From the attack on Sony Pictures Entertainment late last year to the recent breach of millions of sensitive federal employees’ records maintained by the Office of Personnel Management, the increasing number of destructive cybersecurity incidents has spurred heightened awareness and concern.
According to the 2015 US State of Cybercrime Survey—a collaborative effort by PricewaterhouseCoopers (PwC), CSO, the CERT Division of the Software Engineering Institute at Carnegie Mellon University and the US Secret Service—cyberattacks are not only increasing in number, they are also becoming more damaging and affecting a broadening array of information assets and attack vectors.
In fact, PwC referred to 2015 as “a watershed year for cybercrime” that has taught us that no industry or organization is immune.
The survey drew on the expertise of more than 500 respondents, including US business executives, law enforcement services, and government agencies. 76 percent of respondents said they are more concerned about cybersecurity threats this year than in the previous 12 months, up from 59 percent the year before.
Growing awareness of cyber threats can be attributed to not only the progressively destructive nature of attacks, but also the public nature of cybersecurity. The report noted that, “The huge mass of risks (and attacks) once lurking below the surface are now splashed across websites, social media, and newspapers on a daily basis.”
The concern is well-warranted. A record 79 percent of respondents have detected a security incident in the past 12 months. This does not take into account the number of incidents that remain undetected, which could mean the tally is much higher.
“We’ve said it before and we’ll say it again: The time for change is now,” the report stated. “Organizations must summon the vision, determination, skills, and resources to build a risk-based cybersecurity program that can quickly detect, respond to, and limit fast-moving threats. Those that do not risk becoming tomorrow’s front-page news.”
However, as the lines separating the intents of nation-states, hacktivists, and organized crime begin to blur, it’s becoming difficult to understand the ever-evolving cybersecurity threat landscape.
Methods of attack have also evolved. Distributed denial of service (DDoS) attacks have become some of the most frequent cybersecurity incidents, and ransomware, a type of attack in which adversaries hold a company’s data hostage until it pays a ransom, is on the rise.
In response, a growing number of companies are stepping up their cybersecurity investments. Unsurprisingly, organizations that have been hit by a high-profile attack are more likely to increase their cyber spending. While 38 percent of retail organizations, which have been major targets of cyberattacks over the past year, have increased spending, only 17 percent of banking and finance companies have increased their security budgets.
“No matter the size, as companies boost their security budgets, executives will likely place a greater emphasis on the return on investment in cybersecurity,” the report stated. “After all, they will want to make sure that the increased spending results in measurable improvements in the company’s security posture.”
Despite the increasingly public nature of cybersecurity, almost half of Boards still view cybersecurity as an IT matter, rather than an enterprise-wide risk issue. One in four respondents said their chief information security officer (CISO) or chief security officer (CSO) makes a security presentation to the board only once a year, followed by 30 percent of respondents who said their senior security executive makes quarterly security presentations.
However, 28 percent of respondents said their security leaders make no presentations at all, raising concerns that Boards and senior security executives lack substantive consideration of their organization’s operational cyber risks.
The survey revealed almost half of Boards view cybersecurity as an IT risk, while 42 percent see cybersecurity through the lens of corporate governance.
“One thing is clear: Security executives should not wait for the Board to ask questions about cyber-risks and cybersecurity preparedness,” the report stated. “CISOs and CSOs should proactively update the Board on cybersecurity risks on a semiannual basis—at the very least.”
The report emphasized the concept that cybersecurity is a board oversight issue. Cyber incidents have a substantial financial impact, which is deeply entangled with legal and class action issues. Moreover, as regulations evolve, compliance is becoming more challenging and increasingly costly. With the financial loss and damage to reputation that a significant cyberattack can cause, Boards need to begin addressing cybersecurity as a strategic, enterprise-wide issue.
In addition to increased cybersecurity spending, sharing reliable, actionable and timely information is key to advancing situational awareness of threats. However, only a quarter of respondents said they were involved in industry-specific information sharing and analysis centers (ISACs), though many industry observers anticipate that President Obama’s executive order will boost participation in information sharing initiatives.
“Keeping pace with today’s sophisticated adversaries is not simply a matter of an increase in cybersecurity spending,” PwC said. “Results of this year’s survey highlight opportunities and potential for information sharing across industries and regions. Greater transparency and visibility into the threat landscape can lead to more action from corporate boards, rapid and informed decision-making, appropriate investments in spend and resources, and greater agility when responding to threats.”
To stem the losses and damages that arise from high profile incidents, keeping pace with adversaries will be essential to improving every organization and government agency’s cybersecurity posture. 2015 has made it clear that the threat is increasing, so now is the time for CISOs, CIOs and other security executives to realize their strategic role in mitigating their organization’s cyber risk.
“Organizations also should be prepared to proactively share information on cybersecurity threats and response tactics. A sustained effort, from the board down to individual employees, will be needed for many years to come,” the report concluded.