You should now understand why we say that threats are pervasive. CEOs and board members must mitigate cybersecurity risks together, through proactive engagement. Here are some best practices for you to follow to help secure your organization today and into the future.
Make Sure This is Understood: Security Is Your Responsibility. Officers and directors have a fiduciary obligation to run their companies with reasonable care. In carrying out these obligations, "officers and directors must assume an active role in establishing the correct governance, management, and culture for addressing security in their organization."82
Adopt a More Risk-driven Approach. You need to have a good handle on the damage cyberattacks can do to your bottom line and reputation. Ask your IT group when it last performed a full risk assessment and evaluation of brand asset protection.
Appoint Someone to Champion Data Security. Data security needs a strong advocate. Companies place that responsibility under various positions, usually within their IT or security groups. Whichever position holds it, this is the approach that best ensures data security feedback reaches leadership.
Form an Information Security Committee. Make this group responsible for the design, implementation, and day-to-day oversight of cybersecurity compliance efforts. This will promote information sharing inside the company—especially at the executive and director levels. Regular communication between business and security leadership improves cybersecurity.
Evolve with Technology. Creating a security infrastructure is not a one-time project. Continuing to invest in capabilities that respond to evolving adversaries will better protect your business and brand equity moving forward.
Get Outside Help. Outside advisors will, ideally, offer a more holistic and objective security perspective. You know your company but an outside security consulting group knows the security practices of many companies.
Lead by Example. Don't let security policy exemptions become a perk for directors and officers. They're not a perk - they're a weak link and the reason executives attract spear-phishing attempts. If you use encryption, secure log-ins and strong passwords and go through security audits like everyone else, your peers and employees will see you're all in for security—a powerful message.
Your adversaries are evolving. Your cybersecurity strategies must adapt to protect your business. Your employees, your reputation, and your shareholders are counting on you.
Cybersecurity terms evolve. This glossary details the terms and their definitions as used in this report and other commonly referenced materials.
A targeted attack by adversaries who penetrate a network without detection and maintain access for a period of time, all while monitoring information or stealing resources. APTs require considerable resources and may continue for years.
The process of confirming the identity of a user, most often with a username and password.
An individual who uses extensive computer skills to breach the security of companies for malicious purposes.
A large number of compromised computers used to create and send spam or viruses, or flood a network with messages such as in a distributed denial of service attack.
Command and control tools that allow hacker groups to manage huge numbers of compromised systems.
A technique for analyzing existing data to extract additional value from it.
An attack to make an online service unavailable by overwhelming it with traffic from multiple compromised systems.
Surveillance software that records every keystroke, including usernames and passwords.
A generic term for a number of different types of malicious software. A malware payload may be delivered by a virus, via email, or through a compromised web page.
A piece of a message transmitted over a packet-switching network. One of the key features of a packet is that it contains the destination address in addition to the data.
Social engineering through emails using known information about the target to acquire other data such as user names, passwords, or financial information.
The publicly disclosed component of a pair of cryptographic keys used for asymmetric cryptography.
Encryption system that uses two mathematical “keys.” One, the public key, is known to everyone and used to encrypt a message. The second, the private key, is known only to the recipient and used to decrypt a message.
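As an added illustration of the two-key idea in the definition above (example code written for this glossary, not from the report or its authors), the following is textbook RSA with deliberately tiny, constructed primes so that every step is visible. The parameters, function names and the byte-at-a-time "encryption" are assumptions for the demonstration; real deployments use primes of 1024 bits or more and a padding scheme, and never encrypt single bytes.

```python
from math import gcd


# Constructed toy parameters (not from the report): p = 61, q = 53 give n = 3233.
# Real keys use primes of 1024+ bits and padding (e.g. OAEP); this is for reading only.
def generate_keypair(p, q, e=17):
    """Return (public_key, private_key) as (e, n) and (d, n)."""
    n = p * q                    # modulus, part of both keys
    phi = (p - 1) * (q - 1)      # Euler's totient of n
    assert gcd(e, phi) == 1, "public exponent must be coprime to phi(n)"
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi); Python 3.8+
    return (e, n), (d, n)


def encrypt_int(m, public_key):
    """Anyone holding the public key can encrypt: c = m^e mod n."""
    e, n = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt_int(c, private_key):
    """Only the private-key holder recovers m: m = c^d mod n."""
    d, n = private_key
    return pow(c, d, n)


def encrypt_bytes(data, public_key):
    # Toy only: one ciphertext integer per byte (every byte is < n).
    return [encrypt_int(b, public_key) for b in data]


def decrypt_bytes(blocks, private_key):
    return bytes(decrypt_int(c, private_key) for c in blocks)


if __name__ == "__main__":
    public, private = generate_keypair(61, 53)
    cipher = encrypt_bytes(b"board memo", public)   # constructed sample message
    print(public, private, cipher, decrypt_bytes(cipher, private))
```

The point to take from running it: the sender needs only the public pair (e, n); applying that same public exponent to the ciphertext does not give the message back, so knowing the public key is no help to an eavesdropper.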
Third-party applications and other resources used by employees for business without IT department approval.
The approach of using multiple layers of security to maintain protection after failure of a single security component.
Broadcasting personal information about a person or group, usually done by Internet vigilantes or hacktivists. The term comes from “dropping dox” using the slang term for .DOCX, the file extension used by Microsoft Word.
Translating data into unreadable code to keep that data private. See Public Key Encryption for more.
A hardware or software system that blocks unauthorized traffic from entering (or leaving) a network.
In the mid-1990s, cybervandals defaced Web pages operated by the early generation of online businesses. These so-called script kiddies were an annoyance but did little damage. They've since given way to a new class of attacker with more sophisticated software tools and ambitions.
Ethically between black hat and white hat hackers, grey hats exploit system vulnerabilities, which is technically illegal. They tend not to leverage these hacks as a criminal would, but sometimes offer to close the security gap for a fee.
Hacker or group that breaches systems for political, rather than monetary, gain.
Connection of everyday objects with embedded electronics, from smartwatches to pet collars to cars, with each other across modern networks.
A targeted digital attack filled with personal information directed at a specific executive or company.
A method used to improve security by requiring two separate items for access to a resource. These usually include something the user knows (a password or PIN), something the user has (an access card), or something the user is (a fingerprint or retina scan).
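The following is an added example, written for this glossary rather than taken from the report, of how a login combining "something you know" and "something you have" is checked in practice: a salted password hash for the first factor and a time-based one-time code (TOTP, RFC 6238, the scheme used by common authenticator apps) for the second. The user record, the secret and the message values are constructed for the demonstration; only the standard library is used.

```python
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 200_000   # constructed choice for the demo; tune for your hardware
TOTP_STEP = 30                # seconds per code, the usual authenticator-app setting


def hash_password(password, salt=None):
    """Return (salt, derived_key) to store; the password itself is never stored."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password, salt, stored_key):
    # Factor 1, "something you know": recompute the hash and compare in constant time.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored_key)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=TOTP_STEP, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, window=1):
    # Factor 2, "something you have": the device holding `secret` produced `code`.
    # Accept the current step plus/minus `window` steps to tolerate clock drift.
    counter = unix_time // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def login(user, password, code, now=None):
    """Both factors must pass: a stolen password alone does not open the account."""
    now = int(time.time()) if now is None else now
    return (verify_password(password, user["salt"], user["pw_hash"])
            and verify_totp(user["totp_secret"], code, now))


if __name__ == "__main__":
    # Constructed user record; the TOTP seed is the RFC 6238 test secret.
    salt, pw_hash = hash_password("correct horse battery staple")
    user = {"salt": salt, "pw_hash": pw_hash, "totp_secret": b"12345678901234567890"}
    now = int(time.time())
    print("password + current code:", login(user, "correct horse battery staple",
                                            totp(user["totp_secret"], now), now))
    print("password alone, wrong code:", login(user, "correct horse battery staple", "000000", now))
```

The drift window is the design decision worth noting: one step either side keeps legitimate users with slightly skewed clocks from being locked out, while a wider window gives an attacker who has guessed or intercepted a code more time to replay it.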
Malware that appears to be a benign and useful application to encourage users to run the program, which installs the destructive payload.
Computer security experts who penetrate networks to warn companies of gaps that a malicious attacker could exploit. They are often employed by the companies themselves to test the durability of their systems.
An attack that exploits a software vulnerability unknown to the public or undisclosed to the software developer. A zero-day exploit (working code that uses the security hole to carry out an attack) is used or shared by attackers before the developer knows about the vulnerability, and attackers continue to take advantage of it until users apply a patch that closes the hole. The term also covers a cyberattack that exploits a vulnerability the day it becomes known, or even before vendors are aware they have an issue.
1 PwC Global State of Information Security Survey 2015
2 AT&T Security Operations Center
3 PwC US State of Cyber Security 2015
4 “Net Losses: Estimating the Global Cost of Cybercrime,” Center for Strategic and International Studies, June 2014
6 AT&T Security Operations Center
7 AT&T Security Operations Center
8 PwC Global State of Information Security Survey 2015
10 IDG “State of the CSO” survey, 2015
12 PwC 2015 “Progress Stalled” Cybercrime Report
14 Gordon M. Snow, Assistant Director, Cyber Division, Federal Bureau of Investigation, Statement Before the Senate Judiciary Committee, Subcommittee on Crime and Terrorism, Washington, D.C.,
21 Sub-committee chairperson Dana Rohrabacher of the U.S. House of Representatives, United States House (2011-06-30). Communist Chinese Cyber-Attacks, Cyber-Espionage and Theft of American Technology
22 Floor Statement for Sen. Joseph Lieberman, Introduction of Cybersecurity Act of 2012
26 “Sony Hackers Seen Having Snooped for Months, Planted Bomb,” http://www.bloomberg.com/news/articles/2014-12-19/sony-hackers-seen-having-snooped-for-months-planted-bomb
29 https://www.washingtonpost.com/world/national-security/chinese-hack-of-government-network-compromises-security-clearance-files/2015/06/12/9f91f146-1135-11e5-9726-49d6fa26a8c6_story.html
31 CSO-PricewaterhouseCoopers Global State of Information Security, 2015
34 “Comprehensive Study on Cybercrime,” United Nations Office on Drugs and Crime, https://www.unodc.org/documents/organized-crime/UNODC_CCPCJ_EG.4_2013/CYBERCRIME_STUDY_210213.pdf
37 IDC Security Products and Services group
38 The World Privacy Forum
40 “Global Economic Crime Survey,” 2014, http://www.pwc.com/gx/en/economic-crime-survey/
50 PwC “Progress Stalled”
53 PwC's 2014 U.S. State of Cybercrime Survey
54 Interview with M. Overly, Foley Lardner LLP, 8/10/15
60 National Credit Union Administration
67 2014 Bitglass Healthcare Breach Report
77 PwC US State of Cyber Security 2015
79 “IDC Reveals Worldwide Security Predictions for 2015,” IDC, Dec. 11, 2014
80 IDG “State of the CSO” survey, 2015