Improving cyber readiness in an interconnected world Key findings from The Global State of Information Security Survey 2015
- Susanna Cunningham
- 8 years ago
Technology organizations tend to have comparatively robust and mature cybersecurity programs. It makes sense, given that many have been in the vanguard of developing the systems and tools that have forever altered how businesses operate, market products, and interact with customers.

The bad news? Cyber-threat actors seem to have the advantage. Consider the following:

- In the past year, hackers infiltrated the servers of a global software company and stole not only source code but also personal information of tens of millions of customers.
- Computers of prominent multinational Internet companies were d as a result of watering-hole attacks.
- Hackers employed key-logging software to steal the user credentials of more than 2 million social media and accounts from companies that dominate the Web.
- A prominent social networking and entertainment website was taken down by a massive distributed denial of service (DDoS) attack.
- And European Internet service providers were prominent targets of an extremely complex and stealthy espionage tool that has been in use for more than six years.
These are just a few of many attacks against technology companies in the past 12 months. While many breaches resulted in theft of customer information, others were more maleficent in intent. Increasingly, cyber criminals target technology companies to lift intellectual property, sabotage websites and reputations, and modify source code. The result has been worldwide negative publicity, loss of shareholder value, reduced profits, and millions of dollars in breach-mitigation expenses, not to mention an erosion of customer trust.

"Businesses and people are becoming more and more connected and empowered by technology, and technology companies in particular, and the customers they serve and products and services they produce, are becoming increasingly valuable targets," says Mark Lobel, Principal in PwC's Advisory practice focused on cybersecurity and privacy. At the same time, the complexities of the global business ecosystem and the evolving threat and compliance landscape are forcing technology companies to re-imagine security. To do so, organizations should invest in security personnel, processes, and technologies that address holistic information security strategies and go beyond outdated, ineffective security models.

Clearly, it's no longer possible to protect all data, networks, and applications at the highest level. But a proactive cybersecurity program will enable businesses to prioritize protection and more quickly react to attacks that are all but inevitable, even against the most tech-savvy of businesses.

[Figure: GSISS 2015: results at a glance. Incidents panel: average number of detected incidents; estimated total financial losses.]
[Figure: GSISS 2015: results at a glance. Sources of incidents panel: current employees, former employees, hackers, competitors.]
[Figure: GSISS 2015: results at a glance. Security spending panel: average annual information security budget; information security spend as percentage of IT budget.]
Technology companies are detecting fewer incidents, despite evidence that attacks are rising across industries.

The Global State of Information Security Survey (GSISS) 2015 shows that the technology sector leads most industries in implementation of the technologies, processes, and personnel skills that are vital to protecting data and quickly responding to incidents. But even among these technologically sophisticated companies, there are troubling trends.

Our survey of 1,892 technology industry executives reveals that respondents reported 17% fewer security incidents in the past year despite overwhelming evidence that insider as well as targeted threats continue to multiply. (We define a security incident as any adverse incident that threatens some aspect of computer security.) Against a global backdrop of escalating cyber attacks, this finding seems counter-intuitive.

One explanation might be that technology companies boosted security spending by a hefty 39% in, which may have enabled them to implement solutions and processes to help prevent attacks. What's more, as businesses deploy monitoring and logging technologies they will detect more incidents that are benign and do not result in costly damage. Another interpretation may lie in the increased use of outsourced or cloud services, which is shifting some responsibility and potentially making it more difficult to gain visibility into events.

Taking another view, one might assume that technology companies are simply not detecting many incidents. Today's sophisticated adversaries, particularly foreign nation-states and organized crime, make it their business to carry out sustained attacks without detection. Consequently, the volume of incidents may very well be under-reported.

Information security d significantly this year, particularly among smaller businesses.
If the decrease in incidents leaves room for interpretation, there is no positive way to spin the steep 21% decrease in information security spending in. Looking at security spending by company size sheds some light on the spending patterns. Small companies (those with revenues of 100 million or less) reduced security spending by 36% in, while large companies (revenues of 1 billion or more) trimmed investments by 9%. Medium-size firms (revenues of 100 million to 1 billion) reported a 3% drop in security budgets.

The decreased commitment to information security among small businesses is downright alarming and a bit puzzling. One explanation may be that small businesses often consider themselves unworthy of serious cyber adversaries. We could also posit that the over-abundance of security solutions has resulted in an "analysis paralysis" that has rendered small companies unable to take action. And the current shortage of experienced security professionals may mean that the most skilled candidates go to larger organizations with hefty budgets. Nonetheless, these declining investments in security do not bode well for future cyber readiness.

[Figure: Security budgets by company size.
- Small (revenues less than 100 million): 1.4 million, 893 thousand
- Medium (revenues 100 million to 1 billion): 3.6 million, 3.5 million
- Large (revenues more than 1 billion): 12.5 million, 11.3 million]
Incidents attributed to sophisticated threat actors are escalating.

