Are European companies equipped to fight off cyber security attacks?

Transcription

1 A Steria Report Are European companies equipped to fight off cyber security attacks? In collaboration with PAC

2 2 Are European companies equipped to fight off cyber security attacks? Are European companies equipped to fight off cyber security attacks? 3 Contents FOREWORD 03 OBJECTIVES AND METHODOLOGY 04 EXECUTIVE SUMMARY 06 PART 1: CHANGES IN THE THREAT ECOSYSTEM 11 European companies are predominantly concerned about internal attacks 12 European companies are still relatively unconcerned about organised crime and state-sponsored attacks 13 Data theft remains a major concern and will continue to be so 15 PART 2: SECURITY STRATEGIES ARE BECOMING GLOBAL 16 Security strategies are defined and have far-reaching ambitions 17 The high degree of importance accorded to security favours ambitious strategies 19 PART 3: INCREASING RESOURCES AVAILABLE FOR SECURITY 20 Budgets are still weighted in favour of security 21 Companies remain optimistic about their ability to attract talent 22 PART 4: SIGNIFICANT GROWTH IN THE IMPLEMENTATION OF SECURITY SOLUTIONS 24 PART 5: STILL ROOM FOR IMPROVEMENT IN PERFORMANCE MEASUREMENT 27 PART 6: OUTSOURCING IS BECOMING A GENUINE ALTERNATIVE 29 Although no single model dominates as yet, outsourcing is gaining support 30 Future prospects 31 A call for security experts to review their approach in the light of the sensitive nature of their business 33 PART 7: QUESTIONS OF SECURITY: ARE COMPANIES BETTER PROTECTED THAN BEFORE? 34 Despite the growing cyber security threat, confidence remains high 35 Companies do not have extensive cyber security risk insurance cover 36 CONCLUSIONS AND RECOMMENDATIONS 37 GLOSSARY OF TERMS 40 Digital has opened up new ways of working and interacting socially. It has created open, collaborative and connected virtual environments on top of our physical environments. It has enabled electronic document exchange, mobility, cloud computing and social networks. But at the same time, it has opened up new prospects for malevolent acts. Cyber-related risks are greater than ever. It has been estimated that in 2012 the world saw a staggering 42% increase in targeted attacks compared to 2011, $110 billion worth of financial losses due to cyber attacks and more than $200 billion lost due to online fraud. Attacks are becoming more diverse, complex and professional on a daily basis, with increasingly serious effects on business and finance, as well as on firms competitiveness and reputations. Given this alarming state of affairs, we must ask whether companies have fully grasped the scope of the attacks with which they are increasingly being faced. Are they properly equipped to deal with major crises? Even if complete protection is not possible, have they put in place the resources, solutions and governance needed to provide the best possible prevention, detection and protection? Do they have access to appropriate resources and offerings from security experts? Steria has surveyed 270 public and private sector organisations across Europe, lifting the veil on how Europe s firms are positioned today in terms of cyber security. We have also assessed what short- and mediumterm trends these organisations foresee. To be able to make the most of all the business opportunities in our multi-faceted digital world, the key is to be properly armed for cyberwarfare, without making things too complex or cumbersome. Patricia Langrand Executive Vice President Group Business Development & Marketing, Steria Florent Skrabacz Head of Security Business, Steria

3 4 Are European companies equipped to fight off cyber security attacks? Are European companies equipped to fight off cyber security attacks? 5 2% 36% 33% 22% 40% Between 500 and 1,000 employees Between 1,000 and 5,000 employees More than 5,000 employees Steria, a European leader in IT and business services, has worked with Pierre Audoin Consultants (PAC) to publish this independent report on cyber security. The report is based on a survey of 270 security decisionmakers in France, the United Kingdom, Germany and Norway. They represent small and medium companies, as well as large organisations working in all areas of activity. In this context, companies refers to both private and public-sector organisations. Large companies are defined as those with more than 5000 employees. Except where otherwise stated, all figures used in this report have been taken from this survey. The survey comprises a quantitative phase and a quantitative phase. The quantitative phase draws on 250 telephone interviews conducted as follows: 70 interviews in France, 70 in the UK, 17 in Germany and 40 in Norway. PAC also conducted 20 in-depth face-to-face interviews. Based on the same questionnaire as the quantitative interviews, these were an opportunity for security decision-makers from large companies and specialised government bodies to discuss their cyber security strategy and how it is implemented. This report provides an outlook on cyber security strategies and models for the next three years. Its purpose is to reveal how current and future threats are actually perceived by companies in Europe and the appropriateness or otherwise of the resources brought to bear. Are European companies equipped to fight off cyber security attacks? 62% 6% Norway France UK Germany 6% 67% 78% 60% Figure 2 : Distribution by size and country (n = 270) 6% 11% 6% Between 500 and 1,000 employees Between 1,000 and 5,000 employees More than 5,000 employees 12% 21% 12% 27% 20% 63% 10% Banking Insurance Manufacturing Public sector Retail Services Telecom Transport Utilities Figure 3 : Distribution by business sector (n = 270) Figure 1 : Size of organisations surveyed (n = 270)

