Global State of Information Security Survey 2015
The risks and repercussions of security incidents continue to rise as preparedness falls.
www.pwc.ch/cybersecurity
Agenda
- Methodology
- Key findings
- Focus on data privacy and further technical controls
- How to increase cyber security
- Conclusion
- Contacts
Methodology
Methodology
The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO and CSO, was conducted online from 27 March to 25 May 2014.
- PwC's 17th year conducting the survey, 12th with CIO and CSO magazines
- Includes readers of CIO and CSO and clients of PwC from 154 countries
- More than 9,700 responses from executives including CEOs, CFOs, CIOs, CISOs, CSOs, VPs and directors of IT and security
- More than 40 questions on topics related to privacy and information security safeguards and their alignment with the business
- 38% of respondents from companies with revenue of USD 500 million or more
- 35% of respondents from North America, 34% from, 14% from Asia Pacific, 13% from South America, 4% from the Middle East and Africa
- Margin of error less than 1%; numbers may not add to 100% due to rounding
- 130 respondents from
Demographics
[Chart: respondents by industry sector (Aerospace & Defense, Agriculture, Consulting, Consumer Products, Education / Non-profit, Energy / Utilities, Engineering, Entertainment & Media, Financial Services, Forest / Paper, Government Services, Health Industries, Hospitality / Travel, Industrial Manufacturing, Technology, Telecommunications, Transportation, Do not know; axis 0% to 40%) and by company size (1 to 10, 11 to 50, 51 to 100, 101 to 500, 501 to 1,000, 1,001 to 5,000, 5,001 to 10,000, 10,001 to 20,000, 20,001 to 50,000, 50,001 to 75,000, 75,001 to 100,000, 100,001 to 200,000, More than 200,000; axis 0% to 20%)]
Functions and roles of participants
[Chart: roles/functions (only the six most relevant roles): CEO / President / Managing Director; Chief Operating Officer (COO); Chief Information Officer (CIO) / VP; Chief Technology Officer (CTO); Chief Information Security Officer (CISO) / VP; axis 0% to 25%. Second panel: Business or IT (Business, IT); axis 0% to 60%]
Key findings
Today, security compromises are a persistent and globally pervasive business risk
- The US government notifies 3,000 companies that they were attacked and charges nation-backed hackers with economic espionage.
- Compromises of retailers culminate in a recent breach of 56 million credit cards.
- The Heartbleed bug results in the loss of 4.5 million healthcare records.
- The Shellshock bug has just been released and may cause damage to web servers.
- Powerful malware infects hundreds of energy companies worldwide.
- More than half of global securities exchanges are hacked.
- Regulators around the world are beginning to address cyber risks more proactively.
A steady 66% year-on-year growth since 2009
Taking a longer-term view, our survey data shows that the compound annual growth rate (CAGR) of detected security incidents has been 66% since 2009.
The bigger the business, the larger the loss
Among our global survey sample, large organisations (gross annual revenues of USD 1 billion or more) detected 44% more incidents compared with last year. Medium-sized organisations (revenues of USD 100 million to USD 1 billion) showed the biggest improvement in their ability to detect incidents, discovering 64% more compromises than last year. Small organisations proved the exception in discovering security events: companies with revenues lower than USD 100 million detected 5% fewer incidents this year.
The number of security incidents continues to soar
[Chart: distribution of incidents detected in the past 12 months (0 or none, 1 to 2, 3 to 9, 10 to 49, 50 to 499, 500 to 4,999, 5,000 to 99,999, 100,000 or more, Do not know); axis 0% to 25%. Callouts: 42.8 million (total detected incidents); 53% detected fewer than 10 incidents in 2013; 15% detected more than 500 incidents in 2013]
Q18: How many security incidents were detected in the past 12 months?
The financial cost of security incidents is high and rising
As security incidents grow in frequency, the costs of managing and mitigating breaches are also rising. Globally, the annual estimated reported average financial loss attributed to cyber security incidents was USD 2.7 million, a jump of 34% over 2013. Not surprising, but certainly attention-grabbing, is the finding that big losses are more common: organisations reporting financial hits of USD 20 million or more increased 92% over 2013.
Monetary losses stretch into the billions of dollars
The estimated global cost of cybercrime detected by respondents this year is more than USD 23 billion. Again, it's important to note that this figure represents only detected compromises.
Financial losses of security incidents in, only 26 out of 130 answered
[Chart: estimated total financial losses (Less than $10,000, $10,000 to $49,999, $50,000 to $99,999, $100,000 to $499,999, $500,000 to $999,999, $1 million to $9.9 million, $10 million to $19.9 million, $20 million or more, Do not know); axis 0% to 35%. Callout: at least 9 million from 26 answers]
Q22a: Estimated total financial losses as a result of all security incidents (in USD)?
