By David Burg. PwC published this week the key findings from the 2015 US State of Cybercrime Survey, which we co-sponsored with CSO, the CERT® Division of the Software Engineering Institute at Carnegie Mellon University, and the U.S. Secret Service. The responses from more than 500 executives of U.S. businesses, law enforcement, and government agencies provided telling insight on a broad range of cybercrime issues. I want to focus on three that need to be addressed promptly: Board engagement; balanced investment in cybersecurity; and third-party risks.
First, the survey reveals that most Boards of Directors can do more to engage on cybersecurity. Given the tight link between strategy and risk, the National Association of Corporate Directors recommends that a company’s full Board oversee risk and, more specifically, cybersecurity risk. Yet, 30% of respondents said that no Board committees or members were engaged in cyber-risks, and only 25% said that the full Board was involved.
Moreover, while it is essential for Boards to treat cybersecurity as an overarching corporate risk issue rather than simply an IT matter, only 49% of Boards do so, while 42% see it as a corporate governance issue. This is troubling given that cyber threats are among the most significant business risks facing organizations today. Just consider the following:
- Cybersecurity breaches can have systemic impacts with global effects;
- The financial impact of a breach can be huge, with losses in the billions of dollars; and
- Regulatory compliance is becoming more challenging and increasingly costly. For example, the European Union’s Data Protection Directive provides for fines up to 5% of a company’s global revenue.
Thus, the optimum oversight is one in which an organization’s full Board engages the issue on an enterprise-risk basis. Ideally, the Board would oversee a formal, quantitative estimate of cyber-risks – what is known as cybersecurity value at risk. Doing so can help CEOs, CROs, and Boards better understand what digital assets are at risk, how to address the risks, and how to project potential losses.
A second issue the survey identifies is that many organizations today aren’t correctly balancing their cybersecurity investments, focusing too much on technology. Forty-seven percent of the survey’s respondents said adding new technologies is a spending priority, higher than all other initiatives. In contrast, only 15% said that redesigning processes is a priority, and only 33% prioritize adding new skills and capabilities.
The problem is that organizations must invest sufficiently in processes and employee training to get full value from their technology investments. Yet only 50% of survey respondents said they conduct periodic security awareness and training programs, and only the same percentage offer security training for new employees.
This is especially troubling when perhaps the most worrisome type of cyber-attack is phishing, which is often used to implant malware within an organization’s network and initiate complex, covert attacks. Almost 31% of respondents said they had been hit by phishing attacks in 2014, making it the second most frequent type of attack. And what is a critical part of guarding against successful phishing? Employee training. Thus, employee awareness programs, balanced with up-to-date technologies and processes, best arm companies against cyber threats.
The survey’s third cautionary finding is that organizations can better address third-party cyber-risks. The last year saw some high-profile breaches begin with attacks on business partners, and this year 62% of respondents said they evaluate the security risks of third-party partners and 57% said they do so for contractors. Forty-two percent consider supplier risks.
While higher than previous years, these numbers still reveal that a significant number of organizations are not addressing this problem. And the responses indicate that those that are could be doing much more – only 16% of respondents said they evaluate third-party cybersecurity more than once a year. Furthermore, 19% of CEOs, CFOs, and COOs say they are not at all worried about any kind of supply-chain risk. Even 19% of CIOs were unconcerned about supply-chain risks.
Thus, due diligence of business partners appears inadequate. Those not taking greater care here should take note that regulatory authorities are increasingly interested in this issue. For example, last October, the New York State Department of Financial Services polled 40 regulated banking organizations for information on third-party information security failures.
In the end, we know that cyber criminals are constantly developing new forms and pathways of attack, and seeking out new targets. These facts, and the growing number of bad actors, make it critical for organizations to take fundamental steps to protect themselves. This year’s cybercrime survey makes it clear not only that the threat is increasing, but that organizations can be doing more to combat that threat.