4 6 Are European companies equipped to fight off cyber security attacks? Are European companies equipped to fight off cyber security attacks? 7 As concerns about the impact of cyber security rise in tandem with the uptake of digital technologies, this report sets out to examine where European companies currently stand in their defence of corporate assets and reputations. What measures do they have in place and how great an understanding is there of the scope and scale of cyber-related risks? The 270 security decision makers who took part in our survey across both public and private sector organisations revealed a number of challenges and opportunities in the corporate fight against cyber crime. European companies are confident about their future security in terms of available resources, funding, and their ability to withstand major risks 1.European companies have not yet fully grasped the scope of the attacks to which they will be increasingly exposed 2.European companies appear extremely unruffled about the prospect of a major security crisis; 90% of them believe they are capable of dealing with one. One in five of the larger companies identifies a lack of experienced security resources as one of their main risks, but 85% of respondents believe that within the next three years they will have good access to the necessary skills. Security budgets have not been cut and are likely to remain protected: less than one third of the companies surveyed anticipate cuts. 85% of the respondents are of the opinion that they will have an appropriate security budget over the next three years. Maintaining these budgets is, however, accompanied by cost control, with cost KPIs in place in over half of the companies surveyed. Despite the growing number of external attacks, European companies are still more concerned about internal attacks. More than 50% of companies still see external attacks as accounting for less than 20% of the threat. Despite the fact that organised crime and state-sponsored attacks are becoming an increasing and genuine threat, these types of attack are still of relatively little concern to European companies in the short and medium term. Overall, less than 15% of companies believe that, either currently or in the next three years, they will have to deal with organised crime; less than 6% believe they will have to deal with state-sponsored attacks. Only the largest organisations are starting to become concerned about this type of attack: 19% of them believe they will be faced with attacks from organised crime within the next three years, and 18% believe they will be faced with state-sponsored attacks. Data theft is a major concern and is likely to remain so. 60% of the companies surveyed say that data theft is one of the three most significant risks keeping them awake at night, and is set to remain so over the next three years. The impact of Prism, Bullrun, and Mandiant is clearly evident. Advanced Persistent Threats (APTs), a three-letter threat that should have heads of security quaking in their boots, has not yet been identified as one of the major risks. Only 12% of the companies identified APTs as one of the three chief threats. However, 35% of the largest companies are concerned about APTs.

5 8 Are European companies equipped to fight off cyber security attacks? Are European companies equipped to fight off cyber security attacks? 9 It is unclear whether this show of confidence is backed up by reality. Many companies have not taken the most basic ad hoc measures to deal with crises Companies mostly adopt a self-reliant approach when dealing with risks 3.24/7 security is not yet standard: only one quarter of the companies surveyed have implemented it. Fewer than half of the largest companies benefit from this level of protection. As yet, companies have little insurance cover for cyber security risks and have not taken out this type of policy; two thirds of them do not plan to take out specific insurance in the future. Cyber risk insurance has not yet found its market: policies are seen as being too complex, with too many exclusions. Changes in cyber security strategy are not predominantly driven by changing cyber risks or the need to protect against cyber threats. Strategic priorities are directed more at risks arising from the use of new information and communication technologies, particularly with mobility and Bring Your Own Device (BYOD) policies. 4.European companies identify a number of structural barriers to outsourcing (security criticality, giving priority to internal resources, etc). Only one in five of the largest companies would have no problem in outsourcing. There is a perceived lack of maturity in industry offerings: 20% of companies (and one in four large companies) have not yet found the right outsourcing offering for their requirements. Looking forward, however, companies believe they will be more willing to envisage outsourcing; almost three-quarters of them believe that they will outsource part of their security operations in the future. The most compelling argument in favour of outsourcing is cost reduction. For companies with over 5000 employees, however, improvements in attack detection rank second.

6 10 Are European companies equipped to fight off cyber security attacks? Are European companies equipped to fight off cyber security attacks? 11 PART 1 The relationship between companies and their security partners will need 5.to change in coming years Changes in the threat Ecosystem Within the next five years, more than one enterprise in four (and more than one large enterprise in three) believe that security is likely to be dealt with mainly by external providers. Over the same period, co-operation between companies in the same business sectors is predicted to become a reality: 15% of companies think they will end up pooling security resources with other players in their sector. Security as a service has not yet achieved market maturity. Less than 10% of companies have bought security as a service or plan to do so in However, companies of all sizes are open to this possibility in the future. Over 40% of all companies have already done so, or plan to do so ultimately.

