20+ At risk and unready in an interconnected world

Transcription

1 At risk and unready in an interconnected world Key findings from The Global State of Information Security Survey 2015 Cyber attacks against power and utilities organizations have transitioned from theoretical to indisputable. Over the past year, sophisticated cyber adversaries have infected the industrial control systems of hundreds of energy companies in the US and Europe; others successfully infiltrated a public utility via the Internet and compromised its control system network. The volume of incidents increased dramatically in the past year. respondents to The Global State of Information Security Survey (GSISS) 2015, report the average number of detected incidents skyrocketed to 7,391, a six-fold increase over the year before. (We define a incident as any adverse incident that threatens some aspect of computer.) Yet as attempts to compromise supervisory control and data acquisition (SCADA), industrial control, and information technology systems have soared, information spending has not kept pace. respondents say spending in increased by a comparatively modest 9%. In, by contrast, survey respondents reported a significant 25% boost in investments, which very well may account for a portion of this year s increase in detected incidents. After all, organizations that spend more on typically discover more incidents. 20+ Detected incidents soared to more than 20 per day, per organization // 1

2 Even though businesses have invested more heavily in ious years, spending has been stalled at 4% or less of the total IT budget for the past five years. GSISS 2015: results at a glance Click or tap each title to view data Incidents Sources of incidents Security spending This lack of investment in has very likely contributed to attrition of key capabilities, including fundamental strategies, processes, technologies, and awareness programs. We also found some noteworthy improvements in practices, but it s worth pointing out that these advances were fewer and comparatively incremental. 8K 7,391 6K 3M $ 2.4M 4K 2M All things considered, many power and utilities companies seem to be unready for the increasing risks of today s interconnected world. 1,179 $ 1.2M 1M Average number of detected incidents Estimated total financial losses // 2

3 Even though businesses have invested more heavily in ious years, spending has been stalled at 4% or less of the total IT budget for the past five years. GSISS 2015: results at a glance Click or tap each title to view data Incidents Sources of incidents Security spending This lack of investment in has very likely contributed to attrition of key capabilities, including fundamental strategies, processes, technologies, and awareness programs. We also found some noteworthy improvements in practices, but it s worth pointing out that these advances were fewer and comparatively incremental. 40% 37% 38% 31% 30% 29% 30% All things considered, many power and utilities companies seem to be unready for the increasing risks of today s interconnected world. 20% 17% 20% 14% Current employees Former employees Hackers Current service providers/ consultants/contractors // 3

4 Even though businesses have invested more heavily in ious years, spending has been stalled at 4% or less of the total IT budget for the past five years. GSISS 2015: results at a glance Click or tap each title to view data Incidents Sources of incidents Security spending This lack of investment in has very likely contributed to attrition of key capabilities, including fundamental strategies, processes, technologies, and awareness programs. We also found some noteworthy improvements in practices, but it s worth pointing out that these advances were fewer and comparatively incremental. 4M $ 3.4M $ 3.7M 3M 6% 4.0% 3.9% 2M 4% All things considered, many power and utilities companies seem to be unready for the increasing risks of today s interconnected world. 2% Average annual IS budget IS spend as percentage of IT budget // 4

5 The primary threat actors those who perpetrate incidents remained relatively constant in the past year. Current and former employees are once again the most-frequent culprits of incidents, cited by 38% and 30%, respectively, of respondents. While incidents caused by employees often fly under the radar of the media, those committed by organized crime groups, activists, and nation-states typically do not. Attacks by these threat actors remain among the least frequent, but they are also among the fastest-growing incidents. 10% 14% Often these groups employ powerful distributed denial of service (DDoS) attacks in an attempt to embarrass organizations for social or political ends, rather than to exfiltrate data or intellectual property. Similarly, the number of respondents who cited organized criminals as the source of attacks increased 31% over last year. Cyber incidents attributed to nation-states continue to garner the lion s share of attention. This year, 14% of respondents attributed incidents to activists and hacktivists, a 40% jump over. They are keenly interested in energy, and they often target critical infrastructure providers and suppliers to steal IP and trade secrets as a means to advance their own political and economic advantage. This year, incidents attributed to nation-states more than doubled over. Given the ability of nation-state adversaries to carry out attacks without detection, we believe the volume of compromises is very likely under-reported. // 5

