PwC Report Shows That Cybercrime Is a Top C-Level Concern

Michael Buckbee
Published April 1, 2016
Last updated June 9, 2023

One metric that’s difficult to gauge when it comes to cybercrimes is the economic impact felt by companies.

However, PwC took on this challenge and just released the results of its 19th Global Economic Crime Survey.

It revealed the kinds of numbers that get the attention of executives, and for public companies, their shareholders as well.

According to the survey, “a handful of respondents (approximately 50 organizations) said they had suffered losses over $5 million; of these, nearly a third reported cybercrime-related losses in excess of $100 million.”

What makes this report different is that instead of trying to estimate the costs of cyber incidents, PwC asked the people at the top what they thought.

Their 6,000+ respondents are heavily weighted towards C-levels and heads of business units. In other words, it’s a survey group that truly understands the operational details of their companies and is in the best position to judge real economic impact.

Cybercrime and Economic Loss

The most significant takeaway from this year’s PwC survey is that cybercrime has jumped into the second slot in the overall list of economic crimes experienced by companies. It is now preceded only by the more traditional crime of asset misappropriation, that is, stealing money.

When PwC surveyed just CEOs, they found that 61% of this group of corporate leaders are concerned with cybersecurity.

This means that executives at the highest levels are feeling the effects of the increased levels of hacking and other cyber activities over the last few years.

Inadequate Response

The PwC report has some equally sobering statistics on how companies are dealing with cybercrime. Only 37% of respondents have a complete incident response plan.

One of the problems in getting these plans operationalized is that the staffing levels are inadequate. The report has found that just 40% of those surveyed had a fully-trained response team.

Perhaps even more striking is the lack of IT leadership in the high-level management that’s brought in to deal with these attacks and their aftermath. Less than half of first responder teams include IT executives. For the record, these teams are made up mostly of senior management (46%), legal (25%) and HR (14%).

PwC says that data breach responses that are not completely coordinated with all the relevant players — more specifically, IT — “might also limit the organization’s ability to investigate all the areas that have actually been breached, especially critical considering hackers’ frequent use of diversion techniques.”

Without IT’s expertise and involvement from the beginning, PwC notes that forensic information is neglected and perhaps even lost.

A Real Defense

PwC is also very blunt about other causes behind this inadequate cyberthreat response: they’re just not getting the basics right!

A few of the more prominent security lapses they found include: poor system configurations, inadequate controls, and other “unforced errors” being made.

In the IT security world, we call this block-and-tackle defense — typically addressing low-hanging fruit such as requiring longer user passwords, better controls of privileged accounts, and tighter file access requirements.

As the PwC report suggests, when you don’t get the basics right, you’ll have to deal with real economic loss.

Their recommendations call for a multi-tiered defense that includes buy-in at the highest management levels (and even the board of trustees!) for a cybersecurity strategy, tougher risk assessments and IT audits, and implementing effective monitoring processes.

The Varonis Answer

When you’ve been in the data security business as long as we have, you’ll find nothing controversial about PwC’s recommendations.

Better risk assessments, improved data protection, and better monitoring are what we’ve been focusing on since the beginning of Varonis. However, unlike everyone else in the security business, we believe the file system is where these ideas need to be implemented.

Most breaches today involve the theft of unstructured data. In fact, we read now about serious data breaches occurring almost daily involving theft of passwords, credit card numbers, or email addresses found in plain text within files. In many cases, attackers easily penetrate external defenses (through phishing or injection), and once inside they have broad access to this sensitive data that’s scattered across the file system.

And as the PwC report makes clear, this data is valuable to hackers – either as monetizable PII or IP that could lead to corporate extinction if stolen.

While companies may be monitoring networks for unusual activity or scanning for known viruses, they’re generally unequipped to spot the newest generation of stealthy malware and, even more ominously, the recent arrival of malware-free exploits.

In short: companies have a huge and costly blind spot when it comes to protecting their unstructured information repositories.

Monitoring a file system for unusual activity, as PwC recommends, is easier said than done. This is where Varonis has a unique enterprise-class solution that addresses this problem. Our DatAlert product is based on User Behavior Analytics (UBA) technology, which watches user file activity and baselines what users are doing to detect things that don’t look normal.

We can spot hackers who are inside your systems as well as employees who become threats, thereby reducing risks of data exposure.

UBA is a fairly new term, but in fact Varonis has a long and successful track record of using this technology. Our DatAdvantage recommendations and alerts are two examples that have been proving themselves for years. Our software has been tracking and analyzing behavior that no one else does: user access to unstructured data, like files and emails.

The PwC report is, in practical terms, good news for corporate data security. CEOs and other C-levels now see cybercrime as a strategic issue that requires significant resources: staffing, planning, and money.

We also agree with PwC, as do many other security standards groups (see, for example, NIST and SANS), that monitoring is the key to real-world security. While we may never be able to prevent hackers from getting inside, Varonis can limit the damage and ultimately reduce the bottom-line costs of data breaches for companies.
