Gold Sponsor of the study: Incident Response Management

Transcription

1 Gold Sponsor of the study: Incident Response Management How European Enterprises are Planning to Prepare for a Cyber Security Breach Y R A M SUM IVE T U C E PAC 2015 X E

2 Telefonica company profile About Telefonica Telefonica is one of the largest telecommunications companies in the world in terms of market capitalisation and number of customers. From its consolidated position in the sector, and with fixed telephony and mobile broadband as key areas that support future growth, the company focuses its strategy on securing its leadership in the digital world. Present in 21 countries and with a customer base of more than 341 million customers, Telefonica has a strong presence in Europe and Latin America, important industrial alliances and a leading global scale which positions the company to capture growth opportunities. Telefonica is a fully publicly traded company with more than 1.5 million direct stakeholders and its ordinary shares are traded in various stock markets, including London and New York among others. Telefonica is committed to delivering more secure and market leading innovation across its security value proposition through its division Telefonica Business Solutions, a leading provider within the Telefonica Group of a wide range of integrated communication and digital solutions for the B2B market. The security value proposition in Telefonica Business Solutions is underpinned by its Security product division including ElevenPaths, Telefonica s fully-owned subsidiary, which brings radical and disruptive innovation in security services and Alliances which include world leading security partners and organizations. At ElevenPaths, the vision is to develop innovative security products that redefine how Telefonica addresses emerging threats, as well as guaranteeing security and privacy for all without interfering with their day-to-day lives. Telefonica s customers depend on technology, communications and the Internet which makes them vulnerable to exposure to security threats. The breakneck pace of change has to be matched by the speed of innovation, creating agile structures that enable us to stay ahead of attackers. MC template PAC

3 Telefonica company profile About Telefonica (continued) The Security division within Business Solutions is designed to enable Telefonica to exceed customer expectations while adapting to their specific characteristics and needs though a ground-breaking value proposition. Telefonica s extensive experience in security and communication networks, expert workforce and the development of intelligence-driven managed security services of cutting-edge technology, as well as the capillarity of focused local security units across the world, makes Telefonica a market leading partner. In the cyber-security, Telefonica is dedicated to protecting the property and businesses of its customers (Government, Enterprises, Multinationals and Small and Medium Business) through unobtrusive services, providing a portfolio of solutions that help prevent attacks, detect any breaches or incidents, and ensure we support our customers address the ongoing challenge of security. For more information: Follow us in: Blog: Blog.elevenpaths.com ( ( LinkedIn/elevenpaths ( YouTube/elevenpaths ( MC template PAC

4 Key Findings Most organisations suffered a breach last year Security spend is shifting towards Incident Response Are firms really ready for cyber breaches? Most organisations outsource Incident Response Technology support for Incident Response is emerging 67% of organizations reported a cyber breach in the last 12 months 100% of firms surveyed reported a cyber breach at some point in the past A breach is - to all intents and purposes - inevitable. Traditionally, cyber security focuses on Prevent & Protect approaches Firms are migrating spend to Detect a breach quickly and Respond to minimise the impact of that breach. 86% of firms claim a high state of readiness for cyber breaches Yet 39% do not have a cyber readiness plan And only 30% of firms that have a plan test it monthly. CISOs generally prefer to keep operations in house But with incident response, outsourcing is more common Accessing required expertise, on demand, is the driver. Two-thirds of organisations do use some technology for Incident Response But most use in-house solutions or a patchy variety of existing technologies IR Management solutions are emerging and will gain rapid adoption. Incident Response Management PAC

