The current state of cybercrime

CSO’s 2017 U.S. State of Cybercrime report reveals what IT and security pros fear, how they protect their data, what worked, and what they spend on cyber security.

2017 U.S. state of cybercrime

Every year, CSO asks U.S. business executives, law enforcement services, and government agencies a series of probing questions about the frequency and impact of the cybersecurity threats they see daily across a wide range of industries -- from information and telecommunications to government. They tell us what they have seen, what they spend, how they react to threats, and what needs to be done to mitigate the risks.

We aggregate the data and present this report on the current state of the cybersecurity threat in the United States.

From the role of the board, to securing mobile, to handling insider threats, to what actually worked in a breach, to the role of law enforcement in cyberattacks, here is what people think, what they did, and what it cost.

How do companies communicate with each other?

On many topics, companies send emissaries to meetings, to join organizations, and to attend conferences to understand the challenges and solutions of various aspects of their business. But when it comes to cybersecurity, no single group or organization emerged as the place everyone meets.

With no go-to source of up-to-the-minute practices, it seems that organizations struggle to share information on cybercrime. Twenty-three percent of companies used industry-specific information sharing and analysis centers (ISACs), 22 percent used the FBI’s InfraGard, 12 percent rely on the Department of Homeland Security, and 10 percent use the United States Secret Service Electronic Crimes Task Force or the National Cybersecurity and Communications Integration Center.

Does the board of directors care about security?

In 2017, the board played a bigger role in security than in the past. But the reasons, according to our respondents, vary.

Six out of 10 boards still see cyber-risks as primarily an IT issue, though 43 percent saw it as a corporate governance issue.

Some boards are asking CSOs and CISOs to report more frequently than in the past. Twenty percent of boards want to hear what’s going on monthly (as opposed to only 16 percent in 2015). The largest share of boards want to hear quarterly (30 percent). Twenty percent ask for annual updates, and 29 percent don’t hear from CSOs/CISOs at all.

When it comes to responsibility, the risk committee is most often (36 percent) on the hook. Thirty percent of companies put the responsibility for security on the board of directors, 9 percent have an audit committee, and 15 percent hold no committee accountable.

How much do companies spend on security?

IT budgets keep going up. Each year, companies spend more than they did the previous year protecting their networks. This year is no exception. The average IT security budget increased by 8 percent since 2016. Sixteen percent of those increases were by a significant amount: 10 to 20 percent. Ten percent of companies gave their IT budgets an even bigger boost of more than 20 percent. Less than half of budgets for 2017 remained the same as in 2016. Very few companies -- around 2 percent -- decreased their budgets.

Is IT spending worth it?

Forty percent of IT security spending focused on adding new technologies to the arsenal of tools defending their company from a breach. And 33 percent spent funds refreshing the skills of those leading the charge against threats. But 25 percent of companies invested in a complete redesign of the company’s cybersecurity strategy.

All this spending on skills and defenses is working. The number of cybersecurity events companies experienced over the past 12 months dropped by 8.2 percent for 2017. In 2016, companies reported 161 breaches. In 2017, that number was down to 148.

Fewer events but costs remain high

Although the number of security events in 2017 declined somewhat from the previous year, the financial impact of those events did not.

Thirty-nine percent of companies estimated that the number of cybersecurity events had remained the same in 2017 over last year, and 39 percent estimated that the number of events had increased.

But when asked how the events of the last year compared – in terms of losses – to 2015, most companies (55%) estimated that their losses had stayed the same.

A slightly smaller number (24 percent in 2017 versus 28 percent in 2016) did not know the costs, so some progress has occurred in awareness and tracking.

More companies are being targeted

Phishing, ransomware, financial fraud, and compromised email systems all had a significant jump in 2017. The number of companies that experienced no losses from cybercrime declined.

It was a big year for phishing: 36 percent of companies reported this as a problem. Ransomware, too, saw gains as 17 percent of companies reported experiencing this, compared to only 14 percent in 2016.

Financial fraud went from only 7 percent in 2016 to 12 percent in 2017. Back in 2015, no companies reported being the victim of a business email breach. In 2016, that jumped to 5 percent; in 2017 it increased to 9 percent.

In 2017, 38 percent of companies reported that they had experienced no financial losses from cybercrime. That number was 30 percent last year.

