Companies Unprepared as Hacking Increases
Data breaches exposed information on half of U.S. adults in 12 months, study shows.
Roughly 47 percent of U.S. adults have had their personal information exposed by cyberattacks.
Hacking increased so much this past year that approximately half of U.S. adults had their information stolen, yet less than half of U.S. companies have taken enough precautions to protect consumer data, two separate studies report.
During the past 12 months the news has been filled with reports about hackers stealing credit card data, online account passwords and other personal information. These included data breaches of networks at retailers like Target and Michaels, along with the Heartbleed security gap that made software vulnerable to spying and online theft.
In the latest security incident on May 21, eBay wrote a blog post asking all its users to change their passwords “because of a cyberattack that compromised a database containing encrypted passwords and other nonfinancial data.”
There was no evidence of unauthorized activity following the hack, the company added.
Approximately 110 million people, or 47 percent of U.S. adults, have had their personal information exposed by such attacks, according to a study by CNNMoney and the Ponemon Institute, a cybersecurity research firm. Attacks will likely become more frequent as Internet and mobile device use grows, but hacker culture is also becoming more sophisticated, CNNMoney reports.
Hackers are always trying to stay a step ahead of cybersecurity fixes to halt their attacks, but companies are lagging behind trying to protect themselves, according to PricewaterhouseCoopers’ 2014 U.S. State of Cybercrime Survey published Wednesday.
Less than half of companies in the cybercrime survey took necessary steps to protect themselves, as only 38 percent prioritized security investments based on the risks to their businesses, and only 31 percent have a security strategy for the rapidly growing mobile sector.
Businesses are unprepared in part because of poor cybersecurity training at colleges, which teach “cybersecurity specialists” tech policy but not enough technical expertise, says Alan Paller, co-chairman of the Secretary of Homeland Security's Task Force on CyberSkills, which advises how to train cybersecurity professionals. Security training was not provided for new employees at 54 percent of the businesses in the PricewaterhouseCoopers survey.
“Colleges are creating people who can tell you about security but they cannot fix the system,” says Paller, who has consulted Senate staff on matters including the Cybersecurity Act of 2010.
Many cybersecurity specialists with practical computer expertise “are not coming out of academia – they are a lot of self-taught people,” says Paller, founder of the SANS Institute cybersecurity training school.
Failure to protect a network from security gaps at partner companies is also a problem, as only 27 percent have incident response plans with businesses in their supply chain, and only 44 percent evaluate the cybersecurity of third-party companies they work with, the PricewaterhouseCoopers survey shows. The five most used hacks reported were malware, phishing emails that send malicious links, network interruption, spyware that tracks computer activity and denial-of-service attacks that overload Web traffic.
Congress has hammered retailers including Target in recent months about failure to prevent data breaches, but lawmakers in recent years have failed to pass legislation that would set cybersecurity standards for businesses. The Obama administration has encouraged companies to share information about online threats, issuing guidance that collaboration on that issue would not be an antitrust concern.
In an effort to share online threat information, retailers including Target, Gap and Nike partnered with the Retail Industry Leaders Association on May 14 to form the Retail Cyber Intelligence Sharing Center. Only 25 percent of companies in the PricewaterhouseCoopers survey participate in such arrangements that share threat data with similar businesses in their sector.
Lack of technical expertise among cybersecurity specialists can make information sharing arrangements between companies inadequate to protect consumers, Paller says, explaining that staff may lack computer and coding skills to make use of shared data on threats.