Current and former employees are once again the most-frequent culprits of security incidents, cited by 36% and 32% of respondents, respectively. While s caused by employees often fly under the media radar, those committed by organized crime groups, activists/hacktivists, and nation-states typically do not. Attacks by these threat actors remain among the least frequent, but they are also the fastest growing.

Many businesses are particularly worried about attacks by nation-states, which often target tech companies to steal IP and trade secrets as a means to advance their own economic advantage. With good reason: Incidents attributed to nation-states soared by 80% over. The jump in nation-state incidents may also explain the rising theft of intellectual property, including source code of products and services, designs for products like chipsets and networking equipment, and proprietary manufacturing processes. This year, 42% of technology respondents report loss of intellectual property. Many, it seems, are not prepared: Almost half of tech respondents have no procedures in place to protect intellectual property.

Edward J. Snowden's disclosures of government surveillance have added a new adversary to the list of threat actors: domestic intelligence services. This year we included this option as a response to our question regarding the source of incidents, and 8% of technology respondents attributed incidents to domestic surveillance agencies, a rate that is higher than the global sample. In a finding that reflects the mood of the technology industry, almost two-thirds (65%) of respondents say they are somewhat or very concerned about government surveillance.

This type of espionage is prompting some businesses to reconsider their relationships with certain solutions providers. More than one-quarter of respondents (28%) say they are purchasing fewer products and services from technology companies based in certain nations, and 9% say they no longer procure products and services from those in specific countries. Given that this type of surveillance is most closely associated with the US, the implications for American technology companies are potentially serious.

Compromises by foreign nation-states are the fastest growing type of threats.
Many technology companies have not deployed basic identity and access technologies.

When it comes to cybercrime, many top executives know that security breaches by insiders (employees as well as contractors and business partners with trusted access) can be even more damaging than those attributed to external adversaries. In the US State of Cybercrime Survey, we found that almost one-third (32%) of respondents said insider crimes are more costly or damaging than incidents perpetrated by outsiders. [1] In part, that's because internal threat actors hold the advantage since they are more likely to know where valuable data is stored and what processes and technologies are in place to protect this information and prevent theft.

Nonetheless, many technology companies are still grappling with automated identity and access management, a fundamental tool for preventing and managing insider incidents. Consider, for instance, that just over half (53%) of respondents have implemented identity management tools and only 54% employ multifactor authentication. Other technologies that are central to managing access and monitoring employee behavior are also not adequately deployed.

Employees and managers are vital to insider-threat management because they are often in a position to notice suspicious behavior or risk indicators. Consequently, employee training forms the spine of an effective insider program. So it was worrisome to find that the percentage of organizations that have an employee training and awareness program dropped to 51% this year.

Internal threats represent a people issue, not a technology problem, and an insider-threat program cannot be addressed by the IT function alone. Effective management will require a disciplined, cross-functional approach that includes IT, information security, corporate security, human resources, legal counsel, audit, and privacy, as well as leadership from lines of business. Just half of technology respondents have a cross-functional team that coordinates security issues.

The increase in insider incidents, particularly among employees, could have critical implications for technology companies. Increasingly, external threat actors employ social engineering techniques such as spear phishing to steal credentials of employees with privileged access to data and networks, then use that information to infiltrate the company's network. Limiting and controlling access to key data assets is increasingly pivotal to information security and privacy.

Almost half of respondents have not implemented identity and access management tools.

[1] US State of Cybercrime Survey, co-sponsored by CSO magazine, CERT Division of the Software Engineering Institute at Carnegie Mellon University, PwC, and the US Secret Service, March-April
[Figure: Many companies lack tools to manage insider threats. Categories: have network access control software; user activity monitoring tools; have employee training and awareness program; have behavioral profiling and monitoring.]
More businesses are adopting cloud-based security services.

It's official: The cloud is now mainstream. This year 64% of technology respondents say they use some form of cloud computing. Tentative early implementations of cloud services have given way to large-scale deployments of business functions such as customer relationship management, talent management, payroll, and enterprise communications.

As organizations are becoming more familiar with the cloud and as cloud providers are maturing, the perception that providers' security practices are incapable of protecting sensitive data and mission-critical workloads is beginning to shift. In fact, our research shows that the majority of organizations that use cloud services report that doing so has improved their information security program.

In particular, we have seen growing interest in cloud-based identity and access management (IAM) solutions. While small and medium-size businesses were among the first to adopt cloud-based security as a means to extend their IAM capabilities, larger organizations are also beginning to embrace the concept, often as a replacement for on-premises solutions. In fact, 28% of respondents who employ cloud-based security are big businesses, while 19% are small.

No matter the size, enterprises that move sensitive data and mission-critical workloads to the cloud should do so following a carefully considered cloud strategy and due diligence. But many do not. In fact, only 52% of respondents have a security strategy for cloud computing, and just 54% perform risk assessments on third-party vendors, including cloud providers.

