularly low and has not increased appreciably over the past three years, with the exception of the banking and finance industry, the survey showed. (See Figure 7.) As we noted in our September 2012 ZoomLens article on cybersecurity2, the Financial Services ISAC (“FS-ISAC”) is often praised for its work in bringing public and private sector counterparts together, but with the myriad public-private information-sharing groups available, companies are often unable to determine what government agencies to engage and what to expect from them.

2 http://www.pwc.com/us/en/forensic-services/assets/zoomlens-cybersecurity.pdf

Figure 7: Does your organization participate in any Information Sharing and Analysis Center (ISAC) activities (http://www.isaccouncil.org/), if available in your industry sector?
[chart residue; legend: Don’t know / No / Yes. Values as extracted: 2011: 31%, 49%, 20%; 2012: 24%, 48%, 28%; 2013: 21%, 57%, 22%]

How company leaders get their information on threats might be part of the problem. Even though reporting on the severity and complexity of the threat has grown over the past few years, security and business executives are increasingly turning to publicly available sources of information, such as free Internet websites, as their sources of information. Smaller numbers turn to subscription services, industry colleagues, and the US Government for information. (See Figure 8)

While open-source information can provide threat context to a cybersecurity strategy, these sources vary greatly in quality, accuracy, and timeliness. At a 2011 conference on APT sponsored by RSA, attendees observed that, “…attackers seem to share intelligence more effectively than legitimate enterprises do.”3

Organizations should have a robust, multi-source information collection and analysis strategy, drawing on a variety of external and internal data sources and integrating new information on both emerging threats and innovative technologies to create an agile cyberdefense.

A cybersecurity strategy is the cornerstone of protecting sensitive business assets, yet nearly 30% of companies surveyed (see Figure 9) do not have a plan. And, of those that do, half fail to test it. Companies that understand what their key corporate assets are and then develop and constantly update their cybersecurity strategy based upon new intelligence to protect their assets will likely find themselves in a stronger position to defend against cyberattacks.

Figure 8: Please identify all sources you monitor to keep up with current trends, threats, vulnerabilities, technology, and warnings
Cyber security websites and emails: 71%
Subscription-based services (free): 63%
Peers: 57%
Print publications or websites: 50%
Government websites and emails (other than DHS): 47%
Subscription-based services (paid): 33%
Industrial trade associations: 27%
DHS: 24%
Information Sharing and Analysis Centers (ISACs): 23%
Other: 16%
None: 9%

3 http://www.rsa.com/innovation/docs/APT_findings.pdf

Figure 9: Does your organization have a formalized plan outlining policies and procedures for reporting and responding to cybersecurity events committed against your organization?
Yes, and we test it at least once per year: 26%
Yes, but we do not test it at least once per year: 26%
Don’t know/not sure: 19%
No plan currently, but intend to have one within the next 12 months: 17%
No plans at this time or in the near future: 12%

Additionally, many of the companies who lack or fail to test a cybersecurity plan are likely the same ones who report they don’t know what government agency to contact when a cybercrime is suspected. Interestingly, there are differences between industries regarding which agencies are the top choices for such support. While many reach out to the FBI or the USSS, several industries still rely on local law enforcement for support.

The study reveals that the number of companies that reach out to the United States Computer Emergency Readiness Team (“US-CERT”) remains quite low, an indicator that many organizations are unaware of the robust cybercrime-related information US-CERT makes available to the US private sector on a regular basis.

Deciding who within the government can best help your organization depends on your corporate experience, industry-specific considerations, the identity of likely threat actors, and the severity of the suspected crime. As a retired senior FBI cyber-official recently stated, “The government is…sharing information as fast as we can get it.” The official continued, however, by saying that “when the government does provide information on a cybercrime, the agency hoped the company had already contemplated the potential for a cyberattack and has developed a response plan.”4 As noted above, our survey showed that most do not.

4 http://www.ctlawtribune.com/PubArticleCT.jsp?id=1202601094171&slreturn=20130503094156

Cybercrime from within: Examining the insider threat

The Insider Threat

Insiders from anywhere within the business ecosystem can wreak havoc. The Software Engineering Institute CERT® Program at Carnegie Mellon University notes in its Common Sense Guide to Mitigating Insider Threats,5 “…contractors, consultants, outsourced service providers, and other business partners should be considered as potential insider threats in an enterprise risk assessment.”

