Hacking Stats Show Enormity of Problem, Danger to Small Businesses

CBS MoneyWatch reported on May 29, 2014, under the headline “Have you been hacked? You have plenty of company,” that 47% of American adults have had their personal information compromised within the past year. That translates to as many as 432 million online accounts accessed by unauthorized people.

The 2014 U.S. State of Cybercrime Survey has just been released by PricewaterhouseCoopers (PwC). Primarily a survey of large companies that safeguard consumer data, the survey states bluntly, “Most companies don't fully understand or address their security risks." In an environment of increasing cyber attacks, "most U.S. organizations' cybersecurity capabilities do not rival the persistence and technological skills of their cyber adversaries," the report continues. The document cites the Worldwide Threat Assessment of the US Intelligence Community, January 2014, in which the Director of National Intelligence ranks cyber threats first among national security threats, ahead of terrorism, espionage, and weapons of mass destruction. The problem goes far beyond stealing consumer credit card numbers from department store websites, and the report finds it disproportionately worse in the U.S. than worldwide.

Survey respondents reported that these policies and procedures helped them deter criminal activity:

Internet connection monitoring (external) 49%
Government security clearances 45%
Use of “white hat” hackers 44%
Technically enforced segregation of duties 44%
Vulnerability management 43%

Respondents reported that these policies and procedures helped them detect criminal activity:

Cyber threat research 24%
Public law enforcement partnerships 23%
Security event analysis 18%
Computer forensics 17%
Incident response team 16%

While these data point to macro concerns, small business owners and managers need to be aware of the insidious side of information compromise: insider cybercrime. The term “insiders” covers present and past employees, service providers, authorized users of internal systems, and contractors, and together these categories can easily number two, three, or more times your current staff. Small businesses should take note of the survey's findings on the primary motivations of insider offenders:

Financial Gain 16%
Curiosity 12%
Revenge 10%
Non-financial Personal Benefit 7%
Excitement 6%

Totaled up, these five reasons explain just over half of all insider cybercrime. Further insight into these insiders comes from the behaviors reported before the incidents:

Violation of IT policy 27%
Misuse of organization resources 18%
Disruptive workplace behavior 10%
Formal reprimands/disciplinary action 8%
Poor performance reviews 7%

Is your organization free of disgruntled people? If not, here is what the survey found were the methods insiders used:

Social engineering 21%
Laptops 18%
Remote access 17%
E-mail 17%
Copy data to remote device 16%

The report notes that “criminals have found that third-party partners may provide relatively easy access to confidential data. It’s an indirect path to criminal profit that is increasingly successful because most organizations make no effort to assess the cybersecurity practices of their partners and supply chains.” So, what are the most common business consequences of these insider incidents?

Loss of confidential/proprietary data 11%
Reputational harm 11%
Critical system disruption 8%
Loss of current/future revenue 7%
Loss of customers 6%

The study authors identified eight “cyber insecurities,” issues that should be of concern to organization decision-makers (quoted directly):

1. Spending with a misaligned strategy isn’t smart: 38% prioritize security investments based on risk and impact to business
2. Business partners fly under the security radar: 44% have a process for evaluating third parties before launch of business operations
3. A missing link in the supply chain: 27% conduct incident-response planning with supply chain partners
4. Slow moves in mobile security: 31% have a mobile security strategy
5. Failing to assess for threats is risky business: 47% perform periodic risk assessments
6. It takes a team to beat a crook: 25% participate in Information Sharing and Analysis Centers (ISACs)
7. Got suspicious employee behavior? 49% have a formal plan for responding to insider events
8. Untrained employees drain revenue: 54% do not provide security training for new hires

Other takeaways from the survey include:

1. “A low 31% of respondents include security provisions in contract negotiations with external vendors and suppliers. It is imperative that organizations hold third-party partners to the same—or higher—cybersecurity standards that they set for themselves. Compliance should be mandated in contracts.”

2. “A strategic investment also will require that organizations identify and invest in cybersecurity practices that are most relevant to today’s advanced attacks. Rather than an emphasis on prevention mechanisms, for instance, it is essential to fund processes that fully integrate predictive, preventive, detective, and incident-response capabilities to minimize the impact. In particular, we find that many organizations fail to invest in the people and process capabilities that allow them to rapidly respond to and mitigate incidents.”

3. “Those that demonstrate a more advanced cybersecurity posture are not necessarily smarter. They have simply invested more and have learned from experience.”

4. “Cybersecurity spending will be most productive when the allocation of resources is based on specific business risks.”

In related news, many media outlets are reporting that a wave of attacks on Apple devices (iPhones, iPads, and Macs), which began in Australia and New Zealand, has reached the U.S. and Canada. Attackers use the device-locating feature to remotely lock the device and then demand payment to unlock it. Considering the survey finding that fewer than one-third of organizations even have a mobile security strategy, that handy little gadget that lets you text or email your colleagues could be the Achilles' heel of your network.

There are as many reasons for hacking as there are potential hackers, and it only takes one to target your organization and do significant damage. If you are not adequately budgeting and planning for security that covers your own people and the people of the companies with which you exchange information, it will not take the expertise and dedication of the cyber thieves who stole millions of user records from eBay to hurt you. There is good additional information in the 21-page report, which may be downloaded in PDF format at www.pwc.com