BAE Systems Cyber Security Survey Report

Transcription

1 BAE Systems Cyber Security Survey Report Q Copyright 2016 BAE Systems. All Rights Reserved.

2 Table of Contents Page Number Objectives & Methodology 3 Executive Summary 4 Key Findings 7 Detailed Findings 13 Demographic/Firmographic Profile 34 2 Copyright 2016 BAE Systems. All Rights Reserved.

3 Objectives and Methodology This report presents the findings of an online study conducted among a sample of 300 respondents who are managers for companies in the Financial Services, Insurance, or Tech/IT industries. This study was intended to: Gauge concerns and attitudes of managers toward cyber defense Determine what companies are doing to keep their information safe Identify how companies are training employees on cyber security policies and practices Invitations to participate in the study were sent beginning on December 28, 2015 and data collection continued through January 4, Where applicable, red circles indicate a significant difference at the 95% confidence level. 3 Copyright 2016 BAE Systems. All Rights Reserved.

4 4 Copyright 2016 BAE Systems. All Rights Reserved. Executive Summary

5 Executive Summary The research uncovered a gap between companies perception of their cyber security preparedness and their actual ability to defend themselves from cyber threats. While managers paint a fairly positive picture of their organization s ability to protect its data and information security, the research raises concerns about the priority businesses place on cyber defense and how it is reflected through employee communication and training. 5 Copyright 2016 BAE Systems. All Rights Reserved.

6 Executive Summary The lack of awareness by executives on the state of their cyber security protocols and training initiatives is alarming, and puts them at a serious disadvantage against cyber attackers. There is a greater need for communication and deployment of cyber security best practices across all industries surveyed. Companies need to make a more concerted effort to deal with cyber security education and training. 6 Copyright 2016 BAE Systems. All Rights Reserved.

7 7 Copyright 2016 BAE Systems. All Rights Reserved. Key Findings

8 Key Findings Respondents Recognize the Cyber Threat Seven in ten (69%) respondents believe data and information systems breaches are a threat to their company Almost seven out of ten (68%) respondents personally handle customer or client data as part of their day to day responsibilities 8 Copyright 2016 BAE Systems. All Rights Reserved.

9 Key Findings Overconfidence in Current Systems Almost all (96%) respondents rate their company s ability to protect its data and information security as good or excellent 9 Copyright 2016 BAE Systems. All Rights Reserved.

10 Key Findings Noticeable Lack of Knowledge of Key Security Policies and Procedures 42% believe they are extremely or very knowledgeable about their company s information security policies and practices. 52% for the Tech/IT industry 36% for Financial Services firms 10 Copyright 2016 BAE Systems. All Rights Reserved.

11 Key Findings Widespread use of Traditional Security Measures Nearly all (98%) use any of the listed methods below to help prevent information systems breaches: Firewall (97%) Antivirus software (95%) Data encryption (87%) Employee training (80%) Intrusion detection system (73%) 11 Copyright 2016 BAE Systems. All Rights Reserved.

12 Key Findings Formal Training in Cyber Security is Lagging 60% of respondents report that their organization has a formal cyber security training program in place Nearly 70% of surveyed companies that have cyber defense training programs only implement them on a semi-annual or annual basis, making their organizations vulnerable to attacks 12 Copyright 2016 BAE Systems. All Rights Reserved.

13 13 Copyright 2016 BAE Systems. All Rights Reserved. Detailed Findings

14 Nearly all respondents (95%) rate their company s ability to protect data and information security systems as excellent or good. Slightly more than half (55%) saying it is excellent and 41% say it is good. Findings are similar for the three industries. Those in larger companies are more likely to rate their company s ability as excellent (60% among those with more than 500 employees vs. 43% of those with 500 and under). Question 1 Total 1% Ability to Protect Data and Information Security Systems 4% 41% 55% Excellent/ Good 95% How would you rate your company s ability to protect its data and information security systems? Financial Services 2% 1% 37% 60% 97% (Base=Total = 300; Financial services=100; Insurance=100; Tech/IT=100) Insurance Tech/IT 1% 4% 6% 38% 47% 57% 47% 95% 94% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Poor Fair Good Excellent 14 Copyright 2016 BAE Systems. All Rights Reserved.

