Key findings from the 2013 US State of Cybercrime Survey
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Key findings from the 2013 US State of Cybercrime Survey June, 2013 Cyberthreats have become so persistent, the attacks so pervasive, that organizations—and their leaders—have essentially become inured to what cybersecurity and US Government officials call an ever-increasing threat. When organizations fall victim to cyberattacks, only then do they realize the time to take action was yesterday. Co-Sponsored by: • The Software Engineering Institute CERT® Program at Carnegie Mellon University • CSO Magazine • United States Secret Service
Executive Summary This year’s cybercrime survey The entities that collaborated collaboration, expanding the use highlights what many in government on preparing and analyzing this of mobile devices, moving the and the cybersecurity industry have year’s survey saw the emergence of storage of information to the cloud, known for years: The cybercrime threat three themes: digitizing sensitive information, environment has become increasingly moving to smart grid technologies, pervasive and hostile—and actions 1. Leaders do not know who and embracing workforce to stem the tide of attacks have had is responsible for their mobility alternatives—without limited effect. We must accept that organization’s cybersecurity, nor first considering the impact these cyberattacks are now a routine part are security experts effectively technological innovations have on of doing business in today’s uncertain communicating on cyberthreats, their cybersecurity profiles. world, and they likely will be a part of cyberattacks, and defensive doing business going forward. technologies. If organizations The news, however, is not entirely fail to identify who is in charge, grim. In our view, most of these The survey results tell us that many they will be left with identifying cybersecurity challenges can be organizational leaders do not know or who is to blame in the wake of addressed internally. The majority of appreciate what they are up against, crippling attacks. attacks (roughly 80%) rely on exploits lack a clear, real-time understanding that companies can readily defend of the nature of today’s cyber-threats 2. Many leaders underestimate their against, if they focus their attention on and those who pose these risks, cyber-adversaries’ capabilities fundamental cybersecurity education, and have made little headway in and the strategic financial, properly maintained IT infrastructure, developing strategies to defend reputational, and regulatory risks and effective monitoring. against both internal and external they pose. Despite indications cyber-adversaries. that the Securities and Exchange In addition, the right cybersecurity Commission (“SEC”), Congress, strategy, awareness of the threat The survey also tells us that we and the White House appreciate the environment, and a solid asset collectively have a long way to go threat, many companies still have identification and protection program in coming to terms with the extent not adequately grasped the degree can help entities manage another of the threat, its short- and long- to which failure to address the 15% of attacks. The final 5% of term implications, and what actions digital threat environment may have attacks emanate from sophisticated— should be taken to curtail the multi- wider repercussions. and often nation state-sponsored faceted impact. adversaries—who threaten our 3. Leaders are unknowingly national security, and should be increasing their digital attack faced in strong collaboration with vulnerabilities by adopting social government agencies. PwC 1
What makes this survey different? This is the first year that PwC has Additionally, we have placed special partnered with CSO Magazine and emphasis on the unique cybersecurity the other co-sponsors to conduct challenges posed by the insider threat. and evaluate the 2013 US State of Cybercrime Survey. Together, we CSO Magazine and its partners have applied our deep experience in Carnegie Mellon University’s Software data analytics to dig into the layers of Engineering Institute (“CMU SEI”) data and identify central concepts we and the United States Secret Service see as vital to organizations that are (“USSS”) have again participated in attempting to make sense of current this effort. and future cyberthreats and attacks. We have brought the issue into focus We have also brought to bear our by going beyond the statistics and experience in identifying security- and focusing on the factors that can impact cyber- trends by drawing on results an organization’s cybersecurity stance, from PwC’s annual Global CEO Survey such as by considering: and annual Global State of Information Security Survey. • Strategy and execution of the cybersecurity program; • Understanding changes in the threat environment; • Identifying key organizational assets in need of protection; and • Spreading that protection beyond the walls of the entity to encompass the enterprise ecosystem. 2 Key findings from the 2013 US State of Cybercrime Survey
Key findings from the 2013 US State of Cybercrime Survey In this 11th survey of cybercrime In reviewing the survey data from One goal of this paper is to drive an trends, over 500 US executives, the past three years, we found little urgent call to action, to appreciate the security experts, and others from the movement in key indicators. When need to bridge a gap that exists today public and private sectors provided we compare this with the almost daily among those who do not perceive their views on the state of cybercrime: reports of cyber-breaches against cybersecurity as a strategic business who the internal and external threat public and private organizations issue and those who do, and to actors are, what they are after, how in the United States and globally, increase awareness as to the strategic well public-private collaboration we are struck by the possibility implications of the cyber concerns we, supports cybersecurity, and what that the threats have become so as a collective, face. technologies are best able to defend persistent, the attacks so pervasive, and protect against cyberattacks. that organizations—and their Our in-depth analysis of the survey leaders—have essentially