Key findings from the 2013 US State of Cybercrime Survey
June, 2013

Cyberthreats have become so persistent, the attacks so pervasive, that organizations—and their leaders—have essentially become inured to what cybersecurity and US Government officials call an ever-increasing threat. When organizations fall victim to cyberattacks, only then do they realize the time to take action was yesterday.

Co-Sponsored by:
• The Software Engineering Institute CERT® Program at Carnegie Mellon University
• CSO Magazine
• United States Secret Service

Executive Summary
This year’s cybercrime survey highlights what many in government and the cybersecurity industry have known for years: The cybercrime threat environment has become increasingly pervasive and hostile—and actions to stem the tide of attacks have had limited effect. We must accept that cyberattacks are now a routine part of doing business in today’s uncertain world, and they likely will be a part of doing business going forward.

The survey results tell us that many organizational leaders do not know or appreciate what they are up against, lack a clear, real-time understanding of the nature of today’s cyber-threats and those who pose these risks, and have made little headway in developing strategies to defend against both internal and external cyber-adversaries.

The survey also tells us that we collectively have a long way to go in coming to terms with the extent of the threat, its short- and long-term implications, and what actions should be taken to curtail the multi-faceted impact.

The entities that collaborated on preparing and analyzing this year’s survey saw the emergence of three themes:

1. Leaders do not know who is responsible for their organization’s cybersecurity, nor are security experts effectively communicating on cyberthreats, cyberattacks, and defensive technologies. If organizations fail to identify who is in charge, they will be left with identifying who is to blame in the wake of crippling attacks.

2. Many leaders underestimate their cyber-adversaries’ capabilities and the strategic financial, reputational, and regulatory risks they pose. Despite indications that the Securities and Exchange Commission (“SEC”), Congress, and the White House appreciate the threat, many companies still have not adequately grasped the degree to which failure to address the digital threat environment may have wider repercussions.

3. Leaders are unknowingly increasing their digital attack vulnerabilities by adopting social collaboration, expanding the use of mobile devices, moving the storage of information to the cloud, digitizing sensitive information, moving to smart grid technologies, and embracing workforce mobility alternatives—without first considering the impact these technological innovations have on their cybersecurity profiles.

The news, however, is not entirely grim. In our view, most of these cybersecurity challenges can be addressed internally. The majority of attacks (roughly 80%) rely on exploits that companies can readily defend against, if they focus their attention on fundamental cybersecurity education, properly maintained IT infrastructure, and effective monitoring.

In addition, the right cybersecurity strategy, awareness of the threat environment, and a solid asset identification and protection program can help entities manage another 15% of attacks. The final 5% of attacks emanate from sophisticated—and often nation state-sponsored adversaries—who threaten our national security, and should be faced in strong collaboration with government agencies.
What makes this survey different?

This is the first year that PwC has partnered with CSO Magazine and the other co-sponsors to conduct and evaluate the 2013 US State of Cybercrime Survey. Together, we have applied our deep experience in data analytics to dig into the layers of data and identify central concepts we see as vital to organizations that are attempting to make sense of current and future cyberthreats and attacks. We have brought the issue into focus by going beyond the statistics and focusing on the factors that can impact an organization’s cybersecurity stance, such as by considering:

• Strategy and execution of the cybersecurity program;
• Understanding changes in the threat environment;
• Identifying key organizational assets in need of protection; and
• Spreading that protection beyond the walls of the entity to encompass the enterprise ecosystem.

Additionally, we have placed special emphasis on the unique cybersecurity challenges posed by the insider threat.

CSO Magazine and its partners Carnegie Mellon University’s Software Engineering Institute (“CMU SEI”) and the United States Secret Service (“USSS”) have again participated in this effort.

We have also brought to bear our experience in identifying security- and cyber-trends by drawing on results from PwC’s annual Global CEO Survey and annual Global State of Information Security Survey.

Key findings from the 2013 US State of Cybercrime Survey
In this 11th survey of cybercrime trends, over 500 US executives, security experts, and others from the public and private sectors provided their views on the state of cybercrime: who the internal and external threat actors are, what they are after, how well public-private collaboration supports cybersecurity, and what technologies are best able to defend and protect against cyberattacks.

The frog in the pot of hot water

There were no significant changes in C-Suite threat awareness, no spikes in spending on cyber-defense, no breakthroughs in the use of technology to combat cybercrime, and no significant change in the ability of organizations to measure the impact of both cybercrimes committed by insiders and those caused by external cyberattacks. (See Figure 1).

Figure 1: Do you have a methodology that helps you determine the effectiveness of your organization’s security programs based on clear measures?
Yes 38%; No 40%; Don’t know/not sure 22%

Many senior executives have become the proverbial “frog in the pot of hot water”—unaware of the ever increasingly hostile environment. When the pot boils over and their organization falls victim to cyberattacks, only then do they realize the time to take action was yesterday.

