Helping executives bring major corporations up-to-date on cybersecurity
The consequences of cybercrime can be particularly profound within large corporations, yet in several respects, protection practices are still lagging behind at the corporate level. A recent Boston.com column sought to address the factors underlying this trend and discern what companies can do to strengthen their data protection preparations.
Several recent studies have shown widespread corporate failure when it comes to proactively addressing security woes. The U.S. alone saw 855 data security breaches comprising 174 million records in 2011, according to Verizon, which also reported that 97 percent of these could have been avoided. The average cost of a data breach was $5.5 million in 2011, according to the Ponemon Institute. Nonetheless, Boston.com writer Mark Hatton said, executives are not getting the message.
The writer cited a 2012 Carnegie Mellon CyLab survey that found only 44 percent of executive boards were actively addressing computer and information security. A similar 2011 survey from PriceWaterhouseCoopers found a quarter of executive respondents said their CEO and board performed no regular formal review of cybercrime threats. A majority of respondents in the same survey said they do not have, or are not aware of having, a formal cybersecurity crisis response plan.
Hatton identified three primary reasons corporations have been slow to respond. For many executives, the threat does not register because there has not yet been a problem. These executives believe their current solutions are working, when in reality results are more attributable to luck than effective risk management.
Similarly, many executives do not pay attention to the threat because security is treated as a responsibility for lower-level employees. Security issues may be discussed only rarely, particularly for organizations that lack a dedicated position such as a Chief Information Security Officer. Even those that do have C-suite security staff may dismiss concerns because they are presented in highly technical, hard-to-understand language. Executives may be missing the big picture even if they know about individual risks.
There are other factors as well, Hatton said, not least of which is the sheer complexity of today's data security landscape.
“Corporations are no longer the self-contained, walled cities they used to be,” Hatton wrote. “Because of things like virtualization, the cloud, software-as-a-service, and outsourcing, it's difficult to understand where one company's infrastructure ends and another's begins.”
Despite these challenges, however, the market continues to provide corporations with strong incentive to improve. The PwC report noted that cybercrime now ranks as one of the top four economic crimes globally.
Data Security News from SimplySecurity.com by Trend Micro