When very bad things happen

Nearly one-fifth of the companies that responded to our survey experienced a critical system disruption affecting themselves or customers and partners as a result of a security event caused by an insider.

Fourteen percent of these critical events were limited to the organization. Ten percent of these events involved a loss of confidential or proprietary information. Four percent caused a loss to current or future revenue. And 4 percent (down slightly from 2016) harmed the company’s reputation. Four percent of these events caused a critical system disruption that affected customers and business partners.

Do you know you have been breached?

One thing is clear from the numbers. Security breaches have become harder to detect. Back in 2015, the average time it took to detect an intrusion was 57.6 days. In 2017, despite increased budgets and investment in tools and skills for detection, it took 92.2 days to realize that an attack had occurred. That gives hackers an entire extra month to roam around corporate systems, gathering data, stealing money, sapping bandwidth, and changing code.

We are getting smarter and more worried

Most respondents (74 percent) admit that they worry more now than they did last year about security threats. Given that 15 percent had had to notify individuals affected by a breach, and 10 percent experienced financial losses, this is perhaps not a big surprise.

And there are a lot of new technologies to protect now: cloud, mobile, social, data analytics, mobile payment systems, and connected devices (IoT).

But most respondents (76 percent) believe they have the expertise to address the risks associated with these technologies. Only 16 percent admitted they did not feel prepared to protect these new technologies.

The threat is outside

When asked where the threats to their company most likely lay, 33 percent of respondents believed it would be from hackers, 6 percent from organized crime, 5 percent from foreign nation-states, and 5 percent from foreign entities and organizations. That adds up to a sizeable majority who believe that whoever the threat is, it would be outside the company. Only 13 percent thought the greatest threat would come from their current employees.

That outside threat promised to be the most costly as well, with 39 percent of respondents believing that the most costly breaches of the organization would come from someone who had never had authorized access. Twenty-nine percent thought the most costly attacks would come from a former employee, service provider, or contractor.

Where do threats come from?

Guarding against all foes is a huge job. We asked companies where, in the case of actual incidents, the threat came from. The largest source was viruses, worms, and other malicious code. Phishing -- mostly from outsiders -- was not far behind. Ransomware came in third.

But threats come from a wide range of places including extortion and DoS attacks. No threat appears too small to guard against. And, although most threats did come from outside, each type of threat was also identified by some organizations as having originated inside the company.

The biggest insider threat? Negligence.

When we asked security pros who had experienced some form of insider threat what they believed the perpetrators’ motives were, 28 percent believed that these incidents were simple accidents. Eighteen percent of respondents believed that attacks were intentional and 8 percent attributed the event to the theft of an insider’s credentials.

By far the biggest internal threat, according to our survey, is the innocent employee who falls for a phishing or hacker scam or who lets their credentials get stolen. The next biggest threat? The careless employee who has no clear boundaries between work and personal use. Only 8 percent thought that disgruntled employees were a significant threat.

It’s clear that better employee training could reduce this threat.

Crime and punishment: What does it cost?

Cyberattacks increasingly target particular companies, according to respondents, rather than capturing many companies in broad attacks.

In 2015, only 28 percent of attacks were aimed precisely at a company’s employees or customers, as opposed to general attacks that happened to affect the company. In 2017, that number jumped to 39 percent. Targeted attacks that cost the company money were up to 44 percent in 2017 compared to 28 percent in 2015.

Estimating the cost is difficult. Most companies (65 percent) don’t know the value of the losses from an attack. Prosecuting the perpetrators is also difficult. Forty-four percent couldn’t prosecute because they could not identify the attackers; 32 percent could not accumulate enough evidence to prosecute.

Are businesses doing enough to secure their ecosystem?

We asked companies how they vet the people they trust: those in the supply chain, their partners, and others who have access to data or networks.

Thirty-eight percent have a process for evaluating the cybersecurity of the entities and partners they trust, and they scrutinize them through that process before doing business with them.

A large portion (35 percent) have no process at all, and 11 percent have a process but only implement it after doing business with a vendor. Thirty percent evaluate everyone they are already doing business with annually, but an equal number (30 percent) don’t typically evaluate third parties at all.

Of those that do evaluate their ecosystem partners regularly, 21 percent have terminated a relationship as a result.

More than half (56%) never conduct incident response exercises with partners. In fact, only 14 percent do this annually.