become results identified four critical The frog in the pot of inured to what cybersecurity and US areas that have the most impact hot water government officials call “an ever- on organizational responses increasing threat.” to cybercrime: There were no significant changes in C-Suite threat awareness, no 1) Understanding ecosystem- Many senior executives have become spikes in spending on cyber-defense, wide risks; the proverbial “frog in the pot of no breakthroughs in the use of hot water”—unaware of the ever technology to combat cybercrime, and 2) Integrating threat intelligence and increasingly hostile environment. no significant change in the ability of information-sharing into proactive When the pot boils over and organizations to measure the impact defense programs; their organization falls victim to of both cybercrimes committed by cyberattacks, only then do they realize insiders and those caused by external 3) Identifying and mitigating the time to take action was yesterday. cyberattacks. (See Figure 1). cybercrime committed by Or as Ira Winkler, the president of trusted insiders; and the Information Systems Security Association (“ISSA”), put it, “We 4) Understanding and using Figure 1: Do you have a hear about wake-up calls, but people cybersecurity technology effectively. methodology that helps you keep hitting the snooze button.”1 determine the effectiveness of your Perhaps part of the problem, to Gaining a better understanding organization’s security programs continue the analogy, is the failure on of these areas, combined with a based on clear measures? many companies’ part to appreciate strong grasp of a continuously the strategic need to measure the organization’s threat environment temperature of the water in which and an appreciation of its sensitive 22% one sits. assets, should give senior executives Don’t know/not sure 40% No a stronger basis for an adaptive Yes 1 http://www.reuters.com/article/2013/05/16/ cybersecurity strategy. The technical 38% us-cyber-summit-congress- idUSBRE94F06V20130516 debt built up over the years, and the vulnerabilities created as a results, must also be acknowledged. (See Technical Debt on page 16) PwC 3
Understanding risks across Figure 2: Percentage of responding CIOs (including CTOs) indicating the ecosystem “Don’t Know” or “Not Sure” In the cyber-arena, what you don’t know can hurt both you and everything your organization touches. Advances 22% When compared with the prior 12 months, how have monetary in technology have interconnected responded: losses as a result of cybersecurity events in your organization Don’t know/ changed? businesses to partners, suppliers, Not sure customers, government entities, and even competitors. Cybercrime is an equal-opportunity event—it can 22% When considering the financial losses or costs to your company responded: from those targeted attacks aimed at your company, has the affect every entity across a company’s financial loss or cost increased or decreased when compared to Don’t know/ business ecosystem. Not sure the prior 12 months? As a result, the entity’s leaders should develop a thorough cybersecurity 21% responded: Which of the following proactive activities and techniques are plan that encompasses all aspects of you using to counter advanced persistent threats? Don’t know/ their global business ecosystem. Yet a Not sure significant number of respondents to this year’s survey answered ‘unknown’ or ‘I don’t know’ to important survey 21% responded: Which of the following groups posed the greatest cyber security questions. Of particular concern, Don’t know/ threat to your organization during the past 12 months? we noted that those who identified Not sure themselves as Chief Information Officers (“CIOs”) or Chief Technology 21% Officers (“CTOs”) often were responded: In general, what causes of electronic crimes were more costly or unfamiliar with key cornerstones Don’t know/ damaging to your organization? of a strong cybersecurity program. Not sure (See Figure 2) 17% What was your organization’s approximate annual budget for responded: security products, systems, services and/or staff for each of the Don’t know/ following areas during the last 12 months? Not applicable 17% Please indicate all of the cybercrimes committed against your responded: organization during the past 12 months, along with the source(s) Don’t know of these cybercrimes to the best of your knowledge. 16% If you were to find it necessary to seek government assistance responded: with cybercrime or a cyber security-related event, which Don’t know organization(s) would you contact immediately? 4 Key findings from the 2013 US State of Cybercrime Survey
Some survey respondents might not all organizations in an ecosystem have Although supply chain risk be in a position to have access to to have the same strategy, tools, and management is a capability identified cybersecurity strategy and response technologies—but it does mean that by respondents as something they information, or might not be individual organizations should have use to address cyber-risk, only 22% of directly involved in the company’s some confidence that their partners respondents actually conduct incident insider threat or law enforcement aren’t passing on increased cyberrisks response planning with their third liaison processes. But in our view, through the ecosystem web. party supply chain. (See Figure 3) cybersecurity is everyone’s business— Additionally only 20% of respondents employees, contractors, consultants, Companies grappling with evaluate the security of third parties and senior executives should all have cybersecurity should be prepared to more than once a year. (See Figure 4) at a minimum, a basic understanding address two types of supply chains: of how the company protects people and information from cyberattacks. 1. The IT supply chain, which includes the software and hardware used Figure 3: Do you conduct incident The good news from this year’s to support corporate networks and response planning with your third- survey? A strong strategy to protect operations; and party supply chain? the ecosystem starts with sensible IT security policies and processes. 