Security deficits in an interconnected world Key findings from The Global State of Information Security Survey 2015

Transcription

1 Security deficits in an interconnected world Key findings from The Global State of Information Security Survey 2015 It will come as no surprise to most financial services executives that information security incidents are continuing to rise, as are the costs of these intrusions. Others disregard essential governance, operational processes, and people capabilities that enable rapid detection and response to compromises. As regulators around the world move to tighten compliance requirements for financial services organizations, improvements in these security practices will become increasingly essential to safeguard data as well as ensure compliance with global regulatory bodies. International financial services firms are at greater risk than ever, and by all estimates those threats will only increase, says Joe Nocera, a Principal in PwC s Cybersecurity Practice. That s why global organizations should prioritize their investments based upon risk focusing on the most critical business assets. Then they can strategically invest in the right combination of security processes, technologies, and awareness and training programs. In today s world, it s not a matter of if an incident will happen but rather when, and firms must be prepared to respond. In the past two years, sophisticated cyber adversaries around the world have launched powerful distributed denial of service (DDoS) attacks against banks, siphoned off billions of dollars from deposit accounts, stolen millions of payment card records, and infiltrated many national stock exchanges. Despite these attacks, many global financial services companies have not implemented the right processes and technologies to ent, detect, and respond to security risks. In particular, many do not adequately address threats from third parties and insiders like employees and partners with trusted access. In other words, it s no longer possible to protect all data, networks, and applications at the highest level, but a proactive cybersecurity program will enable financial services firms to prioritize protection and more quickly react to incidents that are all but inevitable. // 1

2 Yet security spending has not kept pace, particularly among smaller businesses. Detected incidents have maintained a steady upward momentum. The Global State of Information Security Survey 2015 (GSISS) shows that, among 758 global financial services respondents, the number of detected incidents we define a security incident as any adverse incident that threatens some aspect of computer security increased 8% this year over. GSISS 2015: results at a glance Click or tap each title to view data 5K 4,628 4,978 Incidents Sources of incidents Security spending The costs of security incidents jumped 24%, with big losses leading the way 4K $ 3.4M The number of financial firms reporting losses of $10 million to $19.9 million increased by a head-turning 141% over last year. 3K $ 2.7M 3M 2M 1M Average number of detected incidents Estimated total financial losses // 2

3 Yet security spending has not kept pace, particularly among smaller businesses. Detected incidents have maintained a steady upward momentum. The Global State of Information Security Survey 2015 (GSISS) shows that, among 758 global financial services respondents, the number of detected incidents we define a security incident as any adverse incident that threatens some aspect of computer security increased 8% this year over. GSISS 2015: results at a glance Click or tap each title to view data 50% 44% Incidents Sources of incidents Security spending The costs of security incidents jumped 24%, with big losses leading the way The number of financial firms reporting losses of $10 million to $19.9 million increased by a head-turning 141% over last year. 40% 30% 33% 25% 28% 36% 26% 20% 11% Current employees Former employees Hackers Competitors // 3

4 Yet security spending has not kept pace, particularly among smaller businesses. Detected incidents have maintained a steady upward momentum. The Global State of Information Security Survey 2015 (GSISS) shows that, among 758 global financial services respondents, the number of detected incidents we define a security incident as any adverse incident that threatens some aspect of computer security increased 8% this year over. GSISS 2015: results at a glance Click or tap each title to view data Large organizations Revenues more than $1B Small organizations Revenues less than $100M 15.4% 14.7% Incidents Sources of incidents Security spending 15 % $ 11.3M The costs of security incidents jumped 24%, with big losses leading the way $ 10.7M 12% The number of financial firms reporting losses of $10 million to $19.9 million increased by a head-turning 141% over last year. 9M 6M Small organizations Revenues less than $100M Medium organizations Revenues $100M $1B $ $ 2.6M 2.2M Medium organizations Revenues $100M $1B 3.6% 3.3% Large organizations Revenues more than $1B 3.3% 3.7% 9% 3M $ 1.0M $ 0.6M Average annual IS budget IS spend as percentage of IT budget // 4

