New Study Reveals Cybercrime May Be Widely Underreported—Even When Laws Mandate Disclosure
ISACA’s State of Cybersecurity Report Also Finds Only 1 in 3 Organizations Highly Confident in Their Ability to Detect and Respond to Threats
While attack vectors remain largely the same year over year, attack volume will increase and cybercrime may be vastly underreported, according to the 2019 State of Cybersecurity Study from global IT and cybersecurity association ISACA.
“Underreporting cybercrime—even when disclosure is legally mandated—appears to be the norm, which is a significant concern,” said Greg Touhill, Brigadier General (ret), ISACA Board Director, president of Cyxtera Federal and the first US Federal CISO. “Half of all survey respondents believe most enterprises underreport cybercrime, even when it is required to do so.”
Equally concerning, only 1 in 3 cybersecurity leaders (34 percent) have high levels of confidence in their cybersecurity team’s ability to detect and respond to cyberthreats. The highest levels of confidence are correlated with teams that report directly into the CISO, and the lowest levels are correlated with teams reporting into the CIO. According to the study, 43 percent of respondents say their teams report to a CISO, and 27 percent report to a CIO.
“What we can conclude from this year’s study is that governance dictates confidence level in cybersecurity,” said Frank Downs, director of ISACA’s cybersecurity practices. “When the cybersecurity team reports directly to a designated and experienced cybersecurity executive, cybersecurity teams report having significantly more confidence in their team’s capability to detect attacks and respond effectively.”
These findings indicate the confusion enterprises experience when structuring cybersecurity alongside information technology. A CIO’s main goal is managing and implementing information technology, which is substantially different from securing and protecting it. In this reporting structure, cybersecurity can become a secondary consideration, leaving the team less confident in its cyberreadiness. In fact, a higher percentage of respondents are confident in cybersecurity teams reporting to the CEO than in those reporting to the CIO.
ISACA’s State of Cybersecurity Study, sponsored by HCL Technologies Ltd., captures the perspectives of more than 1,500 individuals who define the field—cybersecurity managers and practitioners from across the globe. Part 1, released in March, highlighted workforce trends and challenges. Part 2, released today at Infosecurity Europe, covers attack trends.
According to State of Cybersecurity Part 2, the top three threat actors remain cybercriminals, hackers and nonmalicious insiders. Phishing, malware and social engineering top the list of prevalent attack types for the third year in a row. Ransomware is significantly down from 2018, with 37 percent of organizations reporting that they experienced ransomware in last year’s study, compared to 20 percent this year.
Just under half of organizations report an increase in cybersecurity attacks on their organization this year, and 79 percent say it is likely they will experience a cyberattack next year.
“The cyber landscape is complex. Cybersecurity, though in focus today, suffers from a siloed and static approach,” said Renju Varghese, Fellow & Chief Architect, CyberSecurity & GRC, at HCL Technologies Ltd. “Many teams are missing the attacks that significantly impact organizations because they don’t have the size or expertise to keep up with the attackers and are overwhelmed. Moreover, their existing security tools and processes are segregated and seldom work in tandem, leaving the teams staring at multiple consoles and drowning in alerts and incidents.”
However, by carefully analyzing the variables that contribute to incident susceptibility and team inefficiency, organizations can better prepare themselves for the dangers presented by cyber miscreants, says ISACA’s Downs. Specifically, by analyzing key organizational attributes identified in the State of Cybersecurity, such as cyber reporting structure, prevalent attack methods and team readiness through a culture of continuing professional education, organizations can increase their resilience to potential incidents.
State of Cybersecurity 2019 parts 1 and 2 are available as free downloads at www.isaca.org/info/state-of-cybersecurity-2019/index.html. The report is the latest research from ISACA’s Cybersecurity Nexus, which offers credentials, training, guidance and research for security professionals.
About the State of Cybersecurity Study
More than 1,500 cybersecurity professionals who hold ISACA’s Certified Information Security Manager (CISM) and/or CSX Cybersecurity Practitioner (CSXP) designations and positions in information security participated in the online survey. The findings are presented in two reports, available at www.isaca.org/info/state-of-cybersecurity-2019/index.html.
Now in its 50th anniversary year, ISACA (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology. Today’s world is powered by information and technology, and ISACA equips practitioners with the knowledge, credentials, education and community to advance their careers and transform their organizations. ISACA leverages the expertise of its 460,000 engaged practitioners—including its 140,000 members—in information and cybersecurity, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 220 chapters worldwide and offices in both the United States and China.
About HCL Technologies Ltd.
HCL Technologies Ltd. (HCL) is a leading global technology company that helps global enterprises reimagine and transform their businesses through digital technology. HCL operates in 44 countries and had consolidated revenues of US $8.4 billion for the 12 months ending 31 December 2018. HCL provides an integrated portfolio of services informed by its Mode 1-2-3 growth strategy. Mode 1 encompasses core services in the areas of applications, infrastructure, business processes outsourcing (BPO) and engineering, research and development services, leveraging DRYiCE™ Autonomics to transform clients’ business and IT landscape, making them lean and agile. Mode 2 focuses on experience-centric, outcome-oriented, integrated offerings of Digital and Analytics, IoT WoRKS™, Cloud Native Services, and Cybersecurity and GRC services to drive business outcomes and enable enterprise digitization. Mode 3 strategy is ecosystem-driven, creating innovative IP-partnerships to build product and platform business. HCL leverages its global network of integrated co-innovation labs to provide holistic multiservice delivery in key industry verticals including financial services, manufacturing, telecommunications, media, publishing, entertainment, retail and consumer packaged goods, life sciences and healthcare, oil and gas, energy and utilities, travel, transportation and logistics, and government. With 132,328 professionals from diverse nationalities, HCL creates real value for customers by taking “Relationships Beyond the Contract.” For more information, please visit www.hcltech.com.