Improving cyber readiness in an interconnected world Key findings from The Global State of Information Security Survey 2015

Transcription

1 Improving cyber readiness in an interconnected world Key findings from The Global State of Information Security Survey 2015 organizations tend to have comparatively robust and mature cybersecurity programs. It makes sense, given that many have been in the vanguard of developing the systems and tools that have forever altered how businesses operate, market products, and interact with customers. The bad news? Cyber-threat actors seem to have the advantage. Consider the following: In the past year, hackers infiltrated the servers of a global software company and stole not only source code but also personal information of tens of millions customers. Computers of prominent multinational Internet companies were d as a result of watering-hole attacks. Hackers employed key-logging software to steal the user credentials of more than 2 million social media and accounts from companies that dominate the Web. A prominent social networking and entertainment website was taken down by a massive distributed denial of service (DDoS) attack. And European Internet service providers were prominent targets of an extremely complex and stealthy espionage tool that has been in use for more than six years. Increasingly, cyber criminals target technology companies to lift intellectual property, sabotage websites and reputations, and modify source code. // 1

2 These are just a few of many attacks against technology companies in the past 12 months. While many breaches resulted in theft of customer information, others were more maleficent in intent. Increasingly, cyber criminals target technology companies to lift intellectual property, sabotage websites and reputations, and modify source code. The result has been worldwide negative publicity, loss of shareholder value, reduced profits, and millions of dollars in breach-mitigation expenses not to mention an erosion of customer trust. Businesses and people are becoming more and more connected and empowered by technology, and technology companies in particular and the customers they serve and products and services they produce are becoming increasingly valuable targets, says Mark Lobel, Principal in PwC s Advisory practice focused on cybersecurity and privacy. At the same time, the complexities of the global business ecosystem and the evolving threat and compliance landscape are forcing technology companies to re-imagine security. To do so, organizations should invest in security personnel, processes, and technologies that address holistic information security strategies and go beyond outdated, ineffective security models. GSISS 2015: results at a glance Click or tap each title to view data 5K 4K 3K 4,529 3,777 Incidents 2.5M Sources of incidents 2.0M Security spending 3M 2M Clearly, it s no longer possible to protect all data, networks, and applications at the highest level. But a proactive cybersecurity program will enable businesses to prioritize protection and more quickly react to attacks that are all but inevitable even against the most tech-savvy of businesses. Average number of detected incidents Estimated total financial losses 1M // 2

3 These are just a few of many attacks against technology companies in the past 12 months. While many breaches resulted in theft of customer information, others were more maleficent in intent. Increasingly, cyber criminals target technology companies to lift intellectual property, sabotage websites and reputations, and modify source code. The result has been worldwide negative publicity, loss of shareholder value, reduced profits, and millions of dollars in breach-mitigation expenses not to mention an erosion of customer trust. Businesses and people are becoming more and more connected and empowered by technology, and technology companies in particular and the customers they serve and products and services they produce are becoming increasingly valuable targets, says Mark Lobel, Principal in PwC s Advisory practice focused on cybersecurity and privacy. At the same time, the complexities of the global business ecosystem and the evolving threat and compliance landscape are forcing technology companies to re-imagine security. To do so, organizations should invest in security personnel, processes, and technologies that address holistic information security strategies and go beyond outdated, ineffective security models. GSISS 2015: results at a glance Click or tap each title to view data 50% 40% 30% 32% 36% 34% 35% Incidents 40% 31% Sources of incidents Security spending 22% 28% Clearly, it s no longer possible to protect all data, networks, and applications at the highest level. But a proactive cybersecurity program will enable businesses to prioritize protection and more quickly react to attacks that are all but inevitable even against the most tech-savvy of businesses. Current employees Former employees Hackers Competitors // 3

4 These are just a few of many attacks against technology companies in the past 12 months. While many breaches resulted in theft of customer information, others were more maleficent in intent. Increasingly, cyber criminals target technology companies to lift intellectual property, sabotage websites and reputations, and modify source code. The result has been worldwide negative publicity, loss of shareholder value, reduced profits, and millions of dollars in breach-mitigation expenses not to mention an erosion of customer trust. Businesses and people are becoming more and more connected and empowered by technology, and technology companies in particular and the customers they serve and products and services they produce are becoming increasingly valuable targets, says Mark Lobel, Principal in PwC s Advisory practice focused on cybersecurity and privacy. At the same time, the complexities of the global business ecosystem and the evolving threat and compliance landscape are forcing technology companies to re-imagine security. To do so, organizations should invest in security personnel, processes, and technologies that address holistic information security strategies and go beyond outdated, ineffective security models. GSISS 2015: results at a glance Click or tap each title to view data 5M 4M 3M 5.2M 4.1M Incidents 3.7% Sources of incidents 3.7% Security spending 3% 2% Clearly, it s no longer possible to protect all data, networks, and applications at the highest level. But a proactive cybersecurity program will enable businesses to prioritize protection and more quickly react to attacks that are all but inevitable even against the most tech-savvy of businesses. Average annual information security budget Information security spend as percentage of IT budget 1% // 4