5 While security events and costs continue to escalate, security spending has not kept pace, particularly among smaller businesses. Globally, investments in information security inched up 3% over the year before. And while financial firms invested more heavily in recent years, security spending has been stalled at less than 4% of the total IT budget for the past seven years. Security breaches not only impact a financial institution s bottom line, but also its reputation, brand, and intellectual property. Executive teams and boards can no longer afford to view cyber security as merely a technology problem, says Stephen Russell, Managing Director at PwC. The cost of defending against cyber threats has risen sharply and regulators are focusing on how well financial institutions are defending themselves against these threats. Due to a lack of investment, many financial firms are falling behind in implementing up-to-date processes and tools to detect and respond to today s evolving security threats. Year-over-year, we saw a lack of progress and in many cases, significant attrition in the use of secure access controls, risk and vulnerability assessments, threat monitoring and analysis, thirdparty security safeguards, and employee awareness and training programs, to name a few. 1 2 In analyzing this year s GSISS responses, we identified five critical areas that financial services firms should consider. Addressing these issues can help financial firms better detect and defend against threats and increase their cyber resiliency. Executive and Board support for security New regulatory requirements 3 Third-party risks 4 Insider incidents 5 Over-reliance on technology // 5

6 Falling behind in security safeguards 66% 73% 61% 64% 59% 74% 59% 67% Secure access-control measures Threat assessments Active monitoring/analysis of information security intelligence Require third parties to comply with our privacy policies 59% 63% 58% 65% 58% 67% 58% 71% Penetration testing Vulnerability assessments Risk assessments on internal systems Intrusion-detection tools 57% 66% 57% 71% 57% 63% 56% 60% Employee awareness and training program Security audits Incident response-process to report and handle breaches to third parties that handle data Risk assessments on thirdparty vendors // 6

7 Cybersecurity is no longer simply an IT concern. Today, it is a critical business issue that demands the attention and the active stewardship of the Chief Executive Officer and the Board of Directors. To be effective, cybersecurity should be integrated into the firm s overall enterprise risk-management framework, and the CEO and Board should own the responsibility for managing cyber resiliency. We consider institutions to be cyber-resilient when they have a comprehensive, well-crafted, cyber-risk management program in place with management held accountable for the program s performance and results, says Stephen Russell, Managing Director at PwC. Senior executives should establish a strong culture of security and cyber resilience by setting an affirmative tone at the top. Doing so will demand that executives proactively communicate the importance of security across the enterprise, a practice that 71% of financial services respondents say they have implemented. Beyond that, executive leaders should engage the Board in the discussion and management of cybersecurity risks. Board participation is essential to reaching an appropriate decision on the level of cyber risk an organization will accept and to building responses around those parameters. It also can be a key factor in ensuring that security practices are adequately funded an approach that most financial firms do not pursue. Only 44% of respondents say their Boards are involved in setting security budgets. Beyond the Board, risk-based cybersecurity will require crossfunctional cooperation between leaders from IT, security, legal counsel, risk management, finance, and human resources. This team should meet regularly to coordinate and communicate information security issues, a practice that 56% of financial services respondents say they have implemented. How Boards participate in security Overall security strategy Security budget Security policies Review of security and privacy risks Security technologies 26% 33% 37% 44% 50% Most firms have not done so. We know because we asked survey respondents to detail how their Boards participate in cybersecurity initiatives. The responses are telling Only one-third (33%) of respondents say their Board is involved in the review of security and privacy risks, a number that is particularly low given the criticality of enterprise-wide cyber-risk awareness. 20% 23% Review roles and responsibilities of security organization Review of security and privacy testing // 7

8 Recent actions by industry regulators in the US and Europe have signaled they may require proof that financial services firms have implemented a robust security program. These types of regulatory guidance and requirements will very likely intensify in the future. What it may take to pass a security exam 100% Consider, for instance, the European Union General Data Protection Regulation, which is on track to be finalized in The regulation is expected to add new requirements for breach notification to individuals, require organizations that handle personal data to conduct risk assessments and audits, and increase fines for compromised businesses. 1 Other regulatory bodies have announced intentions to assess financial institutions for risk vulnerability and riskmitigation policies and procedures. 2 71% 66% 66% 61% 60% 58% 57% 57% 57% 51% 80% 60% 40% 1 Vormetric Data Security, Security measures to go under spotlight as new Data Protection Directive approaches, July 8, 2 PwC, Understanding and preparing for OCIE cybersecurity exams, May Incidentmanagement response process Business continuity/ disaster recovery plans Secure access-control measures Threat assessments Privileged user access Patchmanagement tools Employee Encryption of security smartphones awareness training program Security-event correlation tools Have cyber insurance // 8

