Driving cybersecurity advances in an interconnected world Key findings from The Global State of Information Security Survey 2015

Transcription

1 Driving cybersecurity advances in an interconnected world Key findings from The Global State of Information Security Survey 2015 Technology advances like telematics, networked manufacturing tools, and sensorbased equipment are transforming how automotive companies produce vehicles and work with business partners. But, as always, with change comes challenge. Technology trends have helped create a raft of cybersecurity risks that could jeopardize the corporate and customer data of automotive businesses. Consider the following: Over the past year, adversaries have stolen customer data by infiltrating website servers, hijacked social media accounts, and leaked internal business information to competitors. // 1

2 Many cyber attacks against automotive companies made the news in the past year, but they have been largely overshadowed by a frenzy of media reports on risks associated with Internet-connected vehicles. Security experts have proved that hackers can remotely access the computer systems of connected automobiles and control vehicle components or steal private customer data collected by on-board computer systems. To date, no car has been commandeered by hackers. Yet the risk is very real as cyber adversaries increasingly target automotive companies and the advances from concept to corporality. Risks to automotive businesses are becoming more persistent and dynamic, and the interconnectivity of vehicle information systems will only augment the impact of these threats, says Rik Boren, a Partner in PwC s sector focused on cybersecurity and privacy. The long life cycle of an automobile, along with the increased use of technology in vehicles, means that companies must invest heavily in security personnel and processes to design vehicles that are secure from concept to implementation. GSISS 2015: results at a glance Click or tap each title to view data 5K 4K 3K 2,669 3,514 Incidents 2.2M Sources of incidents 3.2M Security spending 3M 2M 1M While it s no longer possible to protect all data, networks, and applications at the highest level, a proactive cybersecurity program will help automotive businesses prioritize protection and more quickly react to incidents that are all but inevitable. It will also be key to protecting the connected cars of today and the autonomous autos of tomorrow. Average number of detected incidents Estimated total financial losses // 2

3 Many cyber attacks against automotive companies made the news in the past year, but they have been largely overshadowed by a frenzy of media reports on risks associated with Internet-connected vehicles. Security experts have proved that hackers can remotely access the computer systems of connected automobiles and control vehicle components or steal private customer data collected by on-board computer systems. To date, no car has been commandeered by hackers. Yet the risk is very real as cyber adversaries increasingly target automotive companies and the advances from concept to corporality. Risks to automotive businesses are becoming more persistent and dynamic, and the interconnectivity of vehicle information systems will only augment the impact of these threats, says Rik Boren, a Partner in PwC s sector focused on cybersecurity and privacy. The long life cycle of an automobile, along with the increased use of technology in vehicles, means that companies must invest heavily in security personnel and processes to design vehicles that are secure from concept to implementation. GSISS 2015: results at a glance Click or tap each title to view data 60% 50% 40% 30% 34% 37% 31% 35% Incidents 28% 33% Sources of incidents Security spending 51% 57% While it s no longer possible to protect all data, networks, and applications at the highest level, a proactive cybersecurity program will help automotive businesses prioritize protection and more quickly react to incidents that are all but inevitable. It will also be key to protecting the connected cars of today and the autonomous autos of tomorrow. Current employees Former employees Hackers Third-party service providers, suppliers, contractors, business partners // 3

4 Many cyber attacks against automotive companies made the news in the past year, but they have been largely overshadowed by a frenzy of media reports on risks associated with Internet-connected vehicles. Security experts have proved that hackers can remotely access the computer systems of connected automobiles and control vehicle components or steal private customer data collected by on-board computer systems. GSISS 2015: results at a glance Click or tap each title to view data 7M 6M 6.1M 5.1M Incidents Sources of incidents Security spending To date, no car has been commandeered by hackers. Yet the risk is very real as cyber adversaries increasingly target automotive companies and the advances from concept to corporality. Risks to automotive businesses are becoming more persistent and dynamic, and the interconnectivity of vehicle information systems will only augment the impact of these threats, says Rik Boren, a Partner in PwC s sector focused on cybersecurity and privacy. The long life cycle of an automobile, along with the increased use of technology in vehicles, means that companies must invest heavily in security personnel and processes to design vehicles that are secure from concept to implementation. 5M 4.2% 4.6% 5% 4% 3% While it s no longer possible to protect all data, networks, and applications at the highest level, a proactive cybersecurity program will help automotive businesses prioritize protection and more quickly react to incidents that are all but inevitable. It will also be key to protecting the connected cars of today and the autonomous autos of tomorrow. Average annual information security budget Information security spend as percentage of IT budget // 4