7 12 Are European companies equipped to fight off cyber security attacks? Are European companies equipped to fight off cyber security attacks? 13 European companies are predominantly concerned about internal attacks European companies are still relatively unconcerned about organised crime and state-sponsored attacks 54% of European companies believe that 80% of the threat is originated internally The rule of thumb stating that 80% of the threat is internal is still largely true, despite the development of external attacks. Threats to IT systems ( Menaces sur le système informatique ), published on September 12, 2006 by France s National Defence General Secretary, states that between 70 and 80% of cases involving known threatening elements [...] are internal in nature. Another survey conducted in 2012 (PwC s Global State of Information Security 2012) indicated that 31% of security incidents originating internally were attributed to employees, 27% to former employees and 16% to companies providers. Today, despite external attacks growing in number and becoming increasingly diverse and complex, internal attacks are still perceived as the predominant security threat by companies, especially smaller ones. Indeed, more than 50% of companies (and 62% of smaller ones) believe that external attacks account for less than 20% of their overall threats. Almost all companies are more concerned about internal attacks. Indeed, internal threats in one form or another are a concern for all companies monitoring and controlling employees to counter these threats. Only in highly exposed large companies is the threat of external attacks deemed to be significant: 17% of companies with more than 5000 employees see external attacks as accounting for more than 50% of the total threat. Even though the threat of organised crime and state-sponsored attacks has been shown to be increasingly real, European companies are still relatively unconcerned about these in the short and medium term, particularly smaller companies. Hactivism (where a computer system is hacked for a political or socially-motivated purpose) is by far the greatest external source of concern for companies now and for the next three years. 64% of large companies expect to have to deal with this within the next three years, compared to 51% of all respondents. The contrast is even sharper when considering two specific types of threat: those that require resources capable of being brought to bear only by groups supported by nation states and those represented by organised crime. Indeed, despite the scope of the threat, just 18% of large companies believe that they will be faced with state-sponsored attacks within the next three years; 19% of them believe that they will have to deal with attacks conducted by groups with links to organised crime; for the sample as a whole, the figures are 6% and 14% respectively. It is worth pointing out that all companies perceive attacks by competitors as a significant threat; (22% believe they are exposed to such threats). Against a background of harsh economic conflict, large companies are confronted with increasingly offensive action. This is indicated by the head of security for a French energy group when detailing the external threats to which he believes his organisation will be exposed over the next three years: Since we are in competition for contracts worth billions worldwide, I would list attacks supported by nation states, organised crime and, increasingly, attacks by competitors, with the boundaries between these different players becoming increasingly blurred. The Prism affair, in which US security agencies had reportedly been spying on other countries electronic data, also brought to light a new form of cyber attack driven by intelligence operations. It has raised the issue of the confidentiality of private and professional data online and, even more so, the control of storage and access to this data. In the wake of such cases, the increase of cyber threats is a trend that is being taken extremely seriously by the highest international bodies. The 2013 Global Risks report published by the International Monetary Fund (IMF) claims that cyber threats are the foremost worldwide technological risk, with cyber attacks and massive data theft leading the pack. 15% 3% 32% 50% Less than 20% Between 20 and 50% Between 50 and 80% More than 80% Data theft is the primary concern and is set to remain so for Figure 4 : Large companies estimate of the percentage of external attacks as a total of all the IT security threats they face 60% of the companies surveyed

8 14 Are European companies equipped to fight off cyber security attacks? Are European companies equipped to fight off cyber security attacks? 15 Hacktivism Competitors Criminal individuals Organised crime State-sponsored attacks Other None of them Today In 3 years 15% Today In 3 years Today In 3 years 4% 19% 14% 9% 15% 18% 2% 23% 4% 2% 1% 1% 4% 11% 12% 22% 19% 8% 8% 16% 84% 15% 26% 27% 14% 15% 15% 14% 31% 42% 24% 23% 60% 64% 35% 31% 42% 46% Between 500 and 1,000 employees Between 1,000 and 5,000 employees More than 5,000 employees Figure 5 : Breakdown of origins of external attacks faced by organisations today and predicted in three years time Today In 3 years 48% 22% 22% 15% 12% 5% 2% 51% 24% 24% 30% 14% 6% 1% The impact of Prism, Bullrun and Mandiant are clearly evident. Data theft remains a major concern and will continue to be so In the wake of the Prism, Bullrun and Mandiant affairs, data theft remains a major concern and is likely to remain so. 60% of companies see data theft as the risk most likely to keep them awake at night. Large companies are less worried than the others, but this is still the case for 45% of them. The results of the survey indicate a uniform perception of major security risks by all companies. The risk of data theft is followed by damage to reputation (30%) and IT espionage (26%) as top concerns. These findings show that Europe s companies are concerned mainly about protecting their assets, whether in terms of information, image or know-how. Risks that can be defined as technical (i.e. not directly linked to business processes) are perceived as being less significant. For instance, the lack of qualified security resources (14%), Advanced Persistent Threats (APT) (12%) and dependence on third-party security providers (8%) are the least cited risks. APTs, which are highly sophisticated and precisely-targeted cyber threats, ought to have heads of security quaking in their boots. Conducted by exceptionally well-organised criminals, they enable covert access to even the best-protected networks to extract highly sensitive information or carry out massive destruction of data. Even though they are the most dangerous, APTs have not yet emerged as one of the major risks identified by companies. Only 12% of them rank APTs in the top three threats. This is not the case, however, for large companies, for which APTs are identified as the second-largest risk; (35% of them place APTs in the top three). APTs may have one of two goals: they may be designed to destroy vital interests or give a competitive advantage to a third party. For large companies, the line between vital interests and business interests is very hard to draw, and any attack on these interests is clearly perceived as one of the major risks by these stakeholders: they are generally major national champions, sometimes with state backing. This is evidenced by the concept of Operator of Vital Importance introduced in France: The main risks for us are attacks plotted by states, APTs and targeted attacks on our production and distribution systems, says the Head of Information Security Services of a major French transport company. This Steria security survey also reveals a high level of disparity between countries for two types of attack: IT espionage is perceived as the lowest risk in the UK (15%) and as the highest in France (37%). The risk of an impact on Information System (IS) availability is perceived as highly significant in Norway and the UK, with a score of 28% and 26% respectively, whereas in France only 9% of respondents think this will keep them awake at night. Hacktivism Competitors Criminal individuals None of them Organised crime Figure 6 : Origins of external attacks faced by organisations today and predicted in three years time State-sponsored attacks Other Theft of data Reputation damage IT espionage Internal fraud Unavailability of information systems Lack ok skilled resources Advanced Persistent Threats Depending on third parties for security services Other France UK Germany Norway Figure 7 : The key risks keeping companies awake at night: breakdown by country (multiple choices) % % % %

