The good guys are losing the cybercrime war. One major reason is that they don't understand their enemies, and therefore are not fighting back effectively. Another is that Edward Snowden, currently the world's most famous insider threat, apparently has a lot of company.
Those are among the most important, and sobering, conclusions of the 2013 State of Cybercrime Survey from PwC US and CSO magazine, which included responses from 500 U.S. executives, security experts, and others from both private and public sectors.
This, the 11th survey of cybercrime trends, released last week, found that while cybercrime threats are increasing, current defenses against them remain ineffective, in large measure because too many executives still do not understand the extent and seriousness of those threats, or have simply become numb to the news about them.
"There were no significant changes in C-Suite threat awareness, no spikes in spending on cyber-defense, no breakthroughs in the use of technology to combat cybercrime, and no significant change in the ability of organizations to measure the impact of both cybercrimes committed by insiders and those caused by external cyberattacks," the survey reported.
That, according to Dave Burg, PwC Global and US advisory cyber security leader, has been the case for a decade. "(We) have seen virtually no movement by survey respondents in the past 10 years," he said.
"Possibly the most alarming theme that came out of this year's survey results was that U.S. organizations are misjudging the severity of risks they face from cyber attacks from a financial, reputational, and regulatory perspective," said Bob Bragdon, vice president and publisher, CSO.
The result is that organizations aren't developing better ways to detect and counter attacks on their networks. The report said too many senior executives resemble the proverbial "frog in the pot of hot water" — losing awareness of the increasing threat environment.
"When organizations fall victim to cyberattacks, only then do they realize the time to take action was yesterday," the survey said.
And it is not nearly enough to defend the perimeter of a network. The survey found, for the second year in a row, that insiders — many times with malicious intent — are a greater threat to organizations than outside attackers. Insiders are not just direct employees either — they can be contractors, consultants, outside service providers, suppliers and business partners who have access privileges.
The survey, co-sponsored by the CERT Coordination Center at Carnegie Mellon University, CSO and the U.S. Secret Service, with collaboration with the FBI, found three major themes:
Many organizational leaders don't even know who is responsible for their cybersecurity. That may be in large measure because their security experts are not communicating effectively about threats, attacks and defensive technologies.
Sign up for Computerworld eNewsletters.