The threat of trusted organizational insiders committing cybercrime has received less media and public attention than other cyberthreats. And we see little shifting of respondent attitudes, despite a recent high-profile FBI campaign to raise awareness of instances of insiders stealing trade secrets.

Still, highly publicized research from Carnegie Mellon University cited the significant damage insiders have done to both private and public organizations. While most of the media cybercrime reporting has been on remote network attacks over the Internet, survey results show that among respondents answering insider-related questions, insiders were deemed more likely to be the sources of cyberattacks. For the second year in a row, a greater number of respondents identified insider crimes (34%) as causing more damage to an organization than external attacks (31%). (See Figure 10)

5 http://www.sei.cmu.edu/reports/12tr012.pdf p. 27.

Figure 10: In general, electronic crimes were more costly or damaging to your organization when caused by:
Legend: Don’t know/not sure; Insider: Current or former employee, service provider or contractor; Outsider: Someone who has never had authorized access to an organization’s systems or networks
2013: Insider 34%, Outsider 31%, Don’t know/not sure 35% (the insider and outsider figures are those stated in the text above)
2012 [chart residue; values as extracted, in the same chart positions as the 2013 values 31%, 35%, 34%]: 35%, 28%, 37%

Many information security tools focus on access and authentication. However, these tools are less effective against insiders such as employees, contractors, and third parties who have been granted legitimate access to sensitive data and systems. (See Figure 11) These insiders are likely to be one step ahead of external threat actors because they tend to already know what the company’s crown jewels are: those assets that drive cash flows, competitive advantage, and shareholder value. They also know where they reside on the networks and how to gain access to them for the purposes of theft, disclosure, or destruction.

Figure 11: Please indicate all mechanisms used by insiders in committing cybercrimes against your organization in the past 12 months
Top 10 attack mechanisms reported by those who responded they experienced an attack conducted by an insider (excluding “don’t know”):
Laptops: 17%
Compromised an account: 16%
Copied information to mobile device (e.g., USB drive, iPod, CD): 16%
Remote access: 16%
Used their own account: 15%
Social engineering: 15%
Downloaded information to home computer: 14%
Stole information by sending it out via email: 13%
Stole information by downloading it to another computer: 12%
Rootkit or hacking tool: 11%

Respondents indicated 29% of events they experienced during the past 12 months were known or suspected to have been conducted by Insiders.

As we previously noted, what you don’t know can hurt both you and everything your organization touches. Similar to our ecosystem findings, the ‘don’t know’ answers related to the Insider Threat are concerning. Just as more than one-third of respondents said ‘don’t know’ when asked whether insiders or external actors could cause their organization more damage, the most popular answer to questions about the sources of cybercrime and the mechanisms insiders used was also ‘don’t know’. Twenty-four percent of respondents who had suffered an insider attack did not know what the attack’s consequences were; 33% of respondents had no formalized insider
threat response plan (See Figure 12); and, many were uncertain as to how their company handled investigating potential insider threat cases. (See Figure 13) Of those who did know what the insider threat handling procedures were, the majority reported that the cases were handled in-house, absent legal action or law enforcement involvement.

It remains unclear whether this stems from conscious decision making regarding the handling of insider cases or if it reflects a lack of understanding about how law enforcement agencies can support such investigations. It seems likely, however, that many organizations are not sufficiently incorporating the potential damage insiders can cause to corporate assets, business operations and reputations in deciding whether to pursue prosecution.

Figure 12: Does your organization have a formalized plan for responding to insider security events committed against your organization?
[chart residue; legend: Don’t know / No / Yes. Values as extracted: 17%, 50%, 33%; the text above states that 33% had no formalized plan]

Figure 13: How effective is your organization in reporting, managing and intervening in cyber threats with internal employees?
[chart residue; legend: Minimally / Moderately / Extremely / Don’t know. Values as extracted: 21%, 25%, 18%, 36%]

Insider Threat Management

While some companies seem to be aware of the damage insiders can cause, the survey shows that many respondents are not taking the threat seriously enough, nor doing a good enough job of responding to it.