It was somewhat surprising to find that big enterprises are most likely to employ cloud services. More than three quarters (77%) of large companies employ cloud, as compared with 74% of medium-size businesses and 55% of small firms. Another intriguing finding: One in four technology respondents use cloud-based security services, a solution that is gaining favor as providers offer more sophisticated, secure services.

Large businesses are leading the way to the cloud and to cloud-based security services.

[Figure: Adoption of cloud computing by company size.
- Small (revenues less than 100 million): 55%
- Medium (revenues 100 million to 1 billion): 74%
- Large (revenues more than 1 billion): 77%]
Half of respondents say they have a strategy for the convergence of information, operational, and consumer technologies.

The convergence of information, operational, and consumer technologies, typically referred to as the Internet, will introduce tremendous business opportunities for companies that produce technologies. It also will create a new world of security risks.

Yet a closer look at the data reveals that many respondents do not yet have security strategies for technologies that underpin the Internet and most likely do not have an integrated plan for the convergence of these technologies. Doing so will demand that companies assess how technology convergence will affect the individual organization, and then establish goals for securing information and operations for future convergence. A disciplined, enterprise-wide assessment of the scope of valuable assets that are potentially at risk will be a key step.

As more devices are connected, exponentially more data will traverse an expanded constellation of enterprise ecosystems, increasing risks to sensitive corporate data and private consumer information. It's a risk that many technology companies seem to recognize. In fact, half of respondents say they have already implemented a security strategy for the convergence of information, operational, and consumer technologies; an additional 28% say they are developing a strategy.

Consider, for instance, that only 52% of respondents have a security strategy for cloud computing, and the same number have a security strategy for mobile devices. We believe technology businesses are beginning to develop a strategy for convergence, but have not yet integrated disparate components into a holistic strategy.
[Figure: Strategies for technologies that underpin the Internet. A closer look at the data reveals that many companies lack security strategies for mobile, social, and cloud technologies.
- Security strategy for BYOD: 54%
- Security strategy for mobile devices: 52%
- Security strategy for cloud computing: 52%
- Security strategy for social media: 52%
- Security strategy for big data: 52%]

Identifying sensitive assets and determining ownership of data will become increasingly arduous as the Internet of Things expands and more electronic information is shared among new business partners and consumers. For many tech companies, that's already a challenge. Just 57% of respondents have a program to identify sensitive assets and fewer (51%) have an inventory of all third parties that handle personal data.

The Internet will also require that technology companies improve fundamental security processes like user access controls, patch management, and third-party risk assessments. Privacy of consumer data is also critical and represents an opportunity for improvement considering that only 55% of respondents require third parties to comply with their privacy policies.
How technology companies are taking a more strategic approach to security.

Technology companies continue to bolster their security programs as cyber risks evolve. But much remains to be done.

As the frequency and severity of cyber attacks grows, it has become clear that every business should have an executive-level officer in charge of the security program. For most technology companies, that person is the Chief Information Security Officer (CISO). Demand for CISOs is at an all-time high: In the past two years, the number of technology companies that employ a security executive has climbed 46%, and today more than three-quarters of organizations have a CISO in charge of information security.

We believe it is imperative that the CISO report up to the CEO, Chief Financial Officer, Chief Privacy Officer, or the Board, rather than to the Chief Information Officer. Information security is, after all, a business risk issue and, as such, it should have a separate governance structure and budget to ensure that sufficient resources are allocated.

Exposing security leaders to the executive level is critical to risk governance. In the wake of recent massive breaches, directors are asking for the risk intelligence necessary to make informed cybersecurity decisions and help protect the organization from cyber attacks. Board participation in security is stronger among technology businesses than in many other sectors, but leadership from the very top is not yet the norm. Only 46% of respondents say their Board is involved in the overall security strategy and fewer (27%) say directors participate in reviews of current security and privacy risks.

While a very large margin of technology companies have a formal strategy for information security, the number that have a security strategy that is specifically aligned with unique business needs slipped this year. That's a key component of a risk-based security strategy.

77% of technology companies have hired a CISO to oversee their security program.
Many businesses are embracing guidelines developed by the US National Institute of Standards and Technology (NIST) to more closely link their technologies, processes, and personnel skills with the organization's broader risk-management activities. The NIST Cybersecurity Framework, which targets critical infrastructure providers and suppliers, has been adopted by 41% of US technology respondents; an additional 28% say the Framework is a future priority.

In addition to improving risk-based cybersecurity, the Framework also aims to create a common language to facilitate collaboration and communications among internal executives and external industry and government organizations. Sharing of threat intelligence and response tactics has become an indispensable tool to advance cybersecurity, one that the tech sector has readily adopted. This year, 62% of technology respondents say they work with others to improve security, compared with 55% of the overall survey sample.