2. The more traditional supply chain For cybersecurity to work across an that encompasses the parts and 22% 26% ecosystem, all players need to know not services that are integrated into the Don’t know/not sure only what the policies and processes entity’s customer offerings, be they No are, but also why they need to adhere physical products, data or services. Yes 52% to them. In questions related to IT In today’s interconnected ecosystem, security processes, it appears that a both of these supply chain avenues are solid majority of IT staff and IT leaders often direct freeways to compromise understand the policies and processes company assets. Not all companies Figure 4: On average, how often do in place to protect corporate data. you evaluate the security of third- recognize that supply chain vendors and business partners such as joint parties with which you share data The issue of establishing, or network access? communicating, and effectively ventures, strategic partnerships, and evaluating cybersecurity policies franchisees can have lower—even non- and practices extends beyond existent—cybersecurity policies and practices, a situation that can increase Don’t know/not sure organizational boundaries. Because 22% 23% More than 1×/year of the interconnected nature of the cybercrime risks across any entity that 1×/year or less ecosystem and today’s reliance on partner or supplier touches. And those 20% We don’t typically global supply chains, organizations who do recognize the risk often fail 35% evaluate third parties must integrate their vendors and to understand what mitigation steps suppliers into their cybersecurity should be taken. strategy. This does not mean that PwC 5
Previous PwC surveys support the view and how they operate. Many C-Suite that will likely be of interest to your that the supply chain is a potential executives have neither adequate adversaries. Such awareness can weak link in cybersecurity—both in the knowledge of who the most serious also help make more efficient the United States and globally. In the PwC threat actors are, nor (logically organizations’ assessment of their 2013 Global CEO Survey, the inability given the foregoing) do they have vulnerabilities to cyberattacks from the to protect intellectual property (“IP”) a cybersecurity strategy to defend most likely threat actors. and customer data in the corporate against them. Despite all the talk supply chain was a concern for 36% about cybercrime and cybersecurity, We asked survey respondents which of corporate leaders in the United awareness of the threat environment is type of proactive tools they used to States. Companies often struggle to get not increasing. counter the Advanced Persistent their suppliers to comply with privacy Threat (“APT”), a commonly used term policies—a baseline indicator of data ‘Threat awareness’—the ability to define remote attacks employed protection capabilities. to understand cyberthreat actors’ by sophisticated threat actors, often capabilities, motivations, and nation states or their intelligence This is especially true for industries objectives—should be one of your services. Only 21% of respondents said able to easily understand the tangible organizations’ starting points for they used threat modeling, a relatively information types that are at risk, developing an adaptive cybersecurity inexpensive tool that organizations such as those industries focused on strategy, providing the contextual can adapt to their particular threat protecting personally identifiable background against which environment and asset protection information (“PII”), such as financial organizations can identify key assets requirements. (See Figure 5) services, and those that are affected by the Health Insurance Portability and Accountability Act (“HIPAA”) Figure 5: Which of the following proactive activities and techniques are protected data, as well as those that you using to counter advanced persistent threats? manage Payment Card Industry (“PCI”) information. Yet fewer than Malware analysis 51% one-third of all industry respondents to Inspection of outbound traffic 41% PwC’s 2013 Global State of Information Security Survey required third parties Rogue device scanning 34% to comply with privacy policies. Analysis and geolocation of IP traffic 31% Subscription services 30% Threat intelligence and Deep packet inspection 27% information-sharing Examining external footprint 27% Don’t know/not sure 25% Threat Intelligence Threat modeling 21% While US cyberthreat anecdotes have Document watermarking/tagging 9% become almost routine (keeping the media focused on this issue) the barrage of alarms has not significantly raised survey respondents’ understanding of who these cyber adversaries are, what they target, 6 Key findings from the 2013 US State of Cybercrime Survey
The majority of survey participants Figure 6: Which of the following groups posed the greatest cybersecurity cited malware analysis and inspection threat to your organization during the past 12 months? of outbound traffic as a tool they currently have in place. While these Hackers technologies are effective in identifying 22% How CSOs (including CISOs) compare: intrusions and potential losses, if they Current employees & former employees 1: Hackers are installed in the right place, they 21% 2: Foreign nation states are after-the-fact techniques that can Foreign nation-states 3: Current and former employees help organizations proactively only if (e.g. China, Russia, North Korea) 11% the results are incorporated into an Activists/activist organizations/hactivists How CIOs (including CTOs) compare: adaptive and forward-looking threat 5% 1: Current and former employees modeling strategy. As a result, these Organized crime 2: Hackers entities can be vulnerable to APTs 4% 3: Organized crime seeking to access sensitive information All respondents surreptitiously over an extended period of time. Information Sharing of ISACs is particularly low and has In fact, CIOs and Chief Security A sensible approach to public-private not increased appreciably over the Officers (“CSOs”) do not agree on what partnerships should be a cornerstone past three years, with the exception constitutes the most significant threat of any cybersecurity strategy. And of the banking and finance industry, to their operations. When asked in the those who take advantage of available the survey showed. (See Figure 7) survey to name the top threats