9 16 Are European companies equipped to fight off cyber security attacks? Are European companies equipped to fight off cyber security attacks? 17 PART 2 have far-reaching ambitions In a globalised environment driven by the digital revolution in mobile technology, security strategies are no longer the sole preserve of IT. Instead, they also address business and strategic issues, positioned in the uppermost levels of organisations. Security strategies are becoming global Almost 80% of decision-makers have implemented security strategy and solutions to minimise information leakage and so on Almost all companies have established a security strategy; (80% have already done so and this is underway for a further 11%). This is the case in both medium and large companies. Security strategies have been designed chiefly to address the issues arising from mobility and Bring Your Own Device (BYOD). Somewhat counterintuitively, security strategies have not predominantly been geared to addressing threats from cyber risks and their development. They have been designed to address security issues specific to the line of business (35%) and above all to address changes in the use of new information and communication technologies, such as mobility and BYOD (57%). This is true for all companies, irrespective of their size, sector and country. Astonishingly, this is even more the case in the public sector, where mobility is cited by 59% of respondents, and line-of-business issues by 37%. Security policies should enable better protection of mobile infrastructures. They address the issue of maintaining quality of service amidst a background of cost-cutting and staff cuts in public-sector organisations. This is illustrated by the head of security for a major UK police department. He emphasised, above all, the issue of public confidence relating to the confidentiality of information as being the main aim of public-sector security strategy: Damage to reputation may be the most important issue by far, because it could adversely affect relations with our community. The public will not go to the police if they do not trust us to preserve their confidentiality, and this would become a long-term problem, he said. Business-specific issues are the second major influence on security strategies, scoring 35%, ahead of cyber threats (27%). Business-specific issues are ranked very differently in different countries: only 15% in Norway, as opposed to 49% in France. Cloud computing is ranked in fourth place among issues determining strategy, scoring 26%, although here again, there is considerable discrepancy between different countries: in the UK, which has largely adopted cloud computing, it scores 44%. Cost, meanwhile, is a relatively weak influence on security strategies: only 21% of companies rank cost pressures as being among the three most important factors influencing their security strategy, and only 10% of companies employing more than 5000 people. Cost has the least influence in France (8%), and the most in Norway (33%). In larger organisations, however, the cloud is ranked second, just ahead of businessspecific security issues. Data confidentiality is still one of the major reasons for some companies being reluctant to adopt cloud-based computing. Companies are increasingly seeking to give employees access to their business applications via the cloud when they are mobile. However, this creates a much broader access, with all the accompanying risks of breaches. Security systems must adapt to cater for this shift.