Finally, many organizations are finding that cyber insurance can be effective in helping manage risks and mitigate financial losses of cyber attacks that are all but inevitable. In fact, cyber insurance has received considerable attention over the past year as victims of high-profile breaches reported that they recovered tens of millions of dollars in mitigation costs through insurance coverage. Among technology respondents, 59% say they have purchased cybersecurity coverage. Perhaps more significant is the finding that some companies are leveraging cyber insurance as a way to improve their security program. More than one-third say they have taken steps to enhance their security posture in order to lower insurance premiums.

Linking information security and risk

As security incidents continue to proliferate, it's becoming clear that cyber risks can never be completely eliminated. Protective measures remain important, of course, but they cannot reliably be guaranteed to stop determined and highly skilled adversaries. Consequently, many technology businesses may need to reposition their security strategy by more closely linking technologies, processes, and tools with broader risk-management activities.

Effective cybersecurity will require up-to-date processes, trained personnel, and tools to detect, analyze, and respond to today's incidents. While a well-designed cybersecurity program will not totally eliminate risk, it can enable businesses to better manage threats through an informed decision-making process, boost efficiencies in security practices, and create a more resilient security practice.

41% of respondents say they have adopted the risk-based NIST Cybersecurity Framework.

[Figure: NIST Cybersecurity Framework functions: Identify, Protect, Detect, Respond, Recover.]
To have a deeper conversation about cybersecurity, please contact:

United States
Shafeeq Banthanavasi, Managing Director, shafeeq.banthanavasi@us.pwc.com
Mark Lobel, Principal, mark.a.lobel@us.pwc.com

