www.pwc.ch/cybersecurity
Global State of Information Security Survey 2015
The risks and repercussions of security incidents continue to rise as preparedness falls. October 2014
PwC
Agenda
• Methodology
• Key findings
• Focus on data privacy and further technical controls
• How to increase cyber security
• Conclusion
• Contacts
Slide 2
October 2014 GSISS 2015 Information Security Day
PwC
Methodology
The Global State of Information Security® Survey 2015, a worldwide study by PwC, CIO and CSO, was conducted online from 27 March to 25 May 2014.
• PwC’s 17th year conducting the survey, 12th with CIO and CSO magazines
• Includes readers of CIO and CSO and clients of PwC from 154 countries
• More than 9,700 responses from executives including CEOs, CFOs, CIOs, CISOs, CSOs, VPs and directors of IT and security
• More than 40 questions on topics related to privacy and information security safeguards and their alignment with the business
• 38% of respondents from companies with revenue of USD 500 million+
• 35% of respondents from North America, 34% from Europe, 14% from Asia Pacific, 13% from South America, 4% from the Middle East and Africa
• Margin of error less than 1%; numbers may not add to 100% due to rounding
• 130 respondents from Switzerland
Demographics – Switzerland
[Chart: Company size: 1 to 10; 11 to 50; 51 to 100; 101 to 500; 501 to 1,000; 1,001 to 5,000; 5,001 to 10,000; 10,001 to 20,000; 20,001 to 50,000; 50,001 to 75,000; 75,001 to 100,000; 100,001 to 200,000; More than 200,000; Do not know. Series: Switzerland, Europe, Total.]
[Chart: Industry sector: Aerospace & Defense; Agriculture; Consumer Products &…; Consulting /…; Education / Non-profit; Energy / Utilities /…; Entertainment & Media; Engineering /…; Financial Services; Forest / Paper /…; Government Services; Health Industries; Hospitality / Travel &…; Industrial Manufacturing; Technology; Telecommunications; Transportation &…. Series: Switzerland, Europe, Total.]
Functions and roles of participants
[Chart: Business or IT: Business; IT. Series: Switzerland, Europe, Total.]
[Chart: Roles/functions (only the six most relevant roles): CEO / President / Managing Director; Chief Operating Officer (COO); Chief Information Officer (CIO) / VP; Chief Technology Officer (CTO); Chief Information Security Officer (CISO) / VP. Series: Switzerland, Europe, Total.]
Key findings
Today, security compromises are a persistent – and globally pervasive – business risk
• The US government notifies 3,000 companies that they were attacked and charges nation-backed hackers with economic espionage.
• Compromises of retailers culminate in a recent breach of 56 million credit cards.
• Heartbleed bug results in the loss of 4.5 million healthcare records.
• Shellshock bug just released and might cause damage on web servers.
• Powerful malware infects hundreds of energy companies worldwide.
• More than half of global securities exchanges are hacked.
• Regulators around the world are beginning to more proactively address cyber risks.
A steady 66% year-on-year growth since 2009
Taking a longer-term view, our survey data shows that the compound annual growth rate (CAGR) of detected security incidents has increased 66% year-on-year since 2009.
The bigger the business, the larger the loss
Medium-sized organisations (revenues of USD 100 million to USD 1 billion) showed the biggest improvement in their ability to detect incidents, discovering 64% more compromises than last year.
Small organisations proved the exception in discovering security events: companies with revenues lower than USD 100 million detected 5% fewer incidents this year.
Among our global survey sample, large organisations (gross annual revenues of USD 1 billion or more) detected 44% more incidents compared with last year.
The number of security incidents continues to soar …
Q18: How many security incidents were detected in the past 12 months?
[Chart: 0 or none; 1 to 2; 3 to 9; 10 to 49; 50 to 499; 500 to 4,999; 5,000 to 99,999; 100,000 or more; Do not know. Series: Switzerland, Europe, Total.]