10 18 Are European companies equipped to fight off cyber security attacks? Are European companies equipped to fight off cyber security attacks? 19 11% 11% 9% 80% Yes No Ongoing Figure 8 : Companies that have established an IT security strategy The high degree of importance accorded to security favours ambitious strategies In companies employing more than 5000 people, security is overseen by Senior Management (40%), ahead of IT functions (38%). For most respondents, security is generally overseen by an IT department (54%), but in companies employing more than 5000 people, senior management is principally responsible for security (40%). This development is also supported by security managers themselves, such as this respondent from a large German energy company: I am surprised that most people say they are overseen by the IT department; I think the responsibility should ultimately lie with the executive committee. Of course, the IT department defines the controls to be put in place and so on. To achieve the ambitious aims set out in their security strategies, managers are preserving and in some cases even increasing resources and investments in this field. The fact that senior management is taking on more direct responsibility for the issue of cyber security may also be due to the strategic impact of cyber crime in terms of its implications for legal affairs and image (notoriety and reputation), as well as business and financial issues. According to a 2012 survey, financial losses due to security incidents amounted to $110 billion. It thus comes as little surprise that the protection of private and public-sector assets is becoming an absolute priority at the highest levels of government and enterprise. Mobility / BYOD Cyber threats Cloud computing Cost pressure Purchasing policies Social networks Availability of skilled competencies Legislation and compliance Other Between 500 and 1,000 employees Between 1,000 and 5,000 employees More than 5,000 employees 60% 51% 58% 58% 49% 34% 31% 15% 35% 16% 22% 38% 15% 44% 22% 23% 8% 27% 24% 33% 15% 18% 22% 25% 13% 6% 16% 5% 19% 12% 19% 17% 11% 3% 23% 3% 3% 5% 58% 58% 38% IT department 31% 29% 40% Executive management (board level) 11% 11% 6% Information Systems Security Manager (ISSM) Figure 10 : Principal oversight for IT security by company size 1% 8% Security managers within the IT department 2% 8% Lines of business 3% Other France UK Germany Norway

11 20 Are European companies equipped to fight off cyber security attacks? Are European companies equipped to fight off cyber security attacks? 21 PART 3 Increasing resources available for security Budgets are still weighted in favour of security Security has become a priority for companies; security budgets have remained untouched and should continue to stay that way. While most corporate activities have to contend with budget restrictions, security has been unaffected. 68% of all respondents and 74% of those from large companies believe that their budget will increase moderately or considerably. Less than one third anticipate any reduction (one quarter for large companies). 87% of the respondents believe that they will have an appropriate security budget for the next three years. The French are the most optimistic in this respect (90%) and the Norwegians the most pessimistic (8%). One explanation for these results may be the legal measures enacted in France to increase the levels of protection for companies and administrations. However, these encouraging figures should be seen against the backdrop of a significant increase in the number of cyber attacks. Security is no longer simply an option, but a real priority that is nonetheless difficult to seize. The Head of Information Security Services of one of the UK s large industrial groups sums up the dichotomy of his job in terms of budgets: The strange thing about budgets is that if we have a large number of incidents, we get more money, whereas if performance is state-of-the-art and there are no incidents, our budgets can be cut. Whereupon things become more complicated, the number of incidents increases and money becomes available once again. Although budgets are being maintained, cost controls are in place too: more than half of all respondents said that KPI performance indicators for cost control had been implemented in their enterprise. 9% 3% 5% 27% France 69% 26% UK 54% Germany 30% 56% 35% Norway 48% 4% 11% 11% 12% Sharp increase Moderate increase Moderate decrease Sharp decrease Figure 11 : Security budgets by country: evolution

12 22 Are European companies equipped to fight off cyber security attacks? Are European companies equipped to fight off cyber security attacks? 23 Companies remain optimistic about their ability to attract talent The issue of security skills is not a top priority for European companies: they believe they are capable of bringing to bear the required resources to protect themselves. It may also be noted that the perceived risk of a skills shortage is much lower in small companies (in which fewer than one in ten respondents ranked it among the three most significant risks). France UK % % In current market conditions, issues of competencies and recruitment are nonetheless important for many of those involved in security. 29% of those interviewed in large companies rank access to experienced resources among the top three factors influencing their security strategy. For them, access to good resources is a priority. For one in five respondents in larger enterprises, the lack of experienced resources is one of the three most important risks keeping them awake at night. This shows that the issue of competency is central, but not seen as an absolute priority. This is an important point to bear in mind, especially given that many of those involved in security in institutions and industry highlight the issue of a skills shortage. A representative of a European security agency believes that the lack of appropriate competencies should be the number one factor affecting security strategies: the lack of skills is the key challenge for us and our companies. Furthermore, the companies surveyed remain optimistic about their growing ability to mobilise experts capable of protecting them. For the vast majority of them (88%), there is every reason to be optimistic about recruiting appropriate skills to deal with security issues, or finding them outside the enterprise. Almost 20% of large companies see a skills shortage as a major risk Germany Norway Access to required skills Having the right security budget Ability to manage with complex attacks Ability to demonstrate a return on investment in security projects Providers capacity to meet our needs Users awareness Career development of my position within the organisation Alignement ok C-level executives and lines-of-business managers % %