facing government sources of cyber- As we noted in our September 2012 their organization this year, CSOs, intelligence can gain a fuller picture ZoomLens article on cybersecurity2, including Chief Information Security of both the threats and the leading the Financial Services- ISAC (“FS- Officers (“CISOs”) pointed to hackers practices for defending against them. ISAC”) is often praised for its work (26%) and foreign nation-states President Obama, in his February 2013 in bringing public and private (23%). CIOs, including CTOs, however, Executive Order on Cybersecurity, sector counterparts together, but were more concerned about insiders designated the Department of with the myriad number of public- (27%)—current or former employees- Homeland Security (“DHS”) as the private information sharing groups but only 6% were concerned about focal point for intelligence-sharing available, companies are often unable nation-states. (See Figure 6) This lack with the private sector. to determine what government of consensus, which likely contributes agencies to engage and what to expect to a lack of action at the C-suite and While DHS coordinates the process from them. board level, reflects differences in by which Information Sharing and the threat landscape from industry- Analysis Centers (“ISACs”) engage to-industry, or varying perspectives with key sectors of the US critical 2 http://www.pwc.com/us/en/forensic-services/ assets/zoomlens-cybersecurity.pdf according to job responsibilities: the infrastructure, awareness and use old but often true adage that “where you stand depends on where you sit” applies. PwC 7
While open-source information Figure 7: Does your organization Figure 8: Please identify all can provide threat context to a participate in any Information sources you monitor to keep up Sharing and Analysis Center cybersecurity strategy, these sources with current with trends, threats, (ISAC) activities (http://www. vary greatly in quality, accuracy, vulnerabilities, technology, isaccouncil.org/), if available in timeliness. At a 2011 conference on and warnings your industry sector? APT sponsored by RSA, attendees observed that, “…attackers seem to Cyber security websites and emails 2011 share intelligence more effectively 71% 31% than legitimate enterprises do.”3 Subscription-based services (free) 49% 63% Organizations should have a robust, 20% Peers multi-source information collection 57% 2012 and analysis strategy, drawing on Print publications or websites 24% a variety of external and internal 50% 48% data sources and integrating new 28% Government websites and emails information on both emerging threats (other than DHS) 2013 and innovative technologies to create 47% 21% an agile cyberdefense. Subscription-based services (paid) 57% 33% 22% A cybersecurity strategy is the Industrial trade associations cornerstone of protecting sensitive 27% Don’t know No Yes business assets, yet nearly 30% of DHS 24% companies surveyed (see Figure 9) do not have a plan. And, of those that Information Sharing and Analysis Centers How company leaders get their (ISACS) information on threats might be part do, half fail to test it. Companies that 23% of the problem. Even though reporting understand what their key corporate Other on the severity and complexity of the assets are and then develop and 16% threat has grown over the past few constantly update their cybersecurity None years, security and business executives strategy based upon new intelligence 9% are increasingly turning to publicly- to protect their assets will likely find available sources of information, themselves in a stronger position to such as free Internet websites, as defend against cyberattacks. their sources of information. Smaller numbers turn to subscription services, 3 http://www.rsa.com/innovation/docs/APT_ industry colleagues, and the US findings.pdf Government for information. (See Figure 8) 8 Key findings from the 2013 US State of Cybercrime Survey
Figure 9: Does your organization Additionally, many of the companies Cybercrime from within: who lack or fail to test a cybersecurity Examining the insider have a formalized plan outlining policies and procedures for plan are likely the same ones threat reporting and responding to who report they don’t know what The Insider Threat cybersecurity events committed government agency to contact when a against your organization? cybercrime is suspected. Interestingly, Insiders from anywhere within the there are differences between business ecosystem can wreak havoc. Yes, and we test it at least once per year industries regarding which agencies The Software Engineering Institute 26% are the top choices for such support. CERT® Program at Carnegie Mellon Yes, but we do not test it at least once per year While many reach out to the FBI or the University notes in its Common 26% USSS, several industries still rely on Sense Guide to Mitigating Insider Don’t know/not sure local law enforcement for support. Threats,5 “…contractors, consultants, 19% outsourced service providers, and No plan currently, but intend to have one The study reveals that the number of other business partners should be within the next 12 months companies that reach out to the United considered as potential insider threats 17% States Computer Emergency Readiness in an enterprise risk assessment.” No plans at this time or in the near future 12% Team (“US- CERT”) remains quite low, an indicator that many organizations The threat of trusted organizational are unaware of the robust cybercrime- insiders committing cybercrime related information US-CERT makes has received less media and public available to the US private sector on a attention than other cyberthreats. And regular basis. we see little shifting of respondent attitudes, despite a recent high-profile Deciding who within the government FBI campaign to raise awareness can best help your organization of instances of insiders stealing depends on your corporate experience, trade secrets. industry-specific considerations, the identity of likely threat actors, and Still, highly publicized research the severity of the suspected crime. from Carnegie Mellon University As a retired senior FBI cyber-official cited the significant damage insiders recently stated, “The government have done to both private and public is…sharing information as fast as we organizations. While most of the can get it.” The official continued, media cybercrime reporting has however, by saying that “when the been on remote network attacks over government does provide information the Internet, survey results show on a cybercrime, the agency hoped the that among respondents answering company had already contemplated insider-related questions, insiders the potential for a cyberattack and has were deemed more likely to be the developed a response plan.”4 As noted sources of cyberattacks. For the second above, our survey showed that most year in a row, a greater number of do not. respondents identified insider crimes (34%) as causing more damage to an organization than external attacks (31%). (See Figure 10) 4 http://www.ctlawtribune.com/PubArticleCT.jsp?id= 1202601094171&slreturn=20130503094156 5 http://www.sei.cmu.edu/reports/12tr012.pdf p. 27. PwC 9
