As cybersecurity incidents multiply in frequency and cost, the cybersecurity programs of US organizations do not rival the persistence and technological prowess of their cyber adversaries.
Organizations do not adequately address employee and insider vulnerabilities, nor do they assess the security practices of third-party partners and supply chains.
Most do not strategically invest in cybersecurity and ensure that it is aligned with their overall business strategy.
The 2014 US State of Cybercrime Survey was co-sponsored by PwC, CSO magazine, the CERT® Division of the Software Engineering Institute at Carnegie Mellon University, and the United States Secret Service. Cybersecurity leaders from these organizations worked together to evaluate survey responses from more than 500 executives of US businesses, law enforcement services, and government agencies. We identified requirements for effective cybersecurity and evaluated these practices against current and evolving adversaries, threats, and known attacks across the digital ecosystems of private and public organizations.
Additionally, we compared survey responses with the Core processes, practices, and technologies prescribed by the National Institute of Standards and Technology (NIST) Cybersecurity Framework to determine how respondents’ security programs compare with the best practices recommended by NIST.
In addition to analysis of the survey results, this report also draws on previous PwC research that includes PwC’s 2014 Global CEO Survey, the 2014 Global Economic Crime Survey, and The Global State of Information Security® Survey 2014. We leveraged these surveys to provide a more thorough and balanced look into the current state of cybersecurity and cyber threats.
One thing is very clear: The cybersecurity programs of US organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries. Today, common criminals, organized crime rings, and nation-states leverage sophisticated techniques to launch attacks that are highly targeted and very difficult to detect. Particularly worrisome are attacks by tremendously skilled threat actors that attempt to steal highly sensitive—and often very valuable—intellectual property, private communications, and other strategic assets and information.
It is a threat that is nothing short of formidable. In fact, the US Director of National Intelligence has ranked cybercrime as the top national security threat, higher than that of terrorism, espionage, and weapons of mass destruction. Underscoring the threat, the FBI last year notified 3,000 US companies—ranging from small banks, major defense contractors, and leading retailers—that they had been victims of cyber intrusions.