In reviewing the survey data from the past three years, we found little movement in key indicators. When we compare this with the almost daily reports of cyber-breaches against public and private organizations in the United States and globally, we are struck by the possibility that the threats have become so persistent, the attacks so pervasive, that organizations—and their leaders—have essentially become inured to what cybersecurity and US government officials call “an ever-increasing threat.” Or as Ira Winkler, the president of the Information Systems Security Association (“ISSA”), put it, “We hear about wake-up calls, but people keep hitting the snooze button.”1 Perhaps part of the problem, to continue the analogy, is the failure on many companies’ part to appreciate the strategic need to measure the temperature of the water in which one sits.

One goal of this paper is to drive an urgent call to action, to appreciate the need to bridge a gap that exists today among those who do not perceive cybersecurity as a strategic business issue and those who do, and to increase awareness as to the strategic implications of the cyber concerns we, as a collective, face.

Our in-depth analysis of the survey results identified four critical areas that have the most impact on organizational responses to cybercrime:

1) Understanding ecosystem-wide risks;
2) Integrating threat intelligence and information-sharing into proactive defense programs;
3) Identifying and mitigating cybercrime committed by trusted insiders; and
4) Understanding and using cybersecurity technology effectively.

Gaining a better understanding of these areas, combined with a strong grasp of the organization’s threat environment and an appreciation of its sensitive assets, should give senior executives a stronger basis for an adaptive cybersecurity strategy. The technical debt built up over the years, and the vulnerabilities created as a result, must also be acknowledged. (See Technical Debt on page 16)

1 http://www.reuters.com/article/2013/05/16/us-cyber-summit-congress-idUSBRE94F06V20130516
Understanding risks across the ecosystem

In the cyber-arena, what you don’t know can hurt both you and everything your organization touches. Advances in technology have interconnected businesses to partners, suppliers, customers, government entities, and even competitors. Cybercrime is an equal-opportunity event—it can affect every entity across a company’s business ecosystem.

As a result, the entity’s leaders should develop a thorough cybersecurity plan that encompasses all aspects of their global business ecosystem. Yet a significant number of respondents to this year’s survey answered ‘unknown’ or ‘I don’t know’ to important survey questions. Of particular concern, we noted that those who identified themselves as Chief Information Officers (“CIOs”) or Chief Technology Officers (“CTOs”) often were unfamiliar with key cornerstones of a strong cybersecurity program. (See Figure 2)

Figure 2: Percentage of responding CIOs (including CTOs) indicating “Don’t Know” or “Not Sure”

22% responded Don’t know/Not sure: When compared with the prior 12 months, how have monetary losses as a result of cybersecurity events in your organization changed?
22% responded Don’t know/Not sure: When considering the financial losses or costs to your company from those targeted attacks aimed at your company, has the financial loss or cost increased or decreased when compared to the prior 12 months?
21% responded Don’t know/Not sure: Which of the following proactive activities and techniques are you using to counter advanced persistent threats?
21% responded Don’t know/Not sure: Which of the following groups posed the greatest cyber security threat to your organization during the past 12 months?
21% responded Don’t know/Not sure: In general, what causes of electronic crimes were more costly or damaging to your organization?
17% responded Don’t know/Not applicable: What was your organization’s approximate annual budget for security products, systems, services and/or staff for each of the following areas during the last 12 months?
17% responded Don’t know: Please indicate all of the cybercrimes committed against your organization during the past 12 months, along with the source(s) of these cybercrimes to the best of your knowledge.
16% responded Don’t know: If you were to find it necessary to seek government assistance with cybercrime or a cyber security-related event, which organization(s) would you contact immediately?
Some survey respondents might not be in a position to have access to cybersecurity strategy and response information, or might not be directly involved in the company’s insider threat or law enforcement liaison processes. But in our view, cybersecurity is everyone’s business—employees, contractors, consultants, and senior executives should all have, at a minimum, a basic understanding of how the company protects people and information from cyberattacks.

The good news from this year’s survey? A strong strategy to protect the ecosystem starts with sensible IT security policies and processes. For cybersecurity to work across an ecosystem, all players need to know not only what the policies and processes are, but also why they need to adhere to them. In questions related to IT security processes, it appears that a solid majority of IT staff and IT leaders understand the policies and processes in place to protect corporate data.

The issue of establishing, communicating, and effectively evaluating cybersecurity policies and practices extends beyond organizational boundaries. Because of the interconnected nature of the ecosystem and today’s reliance on global supply chains, organizations must integrate their vendors and suppliers into their cybersecurity strategy. This does not mean that all organizations in an ecosystem have to have the same strategy, tools, and technologies—but it does mean that individual organizations should have some confidence that their partners aren’t passing on increased cyberrisks through the ecosystem web.

Companies grappling with cybersecurity should be prepared to address two types of supply chains:

1. The IT supply chain, which includes the software and hardware used to support corporate networks and operations; and
2. The more traditional supply chain that encompasses the parts and services that are integrated into the entity’s customer offerings, be they physical products, data or services.