5 companies are detecting fewer incidents, despite evidence that attacks are rising across industries. The Global State of Information Security Survey (GSISS) 2015 shows that the technology sector leads most industries in implementation of the technologies, processes, and personnel skills that are vital to protecting data and quickly responding to incidents. But even among these technologically sophisticated companies, there are troubling trends. Our survey of 1,892 technology industry executives reveals that respondents reported 17% fewer security incidents in the past year despite overwhelming evidence that insider as well as targeted threats continue to multiply. (We define a security incident as any adverse incident that threatens some aspect of computer security.) Against a global backdrop of escalating cyber attacks, this finding seems counter-intuitive. One explanation might be that technology companies boosted security spending by a hefty 39% in, which may have enabled them to implement solutions and processes to help ent attacks. What s more, as businesses deploy monitoring and logging technologies they will detect more incidents that are benign and do not result in costly damage. Another interpretation may lie in the increased use of outsourced or cloud services, which is shifting some responsibility and potentially making it more difficult to gain visibility into events. Taking another view, one might assume that technology companies are simply not detecting many incidents. Today s sophisticated adversaries, particularly foreign nation-states and organized crime, make it their business to carry out sustained attacks without detection. Consequently, the volume of incidents may very well be under-reported. Information security d significantly this year, particularly among smaller businesses. // 5

6 If the decrease in incidents leaves room for interpretation, there is no positive way to spin the steep 21% decrease in information security spending in. Looking at security spending by company size sheds some light on the spending patterns. Small companies (those with revenues of 100 million or less) reduced security spending by 36% in, while large companies (revenues of 1 billion or more) trimmed investments by 9%. Medium-size firms (revenues of 100 million to 1 billion) reported a 3% drop in security budgets. Security budgets by company size 12.5 million 11.3 million The decreased commitment to information security among small businesses is downright alarming and a bit puzzling. One explanation may be that small businesses often consider themselves unworthy of serious cyber adversaries. We could also posit that the over-abundance of security solutions has resulted in an analysis paralysis that has rendered small companies unable to take action. And the current shortage of experienced security professionals may mean that the most skilled candidates go to larger organizations with hefty budgets. Nonetheless, these declining investments in security do not bode well for future cyber readiness. 1.4 million 893 thousand Small Revenues less than 100 million 3.6 million 3.5 million Medium Revenues 100 million 1 billion Large Revenues more than 1 billion // 6

7 Incidents attributed to sophisticated threat actors are escalating. Current and former employees are once again the most-frequent culprits of security incidents, cited by 36% and 32% of respondents, respectively. While s caused by employees often fly under the media radar, those committed by organized crime groups, activists/ hacktivists, and nation-states typically do not. Attacks by these threat actors remain among the least frequent, but they are also the fastest growing. report loss of intellectual property. Many, it seems, are not prepared: Almost half of tech respondents have no procedures in place to protect intellectual property. Edward J. Snowden s disclosures of government surveillance have added a new adversary to the list of threat actors: domestic intelligence services. This year we included this option as a response to our question regarding the source of incidents, and 8% of technology respondents attributed incidents to domestic surveillance agencies, a rate that is higher than the global sample. In a finding that reflects the mood of the technology industry, almost two-thirds (65%) of respondents say they are somewhat or very concerned about government surveillance. Many businesses are particularly worried about attacks by nation-states, which often target tech companies to steal IP and trade secrets as a means to advance their own economic advantage. With good reason: Incidents attributed to nationstates soared by 80% over. The jump in nation-state incidents may also explain the rising theft of intellectual property, including source code of products and services, designs for products like chipsets and networking equipment, and proprietary manufacturing processes. This year, 42% of technology respondents This type of espionage is prompting some businesses to reconsider their relationships with certain solutions providers. More than one-quarter of respondents (28%) say they are purchasing fewer products and services from technology companies based in certain nations, and 9% say they no longer procure products and services from those in specific countries. Given that this type of surveillance is most closely associated with the US, the implications for American technology companies are potentially serious. Compromises by foreign nation-states are the fastest growing type of threats. // 7