5 Introduction Suffering a major breach is a near-certainty. Research from a variety of sources shows that the average firm will suffer one major breach each year. The consequences of a major breach include loss of IP, availability, customer service, revenue and reputation. And the fines for data protection non-compliance are set to soar under the upcoming GDPR and NISD regulations, with mandatory breach reporting due to be introduced from Responding to an incident quickly and effectively is a complex process, involving technical, communications & management staff. And the world is watching as you respond. Our hypothesis for this study was that enterprises are struggling to cope with Incident Response. We wanted to investigate the extent to which firms are experiencing cyber breaches, and if so how organisations are prepared for this eventuality. Are cyber breaches inevitable? We were also interested in how firms cope with the skills shortage, and if they use technology and/or outsourced services to deliver Incident Response. Do firms seek to offset cyber breach risk, through a combination of IR planning and Cyber Risk insurance? We surveyed 200 decision makers in large companies in the UK, France and Germany, to understand their motivations and drivers with regard to Incident Response. This study deals with the following questions: To what extent are firms being breached, and what is their broad approach to responding to such incidents? Do companies understand the importance of IR? Do they have a defined and tested IR plan? Are they adjusting their cyber security spend, or allocating new budget, in order to fund an IR programme? Do they test their IR regularly and update processes accordingly? Do they follow best practices? Do they use an IR management tool? Do they outsource IR capability? Are they aware of the impending NIS and GDPR regulatory changes? Is their technical IR plan integrated with business and communications contingency planning? Incident Response Management PAC

6 About the Study 200 survey respondents in Western Europe Public Sector 24% Financial Services 17% Education 15% Manufacturing 14% Services 12% Retail 9% Healthcare 4% Others 8% 65% CIO/VP IT respondents 35% CISO respondents 33% 35% 33% F M A M J All respondents had over 1,000 employees FR DE UK Survey conducted between Apr-May 2015 Incident Response Management PAC

7 Anatomy of a Cyber Breach Incident 67% of firms have had a cyber breach in the last year, and 100% report a breach at some time in the past Breach severity 9% 34% 35% V.High High Med 23% Low 75k Average cost of most severe breach in last year 69% of breaches are discovered between one and six months after attack J F M A M J We used a 3 rd part monitoring service We found it ourselves We were alerted by a third party We were alerted by the media 43% 37% 21% 1% Firms require between one and six man months to recover from a breach Incident Response Management PAC

8 A fundamental shift in security spending Q. What is the split today of spend between planning, preparing and prevention versus detection, response and recovery? And how do you see this changing over the next two years? Prevent & Protect 77% 61% Average spend today 75% 60% Median spend today 23% 39% Average spend today 25% 40% Median spend today Average spend in 2 years Median spend in 2 years Average spend in 2 years Median spend in 2 years Detect & Respond Most organisations have built their cyber security approach around protecting the perimeter and preventing attacks. However, as we have seen, cyber breaches still occur. This means that organisations have used up most of the budget that has, ultimately, failed to do what it was spent to do. Most organisations take between one and six months to discover an attack, meaning that the perpetrator has been inside to the organisation long enough to cause damage or to extract information. The shift in spend towards a Detect & Respond approach is therefore a reaction to the inevitability of a cyber breach. We see this as a re-balancing of cyber security spend to a more appropriate split of operational attention. While the focus on Prevent & Protect needs to be maintained, looking for breaches and quickly remediating them has increased in priority. Incident Response Management PAC

9 How prepared are you for a cyber breach? 86% 39% 30% Of firms claim they are very or somewhat ready for a cyber breach Of firms don t have a cyber readiness plan Of those firms with a plan test it monthly or more frequently It's a case of good news followed by bad news, when it comes to preparedness for a cyber breach. An extremely healthy 86% of organisations say that they are very or somewhat ready for a cyber breach. However, readiness clearly means different things to different firms: 39% do not have a cyber readiness plan. How an organisation can claim readiness without having a plan to describe what readiness means or how to test it is a clear indication of the variability of maturity across organisations when it comes to incident response. Frequency of testing a plan is also highly variable. Only 30% of firms that have a plan test it monthly or more frequently. Most (65%) test their plan quarterly, which is common but increasingly insufficient given the rate of change in the threat landscape. 5% of firms test their incident response preparedness annually. Overall, we are concerned at the state of readiness of firms for a cyber breach. While most companies believe that they are ready for a breach this confidence does not match the reality of the situation. Firms are at best unaware of best practice when it comes to incident response, and at worst are in denial of the precariousness of their situation. Incident Response Management PAC