15 Two out of five respondents (42%) believe they are extremely or very knowledgeable about their company s information security policies and practices. Significantly more of those in the Tech/IT industry (52%) than Financial Services (36%) and Insurance (37%) are extremely or very knowledgeable. Question 2 And how would you rate your knowledge and understanding of your company s information security policies and practices how the problems and potential problems are being acted upon and handled? Total Financial Services Insurance (Base=Total = 300; Financial services=100; Insurance=100; Tech/IT=100) Tech/IT 3% 5% 6% 6% Knowledge and Understanding of Company s Information Security Policies and Practices 13% 16% 15% 19% 32% 38% 43% 38% 37% 32% 28% 31% 10% 15% 8% 6% Extremely/ Very 42% 36% 37% 52% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Not at all Not very Somewhat Very Extremely 15 Copyright 2016 BAE Systems. All Rights Reserved.

16 Roughly two out of three (68%) respondents indicate their company has a CSO or CISO. Similar findings were found by industry. Larger companies (those with more than 500 employees) are more likely to have a CSO or CISO (73% vs. 57% only of those with 500 or fewer employees). Interestingly, about one out of ten (11%) did not know if there was a security officer in their company, regardless of the size of the company. Question 3 Does your company have what some companies call a CSO (Chief Security Officer) or CISO (Chief Information Security Officer)? A CSO or CISO is responsible for the security of a company s communications and other business systems, especially those exposed to intrusion from outsiders on the Internet. He/she may also have a role in planning for and managing disaster recovery and is often involved in the business aspects of security as well as the purely technical aspects. (Base=Total = 300; Financial services=100; Insurance=100; Tech/IT=100) 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% Company Has CSO or CISO 71% 68% 69% 65% 20% 22% 22% 17% 11% 12% 13% 9% Yes No Don't know Total Financial Services Insurance Tech/IT 16 Copyright 2016 BAE Systems. All Rights Reserved.

17 Most CSO/CISO s (88%) are connected to the leadership team, with half (48%) being part of the leadership team and two in five (40%) report to the leadership team. Findings are similar by industry. 100% 90% 93% 88% 85% 86% Affiliation of CSO/CISO Question 4 Is that person someone who (Base=Company has a CSO or CISO = 205; Financial services=71; Insurance=65; Tech/IT=69) 80% 70% 60% 50% 40% 30% 54% 48% 45% 45% 42% 40% 39% 39% 20% 10% 0% Connected to leadership team (Net) Is part of the leadership team Reports to the leadership team 15% 9% 9% 3% 5% 4% 3% 0% Is not connected to the leadership team at all Total Financial Services Insurance Tech/IT Don't know 17 Copyright 2016 BAE Systems. All Rights Reserved.

18 Almost seven in ten (68%) respondents personally handle customer or client data as part of their day to day responsibilities. Findings are similar across industry. 100% Personally Handle Customer or Client Data 90% Question 5 Do you, personally, handle customer or client data as part of your day to day responsibilities? (Base=Total = 300; Financial services=100; Insurance=100; Tech/IT=100) 80% 70% 60% 50% 40% 30% 20% 10% 68% 70% 66% 68% 32% 30% 34% 32% 0% Yes No Total Financial Services Insurance Tech/IT 18 Copyright 2016 BAE Systems. All Rights Reserved.

19 When asked about their vendors and subcontractors, three in ten (30%) indicated that their vendors and subcontractors have the same level of data and information security as they do. One-third (34%) said they don t or are not sure (35%). Those in the Tech/IT (43%) and Insurance (38%) industries are more likely than those in Financial Services (22%) to indicate that their vendors and subcontractors do not have the same level of security. 100% 90% Vendors and Subcontractors Have Same Level of Data and Information Security Question 6 Do all of your vendors and subcontractors have the same level of data and information security that your company does? (Base=Total = 300; Financial services=100; Insurance=100; Tech/IT=100) 80% 70% 60% 50% 40% 30% 20% 10% 37% 30% 29% 25% 43% 41% 38% 34% 35% 37% 22% 28% 0% Yes No Don't know Total Financial Services Insurance Tech/IT 19 Copyright 2016 BAE Systems. All Rights Reserved.

