US execs say insider cyber threats more costly; still do not evaluate 3rd-parties

By Chad Hemenway on June 24, 2014


Only about half of 500 US executives in a recent survey said they have a plan for responding to insider cybersecurity threats, with larger businesses holding a better understanding of the cost and damage related to insider events.

According to the results of a survey by PwC, CSO magazine, the CERT Division of the Software Engineering Institute at Carnegie Mellon and the US Secret Service, 49 percent of respondents said they have a plan in place to combat and deal with insider threats while about one-third said insider cyber crimes are more costly than incidents from the outside, such as hackers.

Insiders include current and former employees as well as service providers and contractors.

The survey report calls insider incidents via third-party partners an “indirect path to criminal profit that is increasingly successful because most organizations make no effort to assess the cybersecurity practices of their partners and supply chains.”

The news gets worse, according to the survey results, because the number of organizations that said they evaluate third parties has dropped. Just 44 percent of respondents said they evaluate the cybersecurity of these business partners, compared to 54 percent last year. Furthermore, just 31 percent include cybersecurity provisions in contract negotiations with external business partners.

“The implications are astounding: Two-thirds of organizations that, for instance, push a process to a third-party cloud-computing provider may be doing so without a proper cybersecurity evaluation,” PwC reports. “It is imperative that organizations hold third-party partners to the same—or higher—cybersecurity standards than they set for themselves.”

OTHER SURVEY TAKEAWAYS

  • 69 percent of executives said they are worried cyber threats will impact growth
  • 77 percent detected a cybersecurity event within the last year
  • 26 percent could not identify the source of the attack
  • 67 percent were not able to estimate financial loss
  • 7 percent of US organizations lost $1 million or more due to cyber crime in 2013
  • 19 percent reported losses of $50,000 to $1 million in 2013
  • 72 percent identify outsiders as the source in cybersecurity incidents
  • 28 percent identified insiders

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalism experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824.