10 Internal or external resourcing? Q. How do you resource incident response? Most organisations eschew outsourcing for cyber security. They fear loss of visibility and control of their security operations. So, typically, they use outsourcing in a cautious, riskbased and selective manner. They also outsource security as a short-term fix until they are able to back-fill resources with in-house expertise. With incident response, however, the opposite appears to be true. In our survey, 69% of firms use a combination of internal and external staff, with a further 14% using external resources exclusively. 14% Use external staff only 18% Use internal staff only 69% The nature of incident response dictates that resource utilisation is unpredictable. Although all of the companies surveyed reported a cyber breach (67% in the last 12 months), the timing of a breach is indeterminable. This means that if internal staff are to be used then they are drawn from other security activities as and when the need arises. But this may impact on-going operations. So it makes sense to plan to use external resources, either retained on standby or on a more ad hoc basis. Use a combination of internal & external staff Incident Response Management PAC

11 Technology for Incident response Q. Are you using any technology to assist in incident response? 22% 61% Of which 11% Built in-house and the rest is a wide variety of existing capability delivering patchy IR coverage We asked the respondents whether they are using any technology to assist in incident response. We were surprised to find that 61% of firms do use technology in their incident response. However, when asked to describe this technology we get a very patchy view. The most common answer type of technology used is built in-house, as opposed to a commercial off-the-shelf solution. Firms corral a wide variety of technologies to support incident response, such as SIEM, threat monitoring and network security. Clearly, these technologies are not designed for managing and organisations incident response program. There is some evidence to suggest that organisations are aware that more specialised solutions for incident response are available, although this is clearly still an emerging market. Awareness of such solutions appears to be low, but as spend shifts towards Detect & Respond activities we expect this to increase rapidly. Incident Response Management PAC

12 Disclaimer, usage rights, independence and data protection This study was compiled in multi-client mode under the sponsorship of FireEye, HP, Telefonica and Resilient Systems. For further information, please visit Disclaimer The contents of this study were compiled with the greatest possible care. However, no liability for their accuracy can be assumed. Analyses and evaluations reflect the state of our knowledge in May 2015 and may change at any time. This applies in particular, but not exclusively, to statements made about the future. Names and designations that appear in this study may be registered trademarks. Usage rights This study is protected by copyright. Any reproduction or dissemination to third parties, including in part, requires the prior explicit authorization of the sponsors. The publication or dissemination of tables, graphics etc. in other publications also requires prior authorization. Independence and data protection This study was produced solely by Pierre Audoin Consultants (PAC). The sponsors had no influence over the analysis of the data and the production of the study. The participants in the study were assured that the information they provided would be treated confidentially. No statement enables conclusions to be drawn about individual companies, and no individual survey data was passed to the sponsors or other third parties. All participants in the study were selected at random. There is no connection between the production of the study and any commercial relationship between the respondents and the sponsors of this study. Incident Response Management PAC

13 Contact Founded in 1976, Pierre Audoin Consultants (PAC) is part of the CXP Group, the leading independent European research and consulting firm for the software, IT services and digital transformation industry. The CXP Group offers its customers comprehensive support services for the evaluation, selection and optimization of their software solutions and for the evaluation and selection of IT services providers, and accompanies them in optimizing their sourcing and investment strategies. As such, the CXP Group supports ICT decision makers in their digital transformation journey. Further, the CXP Group assists software and IT services providers in optimizing their strategies and go-to-market approaches with quantitative and qualitative analyses as well as consulting services. Public organizations and institutions equally base the development of their IT policies on our reports. Capitalizing on 40 years of experience, based in 8 countries (with 17 offices worldwide) and with 140 employees, the CXP Group provides its expertise every year to more than 1,500 ICT decision makers and the operational divisions of large enterprises as well as mid-market companies and their providers. The CXP Group consists of three branches: Le CXP, BARC (Business Application Research Center) and Pierre Audoin Consultants (PAC). Duncan Brown Research Director +44 (0) d.brown@pac-online.com Dominic Trott Senior Consultant +44 (0) d.trott@pac-online.com For more information please visit: PAC s latest news: Follow us on PAC 2015