The good guys are losing the cybercrime war. One major reason is that they don't understand their enemies, and therefore are not fighting back effectively. Another is that Edward Snowden, currently the world's most famous insider threat, apparently has a lot of company.

Those are among the most important, and sobering, conclusions of the 2013 State of Cybercrime Survey from PwC US and CSO magazine, which included responses from 500 U.S. executives, security experts, and others from both private and public sectors.

This, the 11th survey of cybercrime trends, released last week, found that while cybercrime threats are increasing, current defenses against them remain ineffective, in large measure because too many executives still do not understand the extent and seriousness of those threats, or have simply become numb to the news about them.

"There were no significant changes in C-Suite threat awareness, no spikes in spending on cyber-defense, no breakthroughs in the use of technology to combat cybercrime, and no significant change in the ability of organizations to measure the impact of both cybercrimes committed by insiders and those caused by external cyberattacks," the survey reported.

That, according to Dave Burg, PwC Global and US advisory cyber security leader, has been the case for a decade. "(We) have seen virtually no movement by survey respondents in the past 10 years," he said.

"Possibly the most alarming theme that came out of this year's survey results was that U.S. organizations are misjudging the severity of risks they face from cyber attacks from a financial, reputational, and regulatory perspective," said Bob Bragdon, vice president and publisher, CSO.

The result is that organizations aren't developing better ways to detect and counter attacks on their networks. The report said too many senior executives resemble the proverbial "frog in the pot of hot water" — losing awareness of the increasing threat environment.

"When organizations fall victim to cyberattacks, only then do they realize the time to take action was yesterday," the survey said.

And it is not nearly enough to defend the perimeter of a network. The survey found, for the second year in a row, that insiders — many times with malicious intent — are a greater threat to organizations than outside attackers. Insiders are not just direct employees either — they can be contractors, consultants, outside service providers, suppliers and business partners who have access privileges.

The survey, co-sponsored by the CERT Program at the Carnegie Mellon University Software Engineering Institute, CSO and the U.S. Secret Service, in collaboration with the FBI, found three major themes:

The cyber threats confronting modern businesses are many and varied. And the survey found that too many of them are enabled by a lack of attention to risk. Among the more obvious risks are supply chains, both of the hardware and software supporting IT and the more traditional supply of parts and services.

"In today's interconnected ecosystem, both of these supply chain avenues are often direct freeways to compromise company assets," the survey said, noting that many vendors and business partners "can have lower — even nonexistent — cybersecurity policies and practices" than the enterprises they serve.

Dave Burg said it is not necessarily that suppliers don't care about security, but that they may not have the same resources that their client enterprises do.

"The threat actors know this and are targeting the small and medium sized organizations in order to exploit the weaker target as a means to get to the ultimate target," he said.

Getting suppliers to comply with privacy policies can also be a problem, especially in industries like financial services, health care and the Payment Card Industry (PCI), where the protection of personally identifiable information (PII) is crucial.

"Yet fewer than one-third of all industry respondents to PwC's 2013 Global State of Information Security Survey required third parties to comply with privacy policies," the survey reported.

Randy Trzeciak, technical manager of the Insider Threat Center at CERT, said it can be very challenging for an enterprise to get suppliers to match its security needs, since many times there needs to be an integration of very disparate systems.

"You need to communicate your expectations," he said. "You need to write them into service level agreements prior to signing anything. And you need due diligence as well. You should be able to go out and inspect those suppliers if needed."

The threat is just as high, and the potential damage even higher, from more direct insiders — employees. As the survey noted, those with malicious intent already have access, they know what the company "crown jewels" are and they often know where they are.

To mitigate that threat requires both technical and nontechnical means. Trzeciak said CERT promotes "trust but verify" — trusting workers to support the organization, but limiting access to what they need to do their jobs. He said CERT has a Common Sense Guide to Mitigating Insider Threats on its website that offers 19 practices for enterprises to detect and prevent insider threats.