9 Guidance from the US Securities and Exchange Commission (SEC) suggests that US financial services firms should seriously consider investing in cyber insurance. In fact, the Commission included cyber insurance on its list of possible factors that may be used in examinations. What s more, the SEC goes so far as to indicate that financial services firms should be prepared to undergo examinations to actually prove their preparedness. In other words, traditional checkthe-box regulatory compliance is no longer sufficient. Firms must become more strategic because, in the near future, regulators may dictate a robust framework for cybersecurity. Regulators may also expect financial services organizations to share threat intelligence and response tactics across the organization as well as with private and public-sector partners. Many financial firms around the world already participate in the Financial Services Information Sharing and Analysis Center (FS ISAC), a global forum that was formed in Among survey respondents, 62% say they collaborate with others to improve security, a considerable gain over last year (55%). Using leading industry frameworks such as ISO or the NIST Cybersecurity Framework as a guide, many survey respondents do not appear capable of passing security examinations. Doing so will require that financial firms build a thorough risk-based cybersecurity practice that includes the following capabilities:»» A culture of security led by the C-suite and Board»» An incident response plan that is regularly tested»» Assessment and monitoring of third-party partners for security risks Such collaborations have indirectly led to new types of security preparedness, including industry-wide exercises that simulate cyber attacks on financial institutions and enable participants to work together and share response tactics. Reaching beyond enterprise boundaries to share threat intelligence and response insights is an effective way to advance security. It s also an initiative that financial firms may be judged on in future security exams.»» Advanced threat intelligence and analysis to understand business-specific threats»» Assessment of the role of cyber insurance»» Basic security fundamentals such as strong organizational governance processes and ongoing employee awareness programs // 9

10 Financial institutions are increasingly worried about their ability to combat threats that can arise from sharing networks and data with business partners, service providers, contractors, and suppliers. As recent high-profile breaches so unequivocally proved, third-party partners with access to networks and data can generate serious negative publicity and reputational harm, not to mention crippling financial losses. Key gaps in third-party security 62% 59% 57% 57% 55% 55% 100% 80% For threat actors, partners and supply chains represent a weak link through which they can gain access to a financial firm s network and data for quick monetary payoff. More farsighted adversaries may infiltrate an organization s third-party partners as a means to gain a foothold on the financial services firm s ecosystem for long-term exfiltration of business plans, financial documents, and trade secrets. 60% 40% Established security/ baselines/standards for external partners/customers/ suppliers/vendors Require third parties (including outsourcing vendors) to comply with our privacy policies Incident response-process to report and handle breaches to third parties that handle data Inventory of all third parties that handle personal data of employees and customers Conduct compliance audits of third parties that handle personal data of customers and employees Risk assessments on third-party vendors // 10

11 Banks have sustained large losses both in dollars and in public confidence as a result of successful attacks on interrelated third parties, such as major retailers, said Thomas J. Curry, US Comptroller of the Currency, at a recent Risk Management Association (RMA) conference. I ve been heavily focused on this particular type of operational risk because of the pace at which it is increasing and because of its potential to undermine confidence in our institutions. 3 Monitoring and detecting unauthorized activity by third parties and supply chains can be difficult because their employees often have trusted access to a financial firm s facilities, systems, and data. The situation becomes particularly hazardous when the security capabilities of third parties do not meet the stringent requirements of the financial services firm. It s a risk that is familiar to many financial firms participating in our survey. This year, 41% of respondents say they detected security incidents perpetrated by current and former service providers, contractors, consultants, and suppliers. While many financial services companies have detected third-party compromises, most have done very little to protect themselves. Consider, for instance, that fewer than two-thirds (62%) of respondents have established security baselines and standards for external partners, suppliers, and vendors. Just 59% require business partners to comply with their privacy policies. In essence, these firms have not taken even the most basic steps to ensure third-party security. Only 34% of financial services respondents say they have assessed the security of third-party outsourcers over the past 12 months. Roughly the same number (33%) report that they began monitoring fourth-party relationships over the past year. If the security practices of third-party partners are lacking, those even farther down the chain may represent an event more dangerous unknown. We believe that increased investment in third-party security is critical to closing this security gap. Yet when we asked respondents to name their top security spending priorities for the coming year, only 43% said they would boost budgets for monitoring and testing of business partners and vendors. While this suggests that financial firms are starting to understand the importance of third-party security, it s also worth noting that it represented the least-cited spending priority. 3 Office of the Comptroller of the Currency, remarks by Thomas J. Curry, Comptroller of the Currency, May 8, // 11