42.8 million
53% detected fewer than 10 incidents in 2013
15% detected more than 500 incidents in 2013
The financial cost of security incidents is high and rising
As security incidents grow in frequency, the costs of managing and mitigating breaches are also rising.
Globally, the annual estimated reported average financial loss attributed to cyber security incidents was USD 2.7 million, a jump of 34% over 2013.
Not surprising, but certainly attention-grabbing, is the finding that big losses are more common: organisations reporting financial hits of USD 20 million or more increased 92% over 2013.
Monetary losses stretch into the billions of dollars …
The estimated global cost of cybercrime detected by respondents this year is more than USD 23 billion.
Again, it’s important to note this figure represents only detected compromises.
Financial losses of security incidents – in Switzerland, only 26 out of 130 answered
Q22a: Estimated total financial losses as a result of all security incidents (in USD)?
[Chart: Less than $10,000; $10,000 to $49,999; $50,000 to $99,999; $100,000 to $499,999; $500,000 to $999,999; $1 million to $9.9 million; $10 million to $19.9 million; $20 million or more; Do not know. Series: Switzerland, Europe, Total.]
At least 9 million from 26 answers
Direct financial losses followed by theft of IP and loss of customers are the main areas of losses
Q22: How was your organisation impacted by the security incidents? (Check all that apply)
[Chart: Financial losses; Theft of “soft” intellectual property (e.g., information such as processes, institutional knowledge, etc.); Loss of customers; Other; Financial fraud (e.g., credit card fraud); E-mail or other applications unavailable; Brand / reputation compromised; Theft of “hard” intellectual property (information such as strategic business plans, deal documents, sensitive …). Series: Switzerland, Europe, Total.]
… or trillions, depending on how you measure it
As with the number of incidents, the global cost of security compromises is ultimately unknowable because many attacks are not reported. It’s also important to note that the value of certain kinds of information (intellectual property and trade secrets, in particular) is very difficult to ascertain.
Based on calculations determined by the Center for Responsible Enterprise And Trade (CREATe.org) and PwC, we believe that financial losses due to the theft of trade secrets may range from USD 749 billion to as high as USD 2.2 trillion annually.
Despite elevated risks, security budgets decline in 2014
Many organisations are undoubtedly worried about the rising tide of cybercrime, yet most have not increased their investment in security initiatives.
In fact, global IS budgets actually decreased 4% compared with 2013. And security spending as a percentage of the total IT budget has remained stalled at 4% or less for the past five years.
Spending sinks from previous years, particularly among small organisations
We found one explanation for the spending slow-down by looking at investment levels reported in last year’s survey.
In 2013, organisations reported very significant increases in spending over 2012, expanding IT investments by 40% and security spending by an even more substantial 51%. It could be that this year’s respondents were hard-pressed to continue investments at that accelerated pace.
Looking at security investment by company size also sheds some light on the anaemic funding. This year, companies with revenues under USD 100 million say they reduced security investments by 20% over 2013, while medium-sized and large companies report a modest 5% increase in security spend.
Actual cyber security budget
Q8: What is your organisation’s total information security budget for 2014?
[Chart: Less than $10,000; $10,000 to $49,999; $50,000 to $99,999; $100,000 to $499,999; $500,000 to $999,999; $1 million to $1.9 million; $2 million to $4.9 million; $5 million to $9.9 million; $10 million to $19.9 million; $20 million to $29.9 million; $30 million or more; Do not know. Series: Switzerland, Europe, Total.]
Information security spending compared to last year: 57% of Swiss budgets will increase
Q9: When compared with last year, security spending over the next 12 months will …
[Chart: Increase more than 30%; Increase 11-30%; Increase up to 10%; Stay the same; Decrease less than 10%; Decrease 11-30%; Decrease more than 30%; Do not know. Series: Switzerland, Europe, Total.]
