Global trends in information security

Trends on the following topics are discussed in this newsflash:
- leadership
- behavior
- incidents
- privacy tools
- safeguards related to people

Introduction

LinkedIn, Yahoo, processors of credit card transactions, universities, online retailers and, as of late, Caribbean financial institutions all have one thing in common: they have all been hacked in the year 2012 or later!

This newsflash contains the global trends in information security. It is based on the Global State of Information Security Survey (GSIS) 2013. The GSIS is a worldwide study by PwC, CIO magazine and CSO magazine in which more than 9,300 directors and C-level executives of IT and information security have been surveyed. PwC deems it important for you to be aware of the global trends in information security.

Information security means protecting information and information systems from being accessed by unauthorized persons. The results of the survey show that organizations often think their information security strength is higher than it is in reality, leaving them exposed to risks.

Are you really aware of your information security level? Fill in the check marks where applicable to your organization and assess yourself. Based on the survey result percentages that are mentioned in red behind each requirement in this newsflash, you will be able to benchmark your organization's information security against the results of the GSIS survey.
1. Information security leadership

Information security leaders are frontrunners that have an effective information security strategy in place and are proactive in executing the plans. The criteria below were used to measure leadership in the GSIS survey.

How does your organization's information security leadership measure up against others?
- Overall information security strategy in place
- Currently has a chief information security officer
- Measured and reviewed the effectiveness of your security measures within the past year
- Understand what type of security events have occurred in the past year

When organizations were asked to describe their own information security leadership, 42% considered themselves security leaders with an effective strategy in place and proactive in executing the plan. However, based on the criteria mentioned above, only 8% of the respondents were ranked as true leaders.

2. Information security behavior

Security can only be effective if it forms an integral part of how people think and work. Security behavior therefore relates to the organization's routines and interactions that make up an average workday.

How does your organization's information security behavior measure up against others?
1. Third parties are required to comply with your privacy policies? (29%)
2. In what phases is information security involved in major projects?
   - Inception (25%)
   - Analysis and design phase (19%)
   - Implementation (12%)
   - As-needed basis (26%)
   - Don't know (18%)
3. Having an incident response process to report and handle breaches at third parties that handle your organization's data? (30%)

The three requirements displayed above indicate how well your organization complies with security behaviors compared to other organizations. Based on the criteria mentioned above, only 30% of the respondents were expressing an effective information security behavior.
3. Information security incidents

An information security incident is when someone unauthorized gets access to your organization's information. Survey results indicate that security incidents have increased marginally but that financial losses due to security breaches have decreased significantly. An overview of the number of security incidents that organizations experienced over twelve months can be found below.

How do your organization's information security incidents over the past 12 months measure up against others?
- 50 or more incidents (13%)
- Between 1 and 50 incidents (43%)
- No incidents (30%)
- Don't know (14%)

Security incidents can lead to financial losses for organizations. Besides the number of incidents over a period of twelve months, the survey results have also revealed that many organizations do not perform a thorough appraisal of the factors that might contribute to financial losses. These financial losses can be calculated based on the factors mentioned in the graph (fig. 1) below.

How does your organization calculate financial losses due to security incidents, compared to others?
- Loss of customer business (52%)
- Legal defence services (35%)
- Investigations and forensics (35%)
- Audit and consulting services (34%)
- Deployment of detection software, services, and policies (31%)
- Damage to brand/reputation (27%)
- Court settlements (26%)
Figure 1: Factors included in calculation of financial losses from security breaches

A PwC consumer survey performed in 2012 (Consumer privacy: What are consumers willing to share?, July 2012) revealed that 61% of respondents would stop using a company's products or services after a breach. This indicates the substantial risk of losing customers as a result of information security incidents. Based on the criteria mentioned above in figure 1, only 52% of the respondents indicated that they include the loss of customer business as a factor.
More alarming is the fact that only 27% of the respondents indicated that they include damage to brand/reputation as a potential factor when determining financial losses. We therefore conclude that organizations underestimate the financial losses due to security incidents, as not all financial loss calculation factors are taken into account.
4. Information security and privacy tools

Information security and privacy tools allow organizations to prohibit, monitor and detect unauthorized access to their organization's information.

How do your organization's security and privacy tools measure up against other organizations'?
- Malicious code detection tools (spyware and adware)
- Intrusion detection tools
- Tools to discover unauthorized devices
- Vulnerability scanning tools
- Subscription to vulnerability alerting service(s)
- Data loss prevention (DLP) tools
- Security event correlation tools
Figure 2: Information security and privacy tools currently in place, 2012 versus 2011

Based on the criteria mentioned above in figure 2, a decline in basic tools of 10% can be seen within global organizations. This decline can be due to various factors, e.g. a high level of information security confidence or several years of tight IT budgets within organizations. However, this decline leaves the organization's security at high risk.

5. Information security safeguards related to people

In order to have an effective security program, adequate training of the employees is needed.

How do your organization's information security safeguards measure up against other organizations'?
- Conduct personnel background checks
- Have people dedicated to employee awareness programs for internal policies, procedures and technical standards
- Have people dedicated to monitoring employee use of Internet/information assets
- Link security, either through organizational structure or policy, to privacy and/or regulatory compliance
- Employ Chief Information Security Officer (CISO) in charge of the security program
- Integrate physical security and information security personnel
- Employ information security consultants
- Employ dedicated security personnel that support internal business departments
- Employ Chief Security Officer (CSO) in charge of the security program
- None of the above
Figure 3: Information security safeguards related to people, 2012 versus 2011

Based on the criteria mentioned above in figure 3, a decline can be seen in the information security safeguards used. Only 50% of organizations globally have employee security and privacy awareness training programs. According to the GSIS report, the lack of training is cited as a top reason why contingency and response plans are not effective.
Improving information security starts at the top of the organization

Throughout this newsflash we have seen that organizations think too optimistically of their information security. They regard themselves as information security leaders whilst not meeting many of the above-mentioned requirements, such as the use of basic information security tools or financial loss measurement systems. This lack of a strong information security practice increases the vulnerability of your organization's information. The security incidents of recent years on a global scale are proof of this.

Possible steps towards strengthening your information security practice are to:
1. Understand your organization's information, who wants it, and what tactics adversaries might use to get it.
2. Implement a comprehensive information security risk-assessment strategy and align security investments with identified risks.
3. Understand that information security requirements and, indeed, overall strategies for doing business have reached a turning point. Information security today is a rapidly evolving game of advanced skill and strategy. Security models of the past decade are no longer effective.
4. Embrace a new way of thinking in which information security is both a means to protect data and an opportunity to create value for your business.

We hope that the information provided in this newsflash gives you a high-level view of your organization's position compared to the global trends in information security, as well as some insight into strengthening your security practice. If you would like to discuss your assessment results or the content of this newsflash, please do not hesitate to contact us.

Contact information
Ruben Goedhoop (Director Advisory): ruben.w.goedhoop@an.pwc.com
Stewart Marshall: stewart.marshall@an.pwc.com
Office: T: +(297) 522 1647 or send an email to: info@an.pwc.com

2013 PricewaterhouseCoopers Aruba. All rights reserved.
PwC refers to the Dutch Caribbean member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.