Half of all organizations monitor user behavior but only a third understand intent

More than half (58%) of the companies we surveyed monitor the behavior of the people who use their company networks (though fully 31 percent don’t do this at all). But only 33 percent have a method in place that helps them understand the intent of the employees who interact with their business data.

Half of the companies have no visibility into their data-protection vulnerabilities from cloud applications that are not supported by the IT department. Twenty-three percent don’t know if they have this visibility. That leaves only 26 percent who know how these unsupported tools leave them vulnerable.

Only one-fourth of companies frequently measure their own security effectiveness

Slightly more than half of the companies we surveyed (53%) have a system in place, with a clear methodology they use to measure the effectiveness of their security programs.

Thirty percent don’t test their own security systems at all and have no clear measure or methodology for gauging their effectiveness.

But only 24 percent of the companies that do test their security effectiveness do it frequently (more than once a year). Fifteen percent test their own systems annually; 13 percent test less often than once a year.

Who handles insider cybercrime?

Insider cybercrime is rarely called in front of law enforcement, according to our survey. Fully 76 percent of incidents are handled internally without legal action. Thirteen percent are handled internally with the help of law enforcement. Only 7 percent are referred to law enforcement to be handled externally, and only 5 percent ever result in a civil action.

Do companies expect IT to fund protections against insider threats?

An insider threat is one that comes from an employee, contractor, or other person who works for or with the company. This threat often goes undetected and is frequently considered a low probability. But the consequences can be huge. Some believe this threat increases in probability over time.

Many of the companies we surveyed that guarded against this threat put the responsibility for protection squarely in the lap of IT (22 percent). Eighteen percent said their IT budget was flexible enough to implement a clearly superior solution to this potentially dangerous problem, and 12 percent said the company had ample budget to stay ahead of it. But 20 percent said this concern did not apply to them at all, and 19 percent said they didn’t know who was responsible.

Technology usage and effectiveness

What works to secure a network? We asked companies how effective they thought the tools they have in place are – on a scale of one to five. No one believes any tool is extremely effective (a five on this scale). In fact, nothing rated higher than 3.5, and most scored somewhere around a three.

Seventy-three percent use multifactor authentication to secure their network and it earns a 3.5 on the effectiveness scale. Seventy-eight percent use encryption but it scores an average of 3.44 on the effectiveness scale. Almost everyone uses a firewall (92 percent) but that tool only averages 3.28. Sixty-seven percent of companies use role-based authentication. They give it a 3.28 effectiveness rating.

They used it. Did it work?

We install technologies and procedures to guard against the worst, and we hope nothing ever happens. But when breaches do occur, the incident offers a clear way to find out what worked and what didn’t. So we asked companies that had experienced an incident what worked for them. And they told us.

When it comes to deterring a potential criminal, 57 percent told us that their physical security did the job. Half said multifactor authentication worked to keep criminals out.

Logging and monitoring was what worked for 46 percent when it came to detecting a criminal in their network. Logging and monitoring also served companies well (37%) when it came to prosecuting an alleged criminal.

How do you secure mobile?

With a workforce carrying an increasing amount of important data in their pockets at all times, how that data is secured has become an important part of a company’s security strategy.

We asked which technologies companies used to secure their smartphone- and tablet-toting workforce. Twenty-six percent of companies use dedicated mobile security technologies to keep a handle on smartphones and tablets that connect to the company. But the lion’s share of companies (39 percent) rely on remote wipe capability to secure these devices. Thirty-five percent use mobile device management software; 34 percent rely on encrypting the device, and 32 percent bank on strong encryption installed on the device.

Keeping up with threats requires vigilance

Staying in the know when it comes to cyberthreats is a big job. The people who worry about this spend a great deal of time constantly monitoring numerous sources on the current state of threats and vulnerabilities.

Seventy-five percent scan cybersecurity websites and emails. Nearly as many (68 percent) stay abreast via free subscription email services. Many IT pros talk to their peers (54 percent) or read print publications and sites (47 percent). They join trade associations (40 percent), pay for subscription-based services (39 percent), and scan government websites and emails on the subject (38 percent).

Less vigilance is paid, though, to creating an action plan in case of attack. Thirty-five percent have no plan outlining procedures and policies for responding to a cyber event. Fifty-two percent do have a plan, but only 29 percent test that plan annually.