In today’s interconnected ecosystem, both of these supply chain avenues are often direct freeways to compromise company assets. Not all companies recognize that supply chain vendors and business partners such as joint ventures, strategic partnerships, and franchisees can have lower—even non-existent—cybersecurity policies and practices, a situation that can increase cybercrime risks across any entity that partner or supplier touches. And those who do recognize the risk often fail to understand what mitigation steps should be taken.

Although supply chain risk management is a capability identified by respondents as something they use to address cyber-risk, only 22% of respondents actually conduct incident response planning with their third party supply chain. (See Figure 3) Additionally only 20% of respondents evaluate the security of third parties more than once a year. (See Figure 4)

Figure 3: Do you conduct incident response planning with your third-party supply chain?
Yes 22%; No 52%; Don’t know/not sure 26%

Figure 4: On average, how often do you evaluate the security of third-parties with which you share data or network access?
Responses: Don’t know/not sure; More than 1×/year (20%); 1×/year or less; We don’t typically evaluate third parties. Chart values: 22%, 23%, 20%, 35%.
Previous PwC surveys support the view that the supply chain is a potential weak link in cybersecurity—both in the United States and globally. In the PwC 2013 Global CEO Survey, the inability to protect intellectual property (“IP”) and customer data in the corporate supply chain was a concern for 36% of corporate leaders in the United States. Companies often struggle to get their suppliers to comply with privacy policies—a baseline indicator of data protection capabilities.

This is especially true for industries able to easily understand the tangible information types that are at risk, such as those industries focused on protecting personally identifiable information (“PII”), such as financial services, and those that are affected by the Health Insurance Portability and Accountability Act (“HIPAA”) protected data, as well as those that manage Payment Card Industry (“PCI”) information. Yet fewer than one-third of all industry respondents to PwC’s 2013 Global State of Information Security Survey required third parties to comply with privacy policies.

Threat intelligence and information-sharing

Threat Intelligence

While US cyberthreat anecdotes have become almost routine (keeping the media focused on this issue) the barrage of alarms has not significantly raised survey respondents’ understanding of who these cyber adversaries are, what they target, and how they operate. Many C-Suite executives have neither adequate knowledge of who the most serious threat actors are, nor (logically given the foregoing) do they have a cybersecurity strategy to defend against them. Despite all the talk about cybercrime and cybersecurity, awareness of the threat environment is not increasing.

‘Threat awareness’—the ability to understand cyberthreat actors’ capabilities, motivations, and objectives—should be one of your organizations’ starting points for developing an adaptive cybersecurity strategy, providing the contextual background against which organizations can identify key assets that will likely be of interest to your adversaries. Such awareness can also help make more efficient the organizations’ assessment of their vulnerabilities to cyberattacks from the most likely threat actors.

We asked survey respondents which type of proactive tools they used to counter the Advanced Persistent Threat (“APT”), a commonly used term to define remote attacks employed by sophisticated threat actors, often nation states or their intelligence services. Only 21% of respondents said they used threat modeling, a relatively inexpensive tool that organizations can adapt to their particular threat environment and asset protection requirements. (See Figure 5)

Figure 5: Which of the following proactive activities and techniques are you using to counter advanced persistent threats?

Malware analysis 51%
Inspection of outbound traffic 41%
Rogue device scanning 34%
Analysis and geolocation of IP traffic 31%
Subscription services 30%
Deep packet inspection 27%
Examining external footprint 27%
Don’t know/not sure 25%
Threat modeling 21%
Document watermarking/tagging 9%
The majority of survey participants cited malware analysis and inspection of outbound traffic as a tool they currently have in place. While these technologies are effective in identifying intrusions and potential losses, if they are installed in the right place, they are after-the-fact techniques that can help organizations proactively only if the results are incorporated into an adaptive and forward-looking threat modeling strategy. As a result, these entities can be vulnerable to APTs seeking to access sensitive information surreptitiously over an extended period of time.

In fact, CIOs and Chief Security Officers (“CSOs”) do not agree on what constitutes the most significant threat to their operations. When asked in the survey to name the top threats facing their organization this year, CSOs, including Chief Information Security Officers (“CISOs”), pointed to hackers (26%) and foreign nation-states (23%). CIOs, including CTOs, however, were more concerned about insiders (27%)—current or former employees—but only 6% were concerned about nation-states. (See Figure 6) This lack of consensus, which likely contributes to a lack of action at the C-suite and board level, reflects differences in the threat landscape from industry-to-industry, or varying perspectives according to job responsibilities: the old but often true adage that “where you stand depends on where you sit” applies.

Figure 6: Which of the following groups posed the greatest cybersecurity threat to your organization during the past 12 months?