PwC helps organisations and individuals create the value they're looking for. We're a network of firms in 157 countries with more than 195,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see for further details. The Global State of Information Security is a registered trademark of International Data Group, Inc.
20+ At risk and unready in an interconnected world
At risk and unready in an interconnected world Key findings from The Global State of Information Security Survey 2015 Cyber attacks against power and utilities organizations have transitioned from theoretical
More informationDriving cybersecurity advances in an interconnected world Key findings from The Global State of Information Security Survey 2015
Driving cybersecurity advances in an interconnected world Key findings from The Global State of Information Security Survey 2015 Technology advances like telematics, networked manufacturing tools, and
More informationSecurity deficits in an interconnected world Key findings from The Global State of Information Security Survey 2015
Security deficits in an interconnected world Key findings from The Global State of Information Security Survey 2015 It will come as no surprise to most financial services executives that information security
More informationCybersecurity challenges in an interconnected world Key findings from The Global State of Information Security Survey 2015
Cybersecurity challenges in an interconnected world Key findings from The Global State of Information Security Survey 2015 If the recent string of high-profile cyber attacks has proved anything, it s that
More informationCybersecurity challenges in an interconnected world Key findings from The Global State of Information Security Survey 2015
Cybersecurity challenges in an interconnected world Key findings from The Global State of Information Security Survey 2015 Over the past year, the phrase data breach has become closely associated with
More informationManaging cyber risks with insurance
www.pwc.com.tr/cybersecurity Managing cyber risks with insurance Key factors to consider when evaluating how cyber insurance can enhance your security program June 2014 Managing cyber risks to sensitive
More informationDefending yesterday. Financial Services. Key findings from The Global State of Information Security Survey 2014
www.pwc.com/security Defending yesterday While organizations have made significant security improvements, they have not kept pace with today s determined adversaries. As a result, many rely on yesterday
More informationHealthcare cybersecurity challenges in an interconnected world Key findings from The Global State of Information Security Survey 2015
Healthcare cybersecurity challenges in an interconnected world Key findings from The Global State of Information Security Survey 2015 Healthcare payers Technology is not the only agent of change. Innovations
More informationJanuary IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director
January IIA / ISACA Joint Meeting Pre-meeting Cybersecurity Update for Internal Auditors Matt Wilson, Risk Assurance Director Introduction and agenda Themes from The Global State of Information Security
More informationwww.pwc.com Cybersecurity and Privacy Hot Topics 2015
www.pwc.com Cybersecurity and Privacy Hot Topics 2015 Table of Contents Cybersecurity and Privacy Incidents are on the rise Executives and Boards are focused on Emerging Risks Banking & Capital Markets
More informationWhite Paper on Financial Industry Regulatory Climate
White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during
More informationInto the cybersecurity breach
Into the cybersecurity breach Tim Sanouvong State Sector Cyber Risk Services Deloitte & Touche LLP April 3, 2015 Agenda Setting the stage Cyber risks in state governments Cyber attack vectors Preparing
More informationAssessing the strength of your security operating model
www.pwc.com Assessing the strength of your security operating model May 2014 Assessing the strength of your security operating model Retail stores, software companies, the U.S. Federal Reserve it seems
More informationGlobal State of Information Security Survey 2015
www.pwc.ch/cybersecurity Global State of Information Security Survey 2015 The risks and repercussions of security incidents continue to rise as preparedness falls. Agenda Methodology Key findings Focus
More informationUS cybersecurity: Progress stalled Key findings from the 2015 US State of Cybercrime Survey
www.pwc.com/cybersecurity US cybersecurity: Progress stalled Key findings from the 2015 US State of Cybercrime Survey July 2015 About the 2015 US State of Cybercrime Survey The 2015 US State of Cybercrime
More informationwww.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14
www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit (4:30-5:30) Draft v8 2-25-14 Common Myths 1. You have not been hacked. 2. Cyber security is about keeping the
More informationDefending yesterday. Power & Utilities. Key findings from The Global State of Information Security Survey 2014
www.pwc.com/security Defending yesterday While organizations have made significant security improvements, they have not kept pace with today s determined adversaries. As a result, many rely on yesterday
More informationDefending yesterday. Telecommunications. Key findings from The Global State of Information Security Survey 2014
www.pwc.com/security Defending yesterday While organizations have made significant security improvements, they have not kept pace with today s determined adversaries. As a result, many rely on yesterday
More informationTHE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS
THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS Download the entire guide and follow the conversation at SecurityRoundtable.org Detection, analysis, and understanding of threat
Do you know your privacy risks? How new technologies, changing business models, and emerging regulations are changing the data-protection landscape
January 2013 Do you know your privacy risks? How new technologies, changing business models, and emerging regulations are changing the data-protection landscape At a glance Threats to data security both
Getting real about cyber threats: where are you headed?
Getting real about cyber threats: where are you headed? Energy, utilities and power generation companies that understand today's cyber threats will be in the best position to defeat them June 2011 At a