5 companies report double-digit increases in detected incidents and financial losses. The Global State of Information Security Survey (GSISS) shows that, among 173 worldwide automotive respondents, the number of incidents detected in climbed 32% over the year before. (We define a security incident as any adverse incident that threatens some aspect of computer security.) While this acceleration in incidents undoubtedly reflects increased activity of cyber adversaries, detected compromises also may be rising as businesses deploy network monitoring and logging technologies. These tools enable automotive companies to discover more incidents, after all. Insiders like current and former employees remain the most frequently cited culprits of security incidents. That s not to say that all employees are deliberately careless or malicious, however. Increasingly, external threat actors leverage social engineering to steal credentials of employees with privileged access to data and networks, and then use that information to infiltrate the organization s networks. Last summer, for instance, hackers mounted a spear-phishing campaign to successfully penetrate the networks of automotive companies in four European nations 1. Not all insiders are employees, however. executives are increasingly worried about threats that can arise from sharing networks and data with external service providers, contractors, and suppliers. They know that business partners can be a weak link through which adversaries gain a foothold on the organization s ecosystem for long-term exfiltration of sensitive business data. This year, more than half (57%) of automotive respondents attribute security incidents to these de facto insiders. Employees are the most-cited culprits of incidents, but incidents caused by hacktivists and competitors are rapidly increasing. 1 Symantec Corp., European automobile businesses fall prey to Carbon Grabber, August 22, // 5

6 The number of incidents attributed to activists and hacktivists almost doubled over, making this sophisticated class of adversaries the fastest-growing source of incidents. We also noted a significant jump in compromises attributed to competitors. Increasingly, automotive executives are concerned that rivals including those that may be backed by nation-states are infiltrating their networks to pilfer trade secrets, product designs, and communications regarding mergers and acquisitions. They also may convince financially motivated employees to leak valuable business information. The fastest-growing sources of security incidents Increase over 84% 80% 70% 63% 60% Whatever the source, these increases in compromises come at great cost: Financial losses attributed to security incidents soared 47% over. 28% 19% 15% Activists/hacktivists Competitors Organized crime Former service providers/consultants/ contractors Hackers // 6

7 Following huge increases in, information security budgets decline this year. Despite the rise in detected incidents and the attendant financial costs, most automotive companies have trimmed their information security budgets. In fact, security spending declined 16% in. It s worth noting, however, that automotive companies boosted security spending by a hefty 93% in. Given the uncertain economic recovery, some may have been hardpressed to continue investment at that pace. We have also seen some automotive companies transfer responsibility for vehicle security development from the IT function to the research and development (R&D) and design divisions. As a result, the funds invested in security for invehicle communications and telematics may no longer be tallied under the CIO s budget. Some automobile companies are shifting vehicle security responsibilities and security budgets from IT to the R&D and design divisions. This is a logical approach for companies that view vehicle security and corporate IT security as separate matters. The challenge, however, is that business units may not adequately communicate vehicle security initiatives, which can lead to a disjointed approach to overall security. So while it might make sense to develop automobile security outside the sphere of traditional IT, a holistic security practice will require coordination and communication between functions. // 7

8 Individual automobiles, automotive operational systems, and IT are increasingly interconnected and at risk. Risks to data security, privacy, and even human safety will very likely expand as the connects more invehicle devices with automotive IT and operational systems. Today, most vehicles contain dozens of computers that are often linked to one another and communicate wirelessly with the outside world. It has been widely reported that hackers can remotely access these components to control the brakes, steering, and even engines with potentially fatal results. What s more, some connected automobiles automatically link to the automaker s IT and operational systems for firmware updates, maintenance monitoring, and real-time communications. This pervasive interconnectivity has created an environment in which individual automobiles, IT systems, and operational machinery are increasingly interconnected and vulnerable to cyber threats. It s a risk that many automotive executives seem to understand. In fact, 43% of survey respondents say they have already implemented a security strategy for the convergence of information, operational, and consumer technologies; an additional 26% say they are developing a framework. If these numbers seem high, they very well may be. A closer look at survey data reveals that many respondents do not have security strategies for the technologies that underpin the. Only 48% have a security strategy for cloud computing and just 46% have a security framework for Big Data. These findings suggest that, while automotive companies are beginning to consider a strategy for convergence, they have not integrated the discrete components into a holistic framework. 46% 48% Many businesses have already begun the race toward technology convergence by offering telematics and real-time vehicle diagnostics services. 55% 55% Strategies for technologies that underpin the Have a security strategy for: Big data Cloud computing Mobile devices Employee use of personal devices on the enterprise // 8