All respondents:
Hackers 22%
Current employees & former employees 21%
Foreign nation-states (e.g. China, Russia, North Korea) 11%
Activists/activist organizations/hactivists 5%
Organized crime 4%

How CSOs (including CISOs) compare: 1: Hackers; 2: Foreign nation states; 3: Current and former employees
How CIOs (including CTOs) compare: 1: Current and former employees; 2: Hackers; 3: Organized crime

Information Sharing

A sensible approach to public-private partnerships should be a cornerstone of any cybersecurity strategy. And those who take advantage of available government sources of cyber-intelligence can gain a fuller picture of both the threats and the leading practices for defending against them. President Obama, in his February 2013 Executive Order on Cybersecurity, designated the Department of Homeland Security (“DHS”) as the focal point for intelligence-sharing with the private sector.

While DHS coordinates the process by which Information Sharing and Analysis Centers (“ISACs”) engage with key sectors of the US critical infrastructure, awareness and use of ISACs is particularly low and has not increased appreciably over the past three years, with the exception of the banking and finance industry, the survey showed. (See Figure 7) As we noted in our September 2012 ZoomLens article on cybersecurity2, the Financial Services-ISAC (“FS-ISAC”) is often praised for its work in bringing public and private sector counterparts together, but with the myriad number of public-private information sharing groups available, companies are often unable to determine what government agencies to engage and what to expect from them.

2 http://www.pwc.com/us/en/forensic-services/assets/zoomlens-cybersecurity.pdf
Figure 7: Does your organization participate in any Information Sharing and Analysis Center (ISAC) activities (http://www.isaccouncil.org/), if available in your industry sector?
2011: Don’t know 31%; No 49%; Yes 20%
2012: Don’t know 24%; No 48%; Yes 28%
2013: Don’t know 21%; No 57%; Yes 22%

How company leaders get their information on threats might be part of the problem. Even though reporting on the severity and complexity of the threat has grown over the past few years, security and business executives are increasingly turning to publicly-available sources of information, such as free Internet websites, as their sources of information. Smaller numbers turn to subscription services, industry colleagues, and the US Government for information. (See Figure 8)

While open-source information can provide threat context to a cybersecurity strategy, these sources vary greatly in quality, accuracy, and timeliness. At a 2011 conference on APT sponsored by RSA, attendees observed that, “…attackers seem to share intelligence more effectively than legitimate enterprises do.”3

Organizations should have a robust, multi-source information collection and analysis strategy, drawing on a variety of external and internal data sources and integrating new information on both emerging threats and innovative technologies to create an agile cyberdefense.

A cybersecurity strategy is the cornerstone of protecting sensitive business assets, yet nearly 30% of companies surveyed (see Figure 9) do not have a plan. And, of those that do, half fail to test it. Companies that understand what their key corporate assets are and then develop and constantly update their cybersecurity strategy based upon new intelligence to protect their assets will likely find themselves in a stronger position to defend against cyberattacks.

Figure 8: Please identify all sources you monitor to keep up with current trends, threats, vulnerabilities, technology, and warnings

Cyber security websites and emails 71%
Subscription-based services (free) 63%
Peers 57%
Print publications or websites 50%
Government websites and emails (other than DHS) 47%
Subscription-based services (paid) 33%
Industrial trade associations 27%
DHS 24%
Information Sharing and Analysis Centers (ISACs) 23%
Other 16%
None 9%

3 http://www.rsa.com/innovation/docs/APT_findings.pdf
Figure 9: Does your organization have a formalized plan outlining policies and procedures for reporting and responding to cybersecurity events committed against your organization?

Yes, and we test it at least once per year 26%
Yes, but we do not test it at least once per year 26%
Don’t know/not sure 19%
No plan currently, but intend to have one within the next 12 months 17%
No plans at this time or in the near future 12%

Additionally, many of the companies who lack or fail to test a cybersecurity plan are likely the same ones who report they don’t know what government agency to contact when a cybercrime is suspected. Interestingly, there are differences between industries regarding which agencies are the top choices for such support. While many reach out to the FBI or the USSS, several industries still rely on local law enforcement for support.

The study reveals that the number of companies that reach out to the United States Computer Emergency Readiness Team (“US-CERT”) remains quite low, an indicator that many organizations are unaware of the robust cybercrime-related information US-CERT makes available to the US private sector on a regular basis.

Deciding who within the government can best help your organization depends on your corporate experience, industry-specific considerations, the identity of likely threat actors, and the severity of the suspected crime. As a retired senior FBI cyber-official recently stated, “The government is…sharing information as fast as we can get it.” The official continued, however, by saying that “when the government does provide information on a cybercrime, the agency hoped the company had already contemplated the potential for a cyberattack and has developed a response plan.”4 As noted above, our survey showed that most do not.

Cybercrime from within: Examining the insider threat

The Insider Threat

Insiders from anywhere within the business ecosystem can wreak havoc. The Software Engineering Institute CERT® Program at Carnegie Mellon University notes in its Common Sense Guide to Mitigating Insider Threats,5 “…contractors, consultants, outsourced service providers, and other business partners should be considered as potential insider threats in an enterprise risk assessment.”

The threat of trusted organizational insiders committing cybercrime has received less media and public attention than other cyberthreats. And we see little shifting of respondent attitudes, despite a recent high-profile FBI campaign to raise awareness of instances of insiders stealing trade secrets.