13 24 Are European companies equipped to fight off cyber security attacks? Are European companies equipped to fight off cyber security attacks? 25 PART 4 Significant growth in the implementation of security solutons To date, companies have concentrated on identity and access management (87% of them), management of mobile devices (72%) and encryption (53%). Data theft is a central concern and is likely to remain so, but companies are not well-prepared for what they fear the most: - Only 42% of them have implemented Data Loss Prevention (DLP) solutions - Only 18% of them say that they will be implementing this type of solution over the next three years, and this is true irrespective of the size of the enterprise. However, companies are implementing solutions that indirectly have a positive impact on data theft. Indeed, combating data theft involves a number of building blocks that at are at the heart of current strategies. For instance, identity and access management is the only way of establishing a link between legitimate users and data. Similarly, data scattering cannot be avoided without stringent management of mobile device fleets. The same is true with regard to encryption techniques, particularly in view of threats such as passive listening and interception of data in transit or stored in third-party data centres. What is more, the decision-makers interviewed know that there is no such thing as zero risk, especially since attacks are becoming increasingly aggressive. gressive. Large companies are also concentrating on the operational and real-time dimensions of protection solutions. For instance, 32% of large companies have set up a Security Operations Centre (SOC). A critical mass is needed for dedicated resources of this kind to be cost-effective. When it comes to organisations with fewer than 5000 employees, only 14% have a facility of this type. In Norway, which has very few companies with more than 5000 employees, the number of respondents who reported having implemented a SOC is only half that in the UK (7.5% and 15% respectively). Indeed, the UK has a great number of large firms and a strong emphasis on the operational aspects of security. In terms of outlook, France has the highest levels of growth in SOC projects: 14% of French respondents said that they would have a SOC project within the next three years, well ahead of Germany (5.6%), the UK (4.1%) and Norway (2.5%). One explanation for this trend is that France is doing its best to catch up with its European neighbours in this respect, particularly the UK. 32% of large companies have set up a SOC

14 26 Are European companies equipped to fight off cyber security attacks? Are European companies equipped to fight off cyber security attacks? 27 87% Identity and Access Management (IAM) Mobile Device Management (MDM) 72% Encryption 53% Data Loss Prevention (DLP) 48% Instrusion Dection and Prevention System 32% Security Information and Event Management (SIEM) Governance, risk and compliance 22% 21% SOC (Security Operations Centre) 14% Security procured as a service 6% Other 2% None 3% PART 5 Still room for improvement in performance measurement Figure 13 : Existing security solutions 14% France 14% 15% UK 4% 17% Germany 6% 8% Norway 2,5% A SOC has already been implemented The implementation of a SOC is considered within the next 3 years Figure 14 : Establishment of SOCs per country

15 28 Are European companies equipped to fight off cyber security attacks? Are European companies equipped to fight off cyber security attacks? 29 Surprisingly, security performance measurement is not focused primarily on security. Initial observations are encouraging: the use of key performance indicators (KPIs), adopted by 94% of companies for their security, indicates an increasingly professional approach to the issue. However, security is no stranger to the prevailing tendency to rationalise expenditure and optimise investments. Indeed, the KPIs measured by companies to ensure that resources allocated to security are used appropriately reflect this overall trend: controlling security costs is the most frequently used KPI, reported by 53% of respondents. While overall budget trends are good news as far as security is concerned, there is nonetheless an aspect of cost control, with related KPIs, for over half of the companies interviewed. The effectiveness of procedures needs to be demonstrated, particularly in terms of cost control. The message is clear: invest and protect, but don t waste money. However, as one head of IS security for a UK energy firm points out, cost control may not be a good performance indicator when it comes to security: We don t view costs as a KPI. Indeed, I don t really see cost as a performance indicator at all. Spending more may mean that you are better protected, but it could also show that you are not managing your security expenditure properly, and vice versa. Of course, costs must be controlled. But as far as we re concerned, KPIs should relate to the number of incidents identified and dealt with; response time is key too, of course. The frequent use of two other KPIs lends support to this argument: - 39% of companies use a KPI relating to response times in the event of a security crisis - 33% monitor the time taken to implement security fixes. However, these are not yet used widely enough to constitute a really appropriate performance measurement. There is definitely room for improvement in this area. PART 6 Outsourcing is becoming a genuine alternative 53% 39% 33% 27% 16% 2% Control of security cost Response time in the event of a major crisis Deadline for correction of critical vulnerabilities Internal customer satisfaction Information security levels within projects Other Figure 15 : Existing security performance indicators

