2014 US State of Cybercrime Survey

PwC US and CSO magazine have released the 2014 US State of Cybercrime Survey, an annual survey of cybercrime trends. This reveals that while the number of cybercrime incidents and the monetary losses associated with them continue to rise, most US organizations’ cybersecurity capabilities do not rival the persistence and technological skills of their cyber adversaries. According to the report, only 38 percent of companies have a methodology to prioritize security investments based on risk and impact to business strategy. The survey is a collaborative effort with PwC, CSO magazine, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the US Secret Service.
The State of Cybercrime Survey finds that the average number of security incidents detected over the past year was 135 per organization. Fourteen percent of respondents reported that monetary losses attributed to cybercrime have increased. The actual costs, however, remain largely unknown as more than two-thirds (67 percent) of those who detected a security incident were not able to estimate the financial costs. Among those that could, the average annual monetary loss was projected to be $415,000.
Security incidents on the rise
This year, three in four (77 percent) respondents to the survey reported a security event in the past 12 months, and more than a third (34 percent) said the number of security incidents increased over the previous year. Additionally, 59 percent of respondents reported that they were more concerned about cybersecurity threats this year than they were the year before.
Eight major cybersecurity deficiencies
The survey revealed the following key cybersecurity deficiencies:

• Most organizations do not take a strategic approach to cybersecurity spending;
• Organizations do not assess security capabilities of third-party providers;
• Supply chain risks are not understood or adequately assessed;
• Security for mobile devices is inadequate and has elevated risks;
• Cyber risks are not sufficiently assessed;
• Organizations do not collaborate to share intelligence on threats and responses;
• Insider threats are not sufficiently addressed;
• Employee training and awareness is very effective at deterring and responding to incidents, yet it is lacking at most organizations.

To combat these deficiencies, PwC recommends that organizations can: invest in people and processes, in addition to technologies; hold third parties to the same or higher standards; assess risks associated with supply chain partners; ensure that mobile security practices keep pace with adoption and use of mobile devices; perform cyber risk assessments regularly; take advantage of information sharing internally and externally to gain intelligence on fast-evolving cyber risks; develop threat-specific policies; and, enhance training and create workforce messaging to boost cybersecurity awareness across the organization.
For the full survey report, please visit: http://www.pwc.com/us/en/increasing-it-effectiveness/publications/2014-us-state-of-cybercrime.jhtml