Incidents attributed to insiders rise, while security preparedness falls
Current and former employees are the most-cited culprits of security incidents, but implementation of key insider-threat safeguards is declining.
• 56% have privileged user-access tools (65% in 2013).
• 51% monitor user compliance with security policies (58% last year).
• 51% have an employee security training and awareness programme (60% in 2013).
Compromises attributed to third parties with trusted access increase while due diligence weakens.
• 55% have security baselines for external partners, suppliers, and vendors (60% in 2013).
• 50% perform risk assessments on third-party vendors (53% in 2013).
High growth in high-profile crimes
• 86% jump in incidents by nation-states
• 64% rise in compromises by competitors
• 26% increase in incidents by organised crime
While less frequent, incidents attributed to nation-states, organised crime and competitors increased sharply in 2014.
The outsiders: cybercrime and hackers represent 50% of incidents, but insiders still at a high level!
Q21: Estimated likely source of incidents: (check all that apply)
[Chart: Outsiders: Hackers; Organized crime; Competitors; Activists/activist organizations/hackti…; Information brokers; Terrorists; Foreign entities and organizations; Foreign nation-states; Domestic intelligence service. Series: Switzerland, Europe, Total.]
[Chart: Insiders: Current employees; Former employees; Suppliers/business partners; Current service providers/consultants/contractors; Former service providers/consultants/contractors; Customers. Series: Switzerland, Europe, Total.]
What does this mean for budgets, incidents, new technologies, regulations, and related costs?
• Prioritisation needed
• Regulation
• Budget pressure
Focus on data privacy and further technical controls
Data privacy safeguards currently in place (processes)
Q12: Which data privacy safeguards does your organisation currently have in place? (Processes)
[Chart: Processes for cross-border data exchanges; Limit collection, retention, and access of personal information to the minimum necessary to accomplish the legitimate purpose for which it is collected; Accurate inventory of where personal data for employees and customers are collected, transmitted, and stored; Incident response process to report and handle breaches to third parties that handle data. Series: Switzerland, Europe, Total.]
Monitoring, response and even risk management are outsourced most often
Q12b: Which data privacy safeguards does your organisation currently outsource? (Processes)
[Chart: Certification under the Swiss or EU Safe Harbor Agreement, model contracts, customer or employee consent, or binding corporate rules; Conduct risk assessments of internal and external risks to the privacy, security, confidentiality, and integrity of electronic and paper records containing personal information (e.g., through internal audit); Require third parties (including outsourcing vendors) to comply with our privacy policies; Accurate inventory of locations or jurisdictions where data is stored; Incident response process to report and handle breaches to third parties that handle data. Series: Switzerland, Europe, Total.]
Data privacy safeguards currently in place (people)
Q12a: Which data privacy safeguards does your organisation currently have in place? (People)
[Chart: Employ Chief Privacy Officer (CPO) or similar executive in charge of privacy compliance; Require our employees to certify in writing that they comply with our privacy policies; Require our employees to complete training on privacy policy and practices; Impose disciplinary measures for privacy program violations. Series: Switzerland, Europe, Total.]
Safeguards for inventory, monitoring, incident handling, cross-border exchange are on the way
Q12c: Which data privacy safeguards does your organisation not have in place, but is a top priority over the next 12 months? (Processes)
[Chart: Processes for cross-border data exchanges; A written privacy policy is in place and published on our external website; Limit collection, retention, and access of personal information to the minimum necessary to accomplish the legitimate purpose for which it is collected; Accurate inventory of where personal data for employees and customers are collected, transmitted, and stored; Incident response process to report and handle breaches to third parties that handle data; Ongoing monitoring of the data privacy program. Series: Switzerland, Europe, Total.]
Cyber insurance and what we do with it …
Q26a: If your organisation has cyber insurance, has it …
[Chart: Made a claim; Collected on a claim; Taken steps to enhance the organization’s security posture to lower the insurance premium; Do not know. Series: Switzerland, Europe, Total.]