16 30 Are European companies equipped to fight off cyber security attacks? Are European companies equipped to fight off cyber security attacks? 31 Although no single model dominates as yet, outsourcing is gaining support Future prospects Cost are more advantageous Streamline our organisation France The aim of outsourcing should be to control or even bring down costs whilst improving quality of service, using appropriate resources. Is the security ecosystem ready? Those decision-makers interviewed remained highly focused on cost reductions as the main benefit of outsourcing: 49% of companies ranked cost reduction as one of their top three reasons for outsourcing. This is especially the case in France (62%), where outsourcing is very definitely seen in this light, as opposed to Norway (33%). Other reasons include improving attack detection (ranked second in large companies (33%) and third in all companies as a whole (30%)), and streamlining organisation, ranked second overall for all sizes of enterprise (33%). There is quite a significant range between the most sensitive country (Norway, with 40%) and the least sensitive (Germany, 26%). Better capacity to detect cyber attacks Quality of service is better The availability of tried and tested resources is the third reason given by large companies; as seen above, they are more concerned by the issue of a shortage of competent resources. Improvements in quality of service are ranked fourth, cited by 29% of respondents, or as few as 19% in France. 62% 48% 47% 33% 36% 33% 26% 40% 24% 26% 38% 33% 19% 34% 31% 35% 22% 18% 26% 18% 5% 7% 14% 5% 3% 4% 4% 3% 13% 11% 8% We don t have enough internal skills We don t have enough investment resources UK Germany Norway Other None European companies see many reasons not to outsource (the critical aspect of security, giving priority to internal resources, the lack of appropriate offerings, and so on). Only one in five large companies sees no reason not to outsource. But at the end of the day, European companies are willing to outsource, at least partially, for reasons of cost control and to improve the way attacks are dealt with: more than two thirds of companies believe that they will outsource part of their security activities in the future. However, this forecast is offset by a prevailing precautionary principle. The most frequently mentioned non-core activities include the following: audits and intrusion testing ( The only thing that we could never do in-house is intrusion testing, which is highly specialised, explains an energy firm s head of IS security) along with risk management. In terms of SOCs, more than 20% of firms surveyed (rising to almost 50% for organisations with a workforce in excess of 5000) already have a SOC or plan to acquire one. Almost one third of these has or intends to have one on their premises, and just over 5% would be willing to share it with other companies. One in four large companies already has or will have an outsourced SOC. More than 2/3 of companies plan to make use of outsourcing within the next three years! On average, 42% of respondents have already chosen or will choose a regional partner to assist them in outsourcing their security. As for large companies, they tend to choose a global provider for security outsourcing 47% of them in all. One possible reason for this difference is the global nature of these providers themselves, their maturity when it comes to outsourcing and the international dimension of their other outsourcing partners. As to public-sector organisations, almost half (47%) are being assisted or plan to be assisted by regional stakeholders, as is the case for the Head of IT at a Norwegian administration: Partners must be based in Scandinavia; offshore and nearshore are ruled out. This means that, for the moment, we are working solely with regional, Scandinavian stakeholders. As might be expected, SMEs with fewer than 1000 employees turn mostly to local providers (46%), as the spokesperson for a European cyber security agency explains: SMEs look for a partner that they can easily approach and whose helpdesks speak their own language. They are also more inclined to work with a local provider rather than commit to a large, impersonal structure, with which they can find it very difficult to make a connection. Figure 16 : Arguments in favour of outsourcing by country

17 32 Are European companies equipped to fight off cyber security attacks? Are European companies equipped to fight off cyber security attacks? 33 Buying security: as a service has not yet become established as a credible alternative, but is being envisaged for the future Security as a service has not yet achieved market maturity. Less than 10% of companies already purchase security as a service or intend to do so in However, companies of all sizes are open to this possibility in the future. More than 40% of all companies have already done so, or plan to do so, ultimately. This overall trend is illustrated by the comments of the Head of IT for a Norwegian administration: For the time being, we are not operating on a security as a service basis, but we could consider it for some areas, particularly the less critical ones, where it might be useful for instance, to overcome skills shortages when these become apparent. My most pressing need is for better control and more robust assurance. Europe s companies are likely to call on external providers more in the future. More than one in four companies (one in three large companies) say that within five years, security will mostly be dealt with by external providers, while 15% think that they will be sharing it with other companies in their sector. However, more than 60% of companies think that security will mainly be dealt with internally for at least the next five years. A call for security experts to review their approach in light of the sensitive nature of their business 33% of large companies intend to rely mainly on external providers, and 14% think their security activities will be carried out in closer liaison with other organisations in their sector. However, 53% of them still think that, for the next five years, they will continue to manage most of their security in-house. By far and away the greatest barrier to working with an outsourced security provider is the critical nature of security: 46% of all companies rank this consideration among the top three barriers to outsourcing, more especially large companies (64%). This figure is especially high in France (60%) and low in Norway (20%) and Germany (28%). The second reason cited is a desire to give priority to internal resources: irrespective of their size, one enterprise in four ranks this as one of the three most important reasons; this proportion rises to one in three in Norway. Too many companies have still not found the right outsourcing offerings for their needs. On average, one in five of the companies interviewed (and one in four large companies) listed the unavailability of appropriate solutions as one of the three most important reasons for not outsourcing. This reason ranks second in Norway (28%). National Regional Global 46% 46% 47% 35% 33% 27% 23% 19% 19% 60% 37% 28% 20% 18% 29% 21% 30% 23% 22% 25% 38% 12% 21% 25% 28% 17% 22% 21% 20% 10% 11% 10% 8% 10% 4% 1% 4% 7% 4% 0% 0% 9% 19% 29% 20% France UK Germany Norway Between 500 and 1,000 employees Between 1,000 and 5,000 employees More than 5,000 employees Security is too critical to be outsourced We have all the necessary internal resources We favor the use of internal resources We don t think that protection will be better We don t know what the market offers We have not been able to demonstrate a return on investment Other None Figure 17 : Preferred types of security provider by companiy size Figure 18 : Barriers to outsourcing by country