Direct financial losses, followed by theft of IP and loss of customers, are the main areas of losses
[Chart: impact categories (Financial losses; Theft of soft intellectual property (e.g., information such as processes, institutional knowledge, etc.); Loss of customers; Other; Financial fraud (e.g., credit card fraud); E-mail or other applications unavailable; Brand / reputation compromised; Theft of hard intellectual property (information such as strategic business plans, deal documents, sensitive ...)); axis 0% to 30%]
Q22: How was your organisation impacted by the security incidents? (Check all that apply)
... or trillions, depending on how you measure it
As with the number of incidents, the global cost of security compromises is ultimately unknowable because many attacks are not reported. It's also important to note that the value of certain kinds of information, intellectual property and trade secrets in particular, is very difficult to ascertain. Based on calculations determined by the Center for Responsible Enterprise And Trade (CREATe.org) and PwC, we believe that financial losses due to the theft of trade secrets may range from USD 749 billion to as high as USD 2.2 trillion annually.
Despite elevated risks, security budgets decline in 2014
Many organisations are undoubtedly worried about the rising tide of cybercrime, yet most have not increased their investment in security initiatives. In fact, global information security budgets actually decreased 4% compared with 2013. And security spending as a percentage of the total IT budget has remained stalled at 4% or less for the past five years.
Spending sinks from previous years, particularly among small organisations
We found one explanation for the spending slow-down by looking at investment levels reported in last year's survey. In 2013, organisations reported very significant increases in spending over 2012, expanding IT investments by 40% and security spending by an even more substantial 51%. It could be that this year's respondents were hard-pressed to continue investments at that accelerated pace. Looking at security investment by company size also sheds some light on the anaemic funding. This year, companies with revenues under USD 100 million say they reduced security investments by 20% over 2013, while medium-sized and large companies report a modest 5% increase in security spend.
Actual cyber security budget
[Chart: total information security budget for 2014 (Less than $10,000, $10,000 to $49,999, $50,000 to $99,999, $100,000 to $499,999, $500,000 to $999,999, $1 million to $1.9 million, $2 million to $4.9 million, $5 million to $9.9 million, $10 million to $19.9 million, $20 million to $29.9 million, $30 million or more, Do not know); axis 0% to 20%]
Q8: What is your organisation's total information security budget for 2014?
Information security spending compared to last year: 57% of Swiss budgets will increase
[Chart: expected change in security spending (Increase more than 30%, Increase 11-30%, Increase up to 10%, Stay the same, Decrease less than 10%, Decrease 11-30%, Decrease more than 30%, Do not know); axis 0.0% to 35.0%]
Q9: When compared with last year, security spending over the next 12 months will ...
Incidents attributed to insiders rise, while security preparedness falls
Current and former employees are the most-cited culprits of security incidents, but implementation of key insider-threat safeguards is declining.
- 56% have privileged user-access tools (65% in 2013).
- 51% monitor user compliance with security policies (58% last year).
- 51% have an employee security training and awareness programme (60% in 2013).
Compromises attributed to third parties with trusted access increase while due diligence weakens.
- 55% have security baselines for external partners, suppliers, and vendors (60% in 2013).
- 50% perform risk assessments on third-party vendors (53% in 2013).
High growth in high-profile crimes
While less frequent, incidents attributed to nation-states, organised crime and competitors increased sharply in 2014.
- 86% jump in incidents by nation-states
- 64% rise in compromises by competitors
- 26% increase in incidents by organised crime
The outsiders: cybercrime and hackers represent 50% of incidents, but insiders are still at a high level!
[Chart: estimated likely source of incidents. Insiders: Current employees, Former employees, Current service providers/consultants/contractors, Former service providers/consultants/contractors, Suppliers/business partners, Customers; axis 0% to 50%. Outsiders: Hackers, Organized crime, Competitors, Activists/activist organizations/hacktivists, Information brokers, Terrorists, Foreign entities and organizations, Foreign nation-states, Domestic intelligence service; axis 0% to 30%]
Q21: Estimated likely source of incidents (check all that apply)
What does this mean for budgets, incidents, new technologies, regulations, and related costs?
- Regulation
- Prioritisation needed
- Budget pressure
Focus on data privacy and further technical controls
Data privacy safeguards currently in place (processes)
[Chart: safeguards in place (Incident response process to report and handle breaches to third parties that handle data; Accurate inventory of where personal data for employees and customers are collected, transmitted, and stored; Limit collection, retention, and access of personal information to the minimum necessary to accomplish the legitimate purpose for which it is collected; Processes for cross-border data exchanges); axis 0% to 80%]
Q12: Which data privacy safeguards does your organisation currently have in place? (Processes)
Monitoring, response and even risk management are outsourced most often
[Chart: outsourced safeguards (Incident response process to report and handle breaches to third parties that handle data; Accurate inventory of locations or jurisdictions where data is stored; Require third parties (including outsourcing vendors) to comply with our privacy policies; Conduct risk assessments of internal and external risks to the privacy, security, confidentiality, and integrity of electronic and paper records containing personal information (e.g., through internal audit); Certification under the Swiss or EU Safe Harbor Agreement, model contracts, customer or employee consent, or binding corporate rules); axis 0% to 60%]
Q12b: Which data privacy safeguards does your organisation currently outsource? (Processes)
Data privacy safeguards currently in place (people)
[Chart: safeguards in place (Impose disciplinary measures for privacy program violations; Require our employees to complete training on privacy policy and practices; Require our employees to certify in writing that they comply with our privacy policies; Employ a Chief Privacy Officer (CPO) or similar executive in charge of privacy compliance); axis 0% to 80%]
Q12a: Which data privacy safeguards does your organisation currently have in place? (People)
Safeguards for inventory, monitoring, incident handling and cross-border exchange are on the way
[Chart: top-priority safeguards not yet in place (Ongoing monitoring of the data privacy program; Incident response process to report and handle breaches to third parties that handle data; Accurate inventory of where personal data for employees and customers are collected, transmitted, and stored; Limit collection, retention, and access of personal information to the minimum necessary to accomplish the legitimate purpose for which it is collected; A written privacy policy is in place and published on our external website; Processes for cross-border data exchanges); axis 0% to 50%]
Q12c: Which data privacy safeguards does your organisation not have in place, but is a top priority over the next 12 months? (Processes)
Cyber insurance and what we do with it
[Chart: use of cyber insurance (Made a claim; Collected on a claim; Taken steps to enhance the organization's security posture to lower the insurance premium; Do not know); axis 0.0% to 70.0%]
Q26a: If your organisation has cyber insurance, has it ...