US cybercrime: Rising risks, reduced readiness Key findings from the 2014 US State of Cybercrime Survey
www.pwc.com/cybersecurity US cybercrime: Rising risks, reduced readiness Key findings from the 2014 US State of Cybercrime Survey June 2014 As cybersecurity incidents multiply in frequency and cost, the
Defending yesterday. Technology. Key findings from The Global State of Information Security Survey 2014
www.pwc.com/security Defending yesterday While organizations have made significant security improvements, they have not kept pace with today's determined adversaries. As a result, many rely on yesterday
Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.
Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies
www.pwc.co.uk Cyber security Building confidence in your digital future
www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in
Cybersecurity The role of Internal Audit
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
State of Security Survey GLOBAL FINDINGS
2011 State of Security Survey GLOBAL FINDINGS CONTENTS Introduction... 4 Methodology... 6 Finding 1: Cybersecurity is important to business... 8 Finding 2: The drivers of security are changing... 10 Finding
THE CYBER SECURITY PLAYBOOK WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW BEFORE, DURING, AND AFTER AN ATTACK SECURITY REIMAGINED
THE CYBER SECURITY PLAYBOOK WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW BEFORE, DURING, AND AFTER AN ATTACK SECURITY REIMAGINED THE CYBER SECURITY PLAYBOOK 2 03 Introduction 04 Changing Roles, Changing Threat
CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility
CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation's ability to
The Top Ten of Information Security - For 2015
7 th Annual Information Security Summit The Executive Forum Information Security Management Overview June 4, 2015 Copyright 2015. Citadel Information Group. All Rights Reserved. 2 Establishing Leadership.
Cyber security Time for a new paradigm. Stéphane Hurtaud Partner Information & Technology Risk Deloitte
Cyber security Time for a new paradigm Stéphane Hurtaud Partner Information & Technology Risk Deloitte More than ever, cyberspace is a land of opportunity but also a dangerous world. As public and private
CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS
CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS PREPARING FOR ADVANCED CYBER THREATS Cyber attacks are evolving faster than organizations
Defending yesterday. Retail & Consumer. Key findings from The Global State of Information Security Survey 2014
www.pwc.com/security Defending yesterday While organizations have made significant security improvements, they have not kept pace with today's determined adversaries. As a result, many rely on yesterday
Healthcare Information Security Today
Healthcare Information Security Today 2015 Survey Analysis: Evolving Threats and Health Info Security Efforts WHITE PAPER SURVEY BACKGROUND The Information Security Media Group conducts an annual Healthcare
Information Technology in the Automotive Aftermarket
Information Technology in the Automotive Aftermarket March 2015 AASA Thought Leadership: The following white paper consists of key takeaways from three AASA surveys conducted in 2014, which focused on
CYBERSECURITY: Is Your Business Ready?
CYBERSECURITY: Is Your Business Ready? Cybersecurity: Is your business ready? Cyber risk is just like any other corporate risk and it must be managed from the top. An organization will spend time monitoring
Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave
Cyber Risks in the Boardroom
Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing
Certified Identity and Access Manager (CIAM) Overview & Curriculum
Identity and access management (IAM) is the most important discipline of the information security field. It is the foundation of any information security program and one of the information security management
Cyber4sight TM Threat. Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats
Cyber4sight TM Threat Intelligence Services Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats Preparing for Advanced Cyber Threats Cyber attacks are evolving faster than organizations
PwC Cybersecurity Briefing
www.pwc.com/cybersecurity Cybersecurity Briefing June 25, 2014 The views expressed in these slides are solely the views of the presenters and do not necessarily reflect the views of the PCAOB, the members
Utilizing Security Ratings for Enterprise IT Risk Mitigation Date: June 2014 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief Utilizing Security Ratings for Enterprise IT Risk Mitigation Date: June 2014 Author: Jon Oltsik, Senior Principal Analyst Abstract: What do large enterprises need in order to address increasingly
Defending yesterday. Key findings from The Global State of Information Security Survey 2014
www.pwc.com/security Defending yesterday While organizations have made significant security improvements, they have not kept pace with today's determined adversaries. As a result, many rely on yesterday
By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
2015 GLOBAL THREAT INTELLIGENCE REPORT EXECUTIVE SUMMARY
2015 GLOBAL THREAT INTELLIGENCE REPORT EXECUTIVE SUMMARY 1 EXECUTIVE SUMMARY INTRODUCING THE 2015 GLOBAL THREAT INTELLIGENCE REPORT Over the last several years, there has been significant security industry
A BUSINESS CASE FOR BEHAVIORAL ANALYTICS. White Paper
A BUSINESS CASE FOR BEHAVIORAL ANALYTICS White Paper Introduction What is Behavioral 1 In a world in which web applications and websites are becoming ever more diverse and complicated, running them effectively
Nine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity
Nine recommendations for alternative funds battling cyber crime kpmg.ca/cybersecurity Cyber criminals steal user names and passwords and use them to conduct financial trading activity illicitly. Hackers
10Minutes. on the stark realities of cybersecurity. The Cyber Savvy CEO. A changed business environment demands a new approach:
10Minutes on the stark realities of cybersecurity The Cyber Savvy CEO Highlights Business leaders must recognise the exposure and business impact that comes from operating within an interconnected global
www.pwc.nl/cybersecurity Cyber security Building confidence in your digital future
www.pwc.nl/cybersecurity Cyber security Building confidence in your digital future 2015 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence
Executive Summary 3. Snowden and Retail Breaches Influencing Security Strategies 3. Attackers are on the Inside Protect Your Privileges 3
GLOBAL ADVANCED THREAT LANDSCAPE SURVEY 2014 TABLE OF CONTENTS Executive Summary 3 Snowden and Retail Breaches Influencing Security Strategies 3 Attackers are on the Inside Protect Your Privileges 3 Third-Party
Stay ahead of insider threats with predictive, intelligent security
Stay ahead of insider threats with predictive, intelligent security Sarah Cucuz sarah.cucuz@spyders.ca IBM Security White Paper Executive Summary Stay ahead of insider threats with predictive, intelligent
Cyber Security Metrics Dashboards & Analytics
Cyber Security Metrics Dashboards & Analytics Feb, 2014 Robert J. Michalsky Principal, Cyber Security NJVC, LLC Proprietary Data UNCLASSIFIED Agenda Healthcare Sector Threats Recent History Security Metrics
Middle Class Economics: Cybersecurity Updated August 7, 2015
Middle Class Economics: Cybersecurity Updated August 7, 2015 The President's 2016 Budget is designed to bring middle class economics into the 21st Century. This Budget shows what we can do if we invest
Security risks and responses in an evolving telecommunications industry
Security risks and responses in an evolving telecommunications industry Telecommunications reach deep into the daily circumstances of individuals, businesses, and governments. Telecoms, in fact, touches
Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.bm
Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom kpmg.bm Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom 1 Connecting the dots:
Continuous Network Monitoring
Continuous Network Monitoring Eliminate periodic assessment processes that expose security and compliance programs to failure Continuous Network Monitoring Continuous network monitoring and assessment
Italy. EY's Global Information Security Survey 2013
Italy EY's Global Information Security Survey 2013 EY's Global Information Security Survey 2013 This year's survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information
WRITTEN TESTIMONY OF
WRITTEN TESTIMONY OF KEVIN MANDIA CHIEF EXECUTIVE OFFICER MANDIANT CORPORATION BEFORE THE SUBCOMMITTEE ON CRIME AND TERRORISM JUDICIARY COMMITTEE UNITED STATES SENATE May 8, 2013 Introduction Thank you
Why you should adopt the NIST Cybersecurity Framework
www.pwc.com/cybersecurity Why you should adopt the NIST Cybersecurity Framework May 2014 The National Institute of Standards and Technology Cybersecurity Framework may be voluntary, but it offers potential
Cyber security: Are consumer companies up to the challenge?
Cyber security: Are consumer companies up to the challenge? 1 Cyber security: Are consumer companies up to the challenge? A survey of webcast participants kpmg.com 1 Cyber security: Are consumer companies
www.pwc.com Developing a robust cyber security governance framework 16 April 2015
www.pwc.com Developing a robust cyber security governance framework 16 April 2015 Cyber attacks are ubiquitous Anonymous hacker group declares cyber war on Hong Kong government, police - SCMP, 2 October
Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015
Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting January 9, 2015 Agenda Key Risks Incorporating Internal Audit Resources for Internal Auditors Questions 2 Key Risks 3 4 Key
Answering your cybersecurity questions The need for continued action
www.pwc.com/cybersecurity Answering your cybersecurity questions The need for continued action January 2014 Boards and executives keeping a sustained focus on cybersecurity do more than protect the business:
New York State Department of Financial Services. Report on Cyber Security in the Banking Sector
New York State Department of Financial Services Report on Cyber Security in the Banking Sector Governor Andrew M. Cuomo Superintendent Benjamin M. Lawsky May 2014 I. Introduction Cyber attacks against
Peer Research Cloud Security Insights for IT Strategic Planning
SEPTEMBER 2011 Peer Research Cloud Security Insights for IT Strategic Planning Intel's IT Manager Survey on Cloud Security Why you should read this document: This report describes key findings from a survey
Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape
White Paper Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape Financial services organizations have a unique relationship with technology: electronic data and transactions
WHAT EVERY CEO, CIO AND CFO NEEDS TO KNOW ABOUT CYBER SECURITY.
WHAT EVERY CEO, CIO AND CFO NEEDS TO KNOW ABOUT CYBER SECURITY. A guide for IT security from BIOS The Problem SMEs, Enterprises and government agencies are under virtually constant attack today. There
Cyber Governance Preparing for the Inevitable Perimeter Breach
SAP Brief SAP Extensions SAP Regulation Management by Greenlight, Cyber Governance Edition Objectives Cyber Governance Preparing for the Inevitable Perimeter Breach Augment your preventive cybersecurity
How cloud-enabled cybersecurity will transform your business
How cloud-enabled cybersecurity will transform your business 8% 2012 47% 2013 55% 2014 How cloud-enabled cybersecurity will transform your business Cybersecurity is at a crossroads. As more businesses
PwC's 2014 Annual Corporate Directors Survey. Trends shaping Governance and the board of the future IT and cybersecurity oversight
PwC's 2014 Annual Corporate Directors Survey Trends shaping Governance and the board of the future IT and cybersecurity oversight Table of contents The influence of emerging IT IT strategy and risk mitigation
Combatting the Biggest Cyber Threats to the Financial Services Industry. A White Paper Presented by: Lockheed Martin Corporation
Combatting the Biggest Cyber Threats to the Financial Services Industry A White Paper Presented by: Lockheed Martin Corporation Combatting the Biggest Cyber Threats to the Financial Services Industry Combatting
PRIORITIZING CYBERSECURITY
April 2016 PRIORITIZING CYBERSECURITY Five Investor Questions for Portfolio Company Boards Foreword As the frequency and severity of cyber attacks against global businesses continue to escalate, both companies
A NEW APPROACH TO CYBER SECURITY
A NEW APPROACH TO CYBER SECURITY We believe cyber security should be about what you can do not what you can't. DRIVEN BY BUSINESS ASPIRATIONS We work with you to move your business forward. Positively