A strong, enterprise-wide insider threat risk mitigation program is needed to:
• Recognize the risks posed by insider threats;
• Be capable of detecting them;
• Be capable of responding to them; and
• Be capable of effectively mitigating them.

To detect and manage the insider threat, the entity will need information and tools across a range of functions, including IT, information security, physical security, HR, and legal, which often handles privacy and internal investigation issues. Yet, the survey indicates only 14% of respondents handle the insider threat using an interdepartmental team. (See Figure 14)

Figure 14: Who is responsible for responding to insider attacks in your organization?
IT department: 42%
Information security department: 30%
Interdepartmental team dedicated to insider threat: 14%
We do not have a response mechanism for insider security events: 12%
Physical security department: 2%

Our experience suggests that the lack of centralized collection and analysis of corporate data in these insider cases is a primary contributor to this general lack of knowledge. Pertinent information is often held in separate repositories owned by HR, legal, information security, and physical security. In addition, the legal and personnel implications of insider cases, along with training and awareness issues, indicate the importance of developing an insider threat management program, anchored by an interdepartmental team comprising representatives from IT, information security, physical security, legal, and HR, including training and ethics officers.

While significant technology advances in recent years enable security teams to identify and investigate potential insider threats quickly, non-technical collaboration among primary stakeholders is often pivotal in stopping a smart and motivated insider. Data from The Software Engineering Institute CERT® Program at Carnegie Mellon University Insider Threat Database, a repository of reported insider threat cases involving theft of IP using IT, IT sabotage, or
fraud using IT, shows that 27% of the incidents in the database were detected by non-technical means. As an FBI insider threat analyst explained at the February 2013 RSA conference, “…the risk from insider threats is not a technical problem, but a people-centric problem. So you have to look for a people-centric solution. People are multidimensional, so what you have to do is take a multidisciplinary approach.”6

Another important element in defending against insider attacks is also likely one of the most cost-effective: employee training and awareness. Twice as many survey respondents indicated ‘unintentional insiders’—those whose actions are not malicious—cause more sensitive data loss than those of malicious inside actors.

In responding to questions on perceived threats posed by insiders, the majority pointed to lost laptops and related devices, victims of social engineering, or violations of policies on attaching thumb drives or peripherals. Moreover, fellow employees and managers are in the best position to notice and report, and thus prevent damage caused by unintentional insiders, if they know what to look for and where to report it.

Employee training and awareness can be equally effective in mitigating malicious insider risks and damage. These cases often can be heralded by early warning signs such as poor work performance, issues with colleagues, disciplinary action, or living beyond their means; these are signs that employees and managers will notice, not IT security tools. This underscores the importance of training and awareness as a critical element of an insider threat management program, one that is integrated with current information security training and awareness, ethics training programs and the ombudsman process. This requires the participation of corporate functions: not just IT and information security, but also human resources, legal and physical security.

Breach consequences: Effective defense and organizational resilience

Many of the survey questions focus on the technologies organizations use to prevent and investigate cyber breaches, to improve organizational resilience once an attack compromises information systems, and to improve overall organizational cybersecurity capabilities. Entities can find themselves in a constant cycle of attack and defend. As novel attack vectors and methods enter the ecosystem, the security industry develops new technologies and techniques to counteract these methods.

The result is a long list of technology classifications that are used to defend against every manner and type of attack. Respondents appear to be enthusiastic adopters of a variety of defensive, investigative, and mitigation technologies. But a closer look at the data reveals that organizations are not faring as well in assessing exactly what these technologies are supposed to be doing to protect their information—and how effective they are at actually doing that job.

In another sign that attitudes about cybersecurity have shifted little over the years, respondents this year continue to generally feel the same about the overall effectiveness of technologies, regardless of the number of reported attacks per year their organization experienced—this was true for both IT professionals and non-IT professionals, who in theory should be more familiar with the effectiveness of the technologies. This probably points to a lack of understanding about how specific technologies relate to different types of attacks and limited capabilities for assessing the effectiveness of one specific technology or a range of technologies. (See Figure 15)

Interestingly, when a breach does occur, companies reported no significant correlation between a targeted attack and financial loss. The ratio of targeted attacks to non-targeted attacks as identified by respondents remains the same, regardless of whether the attack resulted in a financial loss. We had expected to see more targeted attacks associated with financial losses. In fact, 96% reported cyber-related losses of less than US$1 million over the past year.

