Cyber security today: current threats, new...

Post on 30-Jan-2020


Cyber Security Today: Current Threats, New Approaches

Are cyber risks merely a technology risk, and is it only companies' Information Technology infrastructure that is in danger?


Target

Millions of customer records stolen via malware on the POS system

CEO had to step down

+ $1 billion – Potential cost to Target

Initial intrusion via a third-party HVAC company

PwC

SONY Pictures

The Global State of Information Security® Survey


The survey includes 10,000 respondents from 127 countries.

North America: 37%
South America: 14%
Europe: 30%
Asia Pacific: 16%
Middle East & Africa: 3%

A mix of business and IT security executives are represented.

IT & Security (Other): 20%
IT & Security (Mgmt.): 25%
Compliance, Risk, Privacy: 9%
CISO, CSO, CIO, CTO: 21%
CEO, CFO, COO: 25%

16 December 2015, Cyber Security

What is the state of threats?

In 2015, respondents detected 38% more information security incidents.*

Average number of security incidents in past 12 months

* A security incident is defined as any adverse incident that threatens some aspect of computer security.

2011: 2,562
2012: 2,989
2013: 3,741
2014: 4,948
2015: 6,853

Small organizations reported a dramatic increase in incidents, while the number of detected compromises among large companies grew at the slowest pace.


The financial costs of incidents more than doubled for small organizations.

Small companies reported a two-fold increase in total financial losses attributed to security incidents, while large companies said losses dropped 16% in 2015.

Average total financial losses due to security incidents

Small (Revenues less than $100 million): $428,471 (2014), $940,429 (2015)
Medium (Revenues $100 million to $1 billion): $1.3 million (2014), $1.3 million (2015)
Large (Revenues more than $1 billion): $5.9 million (2014), $4.9 million (2015)

Employees remain the most cited source of compromise, but incidents attributed to business partners are up substantially.

Estimated likely source of incidents (2014 vs. 2015)

Security events ascribed to current and former third-party partners jumped 22% over the year before, while those attributed to employees inched down a notch.

Categories: Current employees; Former employees; Current service providers/consultants/contractors; Former service providers/consultants/contractors; Suppliers/business partners

Chart values: 35%, 30%, 18%, 13%, 15%, 34%, 29%, 22%, 19%, 16%

Increasingly, organizations report that employee, customer and internal data are primary targets of cyberattacks.

Impact of security incidents (2014 vs. 2015)

While compromise of customer records rose 35%, theft of “hard” intellectual property like strategic business plans and financial documents increased more than any other data loss.

Categories: Customer records compromised; Employee records compromised; Loss or damage of internal records; Theft of “soft” intellectual property; Theft of “hard” intellectual property

Chart values: 28%, 29%, 20%, 24%, 15%, 38%, 33%, 26%, 25%, 23%

And what about countermeasures?

Among organizations that have a CISO (54%), the security executive is most likely to report directly to the CEO.

Where the CISO reports (all respondents)

Board of Directors: 23%
CTO: 15%
CPO: 13%
CIO: 25%
CEO: 36%

In large businesses, the security function is often organized under the CIO.

Where the CISO reports (by company size)

CISOs of small companies are slightly more likely to report to the Board.

Reporting lines: CEO; Board; CIO

Company sizes: Large; Medium; Small

Chart values: 24%, 25%, 22%, 30%, 18%, 24%, 37%, 39%, 33%

As risks rise, organizations significantly boost investments in information security.*

Reversing last year’s slight drop in security spending, respondents increased their information security budgets by 24% in 2015.

2011: $2.7 million
2012: $2.8 million
2013: $4.3 million
2014: $4.1 million
2015: $5.1 million

19% of IT budget spent on information security

Information security budget for 2015

* Information security budget refers to funds specifically and explicitly dedicated to information security, including money for hardware, software, services, education, and information security staff.

Small companies take a decisive lead in expanding spending for security programs.

Small organizations doubled information security budgets in 2015, while large companies’ spending has remained stable.

Information security budget for 2015 (2014 vs. 2015)

Company sizes: Small (Revenues less than $100 million); Medium (Revenues $100 million to $1 billion); Large (Revenues more than $1 billion)

Chart values: $10.1 million, $10.0 million, $3.3 million, $2.8 million, $1.5 million, $733,052

Adoption of risk-based security frameworks

Have not adopted a security framework: 8%
Have adopted other security framework(s): 18%
Have adopted ISF Standard of Good Practice: 26%
Have adopted SANS Critical Controls: 28%
Have adopted NIST Cybersecurity Framework: 34%
Have adopted ISO 27001: 40%

Most respondents (91%) have implemented one or more risk-based information security frameworks. A majority of organizations also say they collaborate with external industry partners to improve security and reduce risks.

Many organizations have adopted cyber security insurance, cloud-based initiatives and Big Data analytics

Adoption of strategic initiatives

Cybersecurity insurance: 59%
Big Data analytics: 59%
Cloud-based cybersecurity: 69%

56% of respondents who use cloud-based cybersecurity also employ real-time monitoring and analytics from cloud providers

Where to Start, What to Do?

CISO

Cyber Security Strategy

Cyber Security Awareness (Staff + Execs)

Thank you...

© 2016 PwC Türkiye. All rights reserved. In this document, “PwC” refers to PwC Türkiye, a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. “PwC Türkiye” refers to and represents the PwC Türkiye organization, which consists of the legal entities established in Turkey under the trade names Başaran Nas Bağımsız Denetim ve Serbest Muhasebeci Mali Müşavirlik A.Ş., Başaran Nas Yeminli Mali Müşavirlik A.Ş. and PricewaterhouseCoopers Danışmanlık Hizmetleri Ltd. Şti.

burak.sadic @ tr.pwc.com

@adilburaksadic

tr.linkedin.com/in/buraks/

www.pwc.com.tr/siberguvenlik