20 Three in five (60%) respondents said their company has a formal cyber security training program. Regardless of industry, at least one out of four said that their company does not have a training program and more than one out of ten did not know. Those in larger companies are more likely to have a formal cyber security training program (67% among those with more than 500 employees vs. 44% of those with 500 or fewer). 100% 90% Formal Cyber Security Training Program Question 7 Does your company have a formal cyber security training program? 80% 70% 60% 50% 64% 60% 59% 58% (Base=Total = 300; Financial services=100; Insurance=100; Tech/IT=100) 40% 30% 20% 10% 30% 27% 26% 25% 13% 15% 12% 11% 0% Yes No Not sure Total Financial Services Insurance Tech/IT 20 Copyright 2016 BAE Systems. All Rights Reserved.

21 Nearly nine in ten (85%) of those companies with a formal cyber security training program require all employees to take the training. Significantly more of those in the Tech/IT industry (22%) indicate the training is just required of select employees (vs. 8% of those in Financial Services and 7% of those in Insurance). Question 8 Is the cyber security training (Base=Company has a formal cyber security training program = 181; Financial services=59; Insurance=58; Tech/IT=64) 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 88% 88% 85% 78% Required of all employees Requirements of Cyber Security Training Program 13% 8% 7% 22% Just required of select employees 1% 2% 2% 2% 2% 3% 0% 0% Not required, just recommended Total Financial Services Insurance Tech/IT Don't know 21 Copyright 2016 BAE Systems. All Rights Reserved.

22 Of those with a formal cyber security training program, two in five (38%) say the training is scheduled every three or six months. Three in ten (29%) said it s scheduled annually. Findings are similar across industry. Question 9 How frequently is the cyber security training program scheduled? (Base=Company has a formal cyber security training program = 181; Financial services=59; Insurance=58; Tech/IT=64) 50% 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% 12% 9% 5% 9% 34% 31% 31% 28% Just when Every six months employees start with the company Frequency of Cyber Security Training Program 9% 7% 7% 5% Every three months 12% 12% 13% 10% On demand using video/recorded webinars 29% 33% 25% 30% Total Financial Services Insurance Tech/IT 5% 4% 3% 3% 8% 8% 12% 5% Annually Other Don't know 22 Copyright 2016 BAE Systems. All Rights Reserved.

23 Question 10 Detailed Findings Nine in ten (93%) of those who have a formal cyber security training program do any of the listed items as a follow up on the training program. Three-quarters (77%) use online courses, a third (35%) send out fake phishing s, and a third (35%) also use simulation/scenario testing. Those in the Financial Services industry are more likely than those in Insurance to use online courses as a follow up (86% vs. 67%). The same is true among larger companies (80% of those with more than 500 employees vs. 65% of those with 500 or fewer). Which of the following, if any, does your company use to follow up on the training program and ensure that everyone in the organization is up to speed on cyber security? (Base=Company has a formal cyber security training program = 181; Financial services=59; Insurance=58; Tech/IT=64) 23 Copyright 2016 BAE Systems. All Rights Reserved. Any (Net) Online courses Send out 'fake' phishing s Simulation/scenario testing None of these 7% 3% 7% 9% Training Program Follow Up 27% 26% 35% 37% 41% 35% 37% 41% 67% 77% 77% 86% 93% 97% 93% 91% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Total Financial Services Insurance Tech/IT

24 Four in five (80%) respondents have personally had training in cyber security best practices and procedures. Two-thirds (68%) have received training from their current employer. Very few have received training from a former employer (14%) or a source other than an employer (7%). Findings were similar across industries. Those at larger companies are more likely to have personally had any training in cyber security best practices and procedures (83% among those with more than 500 employees vs. 72% of those with 500 or fewer). Yes (Net) 80% 82% 81% 77% Question 11 Have you personally had any training in cyber security best practices and procedures? (Base=Total = 300; Financial services=100; Insurance=100; Tech/IT=100) Yes, from my current employer Yes, at a former employer Yes, from a source other than an employer No, I have never had any training 14% 11% 13% 19% 7% 10% 6% 5% 20% 18% 19% 23% 68% 68% 71% 65% Training in Cyber Security Best Practices and Procedures 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Total Financial Services Insurance Tech/IT 24 Copyright 2016 BAE Systems. All Rights Reserved.