They include the centralization of information and tools across functions including IT, information security, physical security, HR and legal, rather than keeping them in separate repositories.

But technology is not enough. The survey quotes an FBI insider at the February 2013 RSA conference, who said, "the risk from insider threats is a people-centric problem. So you have to look for a people-centric solution."

"Poor performance, issues with colleagues, disciplinary actions, living beyond their means; these are signs that employees and managers will notice, not IT security tools," the survey said.

Insiders can also be a problem even when they're not malicious, since they can be "spear phished" — tricked into clicking on a link in an email purporting to come from a trusted source, or through social engineering.

Training and awareness can mitigate that, but John McClurg, vice president and CSO at Dell, said that given the skill with which spear phishers harvest details from social media sites, "even the most security aware employees can be induced into clicking in a moment of weakness."

But, he added, "great cyber intelligence is available through (different) groups, and is an indispensable asset any CSO can leverage."

There are other ways for enterprises to improve their security posture. The survey concluded that companies could defend against 80% of attacks simply through better education, IT infrastructure maintenance and monitoring.

Another 15% can be defeated through effective strategy, better awareness of the threats and good asset identification and protection. The final 5%, which come from sophisticated, nation-state actors, need to be confronted with the help of government agencies.

But that requires a cybersecurity strategy that includes planning for attacks and better sharing of information on threat levels, neither of which is being done by a majority of enterprises.

"A cybersecurity strategy is the cornerstone of protecting sensitive business assets, yet nearly 30% of companies surveyed do not have a plan. And of those that do, half fail to test it," the survey found.

Dave Burg said part of that plan means that an organization must "understand what its critical assets are from a threat actor's perspective. Determining the most serious threat actors depends on what is being targeted."

"For example, nation states, motivated to achieve economic, political, and/or military advantage, tend to target trade secrets, sensitive business information, emerging technologies, and critical infrastructure. Organized crime groups, looking for immediate financial gain," he said.

The survey also found that while the Department of Homeland Security (DHS) coordinates interaction between Information Sharing and Analysis Centers (ISACs) and key sectors of the US critical infrastructure, "awareness and use of ISACs is particularly low and has not increased appreciably over the past three years, with the exception of the banking and finance industry."

This is partly due to security and business executives getting their threat information from public sources, which the survey said "vary greatly in quality, accuracy (and) timeliness."

And it is partly because "many of the companies who lack or fail to test a cybersecurity plan are likely the same ones who report they don't know what government agency to contact when a cybercrime is suspected."

The FBI declined to comment on the report, but furnished a link to testimony before Congress by Richard A. McFeely, executive assistant director of the agency's Criminal, Cyber, Response, and Services Branch, promising better cooperation with the private sector.

"In the past, industry has provided us information about attacks that have occurred, and we have investigated the attacks, but we have not always provided information back. We realize the flow of information must go both ways," McFeely said. "As part of our enhanced private sector outreach, we have begun to provide industry partners with classified threat briefings and other information and tools to help them repel intruders."

But even that requires readiness to respond by the private sector. The survey quoted a retired FBI official saying that the agency is sharing information as quickly as it gets it, but most companies don't have response plans in place to take advantage of it.

Finally, companies must address their "technology debt," which the survey estimated will soon reach $1 trillion.

"Companies are spending their IT budgets on emerging business technologies while allowing their IT infrastructure to age and atrophy to the point that systems can't support basic data security functions," it said, comparing it to the neglect of transportation infrastructure in the U.S.

It recommended inspecting firewalls, identity management systems, operating systems, hardware, enterprise applications, routers and switches to make sure they are current.

While deferred maintenance is nothing new, it noted, "What is new is that adversaries have raised the risk for many corporations."

Burg said that analysis of cyber incidents often finds that attackers gain entry to an organization's infrastructure "through known vulnerabilities in older operating systems, hardware, and software on which maintenance, upgrades and retirements have been delayed to meet near-term budget pressures. In effect, organizations are increasing their attack surface."