One metric that’s difficult to gauge when it comes to cybercrimes is the economic impact felt by companies.
However, PwC took on this challenge and just released the results of its 19th Global Economic Crime Survey.
It revealed the kinds of numbers that get the attention of executives, and for public companies, their shareholders as well.
According to the survey, “a handful of respondents (approximately 50 organizations) said they had suffered losses over $5 million; of these, nearly a third reported cybercrime-related losses in excess of $100 million.”
What makes this report different is that instead of trying to estimate the costs of cyber incidents, PwC asked the people at the top what they thought.
Their 6,000+ respondents are heavily weighted towards C-levels and heads of business units. In other words, it’s a survey group that truly understands the operational details of their company, and are in the best position to judge real economic impact.
Cybercrime and Economic Loss
The most significant take away from this year’s PwC survey is that cybersecurity has jumped into the second slot in the overall list of economic crimes experienced by companies. Cybercrime is now only preceded by the more traditional crime of asset misappropriation —stealing money.
When PwC surveyed just CEOs, they found that 61% of this group of corporate leaders are concerned with cybersecurity.
This means that executives at the highest levels are feeling the effects of the increased levels of hacking and other cyber activities over the last few years.
The PwC report has some equally sobering statistics on how companies are dealing with cybercrime. Only 37% of respondents have a complete incident response plan.
One of the problems in getting these plans operationalized is that the staffing levels are inadequate. The report has found that just 40% of those surveyed had a fully-trained response team.
Perhaps even more striking is the lack of IT leadership in the high-level management that’s brought in to deal with these attacks and their aftermath. Less than half of first responder teams include IT executives. For the record, these teams are made up mostly of senior management (46%), legal (25%) and HR (14%).
PwC says that data breach responses that are not completely coordinated with all the relevant players — more specifically, IT — “might also limit the organization’s ability to investigate all the areas that have actually been breached, especially critical considering hackers’ frequent use of diversion techniques.”
Without IT’s expertise and involvement from the beginning, PwC notes that forensic information is neglected and perhaps even lost.
A Real Defense
PwC is also very blunt about other causes behind this inadequate cyberthreat response: they’re just not getting the basics right!
A few of the more prominent security lapses they found include: poor system configurations, inadequate controls, and other “unforced errors” being made.
In the IT security world, we call this block-and-tackle defense — typically addressing low-hanging fruit such as requiring longer user passwords, better controls of privileged accounts, and tighter file access requirements.
As the PwC report suggests, when you don’t get the basics right, you’ll have to deal with real economic loss.
Their recommendations call for a multi-tiered defense that includes buy-in at the highest management levels (and even the board of trustees!) for a cybersecurity strategy, tougher risk assessments and IT audits, and implementing effective monitoring processes.
The Varonis Answer
When you’ve been in the data security business as long as we have, you’ll find nothing controversial about PwC’s recommendations.
Better risk assessments, improved data protection, and better monitoring are what we’ve been focusing on since the beginning of Varonis. However, unlike everyone else in the security business, we believe the file system is where these ideas need to be implemented.
Most breaches today involve the theft of unstructured data. In fact, we read now about serious data breaches occurring almost daily involving theft of passwords, credit card numbers, or email addresses found in plain text within files. In many cases, attackers easily penetrate external defenses (through phishing or injection), and once inside they have broad access to this sensitive data that’s scattered across the file system.
And as the PwC report makes clear, this data is valuable to hackers – either as monetizable PII or IP that could lead to corporate extinction if stolen.
While companies may be monitoring networks for unusual activity or scanning for known viruses, they’re generally unequipped to spot the newest generation of stealthy malware and, even more ominously, the recent arrival of malware-free exploits.
In short: companies have a huge and costly blind spot when it comes to protecting their unstructured information repositories.
It is easier said than done, as PwC recommends, to monitor a file system for unusual activity. This is where Varonis has a unique enterprise-class solution that addresses this problem. Our DatAlert product is based on User Behavior Analytics (UBA) technology, which watches user file activity and baselines what users are doing to detect things that don’t look normal.
We can spot hackers who are inside your systems as well as employees who become threats, thereby reducing risks of data exposure.
UBA is a fairly new term, but in fact Varonis has a long and successful track record of using this technology. Our DatAdvantage recommendations and alerts are two examples that have been proving themselves for years. Our software has been tracking and analyzing behavior that no one else does: user access to unstructured data, like files and emails.
The PwC report is in practical terms, good news for corporate data security. CEOs and other C-levels now see cybercrime as a strategic issue that requires significant resources — staffing, planning, and money.
We also agree with PwC as do many others security standards groups – see for example, NIST and SANS – that monitoring is the key to real-world security. While we may never be able to prevent hackers from getting inside, Varonis can limit the damage and ultimately reduce the bottom line costs of data breaches for companies.