When it comes to cybercrime, it seems no enterprise goes unscathed. There are more breaches happening, the associated costs are rising, and business leadership grows increasingly concerned that information security remains a challenge that is out of control. Those are the headline findings of the 2014 U.S. State of Cybercrime Survey, an annual survey by CSO Magazine with help from the U.S. Secret Service, the Software Engineering Institute at Carnegie Mellon University, and PwC.
The 12th survey of cybercrime trends, released this week, found that the average number of security incidents detected reached 135 per organization. Unfortunately, more than two-thirds of organizations that detected breaches were unable to place a cost on the incidents, and for those that could, the average loss totaled $415,000.
"Despite substantial investments in cybersecurity technologies, cyber criminals continue to find ways to circumvent these technologies in order to obtain sensitive information that they can monetize," said Ed Lowery, special agent in charge, criminal investigative division, at the U.S. Secret Service in a release.
Bob Bragdon, vice president and publisher, CSO, says things are getting worse despite efforts in the right direction. "Things continue to get worse despite the investment in people, processes and technologies to counter cyber threats," he says. Bragdon cites the fact that companies still do not invest in security strategically, in a way that protects their most valuable assets, such as intellectual property and trade secrets.
Another challenge: security isn't keeping up with tech innovation. "Cybersecurity for disruptive technologies remains inadequate when considering Bring Your Own Device (BYOD), cloud, and Software Defined Networking (SDN) are always put in place first and then secured later," Bragdon says.
The survey identified eight common deficiencies, where spending and efforts do lag:
- Most organizations do not take a strategic approach to cybersecurity spending.
- Organizations do not assess security capabilities of third-party providers.
- Supply chain risks are not understood or adequately assessed.
- Security for mobile devices is inadequate and has elevated risks.
- Cyber risks are not sufficiently assessed.
- Organizations do not collaborate to share intelligence on threats and responses.
- Insider threats are not sufficiently addressed.
- Employee training and awareness is very effective at deterring and responding to incidents, yet it is lacking at most organizations.
The survey also found more than a third said that the number of security incidents detected increased over the previous year. So it's no surprise that more than 59% of respondents said that they were more concerned about cybersecurity threats this year than in the past. CEOs are certainly concerned. PwC's Annual Global CEO Survey 2014 found 69% of US respondents worried about the impact of cyber threats to their growth. Costs to Target, for instance, could go well into the hundreds of millions, with some estimates over $1 billion. Final costs won't be tallied until the lawsuits are done, to be sure, and it's unclear how much cyber security insurance will ultimately cover.