Cybersecurity challenges in an interconnected world Key findings from The Global State of Information Security Survey 2015




If the recent string of high-profile cyber attacks has proved anything, it's that no industry or organization is immune from risk. In particular, compromises by nation-states, social activists and hacktivists, and employees have increased markedly in the past year.

Politically motivated hacktivists took down the website of the German parliament as well as the chancellor's page. [1] State-sponsored threat actors infiltrated the systems of a third-party firm that conducts personnel background checks for US government agencies, resulting in theft of information of 25,000 employees; four months later, personal information of an estimated 40,000 federal workers was breached in an attack on another background check contractor. [2] Throughout the year, activists reacted to perceived social injustices by launching powerful distributed denial of service (DDoS) attacks that defaced and disabled the websites of smaller city governments. And the threat extends from the most powerful nation-state actors to the smallest municipal agencies.

Consider, for instance, the past 12 months in cyber attacks.

[1] CNET, Political hackers take on Germany over Ukraine-Russia issues, January 7, 2015
[2] SC Magazine, 40,000 federal employees impacted by contractor breach, December 19

"The threat from insiders, hacktivists, and nation-states continues to challenge government agencies as they deal with shrinking budgets and increased connectivity issues," said John Hunt, a Principal in PwC's Cybersecurity Practice. "Government agencies must step up their efforts to invest in security personnel, processes, and technologies that address holistic information security strategies."

There's every reason to believe these risks to data, applications, and networks will continue to accelerate as governments continue to shift more services and data online. Yet according to key findings from The Global State of Information Security Survey (GSISS) 2015, many public sector organizations are not taking decisive action to address cyber threats and improve their security programs.

GSISS 2015: results at a glance

[Chart: Average number of detected incidents, 3,105 in 2013 falling to 2,317 in the current survey year.]

[Chart: Sources of incidents, 2013 versus the current survey year, for current employees, former employees, hackers, and activists/hacktivists. Values shown: 27%, 35%, 26%, 27%, 25%, 19%, 15%, 11%; the extracted layout does not preserve which value belongs to which category and year.]

Incidents and financial losses decline

Employees remain the most-cited culprits.

Despite overwhelming evidence that cyber risks continue to multiply, the number of security incidents detected by public sector respondents declined 25% to a three-year low. (We define a security incident as any adverse incident that threatens some aspect of computer security.) Against a global backdrop of escalating cyber attacks, a drop in detected compromises is not necessarily a good thing. One explanation may be that intrusions by advanced adversaries like nation-states often go undiscovered. It's also worth pointing out that more than a quarter of respondents (26%) did not know the number of compromises, and slightly more could not determine the source of incidents. What's more, many agencies are reluctant to discuss the risks and repercussions of security events, which could explain the drop in incidents that are disclosed.

It is unsurprising that current personnel remain the most-cited culprits of security incidents, followed by former employees. Increasingly, government agencies are also concerned about threats posed by insiders like service providers, consultants, and contractors who have trusted access to an organization's network and sensitive data. It's a risk that continues to inch up year over year.

While incidents attributed to insiders often fly under the radar of the media, compromises by nation-states, activists, and hacktivist organizations are among the most avidly covered. These threat actors are also increasingly active: Attacks by nation-states soared 77% over the year before, while those carried out by activists and hacktivists climbed 39%.

Nation-states and activists/hacktivists are the fastest-growing sources of security incidents.

Despite mounting concerns about cyber risks, many agencies seem mired in a pattern of fiscal austerity, at least when it comes to cybersecurity. Global public sector organizations in fact cut information security budgets by 6% compared with the year before. Nowhere was this tendency clearer than among small agencies (those with revenues of $100 million or less), which slashed security spending by 25%. Large entities (revenues of $1 billion or more) trimmed security investments by a modest 1%, while medium-size organizations increased spending by 39%.

GSISS 2015: security spending at a glance

[Chart: Average annual information security budget, $3.7M in 2013 falling to $3.5M in the current survey year. Information security spend as a percentage of IT budget, 2013 versus the current survey year: 3.6% and 3.7% (order not preserved in the extracted text).]

Employee awareness programs and data access controls are key.

In the wake of the data leak by US government contractor Edward J. Snowden, most executives understand that security breaches by insiders, whether employees or trusted business partners, can be even more damaging than those attributed to external adversaries. That's why the sizable increase in insider incidents this year could have critical implications for the security stance of public sector agencies. As the ability to limit and control employee access to key data assets becomes increasingly pivotal, safeguards to manage insider threats will be a hallmark of successful cybersecurity.

"Never before has there been a greater need to develop a risk-based approach to cybersecurity," said Jack L. Johnson Jr., a Principal in the PwC Public Sector and the National Security Practice Leader. "This risk-based approach needs to be holistic in nature, and include other security concerns like physical security, personnel security, information security, as well as cyber-threat intelligence."