Maturity level: be compliant and then secure; reducing cyber risks is one of the least used arguments
[Chart: measures of security spending effectiveness (Reduction in security risks; Return on investment (ROI); Internal rate of return; Payback period; Net present value; Total cost of ownership; Improvement against security metrics; Professional judgment; Lack of audit findings; Lack of regulatory findings; Other; Do not know); axis 0.0% to 45.0%]
Q38: How does your company measure the effectiveness of information security spending? (Check all that apply)
What technical security measures are already in place (top 10)?
- Malware or virus-protection software
- Centralized user data store
- Encryption of databases
- Secure remote access (VPN)
- Unauthorized use or access-monitoring tools
- Encryption of networking transmissions (wireless, wired, etc.)
- Network access control software
- Security information and event management (SIEM) technologies
- Network firewalls
- Application firewalls
[Chart axis: 0% to 100%]
Q15: What technology information security safeguards does your organisation currently have in place?
What technical security measures are already in place but outsourced (top 10)?
- Encryption of Web transactions
- Encryption of file shares
- User-activity monitoring tools
- Privileged user access
- Network firewalls
- Protection/detection management solution for advanced persistent threats (APTs)
- Asset-management tools
- Intrusion-detection tools
- Security technologies supporting Web 2.0 exchanges such as social networks, blogs, microblogging, wikis, or other
- Role-based authorization
[Chart axis: 0% to 50%]
Q15: What technology information security safeguards does your organisation currently outsource?
What technical security measures will be deployed in the next 12 months (top 10)?
- Secure access-control measures
- Code-analysis tools
- Disposable passwords/smart cards/tokens for authentication
- Asset-management tools
- Enterprise content-management tools
- Malicious code-detection tools
- Automated account provisioning/de-provisioning
- Behavioral profiling and monitoring
- Encryption of smart phones
- Vulnerability scanning tools
[Chart axis: 0% to 40%]
Q15: What technology information security safeguards does your organisation not have in place, but is a top priority over the next 12 months?
How to increase cyber security
To improve cyber security, we need to convince the C-level and agree on a strategy.
[Chart: greatest obstacles (Leadership: CEO, President, Board, or equivalent; Leadership: CIO or equivalent; Lack of an effective information security strategy; Insufficient capital expenditures; Insufficient operating expenditures; Leadership: CISO, CSO, or equivalent; Lack of an actionable vision or understanding of how future business needs impact information security; Poorly integrated or overly complex information and IT systems; Absence or shortage of in-house technical expertise); axis 0% to 50%. Callout: 50% leadership]
Q28: What are the greatest obstacles to improving the overall strategic effectiveness of your organisation's information security function? (Check all that apply)
Conclusion
Taking action: 5 steps toward a strategic security programme
1. Ensure that your cyber security strategy is aligned with business objectives and is strategically funded.
2. Identify your most valuable information assets and prioritise protection of this high-value data.
3. Improve processes for earlier detection and reduce the time from detection to response.
4. Assess the cyber security of third parties and supply chain partners, and ensure they adhere to your security policies and practices.
5. Collaborate with others to increase awareness of cyber security threats and response tactics.
Contacts
Jan Schreuder, Partner, +41 58 792 24 84, jan.schreuder@ch.pwc.com
Yan Borboën, Director, +41 58 792 84 59, yan.borboen@ch.pwc.com
Marc Impini, Assistant Manager, +41 58 792 94 81, marc.impini@ch.pwc.com
Visit www.pwc.ch/gsiss2015
© 2014 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. PricewaterhouseCoopers has exercised reasonable care in the collecting, processing, and reporting of this information but has not independently verified, validated, or audited the data to verify the accuracy or completeness of the information. PricewaterhouseCoopers gives no express or implied warranties, including but not limited to any warranties of merchantability or fitness for a particular purpose or use, and shall not be liable to any entity or person using this document, or have any liability with respect to this document. This report is intended for internal use only by the recipient and should not be provided in writing or otherwise to any other third party without PricewaterhouseCoopers' express written consent.