PwC study: Cyber crime is a matter for bosses
PwC has published the results of its 19th global study on white-collar crime.
The figures in PwC's "Global Economic Crime Survey" certainly have the potential to attract the attention of C-level executives and shareholders, as PwC writes. According to the study, around 50 of the companies surveyed said they had lost more than five million US dollars; almost a third of them reported cybercrime-related losses of more than 100 million US dollars. The study surveyed a total of more than 6,000 managers, primarily C-level executives and heads of business units.
Cybercrime and economic damage
The most important finding of this year's PwC study is that cybercrime now ranks second in the overall list of economic crimes against companies. In first place is a more traditional form of misappropriation of assets: the theft of money.
The survey of CEOs found that 61 percent are concerned about cybersecurity. So top executives are feeling the impact of hacking and cyber activity, which has increased sharply in recent years.
Insufficient response
However, PwC's report also contains some sobering statistics on how companies are dealing with cybercrime. Only 37 percent of respondents had a complete incident response plan. One problem with implementing these plans is inadequate staffing. According to the report, only 40 percent of study participants have a trained response team in place for emergencies.
Perhaps even more striking is the lack of IT executives in the boardroom to deal with the attacks and their potential impact. In less than half of the cases, IT executives were on the emergency response teams; they mostly consisted of members of the executive team (46 percent), lawyers (25 percent) and HR staff (14 percent).
According to PwC, contingency plans that are not optimally coordinated among all relevant stakeholders - including IT - "can limit organizations' ability to cover all of the affected areas, which is particularly important given the diversionary methods often used by hackers."
According to PwC, if the necessary expertise is lacking or the IT department is not involved from the outset, it is very possible that forensic information will be disregarded or even lost.
Real defense
PwC minces no words when it comes to inadequate cyber threat responses: organizations are simply not meeting basic requirements! Some of the more high-profile security gaps that PwC exposed were poor system configurations, inadequate controls, and other "avoidable errors". In the IT security world, simple measures such as longer user passwords, better controls for privileged accounts and stricter file access requirements are usually implemented first.
The PwC report makes it clear: Those who slack off on the basics will be punished with real economic damage. PwC recommends a multi-layered cyber security strategy that is also supported by the boardroom (and even the supervisory board), more stringent risk analyses and IT audits, and the introduction of effective monitoring processes.
What to do?
PwC's recommendations are all too familiar to us as long-standing security experts. Improved risk analysis, more protection for data, and better monitoring are things we have been preaching since the founding of our company. However, unlike any other vendor in the security space, we believe that these approaches must be implemented in the file system.
In most security incidents today, unstructured data is stolen. Serious data breaches are reported almost daily, involving the theft of passwords, credit card data, or email addresses stored unencrypted in files. In many cases, it is easy for attackers to bypass external defenses using phishing or SQL injection. Once they have penetrated a system, they have extensive access to this sensitive data, which is distributed throughout the entire file system.
The PwC study makes it clear that this data is valuable to hackers - regardless of whether it is personal data that can be sold well or intellectual property, the theft of which can mean the end for a company. To be sure, companies usually scan their networks for unusual activity or known viruses. However, they are not usually able to detect the latest generation of malware with sophisticated cloaking capabilities, or the even more threatening new exploits that don't involve malware at all. So when it comes to protecting unstructured data, you find a big and extremely costly blind spot at many companies.
PwC recommends examining file systems for unusual activity. But that is easier said than done. The remedy can be the analysis of user behavior: here, the file activities and normal behaviors of users are monitored to detect unusual operations.
This captures hacking activity by attackers who have infiltrated the system and uncovers malicious employees, helping to mitigate the risk to data. From a practical standpoint, the results of the PwC survey are definitely beneficial to corporate data security. That's because CEOs and other C-level executives now consider cybercrime a strategic issue that requires a significant investment of resources: personnel, planning and financial resources.
Like many other groups and institutes in the security field - for example, the NIST and the SANS Institute - we agree with PwC on one thing in particular: monitoring is the key to security in the real world. Hackers may never be stopped from penetrating networks. One can, however, limit the damage and ultimately significantly reduce the cost of security incidents in companies.
Press release PwC