PwC released their 2014 US State of Cybercrime report yesterday. Key highlights are that:

- Most organisations do not take a strategic approach to cyber security spending
- Organisations do not assess security capabilities of third-party providers
- Supply chain risks are not understood or adequately assessed
- Security for mobile devices is inadequate and has elevated risks
- Cyber risks are not sufficiently assessed
- Organisations do not collaborate to share intelligence on threats and responses
- Insider threats are not sufficiently addressed
Below are comments by two top security experts.
Tom Cross, director of security research at Lancope, says:
"I think it's worth emphasising the fact that the most popular answer for 'policies and procedures most likely to help detect a criminal' was an incident response team. This result reflects the changing role that incident response is playing in network defense. Incident response teams are no longer merely a business function that cleans up the mess after the network has been compromised. Continuous incident response is becoming a central part of how organisations protect themselves, by actively hunting for compromises, studying them, and sharing what they learn.
I was very disappointed to read that only 6% of respondents had a multidisciplinary insider threat program. Insider threat is not a technical problem that can be solved by the IT organization acting alone. It is a human problem. It is a problem that has, at its root, a lack of training of employees or in some cases a total breakdown in the relationship between the employee and the organization. Management, Human Resources, and Legal are responsible for the relationship that the organisation has with its employees, and combating insider incidents must start there."
Michael Sutton, VP of security research at Zscaler, writes:
"Enterprises will always be at a disadvantage when combating cybercrime. Criminals can adapt their tools and techniques immediately, while enterprises are encumbered with change control procedures and budgets. Moreover, criminals need only to exploit a single weakness in order to achieve their goal, while the enterprise must defend against all possible attacks. A mistake commonly made by enterprises is the fallacy that they must focus on building an impenetrable fortress. Given the complexity of technology, the mobile workforce and well-funded and well-resourced attackers, such a goal is unachievable. Enterprises must shift their focus and spend budget not only on preventive controls but also on detective controls. Data breaches are inevitable to at least some degree, and controls must be in place to quickly identify and mitigate the damage."