A second report by PwC, also released in June and titled "US Cybercrime: Rising Risks, Reduced Readiness" (CSO is a cosponsor of the report, along with the CERT Division of the Software Engineering Institute at Carnegie Mellon University and the U.S. Secret Service), did not attempt to estimate total global or U.S. losses, but found that "7% of U.S. organizations lost $1 million or more due to cybercrime incidents in 2013, compared with 3% of global organizations; furthermore, 19% of US entities reported financial losses of $50,000 to $1 million, compared with 8% of worldwide respondents."
There are a number of reasons suggested for the growth in cybercrime. One is that defenders are, effectively, outgunned. The PwC report, based on a survey of more than 500 U.S. executives, security experts, and others from the public and private sectors, was blunt: "The cybersecurity programs of U.S. organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries," it said.
According to the CSIS report, the incentives are with the attackers. "Cybercrime produces high returns at low risk and (relatively) low cost for the hackers," it said, while for companies, it is a business decision based on their perception of their risk.
"The problem with this is that if companies are unaware of their losses or underestimate their vulnerability, they will underestimate risk," the report said.
Many are indeed unaware of their risk, according to PwC, which reported that, "the FBI last year notified 3,000 US companies ranging from small banks, major defense contractors, and leading retailers that they had been victims of cyber intrusions." In other words, they didn't discover the intrusions on their own.
And that lack of awareness apparently leads to broad failures to implement even fundamental security practices, practices that have been recommended by the U.S. Commerce Department's National Institute of Standards and Technology (NIST). The PwC survey found that 54% of respondents don't provide security training for new hires, and only 20% train on-site first responders to handle potential evidence.
Only half reported having a plan to respond to insider threats, and fewer than 40% reported that they have a mobile security strategy, encrypt devices and have mobile device management.
It found that many organizations, including utilities and operators of other critical infrastructure, are using outdated software like Windows XP, which is no longer supported, even though the warnings about the end of support were issued six years in advance.
And relationships with third parties are lax, and getting worse. The survey found that only 44% of companies have a process for evaluating third parties before they launch business operations with them. That is down from 54% the previous year.