What can I say? Attempts to defeat cybercrime are failing…miserably. We recently completed the 2014 U.S. State of Cybercrime survey with our survey partners at the U.S. Secret Service, the Software Engineering Institute at Carnegie Mellon University, and PwC. Each year I hope that the results will come back and show that things are getting better, and each year I am left disappointed. Hope truly is for children.
Let me share with you some of the highlights:
- The State of Cybercrime is not good – businesses and governments are failing to keep up with the persistence, technical expertise or tactical skillset of our adversaries. As I often say, we are the hamsters running on a wheel and it doesn’t look like we’ll be hopping off any time soon.
- Insiders remain the greatest risk – despite the high profile attacks against Target, Neiman Marcus and others, insiders still pose the greatest risk to your enterprise. The unfortunate reality is that most insider risks could be mitigated with adequate employee awareness and security training, but only half of the organizations surveyed actually conduct any awareness training. An interesting side note is that insiders who were caught almost always exhibited some form of precursor characteristics (violation of IT policies, disruptive workplace behavior, poor performance, etc.) that, had the business been looking out for them, might have resulted in greater scrutiny of those insiders and possibly the prevention of those crimes. This is definitely an area to watch.
- Size matters – businesses with more than 1,000 employees take cybercrime far more seriously than their smaller counterparts and are more likely to adopt technologies and best practices that will help to mitigate the risks. While large businesses overwhelmingly view insiders as their greatest threat, smaller businesses take the opposite view, citing outsiders as their greatest threat.
- Experience breeds caution – businesses that experienced a cybercrime in the previous 12 months take security far more seriously than do those businesses that did not experience a cybercrime. The maturity of larger businesses manifests itself in terms of technology adoption, risk management maturity and visibility into the enterprise. Interestingly, businesses that did not experience a security event were far more likely to say they don’t know the most adverse impact they’ve ever experienced; they assume that they have been attacked, but can’t put a finger on the impact.
- Supply chain risk is under-addressed – management of supply chain and partner risk is a big issue that needs to be improved (think Target), particularly at companies with fewer than 1,000 employees. These smaller organizations showed a significant disconnect: they do not trust their partners, but they are also far less likely to require those partners to meet their security standards.
I'll share some more specifics from this year's survey in the coming weeks. You can find complete survey results here.