
USA State of cybercrime Survey

By Javier Martínez-Torres - 01 / 10 / 2014

 

Due to our close collaboration with the European Commission on cyber security matters, this last week I had the chance to look into an interesting report, the "2014 US State of Cybercrime Survey". Although the report is available online, this post summarizes, from my point of view, the highlights of this broad survey, whose interviewees were more than 500 executives of US businesses, law enforcement services, and government agencies.

This is the 12th annual survey, and it should be stressed that it was conducted by prestigious institutions: the Software Engineering Institute at Carnegie Mellon University, the United States Secret Service, CSO Magazine and PwC. The results were published in June 2014, and there are many different interpretations of the conclusions on the internet, but one of them is common: "the cybersecurity programs of US organizations do not rival the persistence and technological prowess of their cyber adversaries". Or, in other words, the enemy is getting stronger.

Beyond the conclusion reached, the report highlights the need to dispel the idea that an organization's cybersecurity must be handled exclusively by its own experts. According to the report, 82% of companies with high-performing security practices collaborate with others to deepen their knowledge of security and threat trends. Thus, information sharing will play a paramount role in the near future if we want to fight cybercrime effectively. This assertion is backed by the statement of the Secretary of Homeland Security, Jeh Johnson, who said, while presenting the Framework for Improving Critical Infrastructure Cybersecurity this past February: “Cybersecurity is a shared responsibility. So everyone needs to work on this: Government officials and business leaders, security professionals, and utility owners and operators.”

Some other interesting findings reported in the survey are:

  • Mobile technologies and their associated risks move faster than the security measures for these devices. Few companies have restrictive policies such as mobile phone hardening, device encryption, etc.
  • Threats are not assessed continuously. Companies often include cyber risks as a part of enterprise risk management, which leads them to overlook the rapid increase in threats. This issue can be addressed with paradigms such as real-time cyber risk management, a.k.a. dynamic cyber risk assessment.
  • Employees can launch insider attacks, but companies usually do not have a plan to detect and mitigate these malicious actions, which have a serious impact. Furthermore, these incidents are managed internally without involving any law enforcement agencies.

The report finishes with a set of figures resulting from the survey and with recommended actions to implement the NIST Cybersecurity Framework (mentioned above). I hope that this blog has raised your interest so that you go deeper into this really interesting topic. Highly recommended!