Report: Companies unprepared for cybercrime

Hackers rated biggest threat by respondents, but nation-states and organized crime should not be disregarded, Deloitte study says.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

Many organizations are focused on stopping random hackers and blocking pornography when they should be concerned with bigger threats from professional cybercriminals, according to a new cybersecurity report.

A new Deloitte report offers insight into organizations' perceptions on cyber incidents. Deloitte

In a survey conducted last year of 523 IT and security managers, top-level executives, and law enforcement personnel, hackers were rated the biggest threat, followed by insiders and foreign entities--probably because hackers are the "noisiest and easiest to detect," the 2010 CyberSecurity Watch Survey concluded.

However, attackers from nation-states and organized crime syndicates use more sophisticated techniques that can do more economic damage and go undiscovered, said the report, sponsored by Deloitte and conducted in collaboration with CSO Magazine, the U.S. Secret Service, and the CERT Coordination Center at Carnegie Mellon.

The report, which was released Friday, did not discuss who the hackers are exactly or whether they may be working for organized criminals or foreign governments.

"Our view is that the growth of the threat of cyber crime has outpaced that of other cyber security threats...cyber crime constitutes a significantly more common and larger threat than respondents recognize," the report said. "Indeed, driven by the prospect of significant profits, cyber crime innovation and techniques have outpaced traditional security models and many current signature-based detection technologies."

Throwing money at the problem isn't always the best idea, the report concluded. Nearly half of the respondents said they spent a significant amount on IT security last year, $100,000 or more, but many organizations at the same time "neglect simple, inexpensive measures such as patch management, log analysis, privilege restrictions, password expiration, and termination of former employees' access through a robust de-provisioning process," the report said.

The study also found a "likely nexus" between cybercrime and threats like terrorism, industrial espionage, and foreign intelligence services.