Last week, PricewaterhouseCoopers released their 2013 US State of Cybercrime Survey. Coming on the heels of Verizon’s 2013 Data Breach Investigations Report, recent ID theft data from the FTC, and our own Privacy and Trust Survey, the PwC report fills in additional details on an all too familiar backdrop: many companies are unprepared to handle breaches. According to the Cybercrime Survey, which was based on interviews with 500 C-level executives, almost 30% said that they did not have a plan in place to respond to cyber-security events.
Even more dispiriting is that the percentage of “don’t knows” in response to questions about corporate security practices and breach incidents hovered in the 20% range. These are not just any C-levels, but mainly CIOs, CTOs, and CSOs saying they don’t have the information to answer basic questions about types of threats, incident planning, and financial impact of breaches. PwC describes the situation as the proverbial frog in a slowly boiling pot of water. In other words, tech-oriented decision makers find the current situation uncomfortable but not intolerable, and seem to believe it won’t get worse.
There’s a small spot of good news in that C-levels understand that multi-factor authentication, one-time passwords, encryption, access controls, and role-based authentication should be part of any prevention and mitigation program. That is a good start.
However, the PwC survey team makes a strong case that executives seem unable to properly apply security technologies, taking a “throw everything at the problem” approach. Given a long list of solutions, they rate as equally effective the previously mentioned short list, as well as biometrics, spam filtering, rights management, and application configuration management.
Of course, everything has its place, but as security experts have been saying for years, strong passwords and strong authentication will stop many hacking attempts before they really get started. If hackers or malware, especially advanced persistent threats or APTs, do get past IT’s front line defenses, then well-maintained access controls are extremely effective in helping to prevent personally identifiable information (PII) and other confidential data from being taken from file servers.
I’ll add file-level auditing, which wasn’t mentioned in the PwC survey, as another effective Plan-B strategy. It’s a detective control that can spot a breach in progress, and it makes the breaches that do happen much easier to quantify and recover from. Security pros know all too well (see Verizon’s DBIR) that cyber thieves often have months to lurk in file systems, so the quicker they’re spotted through their unusual access patterns, the less chance they’ll have of finding high-value content.
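As an added illustration of that detective control (example code written for this post, not anything from PwC or the survey), here is a small Python check that flags a user whose daily file-access volume jumps far above their own baseline, or who touches a top-level share they have never used before; the audit records it runs over are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

# Constructed sample of file-server audit records (not data from the post):
# (date, user, action, path). alice does her normal work for ten days, then
# on the final day sweeps through far more files than usual, in a share she
# has never used. bob's activity stays flat throughout.
def build_sample_log():
    events = []
    start = date(2013, 6, 3)
    for d in range(10):
        day = start + timedelta(days=d)
        events.append((day, "alice", "READ", f"/finance/q2/report{d}.xlsx"))
        events.append((day, "alice", "WRITE", "/finance/q2/notes.txt"))
        events.append((day, "bob", "READ", f"/eng/specs/spec{d}.docx"))
    last = start + timedelta(days=10)
    events.append((last, "bob", "READ", "/eng/specs/spec10.docx"))
    for i in range(30):  # alice's anomalous sweep of HR records
        events.append((last, "alice", "READ", f"/hr/personnel/employee{i:03d}.pdf"))
    return events

def daily_distinct_files(events):
    """Map user -> {day -> set of distinct paths touched that day}."""
    per_user = defaultdict(lambda: defaultdict(set))
    for day, user, _action, path in events:
        per_user[user][day].add(path)
    return per_user

def top_share(path):
    return "/" + path.split("/")[1]

def find_unusual_access(events, ratio=5.0, min_files=10):
    """Flag users whose latest-day distinct-file count is at least `ratio` times
    their own daily average (and at least `min_files`), or who touch a share
    absent from their baseline days. Returns [(user, [reason, ...]), ...]."""
    per_user = daily_distinct_files(events)
    latest = max(day for day, *_ in events)
    findings = []
    for user, by_day in per_user.items():
        baseline_days = {d: p for d, p in by_day.items() if d < latest}
        if not baseline_days or latest not in by_day:
            continue
        today, avg = by_day[latest], mean(len(p) for p in baseline_days.values())
        reasons = []
        if len(today) >= max(min_files, ratio * avg):
            reasons.append(f"{len(today)} distinct files vs. daily average {avg:.1f}")
        seen = {top_share(p) for paths in baseline_days.values() for p in paths}
        new_shares = {top_share(p) for p in today} - seen
        if new_shares:
            reasons.append("first access to share(s): " + ", ".join(sorted(new_shares)))
        if reasons:
            findings.append((user, reasons))
    return findings
```

The thresholds are per-user, so a power user with a naturally high daily count is not flagged merely for being busy; only a departure from that user's own pattern is.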
One of the take-aways from the PwC survey is that C-level executives need more education and training on data security. Simply throwing the same-old technology at the problem won’t necessarily help as hackers evolve their threat actions, especially in the area of social attacks.
Lesson for the C-suite: the water will get hotter.
By the way, we’ll be adding some additional data points into the security conversation with a new survey that we’re just finishing up. Check back with us next week.