Still, highly publicized research from Carnegie Mellon University cited the significant damage insiders have done to both private and public organizations. While most of the media cybercrime reporting has been on remote network attacks over the Internet, survey results show that among respondents answering insider-related questions, insiders were deemed more likely to be the sources of cyberattacks. For the second year in a row, a greater number of respondents identified insider crimes (34%) as causing more damage to an organization than external attacks (31%). (See Figure 10)

4 http://www.ctlawtribune.com/PubArticleCT.jsp?id=1202601094171&slreturn=20130503094156
5 http://www.sei.cmu.edu/reports/12tr012.pdf p. 27.
Figure 10: In general, electronic crimes were more costly or damaging to your organization when caused by:
2012: Don’t know/not sure 35%; Insider 37%; Outsider 28%
2013: Don’t know/not sure 35%; Insider 34%; Outsider 31%
Insider: Current or former employee, service provider or contractor
Outsider: Someone who has never had authorized access to an organization’s systems or networks

Many information security tools focus on access and authentication. However, these tools are less effective against insiders such as employees, contractors, and third parties who have been granted legitimate access to sensitive data and systems. (See Figure 11) These insiders are likely to be one step ahead of external threat actors because they tend to already know what the company’s crown jewels are: those assets that drive cash flows, competitive advantage, and shareholder value. They also know where they reside on the networks and how to gain access to them for the purposes of theft, disclosure, or destruction.

As we previously noted, what you don’t know can hurt both you and everything your organization touches. Similar to our ecosystem findings, the ‘don’t know’ answers related to the Insider Threat are concerning. Just as more than one-third of respondents said ‘don’t know’ when asked whether insiders or external actors could cause their organization more damage, the most popular answer to questions about the sources of cybercrime and the mechanisms insiders used was also ‘don’t know’. Twenty-four percent of respondents who had suffered an insider attack did not know what the attack’s consequences were; 33% of respondents had no formalized insider threat response plan (See Figure 12); and many were uncertain as to how their company handled investigating potential insider threat cases. (See Figure 13) Of those who did know what the insider threat handling procedures were, the majority reported that the cases were handled in-house, absent legal action or law enforcement involvement.

Figure 11: Please indicate all mechanisms used by insiders in committing cybercrimes against your organization in the past 12 months

Top 10 attack mechanisms reported by those who responded they experienced an attack conducted by an insider (excluding “don’t know”)
17% Laptops
16% Compromised an account
16% Copied information to mobile device (e.g., USB drive, iPod, CD)
16% Remote access
15% Used their own account
15% Social engineering
14% Downloaded information to home computer
13% Stole information by sending it out via email
12% Stole information by downloading it to another computer
11% Rootkit or hacking tool

Respondents indicated 29% of events they experienced during the past 12 months were known or suspected to have been conducted by Insiders.

Figure 12: Does your organization have a formalized plan for responding to insider security events committed against your organization?
Yes 50%; No 33%; Don’t know 17%

Figure 13: How effective is your organization in reporting, managing and intervening in cyber threats with internal employees?
Responses: Minimally; Moderately; Extremely; Don’t know. Chart values: 21%, 25%, 18%, 36%.

It remains unclear whether this stems from conscious decision making regarding the handling of insider cases or if it reflects a lack of understanding about how law enforcement agencies can support such investigations. It seems likely, however, that many organizations are not sufficiently incorporating the potential damage insiders can cause to corporate assets, business operations and reputations in deciding whether to pursue prosecution.

Insider Threat Management

While some companies seem to be aware of the damage insiders can cause, the survey shows that many respondents are not taking the threat seriously enough, nor doing a good enough job of responding to it.

A strong, enterprise-wide insider threat risk mitigation program is needed to:

• Recognize the risks posed by insider threats;
• Be capable of detecting them;
• Be capable of responding to them; and
• Be capable of effectively mitigating them.

To detect and manage the insider threat, the entity will need information and tools across a range of functions, including IT, information security, physical security, HR, and legal, which often handles privacy and internal investigation issues. Yet, the survey indicates only 14% of respondents handle the insider threat using an interdepartmental team. (See Figure 14)

Figure 14: Who is responsible for responding to insider attacks in your organization?

IT department 42%
Information security department 30%
Interdepartmental team dedicated to insider threat 14%
We do not have a response mechanism for insider security events 12%
Physical security department 2%

Our experience suggests that the lack of centralized collection and analysis of corporate data in these insider cases is a primary contributor to this general lack of knowledge. Pertinent information is often held in separate repositories owned by HR, legal, information security, and physical security. In addition, the legal and personnel implications of insider cases, along with training and awareness issues, indicate the importance of developing an insider threat management program, anchored by an interdepartmental team comprising representatives from IT, information security, physical security, legal, and HR, including training and ethics officers.