Many information security tools As we previously noted, what you Figure 10: In general, electronic focus on access and authentication. don’t know can hurt both you and crimes were more costly or damaging to your organization However, these tools are less effective everything your organization touches. when caused by: against insiders such as employees, Similar to our ecosystem findings, the contractors, and third parties who ‘don’t know’ answers related to the have been granted legitimate access Insider Threat are concerning. Just as to sensitive data and systems. (See more than one-third of respondents 35% 28% 31% 35% Figure 11) These insiders are likely to said ‘don’t know’ when asked whether be one step ahead of external threat insiders or external actors could cause actors because they tend to already their organization more damage, the 37% 34% know what the company’s crown most popular answer to questions 2012 2013 jewels are: those assets that drive cash about the sources of cybercrime and flows, competitive advantage, and the mechanisms insiders used was Don’t know/not sure shareholder value. They also know also ‘don’t know’. Twenty four percent Insider: Current or former employee, where they reside on the networks of respondents who had suffered an service provider or contractor and how to gain access to them for insider attack did not know what the Outsider: Someone who has never had the purposes of theft, disclosure, attack’s consequences were; 33% of authorized access to an organization’s systems or networks or destruction. respondents had no formalized insider Figure 11: Please indicate all mechanisms used by insiders in committing cybercrimes against your organization in the past 12 months Top 10 attack mechanisms reported by those who responded they experienced an attack conducted by an insider (excluding “don’t know”) 17% Laptops 16% Compromised an account 16% Copied information to mobile device (e.g., USB drive, iPod, CD) 16% Remote access 15% Used their own account 15% Social engineering 14% Downloaded information to home computer 13% Stole information by sending it out via email 12% Stole information by downloading it to another computer 11% Rootkit or hacking tool Respondents indicated 29% of events they experienced during the past 12 months were known or suspected to have been conducted by Insiders. 10 Key findings from the 2013 US State of Cybercrime Survey
threat response plan (See Figure 12); Figure 12: Does your organization Figure 13: How effective is and, many were uncertain as to how have a formalized plan for your organization in reporting their company handled investigating responding to insider security managing and intervening in potential insider threat cases. (See events committed against your cyber threats with internal Figure 13) Of those who did know organization? employees? what the insider threat handling procedures were, the majority reported that the cases were handled 17% 21% 25% Minimally Don’t know in-house, absent legal action or law 50% Moderately No enforcement involvement. 33% 18% Extremely Yes 36% Don’t know It remains unclear whether this stems from conscious decision making regarding the handling of • Be capable of responding to Our experience suggests that the lack insider cases or if it reflects a lack them; and of centralized collection and analysis of understanding about how law of corporate data in these insider enforcement agencies can support • Be capable of effectively cases is a primary contributor to this such investigations. It seems likely, mitigating them. general lack of knowledge. Pertinent however, that many organizations information is often held in separate are not sufficiently incorporating the To detect and manage the insider repositories owned by HR, legal, potential damage insiders can cause to threat, the entity will need information information security, and physical corporate assets, business operations and tools across a range of functions, security. In addition, the legal and and reputations in deciding whether to including IT, information security, personnel implications of insider cases, pursue prosecution. physical security, HR, and legal, which along with training and awareness often handles privacy and internal issues, indicates the importance Insider Threat Management investigation issues. Yet, the survey of developing an insider threat indicates only 14% of respondents management program, anchored by While some companies seem to be handle the insider threat using an interdepartmental team comprising aware of the damage insiders can an interdepartmental team. representatives from IT, information cause, the survey shows that many (See Figure 14) security, physical security, legal, respondents are not taking the threat and HR, including training and seriously enough, nor doing a good ethics officers. enough job of responding to it. Figure 14: Who is responsible for responding to insider attacks in While significant technology advances A strong, enterprise-wide insider your organization? in recent years enable security threat risk mitigation program is teams to identify and investigate needed to: IT department 42% potential insider threats quickly, non-technical collaboration among • Recognize the risks posed by Information security department 30% primary stakeholders is often pivotal insider threats; Interdepartmental team dedicated in stopping a smart and motivated • Be capable of detecting them; to insider threat insider. Data from The Software 14% Engineering Institute CERT® Program We do not have a response mechanism at Carnegie Mellon University Insider for insider security events 12% Threat Database, a repository of Physical security department reported insider threat cases involving 2% theft of IP using IT, IT sabotage, or PwC 11