9 Nonetheless, automotive manufacturers have already begun the race toward convergence. Almost half (45%) of automotive respondents say they produce or sell in-vehicle products or services that enable telematics, and 61% report they are involved in interactive, real-time vehicle-system diagnostics services. Not all have worked out the security and privacy details, however. When asked if they are positioned to securely provide the services they already offer, 31% of respondents say they were not or did not know. An integrated security strategy should identify sensitive data, determine ownership, and define accountability before consumer and operational technologies are connected to the IT system. The first steps will be to identify the organization s most valuable assets and determine who owns responsibility for them. That will become increasingly challenging as more electronic data is shared among a new constellation of partners and original equipment manufacturers (OEMs). It s also an area in which there is great room for improvement: We found that 58% of respondents have a program to identify sensitive assets and fewer (56%) have conducted an inventory of all third parties that handle personal data. Managing risks will require an integrated strategy that balances threats with protracted component testing timelines and product lifecycles. The truth is, many companies may have a policy that calls for assessment of third-party partners security capabilities but they may not proactively execute these procedures or may over-emphasize end-point security. As consumer demand drives implementation of new invehicle technologies and services, businesses will need to develop an integrated security strategy that balances today s threats with protracted component testing timelines and product lifecycles. Doing so will require more than technology. Development of new components may span several years, and entirely new types of cybersecurity threats may arise along the road from concept to implementation. The numerous handoffs that occur during product development will demand strong, proactive processes in addition to advanced technologies. // 9

10 Many organizations do not adequately assess the security practices of connected business partners. The rapidly expanding will demand that automotive companies implement policies, procedures, and technologies to address shared threats that result from converged technologies. Judging from survey responses, this will likely be a challenge for many businesses. Already, threat actors leverage supply chain partners with less-robust security programs to gain access to the networks of their automotive business partners. In addition to the increase in incidents attributed to third parties, we also saw a 44% jump in respondents who say their network was exploited. The latter suggests that adversaries are leveraging the connected ecosystem to gain access to automotive manufacturers networks and data. In particular, many companies are concerned that adversaries are targeting suppliers to infiltrate their ecosystems. Despite modest steps toward enting and detecting third-party compromises, much remains to be done. More than ever, threat actors are leveraging the digitally connected business ecosystem to access automotive companies networks and data. // 10

11 Shortcomings in key safeguards for third-party security & privacy 55% 54% 50% 57% 55% 56% Established security baselines/standards for external partners/customers/suppliers/vendors Require third parties to comply with privacy policies Have an inventory of all third parties that handle personal data of employees & customers 53% 49% 46% 52% Incident response process to report & handle breaches to third parties that handle data Risk assessments on third-party vendors Despite modest steps toward enting and detecting third-party compromises, much remains to be done. Case in point: Only 52% of respondents say they perform risk assessments on third-party vendors. And many are falling short of the most basic safeguards: 43% of respondents have not implemented security baselines and standards for third parties. Monitoring for threats is key to detecting suspicious activity, yet fewer than half of respondents monitor and analyze information security intelligence such as log files, and just 55% perform threat assessments. Even companies that assess and monitor the security capabilities of third-party partners often do so without rigor. Businesses may, for instance, perform a cursory security assessment with little or no follow up. Because risks and threat actors constantly evolve, curbing risks associated with third parties will require a thorough and continuous assessment of each partner. Furthermore, many third-party contracts lack specific language around breach notification or the safeguards required. // 11

