[BreachExchange] Report: Firms see cyber threats, but not the means to deal with them

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jul 11 19:18:49 EDT 2016


http://fedscoop.com/organizations-fully-aware-of-growing-cyber-threat-but-few-ready-to-deal-with-it-study-finds

As the risk of cyber crime intensifies, most large organizations are still
not prepared to deal with the onslaught of digital attacks, according to a
new report.

Countering cyber crime will require collaboration among government,
businesses and law enforcement, sharing intelligence, resources and
practices to match the agility of criminal gangs, researchers concluded.

The study, “Taking the Offensive: Working Together to Disrupt Cyber Crime,”
was undertaken by international consulting firm KPMG and telecoms group BT.

While awareness of the threat has never been higher — 73 percent of
respondents said digital security was on the agenda of board meetings —
most organizations still don’t understand the scale of the threat and
aren’t ready for it, according to the report.

Businesses are struggling to keep their data and systems secure against a
backdrop of proliferating attack tools and growing cyber-criminal
sophistication—what the report calls a “vast dark market” for cyber crime
tools. Less than a quarter (22 percent) said they were “fully prepared” to
combat security breaches by ever-more-agile cyber criminals.

Businesses also worry about other methods of gaining access to data and
systems, such as blackmailing and bribing employees or planting criminals
within organizations. While 96 percent said criminal entrepreneurs could be
bribing employees, only 44 percent had preventative measures in place.

Obstacles to rapid responses to the threat are many, researchers found.
Nearly half of senior decision makers said they were constrained by
regulation and lacked the right skills and people to thwart cyber crime.
Other constraints were organization-specific; 46 percent cited legacy IT
systems as an issue and 38 percent identified bureaucratic processes. Lack
of investment and even cultural change within organizations were cited as
barriers.

Dependence on third-party providers and contracts with third parties to
meet security needs was also an impediment. Researchers found that the
majority of firms have mostly or fully outsourced the running of their
security program, the investigation of incidents and the coordination of
responses to breaches. This raises the question of the extent to which
companies should retain in-house expertise and whether outsourced providers
understand their clients' business well enough to furnish a credible
response to compromises, according to the study.

To keep pace with the threat, organizations must collaborate with each
other, with law enforcement and within internal departments and functions,
researchers concluded.

“Businesses in all sectors have a common and aligned interest in fighting
digital crime,” they said.

“By working together they can exchange intelligence, fund innovation, share
best practices and develop common strategies.” They should also work with
telecom companies, Internet Service Providers, banks, credit-card
providers, insurers and the security industry “in a concerted effort” to
make it harder and more costly for cyber criminals to pursue their
objectives.

Companies also must foster collaboration among their own departments and
functions — for example, by ensuring that their security and anti-fraud
teams work together to thwart criminal activity “at every step,” from
system breaches to the point where attackers seek to monetize their actions
by selling stolen data, the study said.

“It’s important to remember that no system can ever be 100 percent secure,
so a holistic, organization-wide approach is required,” researchers stated.

Meanwhile, according to the study, individual companies can take steps
against cyber crime by gathering intelligence on changing tactics and new
threats by making it easier for employees and clients to raise issues and
share information; working with management teams to identify data and
assets criminals might target and why; and building internal strategies to
focus investments on combating cyber crime on the basics — protecting
critical information and being able to respond quickly if compromised.