
Cyber crime widely under-reported, Isaca study shows

Cyber crime, which is the top cyber threat to business, remains widely under-reported, and only a third of organisations are confident in their ability to detect and respond to threats, a study reveals

Cyber attack vectors remain largely the same year over year, attack volume will increase and cyber crime may be vastly under-reported, according to the 2019 State of cybersecurity study from global IT and cyber security association Isaca.

“Under-reporting cyber crime – even when disclosure is legally mandated – appears to be the norm, which is a significant concern,” said Greg Touhill, Isaca board director, president of Cyxtera Federal and the first US Federal CISO.

“Half of all survey respondents believe most enterprises under-report cyber crime, even when it is required to do so.”

The survey of more than 1,500 cyber security professionals around the world, sponsored by HCL, also reveals that only a third of cyber security leaders have high levels of confidence in their cyber security team’s ability to detect and respond to cyber threats.

The highest levels of confidence are correlated with teams that report directly into the CISO, and the lowest levels are correlated with teams reporting into the CIO. According to the study, 43% of respondents say their teams report to a CISO, while 27% report to a CIO.

“What we can conclude from this year’s study is that governance dictates confidence level in cyber security,” said Frank Downs, director of Isaca’s cyber security practices. “When the cyber security team reports directly to a designated and experienced cyber security executive, team leaders have significantly more confidence in their teams’ capability to detect attacks and respond effectively.”

The survey indicates that enterprises often experience confusion when structuring cyber security with information technology. The survey report points out that a CIO’s main goal is managing and implementing information technology, which is substantially different to securing and protecting it.


Where security reports to a CIO, the survey report said, cyber security can become a secondary consideration, leading to a team’s lack of confidence in being cyber ready. A higher percentage of respondents are confident in cyber security reporting to the CEO than to the CIO, the survey shows.

Part 1 of the Isaca report, released in March, highlighted workforce trends and challenges, while Part 2, released at Infosecurity Europe 2019 in London, covers attack trends.

The second part of the report shows that the top three threat actors remain cyber criminals, hackers and non-malicious insiders.

Phishing, malware and social engineering top the list of prevalent attack types for the third year in a row. Ransomware, however, is significantly down from 2018, with 37% of organisations reporting that they experienced ransomware in last year’s study, compared with 20% this year.

Just under half of organisations report an increase in cyber security attacks on their organisation this year, and 79% say it is likely they will experience a cyber attack next year.

“The cyber landscape is complex. Cyber security, though in focus today, suffers from a siloed and static approach,” said Renju Varghese, fellow & chief architect, cyber security & GRC, at HCL Technologies.

“Many teams are missing the attacks that significantly impact organisations because they don’t have the size or expertise to keep up with the attackers and are overwhelmed. Moreover, their existing security tools and processes are segregated and seldom work in tandem, leaving the teams staring at multiple consoles and drowning in alerts and incidents.”

However, according to Isaca’s Frank Downs, organisations can better prepare for the threats posed by cyber criminals by carefully analysing the variables that contribute to incident susceptibility and team inefficiency.

“Specifically, by analysing key organisational attributes identified in the State of cybersecurity, such as cyber reporting structure, prevalent attack methods and team readiness through a culture of continuing professional education, organisations can increase their resilience to potential incidents,” he said.