12 The number of incidents attributed to insiders current and former employees, in particular increased substantially this year, even as the readiness of financial firms to manage these risks diminished. 28% 44% Almost half (44%) of respondents attribute security incidents to existing staff, making current employees the most cited source of incidents; the second most frequently mentioned perpetrator is former employees, at 28%. The increase in insider incidents portends potentially serious implications. In the US State of Cybercrime Survey, we found that almost one-third (32%) of respondents said insider crimes are more costly or damaging than incidents perpetrated by outsiders. 4 In part, that s because internal threat actors hold the advantage since they are more likely to know where valuable data is stored and what processes and technologies are in place to protect this information. It s not that financial services employees are overwhelmingly careless or malicious, however. Increasingly, external threat actors leverage social engineering to steal credentials of employees with privileged access to data and networks, then use that information to infiltrate the financial firm s networks. More universal deployment of tools to monitor user access and activity would help organizations detect this type of compromise. Insider cybercrimes get less attention in the press, and they also appear to be off the radar of financial services companies. Many firms do not have an insider-threat program in place, which leaves them unprepared to ent, detect, and respond to insider threats. Employees and managers are critical to an insider-threat management program because they are often in a position to notice suspicious behavior or risk indicators. Consequently, employee training forms the spine of an effective security program. So it s a bit alarming that the percentage of respondents who say their organization has an employee training and awareness program dropped to 57%, from 66% the year before. It s good news, however, that almost half of respondents (49%) say they plan to increase their investment in employee awareness in the coming year. 4 US State of Cybercrime Survey, co-sponsored by CSO magazine, CERT division of the Software Engineering Institute at Carnegie Mellon University, PwC, and US Secret Service, March April // 12

13 Tools to manage insider threats 63% 60% 60% 59% 57% Conduct personnel background checks Unauthorized use/accessmonitoring tools Security strategy for employee use of personal devices on the enterprise User-activity monitoring tools Employee security awareness training program 57% 56% 53% 53% 48% Audit/monitor user compliance with security policy Data loss ention (DLP) tools Security technologies supporting Web 2.0 exchanges such as social networks, blogs Security strategy for social media Behavioral profiling and monitoring // 13

14 Many financial services firms view technology solutions as the best bet to protect their networks and data. Truth is, sophisticated cyber adversaries are often in the vanguard of innovation, and are constantly working to circumvent technologies as solutions vendors develop them. Essential governance and operational processes 71% 69% 59% 58% 57% 57% 57% 56% 80% That s why financial services organizations should ensure that technology solutions are deployed on top of a foundation of sound governance, operational processes, and people skills.consider, for instance, detection and analysis of cyber threats. Tools to identify and analyze threats are critical, but timely mitigation of incidents will also demand up-to-date response processes and properly trained personnel. 52% 60% 40% Acting upon alerts triggered by technology tools will require that key stakeholders receive immediate reports that enable them to proactively and quickly respond. An effective response will be best accomplished through the development of prepared responses, or playbooks, that provide step-by-step guidelines on roles, responsibilities, and actions. These playbooks should be frequently tested so that security and operational personnel are wellprepared to quickly mitigate incidents. Incidentmanagement response process Classification of business value of data Risk assessments on internal systems Program to identify sensitive assets Incident response-process to report & handle breaches to third parties Procedures dedicated to protecting intellectual property Security audits In an era in which cyber compromise is virtually certain, a coordinated approach to incident response is critical to the bottom line, as well as reputation and compliance. So it s a bit surprising to find that 29% of survey respondents have no incident response process. It s also worrisome that one-third say they have no business continuity/disaster recovery plans to ensure operations are quickly returned to normal with minimum disruption. Risk assessments on third-party vendors Governance, risk, and compliance tools // 14

15 As incidents continue to proliferate, it s becoming clear that cyber risks can never be completely eliminated. Protective measures remain important, of course, but processes and tools to detect, analyze, and respond to incidents are key to cyber resiliency and to the ongoing success of any financial services business. To make this adjustment, financial services firms should reposition their security strategy by more closely linking technologies, processes, and tools with the firm s broader riskmanagement activities. Doing so will result in a cyber-resilient program that can effectively manage risks based on the business s tolerance for risk. Five questions you should ask How much revenue would we lose if our business processes were impacted by a cyber event? Do we have capabilities to quickly respond to a cyber attack? Have we identified our most critical business assets and do we understand their value to our adversaries? Do we know where to invest to reduce cyber risks? Is the business resilient enough to survive a cyber attack? // 15

16 To have a deeper conversation about cybersecurity, please contact: United States Shawn Connors Principal shawn.connors@us.pwc.com Christopher Morris Principal christopher.morris@us.pwc.com Joe Nocera Principal joseph.nocera@us.pwc.com Stephen Russell Managing Director stephen.j.russell@us.pwc.com Andrew Toner Principal andrew.toner@us.pwc.com Prakash Venkata Managing Director prakash.venkata@us.pwc.com // PwC helps organisations and individuals create the value they re looking for. We re a network of firms in 157 countries with more than 184,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PwC does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see for further details. The Global State of Information Security is a registered trademark of International Data Group, Inc. // 16