The Cloud Balancing Act for IT: Between Promise and Peril
The Cloud Balancing Act for IT: Between Promise and Peril Table of Contents EXECUTIVE SUMMARY...2 ONBOARDING CLOUD SERVICES...3 SYSTEMS OF RECORD: THE NEXT WAVE OF CLOUD ADOPTION...6 A CULTURE OF COMPLIANCE
WHITE PAPER ENSURING APPLICATION AVAILABILITY AND SECURITY IN THE CLOUD
WHITE PAPER ENSURING APPLICATION AVAILABILITY AND SECURITY IN THE CLOUD CONTENTS EXECUTIVE SUMMARY 3 THE LIFEBLOOD OF MANY BUSINESSES IS UNDER ATTACK 3 IT LEADERS FACE A DIFFICULT BALANCING ACT 3 Companies
Cyber Security Management
Cyber Security Management Focusing on managing your IT Security effectively. By Anthony Goodeill With the news cycles regularly announcing a recurrent theme of targets of hacker attacks and companies
Five keys to a more secure data environment
Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational
Information Technology Risk Management
Find What Matters Information Technology Risk Management Control What Counts The Cyber-Security Discussion Series for Federal Government security experts... by Carson Associates your bridge to better IT
How To Protect Your Organization From Insider Threats
Research Conducted by 2015 VORMETRIC INSIDER THREAT REPORT Trends and Future Directions in Data Security FINANCIAL SERVICES EDITION #2015InsiderThreat RESEARCH BRIEF US FINANCIAL SERVICES SPOTLIGHT ABOUT
State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013
State of Minnesota Enterprise Security Strategic Plan Fiscal Years 2009 2013 Jointly Prepared By: Office of Enterprise Technology - Enterprise Security Office Members of the Information Security Council
Identity & Access Management in the Cloud: Fewer passwords, more productivity
WHITE PAPER Strategic Marketing Services Identity & Access Management in the Cloud: Fewer passwords, more productivity Cloud services are a natural for small and midsize businesses, with their ability
defending against advanced persistent threats: strategies for a new era of attacks agility made possible
defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been
Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015
Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence AIBA Quarterly Meeting September 10, 2015 The Answer 2 Everyone The relationship between the board, C-suite, IT, and compliance leaders
ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES
ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES Leonard Levy PricewaterhouseCoopers LLP Session ID: SEC-W03 Session Classification: Intermediate Agenda The opportunity Assuming
Cybersecurity: A View from the Boardroom
An Executive Brief from Cisco Cybersecurity: A View from the Boardroom In the modern economy, every company runs on IT. That makes security the business of every person in the organization, from the chief
Cyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime?
Cyber Warfare David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP Global Economic Crime Survey Cyber crime is the fastest growing economic crime up more than 2300% since 2009 1 in 10 companies
State Governments at Risk: The Data Breach Reality
State Governments at Risk: The Data Breach Reality NCSL Legislative Summit August 5, 2015 Doug Robinson, Executive Director National Association of State Chief Information Officers (NASCIO) About NASCIO
Managing the Ongoing Challenge of Insider Threats
CYBERSECURITY IN THE FEDERAL GOVERNMENT Managing the Ongoing Challenge of Insider Threats A WHITE PAPER PRESENTED BY: May 2015 PREPARED BY MARKET CONNECTIONS, INC. 11350 RANDOM HILLS ROAD, SUITE 800 FAIRFAX,
NATIONAL CYBER SECURITY AWARENESS MONTH
NATIONAL CYBER SECURITY AWARENESS MONTH Tip 1: Security is everyone's responsibility. Develop an awareness framework that challenges, educates and empowers your customers and employees to be part of the
10 Smart Ideas for. Keeping Data Safe. From Hackers
Posted by David A. Katz, Wachtell, Lipton, Rosen & Katz, on Sunday December 16, 2012 at 10:20 am
Posted by David A. Katz, Wachtell, Lipton, Rosen & Katz, on Sunday December 16, 2012 at 10:20 am Editor's Note: David A. Katz is a partner at Wachtell, Lipton, Rosen & Katz specializing
Cyber Threats Insights from history and current operations. Prepared by Cognitio May 5, 2015
Cyber Threats Insights from history and current operations Prepared by Cognitio May 5, 2015 About Cognitio Cognitio is a strategic consulting and engineering firm led by a team of former senior technology
State of Network Security 2014
State of Network Security 2014 An AlgoSec Survey Copyright 2014. AlgoSec, Inc. All rights reserved. Executive Summary A survey of 142 information security and network operations professionals and application
Statement for the Record. Richard Bejtlich. Chief Security Strategist. FireEye, Inc. Before the. U.S. House of Representatives
Statement for the Record Richard Bejtlich Chief Security Strategist FireEye, Inc. Before the U.S. House of Representatives Committee on Energy and Commerce Subcommittee on Oversight and Investigations
2015 NETWORK SECURITY & CYBER RISK MANAGEMENT: THE FOURTH ANNUAL SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN EUROPE
2015 NETWORK SECURITY & CYBER RISK MANAGEMENT: THE FOURTH ANNUAL SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN EUROPE February 2015 2015 Network Security & Cyber Risk Management: The FOURTH
Services. Cybersecurity. Capgemini & Sogeti. Guiding enterprises and government through digital transformation while keeping them secure
Home Secure digital transformation SMACT Advise, Protect & Monitor Why Capgemini & Sogeti? In safe hands Capgemini & Sogeti Cybersecurity Services Guiding enterprises and government through digital transformation
Managing IT Security with Penetration Testing
Managing IT Security with Penetration Testing Introduction Adequately protecting an organization's information assets is a business imperative one that requires a comprehensive, structured approach to
Cybersecurity Enhancement Account. FY 2017 President's Budget
Cybersecurity Enhancement Account FY 2017 President's Budget February 9, 2016 Table of Contents Section 1 Purpose... 3 1A Mission Statement... 3 1.1 Appropriations Detail Table... 3 1B Vision, Priorities
THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS
THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS Download the entire guide and follow the conversation at SecurityRoundtable.org Investment in cyber insurance Lockton Companies