25 Seven in ten (69%) respondents believe data and information systems breaches are a threat to their company, rating it a 3, 4, or 5. Those in the Insurance industry (77%) are more likely than those in the Financial Services industry (60%) to think these breaches are a threat. Those in larger companies are more likely to indicate that data and information systems breaches are a major threat (24% of those with more than 500 employees vs. 11% of those with 500 or fewer). Threat of Data and Information Systems Breaches Top 3 box Question 12 Total 10% 21% 30% 19% 20% 69% How much of a threat do you think data and information systems breaches are to your company? Financial Services 15% 25% 26% 16% 18% 60% (Base=Total = 300; Financial services=100; Insurance=100; Tech/IT=100) Insurance 5% 18% 34% 18% 25% 77% Tech/IT 9% 21% 29% 24% 17% 70% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Minimal threat (1) (2) (3) (4) Major threat (5) 25 Copyright 2016 BAE Systems. All Rights Reserved.

26 Those who believe data and information systems breaches are a threat to their company were asked how these breaches are a threat. More than four in five (85%) indicated damage to their company s reputation and standing/customer confidence. A similar proportion (84%) said the impact on customers/clients. Three-quarters (74%) mentioned legal liability and seven in ten (70%) said financial damage to the company. Significantly fewer (23%) said loss of jobs at the company. Those in the Financial Services industry (93%) are more likely to cite damage to the company reputation than are those in Tech/IT (83%). Those in the Financial Services (92%) and Insurance (87%) industries are more likely to cite impact on customers/clients than are those in Tech/IT (73%). Those in Financial Services (82%) are more likely to cite financial damage to the company than are those in Insurance (65%) and Tech/IT (64%). How Data and Information Systems Breaches are a Threat Question 13 Damage to company reputation and standing/customer confidence 85% 93% 81% 83% In what way are they a threat? Impact on customers/clients (such as identity theft, etc.) 73% 84% 92% 87% (Base=Think data and information systems breaches are a threat to their company = 207; Financial services=60; Insurance=77; Tech/IT=70) Legal liability Financial damage to the company 74% 78% 75% 70% 70% 82% 65% 64% Loss of jobs at the company 23% 28% 17% 24% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90%100% Total Financial Services Insurance Tech/IT 26 Copyright 2016 BAE Systems. All Rights Reserved.

27 Very few (17%) carry Cyber Insurance. The majority (69%) don t know if their company carries it. Those in the Tech/IT industry (22%) are more likely to say that their company does not carry Cyber Insurance (vs. 11% of those in Insurance and 10% of those in Financial Services). Those in Financial Services (77%) are more likely than those in Tech/IT (61%) to indicate that they don t know if their company carries Cyber Insurance. Those at smaller companies with 500 or fewer employees are more likely to know whether or not they carry Cyber Insurance (43% don t know vs. 80% of those with more than 500 employees). Question 14 Does your company carry Cyber Insurance? (Base=Total = 300; Financial services=100; Insurance=100; Tech/IT=100) 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% Company Carries Cyber Insurance 77% 69% 69% 61% 20% 22% 17% 17% 13% 14% 10% 11% Yes No Don't know Total Financial Services Insurance Tech/IT 27 Copyright 2016 BAE Systems. All Rights Reserved.

28 Nearly all (98%) use any of the listed methods to help prevent information systems breaches. Most used are a firewall (97%) and antivirus software (95%), followed by data encryption (87%). Four in five (80%) use employee information security awareness training, while three-quarters (73%) use a cyber intrusion detection system Question 15 Which, if any, of the following methods does your company use to help prevent information systems breaches? (Base=Total = 300; Financial services=100; Insurance=100; Tech/IT=100) Methods Used to Prevent Information Systems Breaches Any (Net) Firewall Antivirus software Data encryption Employee information security awareness training Cyber intrusion detection system 98% 99% 96% 100% 97% 96% 96% 99% 95% 95% 93% 98% 87% 85% 87% 89% 80% 82% 84% 75% 73% 72% 72% 76% 0% 20% 40% 60% 80% 100% Total Financial Services Insurance Tech/IT 28 Copyright 2016 BAE Systems. All Rights Reserved.

29 Nearly all (95%) use antivirus software, regardless of industry. Use of Antivirus Software Total 4% 1% 95% Question 15 Which, if any, of the following methods does your company use to help prevent information systems breaches? Financial Services 5% 95% (Base=Total = 300; Financial services=100; Insurance=100; Tech/IT=100) Insurance 4% 3% 93% Tech/IT 2% 98% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Don't know Do not use Use 29 Copyright 2016 BAE Systems. All Rights Reserved.

