Brian Pennington

A blog about Cyber Security & Compliance

Tag: cybercrime

11 Cyber Security Questions Every Small Business Should Ask

100 Percent of Retailers Disclose Cyber Risks

According to BDO’s analysis of risk factors listed in the most recent 10-K filings of the 100 largest U.S. retailers, risk associated with a possible security breach was cited unanimously by retailers, claiming the top spot, up from the 18th spot in 2007.

Since major retail security breaches began making national headlines in 2013, retailers have become acutely aware of the growing cyber threat and cyber-related risks. Between new point-of-sale systems and evolving digital channels, the industry faces unique vulnerabilities: Retailers are responsible for safeguarding consumer data as well as their own, in addition to protecting against potential gaps in security related to third-party suppliers and vendors.

“2016 marks the 10th anniversary of our retail risk factor analysis, and throughout the decade, we’ve seen the retail landscape undergo a dramatic evolution in response to the recession, new and maturing e-commerce channels and evolving consumer preferences,” said Doug Hart, partner in BDO’s Consumer Business practice. “Retailers over the years have proven to be in tune with the industry-wide issues and trends that could pose risks to their businesses, and they are clearly not tone deaf when it comes to reacting to the urgency of cybersecurity.”

The following chart ranks the top 25 risk factors cited by the 100 largest U.S. retailers:

| Top 20 Risks for Retailers (t = tied) | 2016 rank | 2016 % | 2015 rank | 2015 % | 2014 rank | 2014 % |
|---|---|---|---|---|---|---|
| General Economic Conditions | #1 | 100% | #1 | 100% | #1 | 100% |
| Privacy Concerns Related to Security Breach | #1t | 100% | #4t | 99% | #8 | 91% |
| Competition and Consolidation in Retail Sector | #3 | 98% | #1t | 100% | #3 | 98% |
| Federal, State and/or Local Regulations | #4 | 96% | #1t | 100% | #2 | 99% |
| Natural Disasters, Terrorism and Geo-Political Events | #5 | 94% | #7 | 96% | #13 | 87% |
| Implementation and Maintenance of IT Systems | #6 | 93% | #4 | 99% | #7 | 92% |
| U.S. and Foreign Supplier/Vendor Concerns | #6t | 93% | #6 | 98% | #4 | 96% |
| Legal Proceedings | #6t | 93% | #9t | 95% | #8t | 91% |
| Labor (health coverage, union concerns, staffing) | #9 | 91% | #7t | 96% | #5 | 94% |
| Impediments to Further U.S. Expansion and Growth | #10 | 90% | #12t | 92% | #17 | 78% |
| Dependency on Consumer Trends | #11 | 88% | #9 | 95% | #6 | 93% |
| Consumer Confidence and Spending | #12 | 87% | #15 | 89% | #8t | 91% |
| Credit Markets/Availability of Financing and Company Indebtedness | #13 | 85% | #11 | 94% | #11 | 89% |
| Failure to Properly Execute Business Strategy | #14 | 82% | #12 | 92% | #11t | 89% |
| Changes to Accounting Standards and Regulations | #15 | 76% | #14 | 90% | #13t | 87% |
| International Operations | #16 | 73% | #17 | 86% | #15 | 80% |
| Loss of Key Management/New Management | #16t | 73% | #19 | 80% | #16 | 79% |
| Marketing, Advertising, Promotions and Public Relations | #18 | 66% | #25 | 68% | #24 | 64% |
| Consumer Credit and/or Debt Levels | #19 | 62% | #27 | 65% | #23 | 65% |
| Joint Ventures | #20 | 61% | #21 | 76% | #18 | 74% |

Additional findings from the 2016 BDO Retail Risk Factor Report:

Cyber Risks Include Compliance Measures

As the cyber threat looms larger, retailers are bracing for new and emerging cybersecurity and data privacy legislation. Risks associated with cyber and privacy regulations were cited by 76 percent of retailers this year. This is in line with the findings from the 2016 BDO Retail Compass Survey of CFOs, in which nearly 7 in 10 retail CFOs said they expected cyber regulation to grow in 2016. These concerns have been highlighted by President Obama’s recently unveiled Commission on Enhancing National Cybersecurity and continued debate in Congress over information sharing between the government and private industry.

Retailers have not escaped regulatory scrutiny. The industry is also subject to Europay, Mastercard and Visa (EMV) standards that bolster credit card authentication and authorization. Industry analysts estimate that just 40 percent of retailers are compliant with EMV standards despite the Oct. 1, 2015 deadline.

“Mandating EMV chip-compliant payment systems is an important first step in shoring up the industry’s cyber defenses, but it’s just the tip of the iceberg,” said Shahryar Shaghaghi, National Leader of the Technology Advisory Services practice group and Head of International BDO Cybersecurity. “Online and mobile transactions remain vulnerable to credit card fraud and identity theft, and POS systems can still be hacked and provide an access point to retailers’ networks. New forms of malware can also compromise retailers’ IT infrastructure and disrupt business operations. Every retailer will experience a data breach at some juncture; the real question is what mechanisms have been put in place to mitigate the impact.”

E-Commerce Ubiquity Drives Brick & Mortar Concerns

Impediments to e-commerce initiatives also increased in ranking, noted by 57 percent of retailers in 2016, a significant contrast from 12 percent in 2007. In 2015, e-commerce accounted for 7.3 percent of total retail sales and is continuing to gain market share.

As e-commerce grows and businesses strive to meet consumers’ demand for seamless online and mobile experiences, retailers are feeling the effects in their physical locations. The recent wave of Chapter 11 bankruptcies and mass store closings among high-visibility retailers has raised concerns across the industry. Ninety percent of retailers are worried about impediments to growth and U.S. expansion this year. Meanwhile, risks associated with owning and leasing real estate jumped 14 percentage points to 54 percent this year.

Heightened worries over the impact of e-commerce on physical locations are far reaching, driving concerns over market competition for prime real estate and mall traffic to rise 19 percentage points to 46 percent. Meanwhile, consumer demand for fast shipping fueled an uptick in risks around the increased cost of mail, paper and printing, rising 10 percentage points from seven percent in 2015 to 17 percent this year.

General Economic Conditions Hold Weight

General economic risks have been consistently top of mind for retailers throughout all ten years of this survey. Even at its lowest percentage in 2008, this risk was still the second most cited, noted by 83 percent of companies.

Despite the fact that since 2013, general economic conditions have remained tied for the top risk, concerns about specific market indicators have receded.

For more information on the 2016 BDO Retail RiskFactor Report, view the full report here.

About the Consumer Business Practice at BDO USA, LLP

BDO has been a valued business advisor to consumer business companies for over 100 years. The firm works with a wide variety of retail and consumer business clients, ranging from multinational Fortune 500 corporations to more entrepreneurial businesses, on myriad accounting, tax and other financial issues.

In cloud environments, 75% of the security risk can be attributed to just 1% of users

Cybercriminals continue to focus their efforts on what is widely considered to be the weakest link in the security chain: the user. Consequently, developing a comprehensive understanding of user behavior and the implications thereof becomes paramount to corporate security strategy.

In analysing user behavior across 10 million users, 1 billion files, and over 91,000 cloud applications, CloudLock surfaced surprising trends.

In this report, CloudLock examines cloud cybersecurity trends across three primary dimensions: users, collaboration, and applications. The Pareto Principle, the “80/20” rule, holds true across all three dimensions, revealing a truth with surprising implications for security professionals.

Key Findings

  • Users: 1% of users create 75% of cloud cybersecurity risk, signalling abnormal user behavior, whether unintentional or malicious.
  • Collaboration: While organizations on average collaborate with 865 external parties, just 25 of these account for 75% of cloud-based sharing per organization. Unexpectedly, 70% of sharing occurs with non-corporate email addresses that security teams have little control over.
  • Apps: 1% of users represent 62% of all app installs in the cloud – a high concentration. Without security awareness, this small user base introduces a high volume of risk. Additionally, 52,000 installs of applications are conducted by highly privileged users – a number that should be zero, given that privileged accounts are highly coveted by malicious cybercriminals.

4 Actionable Takeaways for a more secure cloud environment

The findings of this report show disproportionate cloud cybersecurity risk across users, collaboration, and applications. Consider the four following risk remediation strategies.

1. Focus on the User Behavior

By focusing on the riskiest subset of users, security professionals can efficiently and dramatically reduce risk. Any abnormal behavior by data-dense and risky users should be prioritized, giving the security team valuable direction on what truly requires attention and immediate resolution.

2. Focus Security on Organizations You Collaborate With Most

Given that, on average, 75% of inter-organizational sharing is with 25 external organizations, focus on the frequent collaborative organizations to eliminate the bulk of risk, then address the long tail of remaining organizations.

3. Take Application Security beyond Discovery

Discovering third-party applications that reside on the network is only the tip of the iceberg. Elevate your security game beyond app discovery through enforcement capabilities, policy-driven app control, and end-user education. If users are blocked, they will find a way around.

4. Correlate Insights Across Cloud Environments

With multi-cloud intelligence, security teams can correlate security events across platforms, preventing cybercriminal exploits from slipping through the cracks. Consider an individual logging into Salesforce in San Francisco and ServiceNow in Kuala Lumpur using the same credentials simultaneously, indicating account compromise. Avoid point security solutions in favor of platforms offering multi-cloud insights across not only SaaS applications, but also IaaS, PaaS, and IDaaS environments.
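As an added example (not CloudLock’s code or anything from the original post), the following Python implements the cross-platform check the takeaway describes: login events from two SaaS platforms are merged per user, and any consecutive pair that would require an implausible travel speed is flagged. It assumes each platform’s audit log has already been reduced to a common record with the source IP resolved to coordinates; the events, platform names and threshold are constructed for the example.

```python
"""Cross-platform impossible-travel detection over constructed SaaS login events.

Illustrative code only: not CloudLock's product or API. Assumes each platform's
audit log has already been normalised to a Login record with a geolocated source
(the IP-to-location lookup itself is out of scope here).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from itertools import groupby
from math import asin, cos, radians, sin, sqrt

# Roughly commercial-aircraft speed; a faster "journey" is not travel but credential reuse.
MAX_PLAUSIBLE_KMH = 900.0
# Logins closer than this are treated as the same place (geo-IP is not street-accurate).
SAME_PLACE_KM = 50.0


@dataclass(frozen=True)
class Login:
    user: str
    platform: str
    when: datetime       # timezone-aware UTC
    city: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points given in degrees."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def find_impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per consecutive login pair (any platform) a user could not have made.

    Events are merged across platforms and ordered per user, so a Salesforce login
    followed by a ServiceNow login is compared exactly like two logins on one platform.
    """
    alerts = []
    ordered = sorted(logins, key=lambda e: (e.user, e.when))
    for user, events in groupby(ordered, key=lambda e: e.user):
        events = list(events)
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            if km < SAME_PLACE_KM:
                continue  # same location, whatever the timing
            # Simultaneous logins from distant places, or a required speed above the
            # threshold, mean the same credential is in use from two places at once.
            if hours == 0 or km / hours > max_kmh:
                alerts.append({
                    "user": user,
                    "from": f"{prev.platform}@{prev.city}",
                    "to": f"{cur.platform}@{cur.city}",
                    "distance_km": round(km),
                    "minutes_apart": round(hours * 60),
                })
    return alerts


def _utc(stamp):
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


# Constructed sample events: two platforms, two users; coordinates are city centroids.
SAMPLE_LOGINS = [
    Login("alice", "salesforce", _utc("2016-05-03T08:00:00"), "San Francisco", 37.77, -122.42),
    Login("alice", "servicenow", _utc("2016-05-03T08:04:00"), "Kuala Lumpur", 3.14, 101.69),
    Login("bob", "salesforce", _utc("2016-05-03T09:00:00"), "London", 51.51, -0.13),
    Login("bob", "servicenow", _utc("2016-05-03T14:30:00"), "Paris", 48.86, 2.35),
    Login("bob", "salesforce", _utc("2016-05-03T14:31:00"), "Paris", 48.86, 2.35),
]

if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

Run stand-alone it reports alice’s San Francisco/Kuala Lumpur pair and nothing for bob, whose London-to-Paris gap is an ordinary afternoon’s travel.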

Data Breaches: Are You Prepared?

Data privacy and security continues to be a growing concern for many organizations. With cyber attacks increasing each year, businesses must be mindful of how data breaches occur in order to prevent the exposure of confidential information. Recognizing vulnerabilities in data security efforts can help minimize the effects a cyber attack may have on an organization.


Original produced here by Thomson Reuters.

Cyber Security a Major Threat for Metals Industry: Top Three Lessons for Executives

According to a report commissioned by the Metals Service Center Institute (MSCI), cyber security poses complicated threats for metals companies.

The report was compiled by graduate students at the Boeing Center for Technology, Information & Management (BCTIM) at the Olin School of Business at Washington University in St. Louis.

Other research has shown that cybercrimes are growing more common, more costly, and taking longer to resolve. According to the findings of the fifth annual Cost of Cyber Crime Study conducted by the respected Ponemon Institute, the 2014 global study of U.S.-based companies found:

  • The average cost of cybercrime climbed by more than 9% to $12.7 million for companies in the United States, up from $11.6 million in the 2013 study
  • The average time to resolve a cyber-attack is also rising, climbing to 45 days, up from 32 days in 2013

“With data breaches happening frequently, our members and all companies must be concerned about the safety of their data and honestly ask themselves if they are as well protected as they think they are,” said M. Robert Weidner, III, MSCI president and CEO. “The potential damage to the company is compounded by how long it would take to be up and running again and at what cost and the cost of lost revenue.”

These concerns and questions prompted MSCI to ask BCTIM to research the cyber security threat, specifically as it relates to the metals industry.

From the report, three key lessons for executives concerned or dealing with cyber security emerged:

  1. Cyber security efforts require C-suite support. Executives must be directly involved in the management of their company’s cyber risk, creating and implementing the processes and policies necessary. Little happens in this arena without the top executive pushing for and supporting change.
  2. The biggest risk to any size company is internal. Employees have access to critical information. That fact, coupled with a lack of proper cyber security policies, procedures and processes leads to vulnerabilities. An example: Most employees are not trained to detect email and phishing scams (the U.S. Steel and Alcoa breaches a few years ago were prompted by phishing scams).
  3. If a company is unsure about reducing its cyber security risk, the policies and procedures necessary and the next steps to take, it should get help from a specialized third party with the necessary expertise.


The insurance implications of a cyber attack on the US power grid

The threat of cyber attack reaches every part of modern society, and insurance could have an important role to play in helping organisations to manage their cyber risk exposure.

However, there is a significant level of uncertainty attached to the impact of severe events. Lloyd’s of London has published a research report that aims to contribute to the knowledge base required to develop the next generation of insurance solutions for the digital age.

The research estimates the economic and insurance impacts of a severe, yet plausible, cyber attack against the US power grid. While the analysis focuses on the USA, we believe that it provides a framework for thinking about severe cyber attacks anywhere in the world. The key findings of the report are:

  • The attackers are able to inflict physical damage on 50 generators which supply power to the electrical grid in the Northeastern USA, including New York City and Washington DC.
  • While the attack is relatively limited in scope (nearly 700 generators supply electricity across the region) it triggers a wider blackout which leaves 93 million people without power.
  • The total impact to the US economy is estimated at $243bn, rising to more than $1trn in the most extreme version of the scenario.
  • Insurance claims arise in over 30 lines of insurance. The total insured losses are estimated at $21.4bn, rising to $71.1bn in the most extreme version of the scenario.
  • A key requirement for an insurance response to cyber risks will be to enhance the quality of data available and to continue the development of probabilistic modelling.
  • The sharing of cyber attack data is a complex issue, but it could be an important element for enabling the insurance solutions required for this key emerging risk.

The report can be found here.

The Majority of Risk Professionals Without Coverage Are Considering Purchasing Cyber Insurance

RIMS, the risk management society™, has conducted its first Cyber Survey 2015 to explore strategies implemented by risk professionals, including insurance investments, exposures, cyber security ownership, government involvement, identification methods and response procedures.

Responses came in from 284 of RIMS U.S. professional members in various industries, with 58% of respondents coming from organizations that produce more than $1 billion in annual revenue.

RIMS said it conducted the survey, in part, to identify the methods and response procedures used by its members. It also wanted to uncover the strategies its members have in place against cyber threats, including insurance investments, exposures, cyber security ownership and government involvement.

RIMS President Rick Roberts said that the new information is intended to give “the global risk management community valuable insight, showing how organizations are trying to stay ahead of this top concern.”

Key survey findings:

  • 77% of risk management professionals credit enterprise risk management with helping them spot cyber risks at their companies.
  • The top three first party exposures reported are:
    1. 79% reputational harm
    2. 78% business interruption
    3. 73% data breach response and notification
  • 51% said their companies or organizations purchase standalone cyber insurance policies.
  • 58% of those with cyber insurance policies carry under $20 million in cyber coverage, and just under half of those said they pay more than $100,000 in premium.
  • 74% of respondents who said their companies lack cyber coverage are considering getting it within the next 12-24 months.

Cyber insurance is a major growth area for commercial insurers

The Insurance Information Institute (I.I.I.) conducted its 19th annual Property/Casualty Insurance survey and found that cyber-crime is exposing businesses, both in the U.S. and abroad, to greater levels of liability than ever before, which is why the market is far from saturated.

The survey’s key findings are below:

  • 80% of executives said they see Cyber insurance as a major growth area for commercial insurers
  • 78% expect industry capacity (as measured by policyholder surplus) to increase in 2015
  • 72% believe the federal government is interested in further expanding its regulatory oversight of insurers
  • 56% believe the economy will accelerate; 6% believe it will decelerate and 38% believe it will remain about the same
  • 92% believe that M&A activity among insurers/reinsurers will increase in 2015, for example XL Group’s acquisition of Catlin for $4.2 billion

“The U.S. economy appears to be picking up steam, which translates into more economic activity and the addition of capacity. This means more businesses and people will need more insurance, implying further increases in insurance premium volume,” said Dr. Steven Weisbart, senior vice president and chief economist with the I.I.I. “Moreover, business bankruptcies in 2014 dropped below their lowest level in the last two decades, so the erosion of commercial accounts will continue to ease. As the economy inches closer to full employment, we may begin to see wage increases that outpace inflation for the first time in nearly a decade, primarily affecting the workers compensation line. Further, the low-interest rate climate, which has lasted longer than virtually everyone thought likely, is expected to begin a return to normality sometime in the second half of 2015. Absent devastating natural catastrophes, 2015 could be another profitable year for insurers.”

The sponsoring organizations of the Forum represent a broad range of insurance interests and audiences and include: ACORD, American Insurance Association, the Association of Bermuda Insurers and Reinsurers, The Geneva Association, Insurance Institute for Business & Home Safety, Insurance Information Institute, Insurance Institute for Highway Safety, International Insurance Society, National Association of Mutual Insurance Companies, National Council on Compensation Insurance, National Insurance Crime Bureau, Property Casualty Insurers Association of America, Property & Liability Resource Bureau, Reinsurance Association of America, The Institutes and Verisk Analytics.

Find the original article here.

Reducing Cyber Risk; Marine transportation system Cybersecurity standards, liability protection and Cyber Insurance

The Coast Guard Journal of Safety & Security at Sea contains a very interesting article by David Dickman, Diz Locaria and Jason Wool: “Reducing Cyber Risk; Marine transportation system cybersecurity standards, liability protection, and cyber insurance”.

An excerpt:

Within our nation’s marine transportation system (MTS), computers, information networks, and telecommunications systems support fundamental port and maritime operations.

While this technology provides great benefits, it also introduces vulnerabilities.

In several recent incidents, bad actors exploited cyber weaknesses within MTS elements with significant repercussions.

Some examples include:

  • Somali pirates have exploited online navigational data to choose which vessel to target for hijack
  • hackers incapacitated a floating oil rig by tilting it and forcing it to shut down
  • malware caused another drilling rig to shut down for 19 days, after bringing systems to a standstill
  • hackers infiltrated computers connected to the Port of Antwerp, located specific containers, made off with smuggled drugs, and deleted the records.

The full article can be found in the journal by clicking here.

2015 Security Predictions


The full article can be found here.

2014 Global Report on the Cost of Cyber Crime – a HP Ponemon Study.

The results of the HP Enterprise Security sponsored Ponemon 2014 Global Report on the Cost of Cyber Crime are summarised below.

During the period they conducted interviews and analysed the findings, mega cybercrimes took place. Most notable was the Target cyber breach, which was reported to result in the theft of 40 million payment cards.

More recently, Chinese hackers launched a cyber attack against Canada’s National Research Council as well as commercial entities in Pennsylvania, including Westinghouse Electric Company, U.S. Steel and the United Steel Workers Union. Russian hackers recently stole the largest collection of Internet credentials ever: 1.2 billion user names and passwords, plus 500 million email addresses. While the companies represented in this research did not have cyber attacks as devastating as these were, they did experience incidents that were expensive to resolve and disruptive to their operations.

For purposes of this study, they refer to cyber attacks as criminal activity conducted via the Internet. These attacks can include stealing an organisation’s intellectual property, confiscating online bank accounts, creating and distributing viruses on other computers, posting confidential business information on the Internet and disrupting a country’s critical national infrastructure.

The study’s goal is to quantify the economic impact of cyber attacks and observe cost trends over time. They believe a better understanding of the cost of cybercrime will assist organisations in determining the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack.

Approximately 10 months of effort is required to recruit companies, build an activity-based cost model to analyse the data, collect source information and complete the analysis.

For consistency purposes, the benchmark sample consists of only larger sized organizations (i.e. more than 1,000 enterprise seats). The study examines the total costs organizations incur when responding to cybercrime incidents. These include the costs to detect, recover, investigate and manage the incident response. Also covered are the costs that result in after-the-fact activities and efforts to contain additional costs from business disruption and the loss of customers. These costs do not include the plethora of expenditures and investments made to sustain an organization’s security posture or compliance with standards, policies and regulations.

Global at a glance

This year’s annual study was conducted in the United States, United Kingdom, Germany, Australia, Japan, France and for the first time, the Russian Federation, with a total benchmark sample of 257 organizations. Country-specific results are presented in seven separate reports.

The study reports the estimated average cost of cybercrime for the seven country samples (257 companies in total), with a comparison to last year’s country averages. Cost figures are converted into U.S. dollars for comparative purposes.

There is significant variation in total cybercrime costs among participating companies in the benchmark samples. The US sample reports the highest total average cost at $12.7 million and the Russian sample reports the lowest total average cost at $3.3 million. It is also interesting to note that all six returning countries experienced a net increase in the cost of cybercrime over the past year, ranging from 2.7% for Japan to 22.7% for the United Kingdom. The percentage net change between FY 2014 and FY 2013 (excluding Russia) is 10.4%.

Summary of global findings

Following are the most salient findings for a sample of 257 organizations requiring 2,081 separate interviews to gather cybercrime cost results. In several places in this report, they compare the present findings to last year’s average of benchmark studies.

Cybercrimes continue to be on the rise for organizations. They found that the mean annualized cost for 257 benchmarked organizations is $7.6 million per year, with a range from $0.5 million to $61 million per company each year. Last year’s mean cost for 235 benchmarked organizations was $7.2 million. They observe a 10.4% net change from last year (excluding the Russian sample).

Cybercrime cost varies by organizational size. Results reveal a positive relationship between organizational size (as measured by enterprise seats) and annualized cost. However, based on enterprise seats, they determined that small organizations incur a significantly higher per capita cost than larger organizations ($1,601 versus $437).

All industries fall victim to cybercrime, but to different degrees. The average annualized cost of cybercrime appears to vary by industry segment, where organizations in energy & utilities and financial services experience substantially higher cybercrime costs than organizations in media, life sciences and healthcare.

The most costly cybercrimes are those caused by malicious insiders, denial of services and web-based attacks. These account for more than 55% of all cybercrime costs per organization on an annual basis. Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, applications security testing solutions and enterprise GRC solutions.

Cyber attacks can get costly if not resolved quickly. Results show a positive relationship between the time to contain an attack and organizational cost. Please note that resolution does not necessarily mean that the attack has been completely stopped. For example, some attacks remain dormant and undetected (i.e. modern day attacks).

The average time to contain a cyber attack was 31 days, with an average cost to participating organizations of $639,462 during this 31-day period. This represents a 23% increase from last year’s estimated average cost of $509,665, which was based upon a 27-day remediation period. Results show that malicious insider attacks can take more than 58 days on average to contain.

Business disruption represents the highest external cost, followed by the costs associated with information loss. On an annualized basis, business disruption accounts for 38% of total external costs, which include costs associated with business process failures and lost employee productivity.

Detection is the most costly internal activity followed by recovery. On an annualized basis, detection and recovery costs combined account for 53% of the total internal activity cost with cash outlays and direct labour representing the majority of these costs.

Activities relating to IT security in the network layer receive the highest budget allocation. In contrast, the host layer receives the lowest funding level.

Deployment of security intelligence systems makes a difference. The cost of cybercrime is moderated by the use of security intelligence systems (including SIEM). Findings suggest companies using security intelligence technologies were more efficient in detecting and containing cyber attacks. As a result, these companies enjoyed an average cost savings of $2.6 million when compared to companies not deploying security intelligence technologies.

A strong security posture moderates the cost of cyber attacks. They utilise Ponemon Institute’s proprietary metric called the Security Effectiveness Score (SES) Index to define an organization’s ability to achieve reasonable security objectives. The higher the SES, the more effective the organization is in achieving its security objectives. The average cost to mitigate a cyber attack for organizations with a high SES is substantially lower than organizations with a low SES score.

Companies deploying security intelligence systems experienced a substantially higher ROI (at 23%) than all other technology categories presented. Also significant are the estimated ROI results for companies that extensively deploy encryption technologies (20%) and advanced perimeter controls such as UTM, NGFW, IPS with reputation feeds (19%).

Deployment of enterprise security governance practices moderates the cost of cybercrime. Findings show companies that invest in adequate resources, appoint a high-level security leader, and employ certified or expert staff have cybercrime costs that are lower than companies that have not implemented these practices. This so-called “cost savings” for companies deploying good security governance practices is estimated at $1.3 million for employing expert personnel and $1.1 million for achieving certification against industry-leading standards.

Key findings

In this section, we provide an analysis of the key findings organized according to the following topics:

  • The average cost of cybercrime by organizational size and industry
  • The type of attack influences the cost of cyber crime
  • An analysis of the cost components of cyber crime 

The average cost of cybercrime by organizational size and industry

To determine the average cost of cybercrime, the 257 organizations in the study were asked to report what they spent to deal with cybercrimes experienced over four consecutive weeks. Once costs over the four-week period were compiled and validated, these figures were then grossed-up to determine the annualized cost.

The total annualized cost of cybercrime in 2014 ranges from a low of $0.56 million to a high of $60.5 million. The median annualized cost of cybercrime in the benchmark sample is $6.0 million, an increase from last year’s median value of $5.5 million. The mean value is $7.6 million. This is an increase of $357,761 from last year’s mean of $7.2 million. Please note the percentage net change from last year’s mean for six countries is 10.4%.

In the sample, 86 companies incurred total costs above the mean value of $7.6 million, indicating a skewed distribution. The highest cost estimate of $61 million was determined not to be an outlier based on additional analysis. A total of 171 organizations experienced an annualized total cost of cybercrime below the mean value.

As part of the analysis they calculated a precision interval for the average cost of $7.6 million. The purpose of this interval is to demonstrate that the cost estimates should be thought of as a range of possible outcomes rather than a single point or number.

The range of possible cost estimates widens at increasingly higher levels of confidence. Specifically, at a 90% level of confidence they expect the cost to lie between $7.2 million and $7.9 million.

Certain attacks are more costly based on organizational size. The study focuses on 9 different attack vectors as the source of the cybercrime. They compare smaller and larger-sized organizations based on the sample median of 8,509 seats. Smaller organizations (below the median) experience a higher proportion of cybercrime costs relating to web-based attacks, viruses, worms, Trojans and other malware.

In contrast, larger organizations (above the median) experience a higher proportion of costs relating to denial of services, malicious code and malicious insiders. In the context of this research, malicious insiders include employees, temporary employees, contractors and, possibly other business partners. They also distinguish viruses from malware. Viruses reside on the endpoint and as yet have not infiltrated the network but malware has infiltrated the network. Malicious code attacks the application layer and includes SQL attack.

The cost of cybercrime impacts all industries, but the average annualized cost appears to vary by industry segment. In this year’s study they compare cost averages for 17 different industry sectors. Companies in energy & utilities, financial services and technology experienced the highest annualized cost. In contrast, companies in media, life sciences and healthcare incurred a much lower cost on average.

The type of cyber-attack influences the cost of cyber crime

The study looks at 9 different attack vectors as the source of the cybercrime. This year, the benchmark sample of 257 organizations experienced 429 discernible cyber-attacks, or 1.6 attacks per company each week. The list below shows the number of successful attacks for the past three years, which has steadily increased.

  • FY 2014, 429 attacks in 257 organizations or 1.7 successful attacks per company each week
  • FY 2013, 343 attacks in 234 organizations or 1.4 successful attacks per company each week
  • FY 2012, 262 attacks in 199 organizations or 1.3 successful attacks per company each week

Virtually all organizations had attacks relating to viruses, worms and/or Trojans and malware over the four-week benchmark period. Malware attacks and malicious code attacks are inextricably linked. They classified malware attacks that successfully infiltrated the organizations’ networks or enterprise systems as a malicious code attack.

59% of companies experienced botnets and 58% experienced web-based attacks. Denial of service attacks and stolen devices were each experienced by 49% of companies. Only 35% of companies say a malicious insider was the source of the cybercrime.

Costs vary considerably by the type of cyber-attack. The benchmark results for seven countries show the proportion of annualized cybercrime cost allocated to each of the 9 attack types, compiled from all benchmarked organizations.

With respect to web-based attacks, the percentage of annualized costs seems fairly consistent, ranging from a low of 13% for Australia to 19% for Japan and Russia. For denial of service, they see a low of 8% for France and a high of 25% for the United Kingdom. In the case of malicious insiders, they see a low of 6% for Germany and a high of 21% for Japan. Finally, the cost of malware has a low of 6% for the US and Japan and a high of 17% for the Russian Federation.

The cost of cybercrime is also influenced by the frequency of attacks. Ranking cyber-attacks from most to least expensive when analysed by the frequency of incidents, the most expensive attacks are malicious insiders, denial of service, web-based attacks and malicious code. Malware attacks are the most frequently encountered and, hence, represent a relatively low unit cost.

Time to resolve or contain cybercrimes increases the cost. The mean number of days to resolve cyber attacks is 31, with an average cost of $20,758 per day, or a total cost of $639,462 over the 31-day remediation period. This represents a 23% increase from last year’s cost estimate of $509,665 over a 27-day remediation period. Please note that resolution does not necessarily mean that the attack has been completely stopped. For example, some attacks remain dormant and undetected (i.e., modern day attacks).

Some attacks take longer to resolve and as a result are more costly. The time it takes to resolve the consequences of the attack increases the cost of a cybercrime. The analysis reports the average number of days to resolve cyber attacks for each of the 9 attack types studied in this report. It is clear from these figures that it takes the most time, on average, to resolve attacks from malicious insiders, malicious code and web-based attackers (hackers). Malware, botnets and viruses are on average resolved relatively quickly (i.e., in a few days or less).

An analysis of the cost components of cyber crime

Information theft remains the most expensive consequence of a cybercrime. In this research they look at four primary consequences of a cyber attack: business disruption, the loss of information, loss of revenue and damage to equipment. Among the organizations represented in this study, business disruption represents the largest cost component (38%). The cost of business disruption includes diminished employee productivity and business process failures that happen after a cyber attack. Information and revenue loss follow at 35% and 22%, respectively.

Companies spend the most on detection and recovery. Cybercrime detection and recovery activities account for 53% of total internal activity cost. This is followed by containment and investigation cost (both at 15%). Detection and recovery cost elements highlight a significant cost-reduction opportunity for organizations that are able to systematically manage recovery and to deploy enabling security technologies to help facilitate the detection process.

The largest portion of the security budget is allocated to the network layer. The network layer receives the highest allocation at 33% of total dedicated IT security funding. At only 7%, the host layer receives the lowest funding level.

The organization’s security posture influences the cost of cybercrime. The researchers measure the security posture of participating organizations as part of the benchmarking process, and plot the annualized cost of companies in descending order of their security effectiveness as measured by the Security Effectiveness Score (SES), together with a regression line.

The figure shows an upward sloping regression, suggesting that companies with a stronger security posture experience a lower overall cost. The SES range of possible scores is +2 (most favourable) to -2 (least favourable). Compiled results for the present benchmark sample vary from a high of +1.90 to a low of -1.7, with an SES mean value of 0.31.

Organizations deploying security intelligence technologies realize a lower annualized cost of cybercrime. The study shows the average amount of money companies can save with SIEM across the 6 activities conducted to resolve a cyber attack, comparing companies deploying and not deploying security intelligence systems. In total, 124 companies (48%) deploy security intelligence tools such as SIEM, IPS with reputation feeds, network intelligence systems, big data analytics and others.

With two exceptions (investigative and incident management costs), companies using security intelligence systems experience lower activity costs than companies that do not use these technologies. The largest cost differences in millions pertain to detection ($2.83 vs. $1.63), recovery ($1.77 vs. $1.13) and containment ($1.59 vs. $0.94) activities, respectively.

Security intelligence systems have the biggest return on investment. The study estimates the return on investment (ROI) realized by companies for each of the 7 categories of enabling security technologies. At 23%, companies deploying security intelligence systems on average experience a substantially higher ROI than all other technology categories in this study.

Also significant are the estimated ROI results for companies that extensively deploy encryption technologies (20%) and advanced perimeter controls such as UTM, NGFW, IPS with reputation feeds and more (19%). The estimated average ROI for all 7 categories of enabling security technologies is 15%.

Certain governance activities can reduce the cost of cybercrime. The top three governance activities are: certification against industry-leading standards, appointment of a high-level security leader (CISO) and employment of expert security personnel.

Find the full study here.

Cybercriminals see a 9% year-on-year improved yield on stolen records, from $136 to $145

IBM and Ponemon have released their ninth annual Cost of Data Breach Study: Global Study. According to the research, the average total cost of a data breach for the companies participating in this research increased 15% to $3.5 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased more than 9% from $136 in 2013 to $145 in this year’s study. 

For the first time, the study looks at the likelihood of a company having one or more data breach occurrences in the next 24 months. Based on the experiences of companies participating in the research, Ponemon believe they can predict the probability of a data breach based on two factors:

  1. How many records were lost or stolen
  2. The company’s industry

According to the findings, organizations in India and Brazil are more likely to have a data breach involving a minimum of 10,000 records. In contrast, organizations in Germany and Australia are least likely to have a breach. In all cases, it is more likely a company will have a breach involving 10,000 or fewer records than a mega breach involving more than 100,000 records.

In this year’s study, 314 companies representing the following 11 countries participated:

  1. Australia
  2. Brazil
  3. France
  4. Germany
  5. India
  6. Italy
  7. Japan
  8. Saudi Arabia (Saudi Arabia and the United Arab Emirates were combined as the Arabian region)
  9. United Arab Emirates
  10. United Kingdom
  11. United States

All participating organizations experienced a data breach ranging from a low of approximately 2,415 to slightly more than 100,000 compromised records. Ponemon define a compromised record as one that identifies the individual whose information has been lost or stolen in a data breach.

As the findings reveal, the consolidated average per capita cost of data breach (compiled for eleven countries and converted to US dollars) differs widely among the countries. Many of these cost differences can be attributed to the types of attacks and threats organizations face as well as the data protection regulations and laws in their respective countries.

In this year’s global study, the average consolidated per capita cost of a data breach increased from $136 to $145.

However, German and US organizations on average experienced much higher costs at $195 and $201, respectively.

Ponemon Institute conducted its first Cost of Data Breach study in the United States nine years ago. Since then, they have expanded the study to include the United Kingdom, Germany, France, Australia, India, Italy, Japan, Brazil and, for the first time this year, the United Arab Emirates and Saudi Arabia. To date, 1,279 business and government (public sector) organizations have participated in the benchmarking process since the inception of this research series.

This year’s study examines the costs incurred by 314 companies in 16 industry sectors after those companies experienced the loss or theft of protected personal data. It is important to note the costs presented in this research are not hypothetical but are from actual data loss incidents. They are based upon cost estimates provided by the 1,690 individuals interviewed over a ten-month period in the companies that are represented in this research.

The following are the key findings, measured in US dollars:

  • The most and least expensive breaches. US and German companies had the most costly data breaches ($201 and $195 per record, respectively). These countries also experienced the highest total cost (US at $5.85 million and Germany at $4.74 million). The least costly breaches occurred in Brazil and India ($70 and $51, respectively). In Brazil, the average total cost for a company was $1.61 million and in India it was $1.37 million.
  • Size of data breaches. On average, U.S. and Arabian region companies had data breaches that resulted in the greatest number of exposed or compromised records (29,087 and 28,690 records, respectively). On average, Japanese and Italian companies had the smallest number of breached records (18,615 and 19,034 records, respectively). 
  • Causes of data breaches differ among countries. Companies in the Arabian region and in Germany were most likely to experience a malicious or criminal attack, followed by France and Japan. Companies in India were the most likely to experience a data breach caused by a system glitch or business process failure and UK companies were more likely to have a breach caused by human error. 
  • The most costly data breaches were malicious and criminal attacks. Consolidated findings show that malicious or criminal attacks are the most costly data breach incidents in all ten countries. U.S. and German companies experience the most expensive data breach incidents at $246 and $215 per compromised record, respectively. Brazil and India had the least costly data breaches caused by malicious or criminal attackers at $77 and $60 per capita, respectively.
  • Factors that decreased and increased the cost of a data breach. Having a strong security posture, incident response plan and CISO appointment reduced the cost per record by $14.14, $12.77 and $6.59, respectively. Factors that increased the cost were those that were caused by lost or stolen devices (+ $16.10), third party involvement in the breach (+ $14.80), quick notification (+ $10.45) and engagement of consultants (+ $2.10). 
  • Business continuity management reduced the cost of a breach. For the first time, the research reveals that having business continuity management involved in the remediation of the breach can reduce the cost by an average of $8.98 per compromised record. 
  • Countries that lost the most customers following a data breach. France and Italy had the highest rate of abnormal customer turnover or churn following a data breach. In contrast, the Arabian region and India had the lowest rate of abnormal churn. 
  • Countries that spent the most and least on detection and escalation. On average, German and French organizations spent the most on detection and escalation activities such as investigating and assessing the data breach ($1.3 million and $1.1 million, respectively). Organizations in India and the Arabian region spent the least on detection and escalation at $320,763 and $353,735 respectively. 
  • Countries that spent the most and least on notification. Typical notification costs include IT activities associated with the creation of contact databases, determination of all regulatory requirements, engagement of outside experts and other efforts to make sure victims are alerted to the fact that their personal information has been compromised. U.S. and German organizations on average spent the most ($509,237 and $317,635 respectively). Brazil and India spent the least amount on notification ($53,772 and $19,841, respectively). 
  • Will your organization have a data breach? As part of understanding the potential risk to an organization’s sensitive and confidential information, Ponemon thought it would be helpful to understand the probability that an organization will have a data breach. To do this, they extrapolate a subjective probability distribution for the entire sample of participating companies on the likelihood of a material data breach happening over the next two years. The results show that the probability of a material data breach involving a minimum of 10,000 records is more than 22%. In addition to the overall aggregated results, they find that the probability of a data breach varies considerably by country. India and Brazil have the highest estimated probability of occurrence.

The full report can be obtained here.

RSA’s January 2013 Online Fraud Report, including an excellent summary of phishing in 2012

RSA’s January 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre. A summary of the report is below.

The total number of phishing attacks launched in 2012 was 59% higher than 2011

It appears that phishing has been able to set yet another record year in attack volumes, with global losses from phishing estimated at $1.5 billion in 2012. This represents a 22% increase from 2011.

The estimated amount lost from phishing this year was affected by the industry median – the number of uptime hours per attack. The median dropped in 2012 (from 15.3 to 11.72 hours per attack, according to the Anti-Phishing Working Group), somewhat curbing the impact of losses overall. If attack medians had remained the same, estimated losses from phishing would have exceeded $2 billion.

There is no doubt phishing still continues to be a persistent threat to all organizations. The RSA Anti-Fraud Command Center is at the forefront of phishing attack shut down. To understand the magnitude of growth however, consider the following fact: at the end of 2011, RSA celebrated its 500,000th attack takedown; that number was achieved over seven years. In 2012 alone, RSA took down almost an additional 50% of that total volume!

The roster of countries most attacked by phishing throughout the year was not surprising; the same countries appeared on the shortlist of the most attacked: the UK, the U.S., Canada, Brazil and South Africa. In Latin America, Colombia and Brazil were the two most attacked countries.

There have been major increases in phishing attack volume in some countries, while slight declines were recorded for others. One of the most significant increases in 2012 phishing numbers occurred in Canada, where attacks increased nearly 400% in the first half of the year. There has been much speculation as to why the increase was so sharp, but the main reason is simply economics: fraudsters follow the money. With the Canadian and U.S. dollar being exchanged at nearly a 1:1 ratio, Canada has become an equally lucrative target for cybercrime.

The list of top countries to have consistently hosted the most phishing attacks throughout 2012 remained nearly identical to 2011.

  1. U.S.
  2. UK
  3. Germany
  4. Brazil
  5. Canada
  6. France
  7. Russia
  8. Poland
  9. The Netherlands
  10. Japan

Phishing targets and tactics in 2012

The past year saw phishing targets diversify to include popular online retailers, which were targeted via the usual web portals but also through the increasingly popular use of mobile apps for shopping. Other targets on phishers’ lists were airline companies, gaming platforms, mobile communication providers and webmail services.

It appears that malware writers are strong players in the world of phishing kit coding, responding to the demand in the underground and servicing phishers looking for off-the-shelf kit templates or custom written specialty kits. The top requests for phishing kit writers were, unsurprisingly, the login pages of U.S. based banks, credit card issuers and the dedicated login pages for business/corporate users of online banking/investments.

In terms of the tactics used by cybercriminals to launch their attacks, 2012 saw the use of rather simple hosting methods, mainly taking advantage of hijacked websites.

The most prominent trends noted came in the shape of web shells and automated toolkits used to hijack massive numbers of websites, and smarter phishing kits containing custom plug-ins such as web-analytics tools. RSA forensics analysts also noted a proliferation of off-the-shelf code written by black hat programmers, and the use of combined attack schemes that phish users and then redirect them to subsequent malware infection points.

Global Phishing forecast for 2013

Phishing via Mobile

The most prominent market trends relevant to the mobile channel have to do with the growth in mobile device usage in both our personal and work life and the pivotal role of mobile apps. RSA expects to see more phishing directed at mobile device users, particularly smartphones, as we move into 2013. Varying social engineering schemes will target users by voice (vishing), SMS (smishing), app-based phishing (rogue apps), as well as classic email spam that users will receive and open on their mobile devices.

Phishing via Apps

Applications are the central resource for smartphone users, and the overall popularity of apps will make them just as popular with cybercriminals.

Nowadays, users download apps designed for just about any day-to-day activity, with the most prominent of those being gaming, social networking and shopping apps. To date, both Apple and Google have surpassed 25 billion app downloads each from their respective stores. In fact, according to research firm Gartner, this number will grow to over 185 billion by 2015.

In 2013 organizations will continue to aggressively tap into this growing market and respond by further moving products and services to this channel, delivering specialized small-screen adaptations for Web browsing, and developing native apps that supply mobile functionality and brand-based services to enable customers anywhere-anytime access.

Following user behavior trends (and money) in 2013, criminals will drive underground demand for threats and attack schemes designed for the mobile channel. Cybercriminals will focus on apps in order to deliver phishing, conceal malware, infect devices, and steal data and money from users of different mobile platforms.

Phishing via Social Media

In 2008, slightly more than 20% of online users in the U.S. were members of a social network. That number has since more than doubled and stands at around 50% today.

Data collected last year from Fortune’s Global 100 revealed that more than 50% of companies said they have Twitter, Facebook, and YouTube accounts. Facebook membership, for example, has increased nearly 10 times since 2008, with over 7 billion unique visitors per month worldwide. Twitter shows that the number of members increased by a factor of five over the same period, boasting over 555 million regular users.

With the world turning into a smaller and more ‘social’ village than ever, cybercriminals are by no means staying behind. They follow the money, and so as user behavior changes, RSA expects cybercriminals to continue following their target audience (future victims) to the virtual hot-spots. According to a Microsoft research study, phishing via social networks was used in only 8.3% of attacks in early 2010; by the end of 2011 that number stood at 84.5% of the total. Phishing via social media steadily increased through 2012, jumping as much as 13.5% in one month considering Facebook alone.

Another factor affecting the success of phishing via social media is the vast popularity of social gaming; an activity that brought payments into the social platform. Users who pay for gaming will not find it suspicious when they are asked for credit card details and personal information on the social network of their choice.

Social media is definitely one way by which criminals get to their target audience, phishing them for access credentials (which are used for webmail at the very least and for more than one site in most cases), as well as stealing payment details they use online.

RSA’s Conclusion

Phishing attack numbers have been increasing annually, and although phishing is one of the oldest online scams, it seems that web users still fall for it, which is why it remains so popular with fraudsters.

With the heightened availability of kits, cybercriminals’ awareness of the latent potential in stolen credentials, and the enhanced quality of today’s attacks, the forecasted outlook for 2013 calls for yet another record year riddled with hundreds of thousands of phishing attacks worldwide.

As of January 1, 2013, the RSA Anti-Fraud Command Center has shut down more than 770,000 phishing attacks in more than 180 countries.

Phishing Attacks per Month

In December, RSA identified 29,581 attacks launched worldwide, marking a 29% decrease in attack volume from November, but a 40% increase year-over-year in comparison to December 2011.

The overall trend in attack numbers showed a steady rise in volume throughout the year, reaching an all-time high in July, with 59,406 attacks detected in a single month, 52% more than 2011’s peak of 38,970 attacks.

Number of Brands Attacked

In December, 257 brands were targeted in phishing attacks, marking a 10% decrease from November. Of the 257 targeted brands, 49% endured five attacks or less.

US Bank Types Attacked

U.S. nationwide banks continued to be the most targeted, absorbing 79% of total attack volume in December. It is not surprising that fraudsters prefer large financial institutions over smaller ones as the potential “victim rate” rises in conjunction with the size of the bank’s customer base. Moreover, information regarding security procedures at larger institutions can be more easily located in open-source searches.

Top Countries by Attack Volume

The U.S. was targeted by the majority, or 46%, of total phishing volume in December. The UK accounted for 19% of attack volume, while India and Canada remained third and fourth with 8% and 5% of attack volume, respectively.

Top Countries by Attacked Brands

U.S. brands were the most targeted again in December, with 28% of total phishing attack volume, followed by UK brands which were targeted by 10% of attacks. Brands in Canada, Australia, India and Brazil were each targeted by 5% of phishing volume.

Top Hosting Countries

In December, the U.S. remained the top hosting country for phishers, hosting 53% of global phishing attacks. Germany and the UK were the next top hosting countries, accounting for 5% of hosted attacks.

Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA December 2012 Online Fraud Report Summary here.
  • The RSA November 2012 Online Fraud Report Summary here.
  • The RSA October 2012 Online Fraud Report Summary here.


An Insurer’s perspective of Cyber Crime

Beazley, an insurance company, recently issued a press release on the threat to business from Cyber Crime. Their perspective supports that of the leading IT Security researchers.

Beazley quote some interesting research to support their release:

  • According to a survey by the Identity Theft Resource Center® of 226 security breaches (1), 44 percent of the victims in the first half of this year (2011) were businesses with assets of under $35 million, which lost in aggregate 3.6 million customer records.
  • Verizon’s 2011 data breach report of 759 occurrences conducted in collaboration with the US Secret Service shows 63 percent of last year’s breaches involved organizations with no more than 100 employees.(2)

Beazley state that most small businesses currently go without insurance coverage due to a variety of misconceptions about the scale of the risk and the scope of their existing insurance protections.

Jamie Orye, an underwriter who manages the US Private Enterprise/Small Business Technology team for Beazley, said: “Cyber criminals view small businesses as easier targets than their larger, more technologically sophisticated counterparts. They have limited resources to protect themselves, and with more modest incomes, these small businesses have more to lose.”

Among the misconceptions frequently relayed to Beazley underwriters by small business owners or their brokers are:

  • The cost of responding to impacted clients is simply a postage stamp per breached record.
  • Our information is well-protected by our IT consultants.
  • Our employees would not act maliciously and know how to protect our data.
  • Security breaches are covered by our general liability policy.

Orye urges small business owners to talk to their brokers to ensure their coverage extends to cover notification costs, which general liability insurance typically does not. Notification costs can be heavy as they must meet the standards prescribed by a bewildering array of state and federal laws.

Firms should also have resources available to conduct proper forensic investigations to ensure they notify clients only when needed.

Orye gave a recent example of a professional services firm that had their server hacked. The firm spent $100,000 on notifying clients that their sensitive data – such as social security numbers – might have been exposed. However, the firm later discovered none of the exposed data fell into this sensitive category.

“Firms should also realize they may not be off the hook for a breach just because their data storage and management needs are outsourced. They will need to find out if their IT service providers are covered for data privacy issues,” said Orye.

Beazley’s Research Sources:

(1) The Identity Theft Resource Center can be found here. The quoted research was from 7/5/2011.

(2) The Verizon research PDF can be found here.

Beazley’s website can be found here.