6 http://www.darkreading.com/insider-threat/5-lessons-from-the-fbi-insider-threat-pr/240149745

Figure 15: Effective rating of technologies for respondents experiencing…

                                                     Greater than 50 attacks
               Multi-factor/Strong authentication                                                                               3.32
                            One-time passwords                                                                                  3.28
                                         Firewalls                                                                             3.25
                                       Encryption                                                                             3.24
                                       Biometrics                                                                             3.22
                       Role-based authentication                                                                             3.21
                  Wireless encryption/protection                                                                             3.21
                                 Access controls                                                                             3.18
               Electronic access control systems                                                                            3.18
                                Network IDS/IPS                                                                             3.16
Policy-based network connections & enforcement                                                                             3.15
              Network-based policy enforcement                                                                             3.14
                   Network access control (NAC)                                                                            3.13
                        Network-based anti-virus                                                                          3.11
                                    Spam filtering                                                                        3.10
    Network-based monitoring/forensics/esm tool                                                                          3.10
                             Host-based firewalls                                                                        3.09
             Application configuration monitoring                                                                        3.07
                             Rights management                                                                          3.04
 Host-based configuration mgmt./change control                                                                          3.04
                                                     Less than 50 attacks
                                        Firewalls                                                                                   3.42
               Multi-factor/Strong authentication                                                                                  3.36
                                      Encryption                                                                                  3.34
                                 Access controls                                                                                 3.27
                  Wireless encryption/protection                                                                                3.24
                   Network access control (NAC)                                                                                3.20
                        Network-based anti-virus                                                                               3.19
                            Host-based anti-virus                                                                             3.18
               Electronic access control systems                                                                              3.17
                                   Spam filtering                                                                             3.17
                       Role-based authentication                                                                              3.16
              Network-based policy enforcement                                                                               3.15
Policy-based network connections & enforcement                                                                               3.14
                    Identity management system                                                                               3.13
                             Rights management                                                                              3.13
                                Network IDS/IPS                                                                             3.13
                             Host-based firewalls                                                                           3.12
                                      Biometrics                                                                            3.12
                             Complex passwords                                                                              3.12
                 Host-based policy-enforcement                                                                              3.10
                                                     0%             20%                40%          60%               80%                  100%

     Weighted average             Not at all effective (1)        Not very effective (2)     Somewhat effective (3)           Very effective (4)

Still, some government officials, including NSA Director General Keith Alexander, wrote in 2012 that "the ongoing cyber-thefts from the networks of public and private organizations, including Fortune 500 companies, represent the greatest transfer of wealth in human history."7

Similarly, the FBI estimates that all IP theft costs US businesses billions of dollars a year.8 The recently released report by the Commission on the Theft of American Intellectual Property, a private advisory panel headed by former DNI Dennis Blair and former US Ambassador Jon Huntsman, found that IP theft was growing and costing the United States more than $300 billion each year.

This discrepancy between public statements on loss estimates and what organizations themselves estimate as losses is striking.

So why the disconnect? One explanation: organizations that have identified and even mitigated a cyberattack targeting IP still might lack an effective means of assessing what exactly has been stolen. According to a 2011 report on economic and industrial espionage in cyberspace published by the Office of the National Counterintelligence Executive ("ONCIX"), "Even in those cases where a company recognizes it has been victimized…calculation of losses is challenging and can produce ambiguous results."9

Another possibility: more sophisticated cyberattacks targeting IP might be going undetected by detection technologies. According to the retired senior FBI cyber official, "What happens with the FBI is right now, approximately 60 percent of the time, we are going out and telling a company that they have been intruded upon."10 The survey, like many others that try to build cybercrime awareness and understanding, covers several types of cybercrime: denial of service attacks, credit card information thefts, website defacement, as well as IP thefts.

These latter attacks are designed to be less observable, longer lasting, and often sophisticated enough to avoid detection by current private sector cybersecurity technologies. Our view is that the 40% that are not notified are perhaps the most serious and significant thefts that are managed by a broader national security umbrella.

Losing ground?