Take employee awareness and training. The weakest link in a security program is very often human, and staff education should form the spine of every information security program. So it did not inspire optimism to find that only 57% of public sector respondents have a security awareness and training program, a number that is down significantly from the year before. We also saw a decline in staff training on privacy policies. The truth is, public sector agencies often focus on the latest security technologies at the expense of employee awareness and training.

Another essential process is thorough background investigation of potential employees. More than a third of respondents do not perform any background checks of potential employees, among the most basic of precautions and one that has weakened from the year before.

Battling these risks will demand a new focus on employee security training, airtight control of data access, and the right technologies to continuously monitor network activity. There is evidence that many agencies have not addressed these imperatives.

Battling insider risks will also demand a new focus on the right technologies to continuously monitor network activity.

Tools to manage insider threats are often not deployed

[Chart: Adoption rates of 65%, 63%, 61%, 59%, 57%, 54%, and 49% for the following: conduct personnel background checks; privileged user access; user activity monitoring tools; unauthorized use or access monitoring tools; employee training & awareness program; threat intelligence subscription services; behavioural profiling & monitoring. The extracted layout does not preserve which value belongs to which item; the text confirms 57% for the training program and 54% for threat intelligence subscription services.]

Enterprise-wide awareness of security risks will not be achieved by the IT function alone. It will require a cross-functional approach that includes IT, information security, corporate security, human resources, legal counsel, audit, and privacy, as well as leadership from lines of business. Yet only 52% of respondents told us they have a cross-functional team that coordinates security strategy and practices.

One ascendant risk that can be mitigated by employee training is spear phishing, a tactic that adversaries often use to launch an advanced attack. Increasingly, external threat actors mount spear phishing campaigns to steal credentials of employees with privileged access to data and networks, then use that information to infiltrate the agency's network. Staff training is the best defense, but technologies such as software to discover malicious code and anti-malware solutions can also help prevent phishing attacks. They are also under-utilized. Similarly, threat-intelligence subscription services can help agencies understand current spear phishing campaigns and targeted attack techniques. It's an approach that only 54% of public sector respondents have adopted.

Anticipating risks, understanding threat actors, and rapid response are seen as key benefits.

Increasingly, governments are encouraging, and sometimes mandating, that agencies implement processes and tools to continuously monitor and analyze IT assets and activity. They understand that doing so can help anticipate risks and inform decision-making, provide intelligence on threat actors' techniques, and facilitate rapid response to compromises.

The benefits of continuous monitoring are clear-cut, but so are the challenges. The multitude of information systems and applications in place today makes visibility and analysis progressively complex and time-consuming. For many agencies, the austere spending environment makes it difficult to secure funding for any new security initiative. And there are no precise guidelines as to what constitutes the right processes and technologies.

We believe that a monitoring program will require that agencies first identify their most valuable data assets and prioritize protection. This initial step is critical because most organizations do not have the resources to protect every asset with equal vigor. It is also under-utilized: Just over half (54%) told us they have a program to identify sensitive data, a number that is down from the year before.

One example of this type of initiative is the Continuous Diagnostics and Mitigation (CDM) program launched by the US Department of Homeland Security. The CDM program aims to improve the cybersecurity of federal agencies by providing them with capabilities and tools that help identify cybersecurity risks, prioritize these threats based on potential impacts, and mitigate the most significant problems first.

Implementation of monitoring & diagnostics tools falls short

[Chart: Adoption rates of 68%, 60%, 62%, 57%, 61%, and 52% for the following: malicious code detection tools; vulnerability scanning tools; intrusion detection tools; user activity monitoring tools; security-event correlation tools; penetration testing. The extracted two-column layout does not reliably preserve which value belongs to which tool.]

Some governments are beginning to require that their agencies deploy processes and tools to monitor and analyze valuable data assets.

Similarly, a commitment to monitor and analyze data and networks seems to be slipping. Only 61% of agencies told us they have implemented processes to monitor and assess security intelligence such as log files, network activity, and vulnerability reports. The year before, 73% said they had these processes, indicating that the trend appears to be heading in the wrong direction. A look at specific tools for monitoring and analysis reveals a similar tendency: Adoption of technologies like security-event correlation software, vulnerability scanning, penetration testing, and monitoring of user activity declined. Overall, there seems to be a disconnect between voicing support for these tools and actual implementation.

Automated identity and access controls are fundamental tools yet are often not deployed.

Identity and access management is a core component of information security, one that is progressively essential to an effective program. Yet many public sector agencies continue to grapple with automated solutions. Only half (50%) of respondents told us they have implemented identity management tools. Other technologies that are central to managing access and monitoring employee behavior are also sparsely deployed. These include automated account provisioning and de-provisioning, role-based authorization, and user recertification.

