
PwC Cybersecurity Report Finds Promise, Flaws in Cyber Attack Readiness (CDSA)

By Chris Tribbey

The threat of cyber attacks has never been more on the minds of executives of American businesses, according to a new report from PricewaterhouseCoopers (PwC). But even with that increased awareness, companies haven’t changed their policies and processes fast enough to better protect themselves against today’s cyber threats.

More than 75% of executives surveyed in the “2015 U.S. State of Cybercrime Survey” report said they’re more concerned about cyber risks, up from 59% in 2014. However, despite nearly 80% of respondents admitting their companies had a security incident in the past year, only 62% said they evaluate the security risks of third-party partners, only 57% said they do so for contractors, and one in five (19%) of the CEOs, COOs and CFOs surveyed said they were not concerned about supply chain risks. Nearly 25% of respondents said they don’t evaluate third parties at all.

“Headlines in 2015 make it clear that the threat is increasing, yet much more must be done to stem losses and damages. High profile incidents teach us over and over again that no system is immune – and that speed to identify and respond is of the essence when it comes to combatting cyber threats and reducing the risk and associated damages,” said David Burg, global and U.S. cybersecurity leader for PwC. “Keeping pace with today’s sophisticated adversaries is not simply a matter of an increase in cybersecurity spending.

“Results of this year’s survey highlight opportunities and potential for information sharing across industries and regions. Greater transparency and visibility into the threat landscape can lead to more action from corporate boards, rapid and informed decision-making, appropriate investments in spend and resources, and greater agility when responding to threats.”

The PwC survey — which was co-sponsored by CSO, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the United States Secret Service — found that while corporate boards of directors are increasingly concerned about cyber threats, they’re not as informed as they should be: just 30% of respondents said their chief information security officer (CISO) or chief security officer (CSO) makes quarterly security presentations to the board. One in four said their senior security executive presents once a year, while 28% said their security leaders make no presentations.

“If an organization’s management — including boards of directors, senior executives, and all managers — does not establish and reinforce the business need for effective enterprise security, the organization’s desired state of security will not be articulated, achieved, or sustained,” said Julia Allen, principal researcher with the CERT cyber risk management team. “To achieve a sustainable capability, organizations must make enterprise security the responsibility of leaders at a governance level, not of other organizational roles that lack the authority, accountability, and resources to act and enforce compliance.”

Thirty-one percent of respondents said they were the victim of a phishing attack in 2014, while nearly 20% said they were hit by a distributed denial of service (DDoS) attack.

For more information about the PwC report, visit http://www.pwc.com/us/cybercrime.