While significant technology advances in recent years enable security teams to identify and investigate potential insider threats quickly, non-technical collaboration among primary stakeholders is often pivotal in stopping a smart and motivated insider. Data from The Software Engineering Institute CERT® Program at Carnegie Mellon University Insider Threat Database, a repository of reported insider threat cases involving theft of IP using IT, IT sabotage, or
fraud using IT, shows that 27% of the incidents in the database were detected by non-technical means. As an FBI insider threat analyst explained at the February 2013 RSA conference, “…the risk from insider threats is not a technical problem, but a people-centric problem. So you have to look for a people-centric solution. People are multidimensional, so what you have to do is take a multidisciplinary approach.”6

Another important element in defending against insider attacks is also likely one of the most cost-effective: employee training and awareness. Twice as many survey respondents indicated ‘unintentional insiders’—those whose actions are not malicious—cause more sensitive data loss than those of malicious inside actors.

In responding to questions on perceived threats posed by insiders, the majority pointed to lost laptops and related devices, victims of social engineering, or violations of policies on attaching thumb drives or peripherals. Moreover, fellow employees and managers are in the best position to notice and report, and thus prevent damage caused by unintentional insiders, if they know what to look for and where to report it.

Employee training and awareness can be equally effective in mitigating malicious insider risks and damage. These cases often can be heralded by early warning signs such as poor work performance, issues with colleagues, disciplinary action, or living beyond their means; these are signs that employees and managers will notice, not IT security tools. This underscores the importance of training and awareness as a critical element of an insider threat management program, one that is integrated with current information security training and awareness, ethics training programs and the ombudsman process. This requires the participation of corporate functions: not just IT and information security, but also human resources, legal and physical security.

Breach consequences: Effective defense and organizational resilience

Many of the survey questions focus on the technologies organizations use to prevent and investigate cyber breaches, to improve organizational resilience once an attack compromises information systems, and to improve overall organizational cybersecurity capabilities. Entities can find themselves in a constant cycle of attack and defend. As novel attack vectors and methods enter the ecosystem, the security industry develops new technologies and techniques to counteract these methods.

The result is a long list of technology classifications that are used to defend against every manner and type of attack. Respondents appear to be enthusiastic adopters of a variety of defensive, investigative, and mitigation technologies. But a closer look at the data reveals that organizations are not faring as well in assessing exactly what these technologies are supposed to be doing to protect their information—and how effective they are at actually doing that job.

In another sign that attitudes about cybersecurity have shifted little over the years, respondents this year continue to generally feel the same about the overall effectiveness of technologies, regardless of the number of reported attacks per year their organization experienced—this was true for both IT professionals and non-IT professionals, who in theory should be more familiar with the effectiveness of the technologies. This probably points to a lack of understanding about how specific technologies relate to different types of attacks and limited capabilities for assessing the effectiveness of one specific technology or a range of technologies. (See Figure 15)

Interestingly, when a breach does occur, companies reported no significant correlation between a targeted attack and financial loss. The ratio of targeted attacks to non-targeted attacks as identified by respondents remains the same, regardless of whether the attack resulted in a financial loss. We had expected to see more targeted attacks associated with financial losses. In fact, 96% reported cyber-related losses of less than US$1 million over the past year.

6 http://www.darkreading.com/insider-threat/5-lessons-from-the-fbi-insider-threat-pr/240149745
Figure 15: Effectiveness rating of technologies for respondents experiencing…

Greater than 50 attacks (weighted average):
Multi-factor/Strong authentication 3.32
One-time passwords 3.28
Firewalls 3.25
Encryption 3.24
Biometrics 3.22
Role-based authentication 3.21
Wireless encryption/protection 3.21
Access controls 3.18
Electronic access control systems 3.18
Network IDS/IPS 3.16
Policy-based network connections & enforcement 3.15
Network-based policy enforcement 3.14
Network access control (NAC) 3.13
Network-based anti-virus 3.11
Spam filtering 3.10
Network-based monitoring/forensics/ESM tool 3.10
Host-based firewalls 3.09
Application configuration monitoring 3.07
Rights management 3.04
Host-based configuration mgmt./change control 3.04

Less than 50 attacks (weighted average):
Firewalls 3.42
Multi-factor/Strong authentication 3.36
Encryption 3.34
Access controls 3.27
Wireless encryption/protection 3.24
Network access control (NAC) 3.20
Network-based anti-virus 3.19
Host-based anti-virus 3.18
Electronic access control systems 3.17
Spam filtering 3.17
Role-based authentication 3.16
Network-based policy enforcement 3.15
Policy-based network connections & enforcement 3.14
Identity management system 3.13
Rights management 3.13
Network IDS/IPS 3.13
Host-based firewalls 3.12
Biometrics 3.12
Complex passwords 3.12
Host-based policy-enforcement 3.10

Rating scale: Not at all effective (1), Not very effective (2), Somewhat effective (3), Very effective (4). The original chart also showed the percentage breakdown of responses for each technology; only the weighted averages are reproduced here.
Still, some government officials, including NSA Director General Keith Alexander, wrote in 2012 that “the ongoing cyber-thefts from the networks of public and private organizations, including Fortune 500 companies, represent the greatest transfer of wealth in human history.”7

Similarly, the FBI estimates that all IP theft costs US businesses billions of dollars a year.8 The recently released report by the Commission on the Theft of American Intellectual Property, a private advisory panel headed by former DNI Dennis Blair and former US Ambassador Jon Huntsman, found that IP theft was growing and costing the United States more than $300 billion each year.