More advanced organizations are starting to use biometrics, such as a fingerprint scanner to log onto a computer, and multifactor authentication to improve identity and access management. Of survey respondents, 37% said they leverage biometrics, up from 18% two years ago, and 58% said they have implemented multifactor log-ins.

The next step may be linking physical and logical access with identity management tools. Among European nations, for instance, there is a movement to build centralized identity management systems that leverage electronic identity cards. [3] The cryptographic cards, which contain an embedded chip that stores an individual's personal data, employ the Extended Access Control Protocol. This combination of chip and software provides a foundation upon which public sector agencies could overlay IT security controls to better enforce access to systems and data. Many believe centralized identity management can yield a number of benefits that include improved secure access to multiple networks and applications, operational efficiencies, lower costs of access control administration, and a better audit trail. It's a trend we will continue to monitor.

Many agencies do not use identity management tools

[Chart: Adoption rates of 60%, 60%, 69%, 58%, 55%, 47%, and 54% for the following: secure access control measures; role-based authorization; automated password reset; multifactor authentication; user recertification; automated account provisioning/de-provisioning; risk-based authorization/authentication. The extracted layout does not preserve which value belongs to which item; the text above confirms 58% for multifactor authentication.]

Half of public sector respondents tell us they have not implemented identity management tools.

[3] IEEE Security & Privacy, Electronic Identity Cards for User Authentication: Promise and Practice, February 2012

Increasingly, governments are encouraging public and private entities to share cyber-threat intelligence.

It's good news that many industries are embracing external collaboration to improve cybersecurity threat awareness and response techniques. But much more could be done to leverage the power of collaboration across industries and governments, local, regional, and global.

Over the past several years, government, regulatory and law-enforcement bodies have proposed guidelines and legislation to promote information sharing. Recently, the US and United Kingdom announced an agreement on cybersecurity cooperation that includes threat information sharing and educational exchanges. [4] And industry-specific initiatives known as Information Sharing and Analysis Centers (ISAC) have been created across sectors including finance, healthcare, energy, and public transit, to name a few, and now have a global reach.

But much remains to be done in the public sector. Despite calls for increased public-private collaboration, government agencies remain somewhat reluctant to share information. Only 43% of respondents told us they work with others to improve security, down from 48% the year before. What's more, industries such as technology, telecommunications, and financial services are considerably more likely to collaborate with others.

For many, the lack of a unified framework for information sharing between private and public sectors remains a significant barrier to information sharing. Certain guidelines exist, such as the ISO/IEC 27032 standard, which includes some details on information sharing. But the lack of a specific, detailed standard has undoubtedly hobbled the adoption of collaboration.

In the US, recent initiatives to advance public-private information sharing have centered on safeguarding critical infrastructure. To that end, the National Institute of Standards and Technology (NIST) in April issued a voluntary standard to assess and improve cybersecurity of critical infrastructure providers, as well as create a common language for discussion and collaboration. Already, 21% of US public sector respondents say they have adopted the NIST Cybersecurity Framework, and 11% say it is a future priority. Even though the Framework targets US critical infrastructure providers, it offers an effective model for risk-based security and information sharing that could benefit organizations across industries and across the globe. We believe it's well worth adopting.

Despite calls for increased information sharing, only 43% of public sector respondents say they collaborate with others.

[4] White House Office of the Press Secretary, FACT SHEET: US-United Kingdom Cybersecurity Cooperation, January 16, 2015

How the public sector partners & collaborates

[Chart: 52% have a senior executive who communicates the importance of security; 52% have a cross-organizational team that coordinates and communicates security issues; 43% collaborate with others to improve security.]

Facing the future of cyber attacks

As threats from nation-states shift, cybersecurity could very well evolve into cyber warfare. You need only consider the punishing assault on a US-based entertainment company to understand the potential. The attack, which was purportedly carried out by a nation-state, was variously described as cyber vandalism, terrorism, and an act of war. The precedent has clearly been set for the elevation of a cyber attack to a matter of national significance.

That's something that governments now recognize: Many are creating IT cybersecurity departments that are modeled on military defense, a trend that we expect will continue. This will be particularly pertinent to nations whose critical infrastructure is owned and operated by the government. As governments continue to use the Internet for their own purposes, cyberspace could very well become a combat zone. If it does, the risks and repercussions of cyber attacks will extend far beyond data security.

To have a deeper conversation about cybersecurity, please contact:

United States
Jack L. Johnson Jr., Principal, 703 918 1303, johnson.jack@us.pwc.com
John Hunt, Principal, 703 918 3767, john.d.hunt@us.pwc.com

www.pwc.com/gsiss2015
www.pwc.com/cybersecurity

PwC helps organizations and individuals create the value they're looking for. We're a network of firms in 157 countries with more than 195,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PwC does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

2015 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. The Global State of Information Security is a registered trademark of International Data Group, Inc. LA-15-0019