fraud using IT, shows that 27% of the early warning signs such as poor work technologies. But a closer look at the incidents in the database were detected performance, issues with colleagues, data reveals that organizations are not by non-technical means. As an FBI disciplinary action, or living beyond faring as well in assessing exactly what insider threat analyst explained this their means; these are signs that these technologies are supposed to be at the February 2013 RSA conference, employees and managers will notice, doing to protect their information— “…the risk from insider threats is not not IT security tools. This underscores and how effective they are at actually a technical problem, but a people- the importance of training and doing that job. centric problem. So you have to look awareness as a critical element of an for a people-centric solution. People insider threat management program, In another sign that attitudes about are multidimensional, so what you one that is integrated with current cybersecurity have shifted little over have to do is take a multidisciplinary information security training and the years, respondents this year approach.”6 awareness, ethics training programs continue to generally feel the same and the ombudsman process. This about the overall effectiveness of Another important element in requires the participation of corporate technologies, regardless of the number defending against insider attacks functions: not just IT and information of reported attacks per year their is also likely one of the most cost- security, but also human resources, organization experienced—this was effective: employee training and legal and physical security. true for both IT professionals and non-IT awareness. Twice as many survey professionals, who in theory should be respondents indicated ‘unintentional Breach consequences: more familiar with the effectiveness of insiders’—those whose actions are Effective defense and the technologies. This probably points not malicious—cause more sensitive organizational resilience to a lack of understanding about how data loss than those of malicious specific technologies relate to different inside actors. Many of the survey questions focus types of attacks and limited capabilities on the technologies organizations for assessing the effectiveness of In responding to questions on use to prevent and investigate cyber one specific technology or a range of perceived threats posed by insiders, breaches, to improve organizational technologies. (See Figure 15) the majority pointed to lost laptops resilience once an attack compromises and related devices, victims of social information systems, and to improve Interestingly, when a breach does engineering, or violations of policies on overall organizational cybersecurity occur, companies reported no attaching thumb drives or peripherals. capabilities. Entities can find significant correlation between a Moreover, fellow employees and themselves in a constant cycle of attack targeted attack and financial loss. managers are in the best position to and defend. As novel attack vectors The ratio of targeted attacks to notice and report, and thus prevent and methods enter the ecosystem, non-targeted attacks as identified damage caused by unintentional the security industry develops new by respondents remains the same, insiders, if they know what to look for technologies and techniques to regardless of whether the attack and where to report it. counteract these methods. resulted in a financial loss. We had expected to see more targeted attacks Employee training and awareness The result is a long list of technology associated with financial losses. In can be equally effective in mitigating classifications that are used to defend fact, 96% reported cyber-related losses malicious insider risks and damage. against every manner and type of of less than US$1 million over the These cases often can be heralded by attack. Respondents appear to be past year. enthusiastic adopters of a variety of 6 http://www.darkreading.com/insider-threat/5- defensive, investigative, and mitigation lessons-from-the-fbi-insider-threat-pr/240149745 12 Key findings from the 2013 US State of Cybercrime Survey
Figure 15: Effective rating of technologies for respondents experiencing… Greater than 50 attacks Multi-factor/Strong authentication 3.32 One-time passwords 3.28 Firewalls 3.25 Encryption 3.24 Biometrics 3.22 Role-based authentication 3.21 Wireless encryption/protection 3.21 Access controls 3.18 Electronic access control systems 3.18 Network IDS/IPS 3.16 Policy-based network connections & enforcement 3.15 Network-based policy enforcement 3.14 Network access control (NAC) 3.13 Network-based anti-virus 3.11 Spam filtering 3.10 Network-based monitoring/forensics/esm tool 3.10 Host-based firewalls 3.09 Application configuration monitoring 3.07 Rights management 3.04 Host-based configuration mgmt./change control 3.04 Less than 50 attacks Firewalls 3.42 Multi-factor/Strong authentication 3.36 Encryption 3.34 Access controls 3.27 Wireless encryption/protection 3.24 Network access control (NAC) 3.20 Network-based anti-virus 3.19 Host-based anti-virus 3.18 Electronic access control systems 3.17 Spam filtering 3.17 Role-based authentication 3.16 Network-based policy enforcement 3.15 Policy-based network connections & enforcement 3.14 Identity management system 3.13 Rights management 3.13 Network IDS/IPS 3.13 Host-based firewalls 3.12 Biometrics 3.12 Complex passwords 3.12 Host-based policy-enforcement 3.10 0% 20% 40% 60% 80% 100% Weighted average Not at all effective (1) Not very effective (2) Somewhat effective (3) Very effective (4) PwC 13