8 Many technology companies have not deployed basic identity and access technologies. When it comes to cybercrime, many top executives know that security breaches by insiders employees as well as contractors and business partners with trusted access can be even more damaging than those attributed to external adversaries. In the US State of Cybercrime Survey, we found that almost one-third (32%) of respondents said insider crimes are more costly or damaging than incidents perpetrated by outsiders. 1 In part, that s because internal threat actors hold the advantage since they are more likely to know where valuable data is stored and what processes and technologies are in place to protect this information and ent theft. Nonetheless, many technology companies are still grappling with automated identity and access management, a fundamental tool for enting and managing insider incidents. Consider, for instance, that just over half (53%) of respondents have implemented identity management tools and only 54% employ multifactor authentication. Other technologies that are central to managing access and monitoring employee behavior are also not adequately deployed. Employees and managers are vital to insider-threat management because they are often in a position to notice suspicious behavior or risk indicators. Consequently, employee training forms the spine of an effective insider program. So it was worrisome to find that the percentage of organizations that have an employee training and awareness program dropped to 51% this year. Internal threats represent a people issue, not a technology problem, and an insider-threat program cannot be addressed by the IT function alone. Effective management will require a disciplined, cross-functional approach that includes IT, information security, corporate security, human resources, legal counsel, audit, and privacy, as well as leadership from lines of business. Just half of technology respondents have a cross-functional team that coordinates security issues. The increase in insider incidents, particularly among employees, could have critical implications for technology companies. Increasingly, external threat actors employ social engineering techniques such as spear phishing to steal credentials of employees with privileged access to data and networks, then use that information to infiltrate the company s network. Limiting and controlling access to key data assets is increasingly pivotal to information security and privacy. Almost half of respondents have not implemented identity and access management tools. 1 US State of Cybercrime Survey, co-sponsored by CSO magazine, CERT Division of the Software Engineering Institute at Carnegie Mellon University, PwC, and the US Secret Service, March-April // 8

9 Many companies lack tools to manage insider threats 66% 60% 56% 58% 54% 45% 44% 46% Have network access control software User activity monitoring tools Have employee training and awareness program Have behaviorial profiling and monitoring // 9

10 More businesses are adopting cloud-based security services. It s official: The cloud is now mainstream. This year 64% of technology respondents say they use some form of cloud computing. Tentative early implementations of cloud services have given way to large-scale deployments of business functions such as customer relationship management, talent management, payroll, and enterprise communications. As organizations are becoming more familiar with the cloud and as cloud providers are maturing, the perception that providers security practices are incapable of protecting sensitive data and mission-critical workloads is beginning to shift. In fact, our research shows that the majority of organizations that use cloud services report that doing so has improved their information security program. In particular, we have seen growing interest in cloud-based identity and access management (IAM) solutions. While small and medium-size businesses were among the first to adopt cloud-based security as a means to extend their IAM capabilities, larger organizations are also beginning to embrace the concept, often as a replacement for on-premises solutions. In fact, 28% of respondents who employ cloudbased security are big businesses, while 19% are small. No matter the size, enterprises that move sensitive data and mission-critical workloads to the cloud should do so following a carefully considered cloud strategy and due diligence. But many do not. In fact, only 52% of respondents have a security strategy for cloud computing, and just 54% perform risk assessments on third-party vendors, including cloud providers. Adoption of cloud computing by company size It was somewhat surprising to find that big enterprises are most likely to employ cloud services. More than three quarters (77%) of large companies employ cloud, as compared with 74% of medium-size businesses and 55% of small firms. Another intriguing finding: One in four technology respondents use cloud-based security services, a solution that is gaining favor as providers offer more sophisticated, secure services. Large businesses are leading the way to the cloud and to cloud-based security services. 55% 74% 77% Small Revenues less than 100 million Medium Revenues 100 million 1 billion Large Revenues more than 1 billion // 10

11 Half of respondents say they have a strategy for the convergence of information, operational, and consumer technologies. The convergence of information, operational, and consumer technologies typically referred to as the Internet will introduce tremendous business opportunities for companies that produce technologies. It also will create a new world of security risks. Yet a closer look at the data reveals that many respondents do not yet have security strategies for technologies that underpin the Internet and most likely do not an have integrated plan for the convergence of these technologies. Doing so will demand that companies assess how technology convergence will affect the individual organization, and then establish goals for securing information and operations for future convergence. A disciplined, enterprisewide assessment of the scope of valuable assets that are potentially at risk will be a key step. As more devices are connected, exponentially more data will traverse an expanded constellation of enterprise ecosystems, increasing risks to sensitive corporate data and private consumer information. It s a risk that many technology companies seem to recognize. In fact, half of respondents say they have already implemented a security strategy for the convergence of information, operational, and consumer technologies; an additional 28% say they are developing a strategy. Consider, for instance, that only 52% of respondents have a security strategy for cloud computing, and the same number have a security strategy for mobile devices. We believe technology businesses are beginning to develop a strategy for convergence, but have not yet integrated disparate components into a holistic strategy. // 11

