Global trends in information security

Trends on the following topics are discussed in this newsflash:

- leadership
- behavior
- incidents
- privacy tools
- safeguards related to people

Introduction

LinkedIn, Yahoo, processors of credit card transactions, universities, online retailers and, as of late, Caribbean financial institutions all have one thing in common: they have all been hacked in 2012 or later.

This newsflash contains the global trends in information security. It is based on the Global State of Information Security Survey (GSIS) 2013, a worldwide study by PwC, CIO magazine and CSO magazine in which more than 9,300 directors and C-level executives of IT and information security were surveyed. PwC deems it important for you to be aware of these trends. Information security means protecting information and information systems from access by unauthorized persons.

The survey results show that organizations often think their information security is stronger than it is in reality, leaving them exposed to risks. Are you really aware of your information's security level? Tick the check boxes that apply to your organization and assess yourself. Using the survey percentages given in brackets behind each requirement in this newsflash, you can benchmark your organization's information security against the results of the GSIS survey.

1. Information security leadership

Information security leaders are frontrunners that have an effective information security strategy in place and are proactive in executing their plans. The GSIS survey used the criteria below to measure leadership. How does your organization's information security leadership measure up against others?

[ ] Overall information security strategy in place
[ ] Currently has a chief information security officer
[ ] Measured and reviewed the effectiveness of your security measures within the past year
[ ] Understand what type of security events have occurred in the past year

When organizations were asked to describe their own information security leadership, 42% considered themselves security leaders with an effective strategy in place and proactive in executing it. However, measured against the criteria above, only 8% of the respondents ranked as true leaders.

2. Information security behavior

Security can only be effective if it forms an integral part of how people think and work. Security behavior therefore relates to the organizational routines and interactions that make up an average workday. How does your organization's information security behavior measure up against others?

1. Are third parties required to comply with your privacy policies? (29%)
2. In what phases is information security involved in major projects?
   [ ] Inception (25%)
   [ ] Analysis and design phase (19%)
   [ ] Implementation (12%)
   [ ] As-needed basis (26%)
   [ ] Don't know (18%)
3. Do you have an incident response process to report and handle breaches at third parties that handle your organization's data? (30%)

The three requirements above indicate how well your organization complies with security behaviors compared to other organizations. Measured against these criteria, only 30% of the respondents showed effective information security behavior.

3. Information security incidents

An information security incident is when someone unauthorized gets access to your organization's information. Survey results indicate that security incidents have increased marginally, but that financial losses due to security breaches have decreased significantly. An overview of the number of security incidents that organizations experienced over twelve months is given below. How do your organization's information security incidents over the past 12 months measure up against others?

[ ] 50 or more incidents (13%)
[ ] Between 1 and 50 incidents (43%)
[ ] No incidents (30%)
[ ] Don't know (14%)

Security incidents can lead to financial losses for organizations. Besides the number of incidents over a period of twelve months, the survey results also reveal that many organizations do not perform a thorough appraisal of the factors that might contribute to financial losses. These losses can be calculated from the factors shown in figure 1 below. How does your organization calculate financial losses due to security incidents, compared to others?

[ ] Loss of customer business (52%)
[ ] Legal defence services (35%)
[ ] Investigations and forensics (35%)
[ ] Audit and consulting services (34%)
[ ] Deployment of detection software, services, and policies (31%)
[ ] Damage to brand/reputation (27%)
[ ] Court settlements (26%)

Figure 1: Factors included in calculation of financial losses from security breaches

A PwC consumer survey performed in 2012 (Consumer privacy: What are consumers willing to share?, July 2012) revealed that 61% of respondents would stop using a company's products or services after a breach. This indicates the substantial risk of losing customers as a result of information security incidents. Yet, as figure 1 shows, only 52% of the respondents indicated that they include loss of customer business as a factor.

More alarming is the fact that only 27% of the respondents include damage to brand/reputation as a potential factor when determining financial losses. We therefore conclude that organizations underestimate the financial losses due to security incidents, as not all financial loss calculation factors are taken into account.

4. Information security and privacy tools

Information security and privacy tools allow organizations to prevent, monitor and detect unauthorized access to the organization's information. How do your organization's security and privacy tools measure up against other organizations?

[ ] Malicious code detection tools (spyware and adware)
[ ] Intrusion detection tools
[ ] Tools to discover unauthorized devices
[ ] Vulnerability scanning tools
[ ] Subscription to vulnerability alerting service(s)
[ ] Data loss prevention (DLP) tools
[ ] Security event correlation tools

Figure 2: Information security privacy tools currently in place, 2012 versus 2011 (bar chart with a 2012 and a 2011 value per tool)

Based on figure 2, a decline of 10% in the use of basic tools can be seen within global organizations. This decline can be due to various factors, e.g. a high level of information security confidence, or several years of tight IT budgets within organizations. Whatever the cause, it leaves the organization's security at high risk.

5. Information security safeguards related to people

An effective security program requires adequate training of employees. How do your organization's information security safeguards measure up against other organizations?

[ ] Conduct personnel background checks
[ ] Have people dedicated to employee awareness programs for internal policies, procedures and technical standards
[ ] Have people dedicated to monitoring employee use of Internet/information assets
[ ] Link security, either through organizational structure or policy, to privacy and/or regulatory compliance
[ ] Employ a Chief Information Security Officer (CISO) in charge of the security program
[ ] Integrate physical security and information security personnel
[ ] Employ information security consultants
[ ] Employ dedicated security personnel that support internal business departments
[ ] Employ a Chief Security Officer (CSO) in charge of the security program
[ ] None of the above (16% / 20%)

Figure 3: Information security safeguards related to people, 2012 versus 2011 (bar chart with a 2012 and a 2011 value per safeguard)

Based on figure 3, a decline can be seen in the information security safeguards used. Only 50% of organizations globally have employee security and privacy awareness training programs. According to the GSIS report, lack of training is cited as a top reason why contingency and response plans are not effective.

Improving information security starts at the top of the organization

Throughout this newsflash we have seen that organizations think too optimistically of their information security. They regard themselves as information security leaders while not meeting many of the requirements mentioned above, such as the use of basic information security tools or of financial loss measurement. This lack of strong information security increases the vulnerability of your organization. The security incidents of recent years on a global scale are proof of this.

Possible steps towards strengthening your information security practice are to:

1. Understand your organization's information, who wants it, and what tactics adversaries might use to get it.
2. Implement a comprehensive information security risk-assessment strategy and align security investments with identified risks.
3. Understand that information security requirements and, indeed, overall strategies for doing business have reached a turning point. Information security today is a rapidly evolving game of advanced skill and strategy; security models of the past decade are no longer effective.
4. Embrace a new way of thinking in which information security is both a means to protect data and an opportunity to create value for your business.

We hope that the information provided in this newsflash gives you a high-level view of your organization's position compared to the global trends in information security, as well as some insight into strengthening your security practice. If you would like to discuss your assessment results or the content of this newsflash, please do not hesitate to contact us.

Contact information

Ruben Goedhoop (Director Advisory): ruben.w.goedhoop@an.pwc.com
Stewart Marshall: stewart.marshall@an.pwc.com
Office: T: +(297) 522 1647, or send an email to info@an.pwc.com

2013 PricewaterhouseCoopers Aruba. All rights reserved. PwC refers to the Dutch Caribbean member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.