From an organizational resiliency standpoint, companies appear to be losing ground in combating attacks. Although 90% of respondents reported fifty or fewer attacks in the past year, only 9% of respondents reported an overall decrease in the number of cyberevents over the previous year. About one-third reported an increase in events. And while reported losses still appear low, only 5% had been able to reduce their monetary losses from cyber events, with 19% stating that their monetary losses have actually increased.

Given this environment, it is hard to be optimistic about the future trajectory of information security. Clearly many companies have a poor understanding of how their technologies are deployed and how to properly gauge the effectiveness of those deployments. From an organizational resilience standpoint, things also appear to be trending in the wrong direction, as the number of successful events and monetary losses are both rising.

Figure 16: When compared with the prior 12 months, cybersecurity events in your organization have:

Increased by more than 30%    5%
Increased by 16%–30%          9%
Increased by 1%–15%          19%
Remained the same            42%
Decreased by 1%–15%           5%
Decreased by 16%–30%          2%
Decreased by more than 30%    2%
Don't know/not sure          16%

7 http://www.nsa.gov/research/tnw/tnw194/article2.shtml
8 http://www.fbi.gov/about-us/investigate/white_collar/ipr/ipr
9 http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf
10 http://www.abajournal.com/news/article/what_law_firms_should_know_about_cyber_attacks_and_the_fbi/

A deeper dive into our data can help you protect yours

With this year's survey, we took a deeper dive into the data to explore what it means for protecting US public and private sector organizations amid increasing cybersecurity risks. Ignorance is far from bliss. Ignoring these threats will not keep the pot from boiling over.

Adversaries are more targeted and efficient than ever. A growing number of nation states are getting into the cyberattack game. Organized crime groups have advanced from small-scale monetary theft to large-scale multi-country simultaneous heists. Hacktivists are working with sympathizers within organizations to gain better access.

Many entities are now conducting operations in unsafe regions around the world, and not just through customer locations. This includes places where they're conducting product development and innovation work, working with third parties who have the organization's crown jewels but aren't subject to their security policies.

Lines of business departments are using technologies and software that haven't been reviewed by the organization's information security department. Businesses are becoming intimately involved in ever-changing global ecosystems through activities such as global M&As, strategic partnerships with foreign competitors, and joint ventures that expose their most sensitive IP. More and more of their data is less and less protected.

At the same time, security budgets are misaligned to respond to yesterday's threats, while companies are spending less on 'tried and true' security technologies—without understanding how effective they are, or are not, in combating emerging cyberthreats. Meanwhile, business units are now working with new technologies without understanding the security consequences as they plan strategies for using social media, using public/private cloud services, and allowing employees to use personal devices.

• The C-suite and board should get directly involved with their organization's cybersecurity if they have not already done so.
• The C-suite, technology, and security leadership should establish a cross-functional steering committee to foster collaboration and alignment.
• Security budgets should be allocated in line with business strategy.
• Organizations should put in place mechanisms to engage their entire ecosystem in security prevention and response.

Perhaps most importantly, organizations will be hard-pressed to manage cyber-related threats if they fail to understand their adversaries. Get to know how your business model can unintentionally open your entity's cyber-doors to those who will likely overstay their welcome while making off with precious jewels.

For the most part, the business world tends to underestimate cyberthreats. Neither corporate boards nor business unit leaders are paying enough attention to the negative business implications. According to PwC's Global CEO Survey, one-third of CEOs don't think a cyberattack would negatively impact their business. Yet 61% of consumers11 would stop using a company's product or services after a breach. Think about it.

11 http://www.pwc.com/us/en/industry/entertainment-media/assets/pwc-consumer-privacy-and-information-sharing.pdf

Paying off the technical debt
Many organizations across the industry spectrum are suffering from substantive technology debt. It has been estimated
this debt will soon exceed $1T. In effect, companies are spending their IT budgets on emerging business technologies
while allowing their IT infrastructure to age and atrophy to the point that systems can't support basic data security
functions. This is similar to the lack of funding for physical infrastructure in the US, such as roads, bridges, and other
transportation infrastructure.

