When I read the 2017 U.S. State of Cybercrime Survey, its findings confirmed many of my concerns about America’s cybersecurity and its impact on business. The Survey was released on November 7th, and the parties behind the research are a mix of private sector, academic, and public-sector entities.
The Survey is a coordinated effort between IDG Communications’ CSO, Forcepoint, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the U.S. Secret Service. For the sake of transparency, I’ll mention that my work has been published in CSO although I’ve never been employed by IDG.
Over five hundred executives from government agencies, law enforcement, and private sector businesses responded to the Survey. The focus is entirely on the United States. Respondents were given an online questionnaire with 61 questions. Participants were found through CSO’s website, and the margin of error is 4.3% in either direction.
Here’s some good news first. The average number of cybersecurity incidents reported by each respondent’s company or agency has gone down each year from 2015 to 2017. An average of 163.3 incidents were reported by respondents in 2015, 161.1 in 2016, and a significant drop down to 147.8 in 2017.
The rest of the findings were either neutral or worrisome in nature.
Threats are becoming more difficult to detect. Respondents were asked how much time passed between the beginning of an intrusion and discovering it. They reported an average of 57.6 days for 2015, 80.6 days for 2016, and a whopping 92.2 days for 2017.
Enterprises are having more difficulty with intrusion detection than small and medium-size businesses (SMB) overall. Enterprises reported an average of 138.3 days for 2017, whereas SMBs reported an average of 62.3 days. What good is a slight decrease in incidents reported if they’re more difficult to detect? How many incidents are organizations missing?
The possible silver lining is that 28% of SMB organizations say it takes them less than a day to discover an intrusion. If the math inside my head is right, that means the other 72% of SMB organizations could have a higher average than what enterprises reported.
Respondents were asked which groups posed the greatest cyber threat to their organization in the past twelve months. Thirty-three percent said “hackers,” which is both vague and ominous sounding. That’s a substantial increase from 26% in 2016.
Maybe more executives are watching Mr. Robot? Six percent reported organized crime as the greatest threat, 5% said foreign nation-states, 5% said other foreign entities or organizations, and 3% said hacktivists. Hacktivism is when a party engages in cyber attack for purely political reasons without a profit motive. An example would be an animal rights group vandalizing the website of a fur retailer.
Twenty-four percent of respondents were uncertain as to which group was the biggest threat. Thirteen percent said current employees were the biggest threat. Internal attacks are actually a very common cybersecurity problem, especially as insiders can often cyber attack more easily than outsiders. But 28% of overall respondents said that internal attacks are usually accidental or otherwise unintentional. Oops! Who forwarded the email with that nasty Trojan?
Dr. Richard Ford, Chief Scientist at Forcepoint, shared his thoughts on the matter. "Insider threats can arise from any number of scenarios, ranging from simple mistakes to malicious actions. The actions of people - or malware that's taken the identity of an employee - are at the center of many security incidents. As is so often the case, we need to follow the data and understand how the data is accessed by users, why it's used and where it travels. With this lens, companies can distinguish between what is normal and what is abnormal - and from there, what is good and what is not."
Seventy-five percent of respondents consider cybersecurity websites such as this one and emails to be a top source of “cyber news,” more than any other source. Sixty-eight percent mentioned free subscription-based services, 54% relied on peers, 47% cited print publications and their websites, and only 19% mentioned information sharing and analysis organizations. Respondents could mention more than one source of “cyber news.”
Here’s the finding that may be the most concerning. Cyber attacks are probably getting more expensive. Enterprise organizations estimated an average cyber attack related financial loss of $471,000. For 2017, the estimate nearly doubled to $884,000.
Bob Bragdon, publisher of CSO, shared ideas about what organizations can do about the growing cyber threat to their bottom line: "As organizations prepare for various attacks and breaches, hackers continue to be savvier in their approaches. Resilient organizations must have all employees embrace security practices, from awareness training to behavior monitoring to gap protections."
Hopefully both private sector and public-sector entities, regardless of industry or size, will look at the results of the Survey and realize they need to do better in the face of growing cyber threats.