Be compliant and then secure – reducing cyber risks is one of the least used arguments
Q38: How does your company measure the effectiveness of information security spending? (Check all that apply)
[Chart: Reduction in security risks; Return on investment (ROI); Internal rate of return; Payback period; Total cost of ownership; Net present value; Improvement against security metrics; Professional judgment; Lack of audit findings; Lack of regulatory findings; Other; Do not know. Series: Switzerland, Europe, Total. Annotation: Maturity Level.]
What technical security measures are already in place (top 10)?
Q15: What technology information security safeguards does your organisation currently have in place?
[Chart: Application firewalls; Network firewalls; Security information and event management (SIEM) technologies; Network access control software; Encryption of networking transmissions (wireless, wired, etc.); Unauthorized use or access-monitoring tools; Secure remote access (VPN); Encryption of databases; Centralized user data store; Malware or virus-protection software. Series: Switzerland, Europe, Total.]
What technical security measures are already in place but outsourced (top 10)?
Q15: What technology information security safeguards does your organisation currently outsource?
[Chart: Role-based authorization; Security technologies supporting Web 2.0 exchanges such as social networks, blogs, microblogging, wikis, or other…; Intrusion-detection tools; Asset-management tools; Protection/detection management solution for advanced persistent threats (APTs); Network firewalls; Privileged user access; User-activity monitoring tools; Encryption of file shares; Encryption of Web transactions. Series: Switzerland, Europe, Total.]
What technical security measures will be deployed in the next 12 months (top 10)?
Q15: What technology information security safeguards does your organisation not have in place, but is a top priority over the next 12 months?
[Chart: Vulnerability scanning tools; Encryption of smart phones; Behavioral profiling and monitoring; Automated account provisioning/de-provisioning; Malicious code-detection tools; Enterprise content-management tools; Asset-management tools; Disposable passwords/smart cards/tokens for authentication; Code-analysis tools; Secure access-control measures. Series: Switzerland, Europe, Total.]
How to increase cyber security
To improve cyber security, we need to convince C-level and agree on a strategy.
Q28: What are the greatest obstacles to improving the overall strategic effectiveness of your organisation’s information security function? (Check all that apply)
[Chart: Leadership: CEO, President, Board, or equivalent; Leadership: CIO or equivalent; Lack of an effective information security strategy; Insufficient capital expenditures; Insufficient operating expenditures; Leadership: CISO, CSO, or equivalent; Lack of an actionable vision or understanding of how future business needs impact information security; Poorly integrated or overly complex information and IT systems; Absence or shortage of in-house technical expertise. Series: Switzerland, Europe, Total. Annotation: 50% leadership.]
Conclusion
Taking action: 5 steps toward a strategic security programme
1 Ensure that your cyber security strategy is aligned with business objectives and is strategically funded
2 Identify your most valuable information assets and prioritise protection of this high-value data
3 Improve processes for earlier detection and reduce the time from detection to response
4 Assess cyber security of third parties and supply chain partners, and ensure they adhere to your security policies and practices
5 Collaborate with others to increase awareness of cyber security threats and response tactics
Contacts
Jan Schreuder, PwC, Partner, +41 58 792 24 84, [email protected]
Yan Borboën, PwC, Director, +41 58 792 84 59, [email protected]
Marc Impini, PwC, Assistant Manager, +41 58 792 94 81, [email protected]
© 2014 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
PricewaterhouseCoopers has exercised reasonable care in the collecting, processing, and reporting of this information but has not independently verified, validated, or audited the data to verify the accuracy or completeness of the information. PricewaterhouseCoopers gives no express or implied warranties, including but not limited to any warranties of merchantability or fitness for a particular purpose or use and shall not be liable to any entity or person using this document, or have any liability with respect to this document. This report is intended for internal use only by the recipient and should not be provided in writing or otherwise to any other third party without PricewaterhouseCoopers express written consent.
visit www.pwc.ch/gsiss2015