Still, some government officials, has been victimized…calculation of an overall decrease in the number of including NSA Director General losses is challenging and can produce cyberevents over the previous year. Keith Alexander wrote in 2012 that ambiguous results.”9 About one-third reported an increase “the ongoing cyber- thefts from in events. And while reported losses the networks of public and private Another possibility: more sophisticated still appear low, only 5% had been organizations, including Fortune 500 cyberattacks targeting IP might able to reduce their monetary losses companies, represent the greatest be going undetected by detection from cyber events, with 19% stating transfer of wealth in human history.”7 technologies. According to the retired that their monetary losses have senior FBI cyber official, “What actually increased. Similarly, the FBI estimates that all IP happens with the FBI is right now, theft costs US businesses billions of approximately 60 percent of the time, Given this environment, it is hard to be dollars a year.8 The recently released we are going out and telling a company optimistic about the future trajectory report by the Commission on the Theft that they have been intruded upon.”10 of information security. Clearly many of American Intellectual Property, The survey, like many others that try companies have a poor understanding a private advisory panel headed by to build cybercrime awareness and of how their technologies are deployed former DNI Dennis Blair and former US understanding, covers several types of and how to properly gauge the Ambassador Jon Huntsman, found that cybercrime: denial of service attacks, effectiveness of those deployments. IP theft was growing and costing the credit card information thefts, website From an organizational resilience United States more than $300 billion defacement, as well as IP thefts. standpoint, things also appear to be each year. trending in the wrong direction, as These latter attacks are designed to the number of successful events and This discrepancy between public be less observable, longer lasting, and monetary losses are both rising. statements on loss estimates and what often sophisticated enough to avoid organizations themselves estimate as detection by current private sector losses is striking. cybersecurity technologies. Our view Figure 16: When compared with is that the 40% that are not notified the prior 12 months, cybersecurity So why the disconnect? One are perhaps the most serious and events in your organization have: explanation: organizations that significant thefts that are managed by have identified and even mitigated a broader national security umbrella. Increased by more than 30% a cyberattack targeting IP still 5% might lack an effective means of Losing ground? Increased by 16%–30% assessing what exactly has been From an organizational resiliency 9% stolen. According to a 2011 report on standpoint, companies appear to be Increased by 1%–15% economic and industrial espionage 19% losing ground in combating attacks. in cyberspace published by the Office Although 90% of respondents reported Remained the same 42% of the National Counterintelligence fifty or fewer attacks in the past year, Executive (“ONCIX”), “Even in those Decreased by 1%–15% only 9% of respondents reported 5% cases where a company recognizes it Decreased by 16%–30% 7 http://www.nsa.gov/research/tnw/tnw194/article2. 9 http://www.ncix.gov/publications/reports/fecie_all/ 2% shtml Foreign_Economic_Collection_2011.pdf 8 http://www.fbi.gov/about-us/investigate/white_ 10 http://www.abajournal.com/news/article/what_ Decreased by more than 30% collar/ipr/ipr law_firms_should_know_about_cyber_attacks_ 2% and_the_fbi/ Don’t know/not sure 16% 14 Key findings from the 2013 US State of Cybercrime Survey
A deeper dive into our data organization’s information security • Security budgets should be allocated can help you protect yours department. Businesses are becoming in line with business strategy. intimately involved in ever-changing With this year’s survey, we took a • Organizations should put in place global ecosystems through activities deeper dive into the data to explore mechanisms to engage their entire such as global M&As, strategic what it means for protecting US public ecosystem in security prevention partnerships with foreign competitors, and private sector organizations and response. and joint ventures that expose their amid increasing cybersecurity risks. most sensitive IP. More and more of Ignorance is far from bliss. Ignoring Perhaps most importantly, their data is less and less protected. these threats will not keep the pot organizations will be hard-pressed to from boiling over. At the same time, security budgets are manage cyber-related threats if they misaligned to respond to yesterday’s fail to understand their adversaries. Adversaries are more targeted and Get to know how your business model threats while companies are spending efficient than ever. A growing number can unintentionally open your entity’s less on ‘tried and true’ security of nation states are getting into the cyber-doors to those who will likely technologies—without understanding cyberattack game. Organized crime overstay their welcome while making how effectively they are, or are not, groups have advanced from small-scale off with precious jewels. in combating emerging cyberthreats. monetary theft to large-scale multi- Meanwhile, business units are now country simultaneous heists. Hactivists For the most part, the business world working with new technologies are working with sympathizers within tends to underestimate cyberthreats. without understanding the security organizations to gain better access. Neither corporate boards nor business consequences as they plan strategies for using social media; using public/ unit leaders are paying enough Many entities are now conducting attention to the negative business private cloud services; and allowing operations in unsafe regions around implications. According to PwC’s employees to use personal devices. the world. And not just through Global CEO Survey, one-third of customer locations. This includes CEOs don’t think a cyberattack would • The C-suite and board should places where they’re conducting negatively impact their business. Yet get directly involved with their product development and innovation 61% of consumers11 would stop using organization’s cybersecurity if they work, working with third parties a company’s product or services after a have not already done so. who have the organization’s crown breach. Think about it. jewels but aren’t subject to their • The C-suite, technology, and security policies. security leadership should 11 http://www.pwc.com/us/en/industry/ establish a cross functional steering entertainment-media/assets/pwc-consumer- Lines of business departments are committee to foster collaboration privacy-and-information-sharing.pdf using technologies and software and alignment. that haven’t been reviewed by the PwC 15
