Cybersecurity continues to increase in importance for organizations as breaches impact businesses across various industries. In fact, 66% of organizations reported they are more concerned about cybersecurity threats than they were just one year ago. Given the frequency of cyberattacks and potential consequences involved, organizations must take the necessary security measures and properly train their employees.
The U.S. State of Cybercrime Survey is conducted annually to evaluate trends in the frequency and impact of cybercrime incidents, cybersecurity threats, and information security spending. This year's study coincides with National Cybersecurity Awareness Month, an annual initiative to ensure every American has the resources needed to stay safer and more secure online, while increasing the resiliency of the nation during cyberthreats. The 2018 research was a collaborative effort between CSO, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, the U.S. Secret Service, and KnowBe4.
Prevalence & Impact of Security Threats
The threat of cyberattacks has become a top priority for organizations in recent years, and all signs point to this continuing. Forty-one percent of respondents reported that the frequency of cybersecurity events increased in 2017. Enterprise organizations in particular are being hit the hardest: while SMBs experienced an average of 24 cybersecurity events this past year, enterprise organizations averaged 195.9. A major issue for companies is that threat detection continues to take longer, which delays the response needed to contain a threat. Thirty-five percent of organizations indicated it takes longer than a month to identify intrusions on their network, up from 28% last year.
In addition to putting both company and customer information in danger, security breaches have resulted in significant monetary loss for the affected organizations. Overall, 23% of organizations reported their monetary losses increased in 2017, which is up from 13% in 2016. Again, enterprise organizations are being impacted the most with estimated financial losses at an average of $642K, compared to $34K for SMBs.
"Organizations must take a more proactive approach to cybersecurity," said Bob Bragdon, SVP and publisher of CSO. "There is too much at stake for companies to be complacent while failing to take the proper steps to protect themselves from cyberattacks. Organizations need to invest in the right talent and technologies, and continually train their employees on security best practices."
IT Investments & Strategies to Address Cyberthreats
As cybersecurity threats increase, organizations are taking notice and allocating their budgets accordingly. Fifty-nine percent of organizations have increased their cybersecurity budgets from 2017, compared to 48% the previous year. Specifically, budgets are being allocated to implementing new technologies (46%), conducting audits and assessments (34%), and adding new skills and capabilities (32%).
It is important to note that 80% of enterprises have a methodology in place to help determine the effectiveness of their organization's security programs, and 37% use it more than once a year. Respondents rated firewalls the most effective security technology (86%), followed by spam filtering (80%), access controls (76%), and strong authentication (75%).
Though the importance of effective security programs cannot be overstated, it is also crucial that organizations are prepared to respond to a breach if one occurs. "Despite investments in sophisticated security technology, some organizations may still fall victim to a breach," said Christopher Leone, Assistant to the Special Agent in Charge - Criminal Investigative Division, U.S. Secret Service. "In these instances, it is critical that organizations have a plan in place to limit the extent of the attack. Additionally, a practiced relationship with law enforcement may clear obstacles to allow for a more effective investigation to ultimately hold criminal parties accountable."
Seventy-eight percent of enterprise organizations have a formal incident response plan, compared with 53% of SMBs. Still, over a quarter (26%) of organizations do not have a plan for responding to security incidents, an alarming statistic given the serious consequences involved in the event of a cyberattack. Financial organizations appear to be taking greater initiative: 85% reported they have a formal incident response plan in place, and 69% of them test it at least once a year.
Defending Against Outsider & Insider Attacks
Cybersecurity breaches can stem from both external and internal threats. Respondents reported that 75% of cyberattacks were caused by outsiders, while 25% were due to insiders. Outsiders were also the most costly source: 39% of respondents said cybercrimes committed by outsiders were the most costly for their organization. The most common outsider tactics leading to cybersecurity breaches were phishing (53%), malware (50%), and spyware (45%).
While outsiders pose the most serious threat to organizations, insiders still create cause for concern. Most notably, innocent employees falling for phishing or attacker scams are considered the greatest insider risk (42%), followed by careless employees blending work and personal usage (26%). These insider incidents have led to compromised data such as customer records (61%), confidential records (trade secrets or intellectual property) (56%), and theft of personally identifiable information (49%).
"The increase of insider incidents further highlights the importance of security training," said Randall Trzeciak, Director of the CERT National Insider Threat Center in the Software Engineering Institute at Carnegie Mellon University. "Many of these breaches might have been avoided if employees were properly educated. In some instances, the naivety of employees has led to phishing and attacker scams, resulting in compromised data and monetary losses."
Security Awareness & Training
Based on the prevalence of cyberattacks, security awareness training should be a point of emphasis for organizations. A majority of employees receive security training at least annually: once a year (29%), twice a year (15%), quarterly (15%) or monthly (7%). Still, there is room for improvement, particularly at the C-level: respondents reported that C-level executives are the group most in need of training to protect themselves from attacks (52%).
Security awareness training has proved to be a worthy investment for organizations, as 66% said it has had a significant or reasonable impact on reducing the number of successful phishing attacks at their organization. Video-based security awareness training was reported to be the most popular format (82%), followed by live, classroom or lecture-style in-person training (77%), and phishing and social engineering behavior testing (76%).
Though security training is becoming more common for organizations, there needs to be greater value placed on cybersecurity from an overall standpoint. Breaches continue to make headlines, and too many organizations have left themselves vulnerable to attacks. "The more advanced technology becomes, the more cybercriminals will go after the end user as a way in. Most malicious data breaches are a result of phishing," said Stu Sjouwerman, CEO, KnowBe4. "Employees are the weakest link in an organization, and the most effective way to manage the ongoing problem of social engineering is to train and phish your users."