12 Strategies for technologies that underpin the Internet A closer look at the data reveals that many companies lack security strategies for mobile, social, and cloud technologies. 54% 52% 52% 52% 52% Security strategy for BYOD Security strategy for mobile devices Security strategy for cloud computing Security strategy for social media Security strategy for big data Identifying sensitive assets and determining ownership of data will become increasingly arduous as the Internet of Things expands and more electronic information is shared among new business partners and consumers. For many tech companies, that s already a challenge. Just 57% of respondents have a program to identify sensitive assets and fewer (51%) have an inventory of all third parties that handle personal data. The Internet will also require that technology companies improve fundamental security processes like user access controls, patch management, and third-party risk assessments. Privacy of consumer data is also critical and represents an opportunity for improvement considering that only 55% of respondents require third parties to comply with their privacy policies. // 12

13 How technology companies are taking a more strategic approach to security. companies continue to bolster their security programs as cyber risks evolve. But much remains to be done. As the frequency and severity of cyber attacks grows, it has become clear that every business should have an executivelevel officer in charge of the security program. For most technology companies, that person is the Chief Information Security Officer (CISO). Demand for CISOs is at an alltime high: In the past two years, the number of technology companies that employ a security executive has climbed 46%, and today more than three-quarters of organizations have a CISO in charge of information security. We believe it is imperative that the CISO report up to the CEO, Chief Financial Officer, Chief Privacy Officer, or the Board, rather than to the Chief Information Officer. Information security is, after all, a business risk issue and, as such, it should have a separate governance structure and budget to ensure that sufficient resources are allocated. Exposing security leaders to the executive level is critical to risk governance. In the wake of recent massive breaches, directors are asking for the risk intelligence necessary to make informed cybersecurity decisions and help protect the organization from cyber attacks. Board participation in security is stronger among technology businesses than in many other sectors, but leadership from the very top is not yet the norm. Only 46% of respondents say their Board is involved in the overall security strategy and fewer (27%) say directors participate in reviews of current security and privacy risks. While a very large margin of technology companies have a formal strategy for information security, the number that have a security strategy that is specifically aligned with unique business needs slipped this year. That s a key component of a risk-based security strategy. 77% of technology companies have hired a CISO to oversee their security program. // 13

14 Many businesses are embracing guidelines developed by the US National Institute of Standards and (NIST) to more closely link their technologies, processes, and personnel skills with the organization s broader riskmanagement activities. The NIST Cybersecurity Framework, which targets critical infrastructure providers and suppliers, has been adopted by 41% of US technology respondents; an additional 28% say the Framework is a future priority. In addition to improving risk-based cybersecurity, the Framework also aims to create a common language to facilitate collaboration and communications among internal executives and external industry and government organizations. Sharing of threat intelligence and response tactics has become an indispensable tool to advance cybersecurity, one that the tech sector has readily adopted. This year, 62% of technology respondents say they work with others to improve security, compared with 55% of the overall survey sample. Finally, many organizations are finding that cyber insurance can be effective in helping manage risks and mitigate financial losses of cyber attacks that are all but inevitable. In fact, cyber insurance has received considerable attention over the past year as victims of high-profile breaches reported that they recovered tens of millions of dollars in mitigation costs through insurance coverage. Among technology respondents, 59% say they have purchased cybersecurity coverage. Perhaps more significant is the finding that some companies are leveraging cyber insurance as a way to improve their security program. More than onethird say they have taken steps to enhance their security posture in order to lower insurance premiums. Linking information security and risk As security incidents continue to proliferate, it s becoming clear that cyber risks can never be completely eliminated. Protective measures remain important, of course, but they cannot reliably be guaranteed to stop determined and highly skilled adversaries. Consequently, many technology businesses may need to reposition their security strategy by more closely linking technologies, processes, and tools with broader riskmanagement activities. Effective cybersecurity will require up-to-date processes, trained personnel, and tools to detect, analyze, and respond to today s incidents. While a well-designed cybersecurity program will not totally eliminate risk, it can enable businesses to better manage threats through an informed decision-making process, boost efficiencies in security practices, and create a more resilient security practice. 41% of respondents say they have adopted the riskbased NIST Cybersecurity Framework. Detect Identify Recover Protect Respond // 14

15 To have a deeper conversation about cybersecurity, please contact: United States Shafeeq Banthanavasi Managing Director shafeeq.banthanavasi@us.pwc.com Mark Lobel Principal mark.a.lobel@us.pwc.com // PwC helps organisations and individuals create the value they re looking for. We re a network of firms in 157 countries with more than 195,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see for further details. The Global State of Information Security is a registered trademark of International Data Group, Inc. // 15