
State of cybercrime 2018: Security spending up, but so are the risks

News Analysis
Nov 02, 2018

IT and security management use more technology to defend against sophisticated hacker attacks, but still lag on security training.


In the past year, security teams have seen both large and small organizations hit by high-profile breaches. They’ve also witnessed the cost, not just monetary, but in loss of reputation for both the affected organizations and security leaders. Layered on top of that are new privacy and security regulations that redefine many aspects of how security organizations do their jobs.

These trends and events are driving companies to take IT security more seriously, according to a new survey from CSO. Its results provide insight into not only the nature and scope of the threats that U.S. businesses face, but exactly how those businesses are responding.

The 2018 U.S. State of Cybercrime survey is conducted annually by CSO in partnership with the US Secret Service and CERT at the Software Engineering Institute at Carnegie Mellon University. The survey covers the time period of June 2017 to May 2018.

Of the 515 respondents, 34 percent identified themselves as IT management, 20 percent said they were in security management, 14 percent said they were business management, and the remainder said they were staff or other. The average company size was 10,874 people, and 51 percent of respondents said they worked for small- to medium-sized companies while 49 percent worked at enterprise-level organizations.


Security spending is on the rise

One notable change from last year’s survey is in the average IT security budget. It increased to $15 million, up from $11 million. That’s nearly a 27 percent rise, and it is another indicator that security is top-of-mind among business leaders. The $15 million does not include physical security, which respondents said they spent an average of $13 million on in 2018.

Fifteen percent of respondents said their IT security budget was more than $10 million. Interestingly, 37 percent said their IT security budget was less than $250,000. That suggests that some companies represented in the survey spend significantly more than $10 million given the average spend of $15 million.

Changing reporting lines for CISOs

Although anecdotal evidence has suggested that more CISOs are reporting to CEOs, the survey shows the opposite trend. Only 28 percent of respondents said their top security executive reported to the CEO. That’s down by seven points from last year’s survey.

The biggest change in reporting lines is to the CIO. Twenty-five percent of respondents said the top security executive reports to the CIO, a nine-point increase from the 2017 survey. More CISOs are reporting to boards of directors and CTOs, too: 8 percent and 6 percent, respectively. That’s up from 6 percent and 3 percent over last year.

Regardless of to whom security executives report, they are meeting with boards of directors more often. Thirty-eight percent of respondents said they have quarterly security meetings with the board, as opposed to 30 percent in 2017. Only 19 percent said there were no board meetings about security—down from 29 percent in 2017.

An evolving threat landscape

The average number of security events at respondents’ companies continues to decline—down to 107 from 148 in 2017. The disparity between enterprise-level organizations and SMBs is large, however. Enterprises reported 196 events, while SMBs reported only 24. Those numbers might seem low depending on how you define a security event, and the question that the survey posed left it to the respondent to determine what constituted an event.

A better indicator of the seriousness of security events is whether an organization had to notify individuals or regulators. The 2018 survey asked this question for the first time. Twenty-four percent of enterprise respondents and 12 percent of SMB respondents said they had to notify individuals impacted by a breach. Twenty-three percent of enterprise respondents and 5 percent of SMB respondents had to notify regulators of a breach.


Average monetary losses from security events declined slightly in 2018, to $353,000 from $381,000 in 2017. Those totals include all expenses associated with resolving the incident.

One of the most alarming findings is the increased time needed to detect a network intrusion. That’s up to 108.5 days from 92 days in 2017, a 28 percent increase. Given the increase in both budget and attention for security, the longer detection times seem to indicate that hackers are getting better at avoiding mechanisms put in place to identify their activities.

Although the breakdown between incidental and targeted cyber attacks was nearly the same as in 2017 (38 percent and 62 percent, respectively), monetary losses from targeted attacks are increasing. Forty percent of all losses were due to targeted attacks, and 27 percent of respondents reported an increase in losses.

Insider versus outsider threats

Security incidents executed by hackers outnumber those from insiders at a rate of three to one. Twice as many respondents consider hackers the most significant threat as those who say insiders are the most significant. Thirty-nine percent said that cybercrimes committed by outsiders were the most costly to their organizations.

The biggest concern over insider threats is compromised records. Sixty-one percent of respondents said that an insider incident compromised customer records, while 56 percent said that insiders compromised trade secrets or intellectual property. Respondents said that 36 percent of all insider incidents were unintentional or accidental.


For these reasons, 72 percent of organizations monitor their employees’ behavior, up from 58 percent in 2017. The biggest concerns are employees falling for a phishing attack or other hacker scam (42 percent), employees carelessly blending work and personal usage, disgruntled employees (7 percent) and employees circumventing policies (7 percent).

How organizations are responding to today’s security risks

The most common way companies are addressing threats is, of course, to throw new technology at it (46 percent). That’s followed by conducting audits and assessments (34 percent) and adding new skills and capabilities (32 percent). The most effective security technologies, according to respondents, are firewalls (86 percent), spam filtering (80 percent), access controls (78 percent), and strong authentication (75 percent).


Other options that potentially could have a bigger impact are less popular and include redesigning cybersecurity systems (24 percent), redesigning processes (18 percent) and knowledge sharing (11 percent). A more positive finding is that 66 percent of respondents have a methodology in place to measure the effectiveness of their security programs, although only 32 percent of them use it more than once a year.

Similarly, most respondents (59 percent) evaluate their business partners’ cybersecurity effectiveness. However, 33 percent of them do it only once a year or less frequently.

Security awareness training still inadequate

While the vast majority (79 percent) of respondents feel they have the expertise to address risks, most organizations leave their employees and management under-trained on security. Only 15 percent of respondents said their organizations do continual security training, which is widely considered the most effective approach. Twenty-nine percent provide training only once a year.

Most respondents felt that the group in their organization that needed the most training was the C-suite (55 percent). That was followed by low-level staff (43 percent) and, interestingly, the IT department (34 percent).

Since more than half (53 percent) of organizations represented in the survey were victims of a phishing attack, much of the training done in 2018 was focused on preventing it. Thirty-nine percent commonly use phishing and social engineering behavior testing and training, while 37 percent use a combination of broader security training and phishing testing.