6 The fastest-growing sources of incidents Increase over 118% 48% 40% 31% Foreign nation-states Information brokers Activists/activist organizations/hacktivists Organized crime Security executives of power and utilities companies have told us that they also see -incident patterns in which criminals seem to be indiscriminately exploring the network to find any data of any value. Once they find data, they quickly siphon it off and try to sell it. That, in part, may account for the 43% rise in respondents who report that data was exploited as a result of incidents, the most cited impact. // 6

7 While the number of detected incidents increased dramatically, organizations say the financial impact of these compromises lessened. respondents say total financial losses resulting from incidents declined to an average of $1.2 million, a 51% drop over. This finding seems counter-intuitive, given the huge upsurge in detected compromises. In part, the discrepancy may be attributed to the 25% rise in spending in, which may have enabled organizations to more quickly detect and mitigate incidents before they caused real financial harm. Another explanation may be that, while adversaries have been able to gain access to power and utilities companies networks, they are typically stopped before they can wreak havoc on operational and SCADA systems. And unlike the retail sector, which has been hit by a barrage of breaches, power and utilities companies hold comparatively few payment card records and therefore are not liable for costly mitigation of card theft and customer data. We also looked into how power and utilities respondents calculate the financial consequences of incidents, and found that many do not consider a full range of possible impacts, including costs associated with legal defense fees, court settlements, forensics, and reputational damage. // 7

8 As risks to IT, operational, and connected-field assets continue to rise, some power and utilities companies may need to take a more strategic approach to information. At the core of this initiative should be a riskbased cyber program that enhances the ability to identify, manage, and respond to privacy and threats. It all starts with an information strategy or at least it should. However, we found the number of organizations that have an overall information strategy dropped to 70% this year, down from 79% in. Moreover, those that have a strategy that is aligned with the specific needs of the business declined to 45%, from 65% last year. An effective strategy will allocate spending to the assets that are most valuable to the business. respondents show a more solid, if incomplete, commitment in this area: 62% say their investments are allocated to the organization s most profitable lines of business. companies seem to be falling short of the fundamentals: Only 54% say they have a unified and controls framework and/or enterprise riskmanagement framework to address cyber risks. Last year that number was 61%. A basic tenet of an effective information strategy is that it should be founded on risk management. A strategic approach is lacking // 8

9 70% 79% 57% 65% 59% 56% Many key safeguards weaken Have information strategy Secure access-control measures Patch-management tools 55% Intrusion-detection tools 50% 54% 66% Privileged user access 55% 49% 68% 63% 63% 55% Vulnerability scanning tools 39% 48% Before resources can be allocated, however, it will be necessary to first identify the organization s most valuable assets and determine who owns responsibility for them. This is an area in which we found great potential for improvement: Only 54% of respondents have a program to identify sensitive assets, and the same number (54%) have an inventory of all third parties that handle personal data of customers and employees. Inventory of all third parties that handle personal data of employees and customers 47% 57% Active monitoring/analysis of information intelligence 50% 44% Risk assessments of third-party vendors 58% 43% Cyber and privacy should be embedded into an organization s core, with a top-down commitment to and ongoing employee training programs. Employee awareness and training program 43% 56% Security-event correlation tools Established standards for external partners, suppliers, vendors and customers Require employees to complete privacy training The number of organizations that have employee -awareness training programs (47%) actually declined over last year, as did those that require personnel to complete training on privacy practices and policies (43%). Considering that employees are the leading source of incidents, we believe that training should be universal and that accountability should cascade from the C-suite to every employee and thirdparty vendor and supplier. A strategic approach is lacking // 9