18 34 Are European companies equipped to fight off cyber security attacks? Are European companies equipped to fight off cyber security attacks? 35 PART 7 Questions of security : Are companies better protected than before? Despite the growing cyber security threat, European companies are particularly confident about their ability to withstand a major security crisis, despite the fact that they have not taken the most basic ad hoc measures to deal with such incidents. 91% of companies say that they are capable of coping with a major security crisis. However, only one in four companies have operational capacity 24/7, and less than 14% have an SOC. Yet, the fact is that SOCs and related security activities, such as control, crisis management, monitoring and so on, are indispensable when dealing with a major crisis. The survey highlights noteworthy disparities with regard to 24/7 security. Germany scores the best, with 35% of companies already protected 24/7 (compared to an average of 27% across all countries); Norway brings up the rear with just 20% of companies protected 24/7. Given the nature of the very real, operational risks that are of concern to companies, the lack of permanent security capabilities appears evident. 90% of companies say they are capable to face a major security crisis 25% have 24/7 operational capacities 14% are equipped with a SOC

19 36 Are European companies equipped to fight off cyber security attacks? Are European companies equipped to fight off cyber security attacks? 37 Companies do not have extensive cyber security risk insurance cover Two thirds of the respondents are not considering cyber insurance policies Only 15% of companies think their insurance covers their cyber risks (30% of large companies) and 63% of companies are not considering taking such a policy out within the next two years (50% of large companies). There has not been any massive uptake of cyber risk insurance, echoing the previous indication of companies being over-confident when it comes to the potential crises they could experience. Two thirds of respondents do not envisage any such solution. Since the market does not yet appear to be mature, it will probably be several years before this type of offer emerges. This also indicates a need to structure and smooth services and improve security performance. The cyber risk insurance market has not yet come into being. CONCLUSIONS AND RECOMMENDATIONS 15% 63% 22% Yes No but it is planned within the next two years No, and there is nothing planned Figure 19 : Companies with an insurance policy covering cyber risks

20 38 Are European companies equipped to fight off cyber security attacks? Are European companies equipped to fight off cyber security attacks? 39 Being properly equipped to deal with cyber risks is vital to enable organisations small, medium and large to make the most of all the business opportunities available in a multi-faceted digital world. There is no such thing as zero risk, but European companies must put in place prevention, detection, protection and response resources commensurate with the actual threat levels. In view of the growing sophistication of attacks, European companies are still too focused on internal threats, and not concerned enough about new forms of external attack; they have not yet implemented even the most basic resources, for example in order to deal with major crises 24/7. However, there are some more positive observations. Firstly, budget decisions still favour security, with budgets in this field remaining intact and likely to do so in the future. Secondly, the fact that security is currently managed at high levels within companies favours the implementation of ambitious strategies that address business issues. While security experts clearly still have some way to go in tailoring their outsourcing offerings to client needs and making their solutions better known, improving attack detection is already cited as the second most important reason for outsourcing by major companies, just behind cost reduction. Awareness of outsourcing is growing as is the willingness to pool resources. Two thirds of the companies interviewed plan to make use of outsourcing in the future; over one quarter of them believe that five years from now, security will be handled mostly by external partners. Motives are still largely centred on cost control the chief criterion for evaluating security performance to date. It is now up to security experts to demonstrate the effectiveness of their capabilities in terms of attack prevention and detection (as well as response) if they are to persuade Europe s security decision-makers of the benefits of pooling protection resources. Recommendations for optimum cyber security The above conclusion means that a number of recommendations can be made when it comes to defending the best interests of companies in cyberspace. The following recommendations in particular may be made: - greater co-operation is needed in Europe between security experts and all other stakeholders in order to create global, joint capabilities and to increase the firepower of European providers - performance measurement for security should be improved by focusing first and foremost on security itself (number of attacks detected and dealt with, response times, etc). Today, although security budgets have been maintained, the leading KPI is cost control, whereas greater expenditure may actually indicate better protection - 24/7 operational security management should be provided more systematically - there is a need to develop professional service offers that are better geared to addressing the twofold challenge of economic performance and security effectiveness, in line with companies expectations. Some industry professionals have already invested heavily to develop top-ranking cyber security capabilities, and are inviting companies to benefit from these. Cooperation between Europe s security experts and companies is dependent on three factors: - better support by the experts to help companies understand security issues, diagnostics and the definition of the right governance and resources, in terms of criteria based on efficiency and return on investment - greater maturity of security implementation models in order to drive a much broader uptake whilst improving practices - developing innovative technological partnerships within Europe to provide better protection from the most sophisticated attacks (such as APTs) and to respond as quickly as possible. These recommendations will enable European companies to take hold of the many opportunities offered by every aspect of the digital world, whilst keeping cyber risks under control. As a result, companies will be able to express cautious confidence in their digital activities and cyber security controls and, just as importantly, be justified in doing so.