This discrepancy between public statements on loss estimates and what organizations themselves estimate as losses is striking.

So why the disconnect? One explanation: organizations that have identified and even mitigated a cyberattack targeting IP still might lack an effective means of assessing what exactly has been stolen. According to a 2011 report on economic and industrial espionage in cyberspace published by the Office of the National Counterintelligence Executive (“ONCIX”), “Even in those cases where a company recognizes it has been victimized…calculation of an overall losses is challenging and can produce ambiguous results.”9

Another possibility: more sophisticated cyberattacks targeting IP might be going undetected by detection technologies. According to the retired senior FBI cyber official, “What actually happens with the FBI is right now, approximately 60 percent of the time, we are going out and telling a company that they have been intruded upon.”10 The survey, like many others that try to build cybercrime awareness and understanding, covers several types of cybercrime: denial of service attacks, credit card information thefts, website defacement, as well as IP thefts.

These latter attacks are designed to be less observable, longer lasting, and often sophisticated enough to avoid detection by current private sector cybersecurity technologies. Our view is that the 40% that are not notified are perhaps the most serious and significant thefts that are managed by a broader national security umbrella.

Losing ground?

From an organizational resiliency standpoint, companies appear to be losing ground in combating attacks. Although 90% of respondents reported fifty or fewer attacks in the past year, only 9% of respondents reported an overall decrease in the number of cyberevents over the previous year. About one-third reported an increase in events. And while reported losses still appear low, only 5% had been able to reduce their monetary losses from cyber events, with 19% stating that their monetary losses have actually increased.

Given this environment, it is hard to be optimistic about the future trajectory of information security. Clearly many companies have a poor understanding of how their technologies are deployed and how to properly gauge the effectiveness of those deployments. From an organizational resilience standpoint, things also appear to be trending in the wrong direction, as the number of successful events and monetary losses are both rising.

Figure 16: When compared with the prior 12 months, cybersecurity events in your organization have:
Increased by more than 30% 5%
Increased by 16%–30% 9%
Increased by 1%–15% 19%
Remained the same 42%
Decreased by 1%–15% 5%
Decreased by 16%–30% 2%
Decreased by more than 30% 2%
Don’t know/not sure 16%

7 http://www.nsa.gov/research/tnw/tnw194/article2.shtml
8 http://www.fbi.gov/about-us/investigate/white_collar/ipr/ipr
9 http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf
10 http://www.abajournal.com/news/article/what_law_firms_should_know_about_cyber_attacks_and_the_fbi/
A deeper dive into our data can help you protect yours

With this year’s survey, we took a deeper dive into the data to explore what it means for protecting US public and private sector organizations amid increasing cybersecurity risks. Ignorance is far from bliss. Ignoring these threats will not keep the pot from boiling over.

Adversaries are more targeted and efficient than ever. A growing number of nation states are getting into the cyberattack game. Organized crime groups have advanced from small-scale monetary theft to large-scale multi-country simultaneous heists. Hacktivists are working with sympathizers within organizations to gain better access.

Many entities are now conducting operations in unsafe regions around the world. And not just through customer locations. This includes places where they’re conducting product development and innovation work, working with third parties who have the organization’s crown jewels but aren’t subject to their security policies.

Lines of business departments are using technologies and software that haven’t been reviewed by the organization’s information security department. Businesses are becoming intimately involved in ever-changing global ecosystems through activities such as global M&As, strategic partnerships with foreign competitors, and joint ventures that expose their most sensitive IP. More and more of their data is less and less protected.

At the same time, security budgets are misaligned to respond to yesterday’s threats while companies are spending less on ‘tried and true’ security technologies—without understanding how effective they are, or are not, in combating emerging cyberthreats. Meanwhile, business units are now working with new technologies without understanding the security consequences as they plan strategies for using social media; using public/private cloud services; and allowing employees to use personal devices.

• The C-suite and board should get directly involved with their organization’s cybersecurity if they have not already done so.
• The C-suite, technology, and security leadership should establish a cross-functional steering committee to foster collaboration and alignment.
• Security budgets should be allocated in line with business strategy.
• Organizations should put in place mechanisms to engage their entire ecosystem in security prevention and response.

Perhaps most importantly, organizations will be hard-pressed to manage cyber-related threats if they fail to understand their adversaries. Get to know how your business model can unintentionally open your entity’s cyber-doors to those who will likely overstay their welcome while making off with precious jewels.

For the most part, the business world tends to underestimate cyberthreats. Neither corporate boards nor business unit leaders are paying enough attention to the negative business implications. According to PwC’s Global CEO Survey, one-third of CEOs don’t think a cyberattack would negatively impact their business. Yet 61% of consumers11 would stop using a company’s product or services after a breach. Think about it.