10 Strategic processes are often lacking 45% 61% 65% 65% 54% 52% 54% 54% 45% 46% 36% 33% Program to identify sensitive assets Have a unified and controls framework for cyber risks Information strategy is aligned with specific business needs A senior executive communicates importance of to entire enterprise Collaborate with others to improve Have cyber insurance An effective program will require top-down commitment and communication. Yet fewer than half (46%) of organizations have a senior executive who communicates the importance of information to the entire enterprise. That s a substantial drop from last year (65%) and demonstrates that the executive team may not be taking adequate ownership of cyber risks. To do so, senior executives should proactively ensure that the Board of Directors understands how the organization will detect, defend against, and respond to cyber threats. Despite all the discussion following high-profile retailer breaches, many power and utilities companies have not elevated to a Board-level discussion. Consider, for instance, that only 26% of respondents say their Board of Directors participates in the overall strategy. Fewer (23%) say their Board is involved in reviews of current and privacy risks a crucial component of any effective program. The area in which Boards are most likely to participate is the budget (40%). Finally, cyber threats, technologies, and vulnerabilities are evolving at lightning speed, and sharing information among public and private entities has become central to a strong cyber program. More than half (55%) of overall survey respondents across industries say they collaborate with others to share intelligence and tactics. Among power and utilities sector, however, the number of organizations that collaborate sank to 36% this year, a sharp drop over. A strategic approach is lacking // 10

11 This year s survey indicates that power and utilities organizations are falling behind in key practices. For many, it may be necessary to reposition the strategy by more closely linking technologies, processes, and tools with the organization s broader risk-management activities. International standards provide a good measure to gauge preparedness and build a strong cyber program. Some of the most widely used include ISO/IEC 27001, COBIT 5, and ISA A new set of guidelines from the US National Institute of Standards and Technology (NIST) compiles these global standards into one framework, providing an up-to-date model for implementing and improving risk-based. The voluntary NIST Cyber Framework, which targets critical infrastructure providers and suppliers, has been adopted by 11% of US power and utilities respondents; an additional 22% say adoption is a future priority. This comparatively low implementation rate is not necessarily discouraging; it s a matter of timing. The Framework was released in February, and our survey was conducted from March 27, to May 25,, giving organizations little time to embrace the Framework. 22% 11% Among those that have, most (54%) say they have leveraged the Framework to determine their risk based on Implementation Tiers, which are designed to help companies understand the maturity of their current cyber risk-management capabilities. It seems very likely that organizations with mature practices may have adopted some of the Framework s controls and standards, while not formally implementing the entire set of guidelines. No matter whether companies have adopted the Framework fully or partially, it seems to be elevating the discussion on cyber. We believe that organizations across industries and even geographies can gain significant benefits by adopting the guidelines at the highest possible risk-tolerance level. As the world s sophisticated organized criminals and nation-states devise new ways to compromise systems and steal intellectual property of power and utilities companies, the Framework provides the right foundation for proactive, risk-based cyber. // 11

12 The convergence of information, operational, and consumer technologies will very likely introduce tremendous benefits for businesses and significant conveniences for their customers. It also will create a new world of risks, a possibility that power and utilities respondents are beginning to address. In fact, 25% of respondents say they have already implemented a strategy for the convergence of information, operational, and consumer technologies, most often referred to as the Internet of Things. An additional 27% say they are working on a strategy. When asked to name primary drivers for spending, this year 17% of respondents cited modernization of field assets such as IP-connected process control systems, compared with 6% last year. This increased focus on connected field assets suggests that power and utilities respondents are gearing up for the Internet of Things. // 12

13 To have a deeper conversation about cyber, please contact: United States Brad Bauch Principal brad.bauch@us.pwc.com Darren Highfill Director darren.highfill@us.pwc.com // PwC helps organisations and individuals create the value they re looking for. We re a network of firms in 157 countries with more than 184,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PwC does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see for further details. The Global State of Information Security is a registered trademark of International Data Group, Inc. // 13