Experts On Demand

Cybercrime and Security Surveys

Three cybercrime- and security-related reports were released in November. PricewaterhouseCoopers LLP (PwC) published its Global Economic Crime Survey, which finds that fraud is expanding and that cybercrime has risen to rank among the top four economic crimes. Ernst & Young's 2011 Global Information Security Survey took a slightly different look at the issues and finds that the risk level is increasing as companies move to the cloud, become borderless, and digitize their business models. Lastly, InformationWeek's survey on the cloud's role in business continuity/disaster recovery (BC/DR) strategy finds that one out of three respondents does not have a BC/DR plan, and that roughly one-third of the firms could not get operations back into production within a day, if they could recover at all.

Focal Points:

  • A PwC survey of 3,877 respondents from organizations in 78 countries finds that 34 percent of the respondents experienced economic crimes in the last 12 months, up 13 percent from 2009. Almost one in 10 of those who reported fraud suffered losses of more than $5 million. The top four economic crimes reported were asset misappropriation (74 percent), accounting fraud (24 percent), bribery and corruption (24 percent), and cybercrime (23 percent). 40 percent of the respondents stated they do not have the capability to detect and prevent cybercrime, while 56 percent said the most serious fraud was an internal job. The PwC report also noted that suspicious transaction monitoring has emerged as the most effective fraud detection method and that 40 percent of respondents had not received any cyber security training. Other findings were that 60 percent said their organizations did not monitor social media sites, 25 percent had no formal review of cybercrime threats, and the majority did not have a cyber crisis response plan in place.
  • The E&Y global information security survey of nearly 1,700 respondents in 52 countries noted the shift companies are making to become digital and borderless and to extend into the cloud. 61 percent of the respondents stated that they are using, or planning to use, cloud services within the next 12 months, up 16 percent from last year. As a result of these shifts, 72 percent see an increased level of risk due to increased external threats, while 42 percent perceive increased risk due to growing internal vulnerabilities. The survey shows that only 12 percent of respondents presented information security topics at each board meeting, while 49 percent stated their information security function is meeting the needs of the organization. The adoption of smartphones and tablets ranked second highest on the list of technology challenges perceived as most significant. E&Y notes that 53 percent of respondents implemented limited or no access to social media as a control to mitigate social media risks, yet only 34 percent have implemented data loss prevention (DLP) tools. 74 percent have defined a policy for the classification and handling of sensitive data as a control for data leakage risk, while 75 percent of the organizations state they will perform an external network attack and penetration assessment over the next 12 months. 36 percent of respondents stated that BC/DR was the top security funding priority for the upcoming year.
  • The InformationWeek survey on cloud and BC/DR finds that 67 percent of 414 business technology respondents stated their firms have a BC/DR plan in place. The most critical applications under consideration for BC/DR were databases, email, and accounting, with CRM and ERP much lower on the list. 17 percent stated their organizations were using cloud-based services to augment or outsource BC/DR, while another 26 percent were considering it. The top four concerns associated with using cloud services for BC/DR are security, reliability and availability, cost, and privacy. Less than 20 percent of respondents claimed a recovery time of less than one hour, 20 percent stated a two- to four-hour recovery time, and another 30 percent said they would be up within a day. 25 percent of respondents claimed it would take two to five days to recover, while the remainder said it would take weeks, possibly with significant data loss, or that recovery was not possible at all. Despite these actual recovery times, 91 percent of the respondents stated their recovery time objective (RTO) was one day or less, with 33 percent setting their recovery point objective (RPO) at less than two hours. Lastly, 89 percent have incorporated virtualization into their BC/DR plan.

Experton Group believes the continually shifting digital landscape exposes IT organizations and their executives to external cybercrime as well as to internal attacks and vulnerabilities, and therefore requires a quarterly review of security policies and procedures. Whereas earlier cyber attacks tended to come from internal and non-professional sources, attacks are becoming more sophisticated and are increasingly originating with state and other deep-pocketed actors. Meanwhile, opening the enterprise to smartphones and tablets, social media, and other access points IT does not control increases the overall vulnerability of the organization. Since business demands require greater access and openness, IT executives will need to invest more heavily both in thwarting attacks and in the BC/DR capabilities needed to recover from attacks and other disasters. IT executives should ensure that audit, the board of directors, the CEO, and IT are aligned in the fight against cybercrime and have implemented plans to protect the company against attacks. Additionally, IT executives should conduct regular fraud assessments and ensure that credible BC/DR and cybercrime plans, including crisis response plans, are in place so that the company can maintain its image of integrity and trust.
