Online criminals remain at least one step ahead of many IT groups, according to this year's "U.S. State of Cybercrime Survey," conducted annually by CSO magazine, the Secret Service, the Software Engineering Institute at Carnegie Mellon University, and PricewaterhouseCoopers. Deterrence and detection are both falling short of their goals: The 500 survey respondents faced an average of 135 security incidents last year, and 34 percent say that number was up compared to the previous year. Just one-third of respondents could estimate losses from their breaches; among those who could, the breaches cost $415,000, on average. Legal liabilities and lawsuits after breaches add to the costs.
Part of the problem is that only 38 percent of companies have established a way to prioritize their security investments to focus on actual risks and the repercussions they bring.
"You'll often see organizations spend to secure [against] the current big threat but not focus on building a sustainable security program," says John Pescatore, a director at the SANS Institute, a security training organization.
Better employee training decreases the costs associated with security problems, the survey finds. Companies without security training for new hires reported that their average annual financial losses related to cybersecurity incidents totaled $683,000, while those with training programs say they lost an average of $162,000 on security breaches.
Companies typically don't share information about security problems with each other, but some are starting to, through Information Sharing and Analysis Centers (ISACs). In the ISACs for the defense, retail, electricity, financial services and other industries, member companies share best practices and pass on warnings and advice when attacks occur.
Cloud of Hurt
Hot technologies, especially mobile and cloud, bring new security problems. The bring-your-own-device trend, for instance, presents ongoing issues. "Mobile devices and the consumer cloud services to which they connect are moving so quickly that IT security technologies can't keep up," says Paula Tolliver, corporate vice president of business services and information systems at Dow Chemical.
Just 38 percent of those surveyed encrypt mobile devices, while less than half (49 percent) have a plan to respond to insider breaches.
Ken Swick, technical information security officer at Citigroup, says the company takes no chances with user-owned devices, cordoning them off from the enterprise network.
Cloud computing presents hazards of its own, yet vetting of providers is slipping: two years ago, 54 percent of organizations had a process for evaluating the security of third-party partners before entering a business deal with them; last year that number dropped to 44 percent. At Dow, one approach for mitigating risk is to use "mature" providers "in a private environment to ensure this level of service and security," Tolliver says.
Citi, meanwhile, doesn't permit its data to be sent to cloud systems that aren't under the bank's control, says Swick. Not all third-party providers are thrilled with the scrutiny they face during Citi's due diligence process. "We run into pushback when we tell them to fix what we find on our assessments," he says.