12 Many organizations show progress in some fundamental security practices. Despite declines in some security safeguards, incremental improvements in key areas suggest the automotive industry is beginning to take a more strategic approach to information security. It all starts with a strategy and a top-down commitment to security. This year, 80% of respondents say their organization has implemented an overall information security strategy. Another practice that is critical to success is hiring a Chief Information Security Officer (CISO) who is in charge of the security program, a tactic that 79% of automotive businesses have embraced. An effective security program also will require top-down commitment and communication of information security fundamentals and priorities. businesses have made solid progress in this measure: 70% of respondents have a senior executive who proactively communicates the importance of information security to the entire enterprise. Communications also should flow upward to the Board of Directors to ensure that members have the information they need to manage cyber risks. Despite recent high-profile breaches, however, many companies have not yet elevated security to a Board-level discussion. Fewer than half (47%) of respondents say their Board participates in the overall security strategy, while 48% say the Board has a hand in the security budget. Only one-third say the Board is involved in reviews of current security and privacy risks a crucial component of any effective security program. Sharing information about security internally and externally has become increasingly important as cyber threats, technologies, and vulnerabilities evolve at lightning speed. Employee training and awareness is particularly important because the weakest link in the security chain is often human. So it was a bit worrisome to find that the number of respondents who have an employee training program in place dropped to 50%, from 55% in. 79% of automotive companies have hired a CISO to oversee their security program. // 12

13 Gains in strategic security practices 74% 68% 61% 80% 79% 70% Have an overall security strategy Have a CISO in charge of information security Have a senior executive who proactively communicates the importance of security 47% 50% 50% 58% 58% 55% Collaborate with others to improve security Have a program to identify sensitive assets Have purchased cyber insurance // 13

14 Externally, sharing information among public and private entities has enabled businesses to gain actionable intelligence on threats and response tactics. Among our survey respondents, 58% say they collaborate with others to share security intelligence and tactics. That s an improvement over last year, and the commitment to collaboration will likely continue to grow. The Alliance of Automobile Manufacturers and the Associate of Global Automakers recently created an Information Sharing and Analysis Center (ISAC) that aims to provide a forum for security researchers to share their findings, address vulnerabilities, and issue incident alerts. Finally, businesses are finding that cyber insurance can be an effective way to help manage threats and mitigate financial losses of cyber attacks. It s an option that has received considerable attention as recent victims of highprofile breaches reported that they expect to recover tens of millions of dollars in mitigation costs through insurance policies. Linking information security and risk As security incidents continue to proliferate, it s becoming clear that cyber risks can never be completely eliminated. Protective measures remain important, of course, but they cannot reliably be guaranteed to stop determined and highly skilled adversaries. Consequently, many automotive businesses may need to reposition their security strategy by more closely linking technologies, processes, and tools with broader riskmanagement activities. Effective cybersecurity will require up-to-date processes, trained personnel, and tools to detect, analyze, and respond to today s incidents. While a well-designed cybersecurity program will not totally eliminate risk, it can enable automotive companies to better manage threats through an informed decision-making process, boost efficiencies in security practices, and create a more resilient security practice. Businesses are adopting overall security strategies, improving communications, and collaborating with others to share threat intelligence. This year, 55% of automotive respondents say they have purchased cybersecurity insurance, up from 50% in. Perhaps more significant is the finding that some companies are leveraging cyber insurance as a means to improve their security program. Almost half (46%) say they have taken steps to enhance their security posture in order to lower insurance premiums. // 14

15 To have a deeper conversation about cybersecurity, please contact: United States Rik Boren Partner rik.boren@us.pwc.com Ryan Bachman Director ryan.j.bachman@us.pwc.com Kristin McCallum Ritter Director kristin.m.ritter@us.pwc.com Larry Wiggins Director larry.wiggins@us.pwc.com // PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see for further details. PwC helps organisations and individuals create the value they re looking for. We re a network of firms in 157 countries with more than 195,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at PricewaterhouseCoopers has exercised reasonable care in the collecting, processing, and reporting of this information but has not independently verified, validated, or audited the data to verify the accuracy or completeness of the information. PricewaterhouseCoopers gives no express or implied warranties, including but not limited to any warranties of merchantability or fitness for a particular purpose or use and shall not be liable to any entity or person using this document, or have any liability with respect to this document. The Global State of Information Security is a registered trademark of International Data Group, Inc. LA km // 15