Paying off the technical debt Many organizations across the industry spectrum are suffering from substantive technology debt. It has been estimated this debt will soon exceed $1T. In effect, companies are spending their IT budgets on emerging business technologies while allowing their IT infrastructure to age and atrophy to the point that systems can’t support basic data security functions. This is similar to a lack of funding to physical infrastructure in the US, such as roads, bridges, and other transportation infrastructure. Annual spending in information technology does not appear to be keeping up with emerging threats. Technology’s influence has grown rapidly, with many corporations adopting mobile solutions, social media, alternative workplace solutions, collaborative product innovation, digitized healthcare, and tele-medicine. This is happening amid a corresponding increase in regulatory controls associated with privacy controls, health information controls, financial data controls, intellectual property protection, and financial statement controls, and more. It’s also happening at a time of increased awareness of cyber-campaigns targeting specific industries and organizations, and by adversaries who move from on-line industrial espionage to acts of destruction. In the face of such intense demand and regulatory oversight, how is it that IT budgets are flat or declining? Just as corporations should consider how much financial debt they are willing to take on and still maintain a credit rating worthy of its brand, they also should consider how much technical debt they’re willing to take on in the face of increasing regulation, disclosure requirements, and consumer trust concerns. Technical debt, however, is not on the balance sheets and therefore the entity’s leadership lacks the transparency required of management and boards to consider the risks associated with that debt. It’s not unusual for organizations to face trade-offs between the desire to keep pace with new technology-enabled services and the need to sustain existing services. Yet many executives remain in the dark about the infrastructure that can deliver emerging technology-fueled services. Still, the need to understand some fundamental technology issues should not be overlooked. Ask and consider: 1. How old are the firewalls that regulate what goes into and out of the corporate network? 2. Do they contain known vulnerabilities that our adversaries are exploiting? 3. What aspects of the identity-management system governing the role-based access are foundational to our control environment? 4. Is it current technology with a secure operating system and hardware, or did we choose the lowest cost alternative with known security issues? 5. Are the enterprise applications and their underlying databases current, or have we deferred maintenance and upgrades because they were highly customized, rendering the path to upgrade too costly to consider in our current economic climate? 6. Are the routers and switches that move data within our networks current, or have they been provided by a manufacturer that has installed ‘back doors’ into that equipment, allowing a copy of all corporate traffic to be taken without our knowledge? 7. Do we have known security vulnerabilities in key databases that we can’t remediate because the applications that depend on those databases can’t be modified? While it’s nothing new for businesses to defer maintenance and other basic technology needs as upgrades, security patches, and replacements, or to move to current generation technology. What is new is that adversaries have raised the risk for many corporations. Cyber adversaries often exploit vulnerabilities (both known and unknown) in the technology ‘stack’ that underpins most businesses today. In the current environment, it’s all too easy to amass substantive technical debt by deferring merger integrations, letting enterprise system upgrades lag, and expanding IT-enabled services—without making corresponding investments in the security infrastructure. This can open a toehold for cyber-adversaries who are hungry for system and data access to your valuable data assets. 16 Key findings from the 2013 US State of Cybercrime Survey
About PwC’s Cybersecurity Practice As a part of the largest professional services Firm in the World, PwC has market leading strategic, technical, forensic, business process, and industry knowledge and experience. PwC’s Cybersecurity consulting practice helps organizations understand, adapt and respond to dynamic cyber challenges and accelerating risks inherent to their business ecosystem. We enable our clients to preserve and protect their competitive advantage and shareholder value by prioritizing and protecting the most valuable assets fundamental to their business strategy. For more information on PwC’s cybersecurity point of view, visit: www.pwc.com/cybersecurity. About PwC US PwC US helps organizations and individuals create the value they’re looking for. We’re a member of the PwC network of firms in 158 countries with more than 180,000 people. We’re committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com/US. PwC 17
www.pwc.com To have a deeper conversation about how this subject may affect your business, please contact: David Burg Gary Loveland Principal, PwC Principal, PwC 703 918 1067 949 437 5380 david.b.burg@us.pwc.com gary.loveland@us.pwc.com Michael Compton Joseph Nocera Principal, PwC Principal, PwC 313 394 3535 312 298 2745 michael.d.compton@us.pwc.com joseph.nocera@us.pwc.com Peter Harries David Roath Principal, PwC Partner, PwC 213 356 6760 646 471 5876 peter.harries@us.pwc.com david.roath@us.pwc.com John D Hunt Principal, PwC 703 918 3767 john.d.hunt@us.pwc.com © 2013 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. LA-13-0317 SL/JM
You can also read