11 http://www.pwc.com/us/en/industry/entertainment-media/assets/pwc-consumer-privacy-and-information-sharing.pdf
Paying off the technical debt
Many organizations across the industry spectrum are suffering from substantive technology debt. It has been estimated
this debt will soon exceed $1T. In effect, companies are spending their IT budgets on emerging business technologies
while allowing their IT infrastructure to age and atrophy to the point that systems can’t support basic data security
functions. This is similar to a lack of funding to physical infrastructure in the US, such as roads, bridges, and other
transportation infrastructure.
Annual spending in information technology does not appear to be keeping up with emerging threats. Technology’s
influence has grown rapidly, with many corporations adopting mobile solutions, social media, alternative workplace
solutions, collaborative product innovation, digitized healthcare, and tele-medicine. This is happening amid a
corresponding increase in regulatory controls associated with privacy controls, health information controls, financial
data controls, intellectual property protection, and financial statement controls, and more. It’s also happening at a time
of increased awareness of cyber-campaigns targeting specific industries and organizations, and by adversaries who
move from on-line industrial espionage to acts of destruction.
In the face of such intense demand and regulatory oversight, how is it that IT budgets are flat or declining?
Just as corporations should consider how much financial debt they are willing to take on and still maintain a credit
rating worthy of its brand, they also should consider how much technical debt they’re willing to take on in the face of
increasing regulation, disclosure requirements, and consumer trust concerns. Technical debt, however, is not on the
balance sheets and therefore the entity’s leadership lacks the transparency required of management and boards to
consider the risks associated with that debt.
It’s not unusual for organizations to face trade-offs between the desire to keep pace with new technology-enabled
services and the need to sustain existing services. Yet many executives remain in the dark about the infrastructure that
can deliver emerging technology-fueled services. Still, the need to understand some fundamental technology issues
should not be overlooked. Ask and consider:
1. How old are the firewalls that regulate what goes into and out of the corporate network?
2. Do they contain known vulnerabilities that our adversaries are exploiting?
3. What aspects of the identity-management system governing the role-based access are foundational to our
control environment?
4. Is it current technology with a secure operating system and hardware, or did we choose the lowest cost alternative
with known security issues?
5. Are the enterprise applications and their underlying databases current, or have we deferred maintenance and
upgrades because they were highly customized, rendering the path to upgrade too costly to consider in our current
economic climate?
6. Are the routers and switches that move data within our networks current, or have they been provided by a
manufacturer that has installed ‘back doors’ into that equipment, allowing a copy of all corporate traffic to be taken
without our knowledge?
7. Do we have known security vulnerabilities in key databases that we can’t remediate because the applications that
depend on those databases can’t be modified?
It’s nothing new for businesses to defer maintenance and other basic technology needs such as upgrades, security
patches, and replacements, or to defer moving to current-generation technology. What is new is that adversaries have
raised the risk for many corporations.
Cyber adversaries often exploit vulnerabilities (both known and unknown) in the technology ‘stack’ that underpins
most businesses today. In the current environment, it’s all too easy to amass substantive technical debt by deferring
merger integrations, letting enterprise system upgrades lag, and expanding IT-enabled services—without making
corresponding investments in the security infrastructure. This can open a toehold for cyber-adversaries who are
hungry for system and data access to your valuable data assets.
About PwC’s Cybersecurity Practice
As a part of the largest professional services firm in the world, PwC has market-leading strategic, technical, forensic,
business process, and industry knowledge and experience. PwC’s Cybersecurity consulting practice helps organizations
understand, adapt and respond to dynamic cyber challenges and accelerating risks inherent to their business ecosystem.
We enable our clients to preserve and protect their competitive advantage and shareholder value by prioritizing and
protecting the most valuable assets fundamental to their business strategy. For more information on PwC’s cybersecurity
point of view, visit: www.pwc.com/cybersecurity.
About PwC US
PwC US helps organizations and individuals create the value they’re looking for. We’re a member of the PwC network
of firms in 158 countries with more than 180,000 people. We’re committed to delivering quality in assurance, tax and
advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com/US.
www.pwc.com

To have a deeper conversation about how this subject may affect your business, please contact:
David Burg, Principal, PwC, 703 918 1067, david.b.burg@us.pwc.com
Gary Loveland, Principal, PwC, 949 437 5380, gary.loveland@us.pwc.com
Michael Compton, Principal, PwC, 313 394 3535, michael.d.compton@us.pwc.com
Joseph Nocera, Principal, PwC, 312 298 2745, joseph.nocera@us.pwc.com
Peter Harries, Principal, PwC, 213 356 6760, peter.harries@us.pwc.com
David Roath, Partner, PwC, 646 471 5876, david.roath@us.pwc.com
John D Hunt, Principal, PwC, 703 918 3767, john.d.hunt@us.pwc.com

© 2013 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. LA-13-0317 SL/JM