Annual spending on information technology does not appear to be keeping up with emerging threats. Technology's
influence has grown rapidly, with many corporations adopting mobile solutions, social media, alternative workplace
solutions, collaborative product innovation, digitized healthcare, and tele-medicine. This is happening amid a
corresponding increase in regulatory controls associated with privacy, health information, financial data, intellectual
property protection, financial statements, and more. It's also happening at a time of increased awareness of
cyber-campaigns targeting specific industries and organizations, and of adversaries who move from on-line industrial
espionage to acts of destruction.

In the face of such intense demand and regulatory oversight, how is it that IT budgets are flat or declining?

Just as corporations should consider how much financial debt they are willing to take on and still maintain a credit
rating worthy of their brand, they also should consider how much technical debt they're willing to take on in the face of
increasing regulation, disclosure requirements, and consumer trust concerns. Technical debt, however, is not on the
balance sheet, and therefore the entity's leadership lacks the transparency required of management and boards to
consider the risks associated with that debt.

It's not unusual for organizations to face trade-offs between the desire to keep pace with new technology-enabled
services and the need to sustain existing services. Yet many executives remain in the dark about the infrastructure that
delivers emerging technology-fueled services. Still, the need to understand some fundamental technology issues
should not be overlooked. Ask and consider:

1. How old are the firewalls that regulate what goes into and out of the corporate network?
2. Do they contain known vulnerabilities that our adversaries are exploiting?
3. What aspects of the identity-management system governing role-based access are foundational to our
   control environment?
4. Is it current technology with a secure operating system and hardware, or did we choose the lowest-cost alternative
   with known security issues?
5. Are the enterprise applications and their underlying databases current, or have we deferred maintenance and
   upgrades because they were highly customized, rendering the path to upgrade too costly to consider in our current
   economic climate?
6. Are the routers and switches that move data within our networks current, or have they been provided by a
   manufacturer that has installed 'back doors' into that equipment, allowing a copy of all corporate traffic to be taken
   without our knowledge?
7. Do we have known security vulnerabilities in key databases that we can't remediate because the applications that
   depend on those databases can't be modified?

It's nothing new for businesses to defer maintenance and other basic technology needs such as upgrades, security
patches, and replacements, or to delay the move to current-generation technology. What is new is that adversaries have
raised the risk for many corporations.

Cyber adversaries often exploit vulnerabilities (both known and unknown) in the technology 'stack' that underpins
most businesses today. In the current environment, it's all too easy to amass substantive technical debt by deferring
merger integrations, letting enterprise system upgrades lag, and expanding IT-enabled services—without making
corresponding investments in the security infrastructure. This can open a toehold for cyber-adversaries who are
hungry for access to your valuable systems and data assets.

About PwC’s Cybersecurity Practice
As a part of the largest professional services firm in the world, PwC has market-leading strategic, technical, forensic,
business process, and industry knowledge and experience. PwC’s Cybersecurity consulting practice helps organizations
understand, adapt and respond to dynamic cyber challenges and accelerating risks inherent to their business ecosystem.
We enable our clients to preserve and protect their competitive advantage and shareholder value by prioritizing and
protecting the most valuable assets fundamental to their business strategy. For more information on PwC’s cybersecurity
point of view, visit: www.pwc.com/cybersecurity.

About PwC US
PwC US helps organizations and individuals create the value they’re looking for. We’re a member of the PwC network
of firms in 158 countries with more than 180,000 people. We’re committed to delivering quality in assurance, tax and
advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com/US.

www.pwc.com

To have a deeper conversation about how this subject may affect
your business, please contact:

David Burg                                                 Gary Loveland
Principal, PwC                                             Principal, PwC
703 918 1067                                               949 437 5380
david.b.burg@us.pwc.com                                    gary.loveland@us.pwc.com

Michael Compton                                            Joseph Nocera
Principal, PwC                                             Principal, PwC
313 394 3535                                               312 298 2745
michael.d.compton@us.pwc.com                               joseph.nocera@us.pwc.com

Peter Harries                                              David Roath
Principal, PwC                                             Partner, PwC
213 356 6760                                               646 471 5876
peter.harries@us.pwc.com                                   david.roath@us.pwc.com

John D Hunt
Principal, PwC
703 918 3767
john.d.hunt@us.pwc.com

© 2013 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the
PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. LA-13-0317 SL/JM