30 Three-quarters (73%) use a cyber intrusion detection system, that is a hardware or software application that monitors network or system activities for malicious activities or policy violations. Findings were similar among industry Use of Cyber Intrusion Detection System Question 15 Total 21% 5% 73% Which, if any, of the following methods does your company use to help prevent information systems breaches? Financial Services 23% 5% 72% (Base=Total = 300; Financial services=100; Insurance=100; Tech/IT=100) Insurance Tech/IT 18% 23% 6% 5% 72% 76% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Don't know Do not use Use 30 Copyright 2016 BAE Systems. All Rights Reserved.

31 Nearly all (97%) use a firewall, regardless of industry Use of a Firewall Total 2% 1% 97% Question 15 Which, if any, of the following methods does your company use to help prevent information systems breaches? Financial Services Insurance 4% 2% 2% 96% 96% (Base=Total = 300; Financial services=100; Insurance=100; Tech/IT=100) Tech/IT 1% 99% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Don't know Do not use Use 31 Copyright 2016 BAE Systems. All Rights Reserved.

32 Four in five (80%) use employee information security awareness training. Findings are similar across industry. Those at larger companies are more likely to use employee information security awareness training (89% of those with more than 500 employees vs. 61% of those with 500 or fewer). Use of Employee Information Security Awareness Training Question 15 Total 6% 14% 80% Which, if any, of the following methods does your company use to help prevent information systems breaches? Financial Services 4% 14% 82% (Base=Total = 300; Financial services=100; Insurance=100; Tech/IT=100) Insurance Tech/IT 6% 7% 10% 18% 84% 75% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Don't know Do not use Use 32 Copyright 2016 BAE Systems. All Rights Reserved.

33 Nine in ten (87%) use data encryption, regardless of industry. Significantly more larger companies use data encryption (91% of those with more than 500 employees vs. 77% of those with 500 or fewer). Use of Data Encryption Question 15 Total 7% 6% 87% Which, if any, of the following methods does your company use to help prevent information systems breaches? Financial Services 10% 5% 85% (Base=Total = 300; Financial services=100; Insurance=100; Tech/IT=100) Insurance Tech/IT 6% 7% 5% 6% 87% 89% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Don't know Do not use Use 33 Copyright 2016 BAE Systems. All Rights Reserved.

34 Demographic/Firmographic Profile 34 Copyright 2016 BAE Systems. All Rights Reserved.

35 Demographic/Firmographic Profile Total Financial Services Insurance Tech/IT Total Financial Services Insurance Tech/IT Title/Role Manger Director VP/SVP Time with Company 5 years or less 6-10 years years years years More than 25 years Average (n=300) (n=100) (n=100) (n=100) (b) (c) (d) 64% 61% 64% 67% 23% 15% 26% 28%b 13% 24%cd 10% 5% 33% 31% 30% 39% 22% 30%d 19% 18% 17% 17% 19% 15% 11% 7% 10% 15% 6% 7% 8% 3% 11% 8% 14% 10% (n=300) (n=100) (n=100) (n=100) Number of employees (b) (c) (d) Under % 27% 20% 19% % 10% 7% 7% More than % 63% 73% 74% Gender Male 51% 48% 42% 64%bc Female 49% 52%d 58%d 36% Age % 64% 51% 52% 50 or older 44% 36% 49% 48% Average b Copyright 2016 BAE Systems. All Rights Reserved.

36 36 Copyright 2016 BAE Systems. All Rights Reserved. Thank You

37 BAE SYSTEMS Surrey Research Park Guildford Surrey GU2 7YP United Kingdom T: +44 (0) F: +44 (0) Unpublished Work Copyright 2016 BAE Systems. All Rights Reserved. BAE SYSTEMS, the BAE SYSTEMS Logo and the product names referenced herein are trademarks of BAE Systems plc. The information in this document contains proprietary information of BAE Systems. Neither this document nor any of the proprietary information contained therein shall be (in whole or in part) published, reproduced, disclosed, adapted, displayed, used or otherwise made available or accessible (in each case, in any form or by any means) outside of BAE Systems without the express written consent from the document originator or an approved representative of BAE Systems. BAE Systems Applied Intelligence Limited registered in England and Wales Company No with its registered office at Surrey Research Park, Guildford, England, GU2 7YP. 37 Copyright 2016 BAE Systems. All Rights Reserved.