Escaping the line of fire: 2018 U.S. State of Cybercrime

Companies in all sectors, everywhere, are continuing to experience cyber-breaches. This is no surprise: as more and more organization embrace digitization, they inevitably become prey to new cyber-dangers and, in turn, need to put much greater emphasis on the availability, stability and resilience of their IT systems. If things go south these days, both the corporate coffers and the firm’s public opinion can suffer hugely. Given the frequency of cyberattacks and the potential blowback from serious ones, organizations of all sizes must implement the right security measures and train their staff to comprehend both the types and severity of potential digital threats.

The  US State of Cybercrime Survey highlights ongoing trends in the frequency and consequences of cybercrime, cyber-threats, and cybersecurity spending. It also outlines the action plans and employee training that organizations have put in place to mitigate cyber-risks. IDG, KnowBe4, Carnegie Mellon University and the US Secret Service jointly conducted this year’s research.

With increasing digital business, there is more at stake

In the past few years, real and potential cyberattacks have become a top priority for organizations, and there is zero reason to believe this trend will turn around anytime soon. In fact, two-third (66%) of organizations say they are more concerned about cybersecurity than they were in 2017.  

Almost half of the survey respondents, 41 percent, reported that they had faced more cybersecurity events in 2017. Large organizations suffered the most: they reported an average of 195.9 events for the year, compared to 24 cybersecurity events for small- and medium-sized businesses (SMB). One major problem is that detecting today’s increasingly sophisticated threats takes longer and makes it more difficult for IT departments to move quickly to protect assets. More than one-third (35%) of respondents say it takes more than a month to pinpoint intrusions on their network, which is 28% longer than last year.

As well as endangering company and customer information, security breaches have resulted in serious monetary losses. Nearly one in four (23%) of organizations say their financial losses were greater in 2017, an average of 13% more than what they reported the previous year. Cybercriminals can inflict all sorts of damage, from denial-of-service attacks that can take an organization offline for hours or exposing customer records after they infiltrated an organization. Again, enterprise organizations are being impacted most severely, with estimated financial damages at an average of $642,000 as opposed to $34,000 for SMBs.

Anti-cybercrime strategies

In response to the growing cyber-threats, organizations are allocating greater parts of their budgets to keep them at bay. In 2018, 59% of organizations increased their cybersecurity budgets, compared to 48% in 2017. The new money is being directed to new technologies (46%), audits and assessments (34%), and adding new skills and capabilities (32%).

Significantly, eight out of ten companies have a process for gauging how well their security programs work, and 37% use it more than once a year. The most effective security technology, firewalls, are used by 86 percent of companies, followed by spam filtering (80%), access controls (76%), and strong authentication (75%).

Having an effective security programs is crucial, but so is the ability to respond promptly to a breaches. “Despite investments in sophisticated security technology, some organizations may still fall victim to a breach,” said Christopher Leone, Assistant to the Special Agent in Charge – Criminal Investigative Division, US Secret Service. “In these instances, it is critical that organizations have a plan in place to limit the extent of the attack. Additionally, a practiced relationship with law enforcement may clear obstacles to allow for a more effective investigation to ultimately hold criminal parties accountable.”

Seventy-eight percent of enterprises have a formal incident response plan, compared to 53% for SMBs. Still, a quarter (26%) of organizations lack a plan for responding to security incidents. This is troubling, in light of the potentially dire consequences of a successful cyber-attack. Bucking this trend are financial organizations, which are taking more action to ward off cyber-risks: 85% report that they have implemented a formal incident response plan, and 69% of them test it at least once annually.

Gaining resilience against cyberattacks

Cybersecurity breaches can be both internal and external in nature. The survey respondents indicate that 75% of their cyberattacks were caused by outsiders, while 25% were attributable to insiders. Hackers are the biggest cyber-threat: 39% of respondents said external hackers are the most expensive-to-thwart troublemakers. The most common tactics used by bad guys on the outside include phishing (53%), malicious malware (50%), and spyware (45%).

While outsiders pose the most critical cyber-threats, clueless or malicious staffers also create cause for concern – especially innocent employees who get sucked in by phishing or attacker scams (42%), followed by employees who loosely mix work and personal usage (26%). Such insider incidents have compromised data including customer records (61%), confidential records such as trade secrets or intellectual property (56%) and opened the door to theft of personally identifiable information (49%).

“The increase of insider incidents further highlights the importance of security training,” said Randall Trzeciak, Director of the CERT National Insider Threat Center at Carnegie Mellon University. “Many of these breaches might have been avoided if employees were properly educated. In some instances, the naivety of employees has led to phishing and attacker scams, resulting in compromised data and monetary losses.”

Cybersecurity training remains essential

Given the ever-increasing frequency and severity of cyberattacks, security training should be a no-brainer investment for organizations. Most employees receive security training at one point or another: once a year (29%), twice a year (15%), quarterly (15%), monthly (7%). Still, companies can do better, especially senior executives. A majority of respondents (52%) reported that C-suite types are the ones who most need training to protect themselves from attacks (52%).

Evidently, companies that provided security awareness training reaped positive results: 66% of them said it had a “significant” or “reasonable” impact on reducing the number of successful phishing attacks. Video-based training was the most popular (82%), followed by live, classroom or lecture style in-person training (77%), and phishing and social engineering behavior testing (76%).

Though security training is becoming more common, organizations needs to place greater value on cybersecurity overall. Breaches and hacks continue to pop up in the news, and too many organizations remain vulnerable to attacks.