global state of information ... › events › gisd2014 › key... · pwc financial losses of...

www.pwc.ch/cybersecurity

Global State of Information Security Survey 2015

The risks and repercussions of security incidents continue to rise as preparedness falls. October 2014

PwC

Agenda

• Methodology

• Key findings

• Focus on data privacy and further technical controls

• How to increase cyber security

• Conclusion

• Contacts

Slide 2

October 2014 GSISS 2015 Information Security Day

PwC

Methodology

Slide 3


PwC

Methodology

The Global State of Information Security® Survey 2015, a worldwide study by PwC, CIO and CSO, was conducted online from 27 March to 25 May 2014.

• PwC’s 17th year conducting the survey, 12th with CIO and CSO magazines

• Includes readers of CIO and CSO and clients of PwC from 154 countries

• More than 9,700 responses from executives including CEOs, CFOs, CIOs, CISOs, CSOs, VPs and directors of IT and security

• More than 40 questions on topics related to privacy and information security safeguards and their alignment with the business

• 38% of respondents from companies with revenue of USD 500 million+

• 35% of respondents from North America, 34% from Europe, 14% from Asia Pacific, 13% from South America, 4% from the Middle East and Africa

• Margin of error less than 1%; numbers may not add to 100% due to rounding

• 130 respondents from Switzerland

Slide 4


PwC

0% 10% 20%

1 to 10

11 to 50

51 to 100

101 to 500

501 to 1,000

1,001 to 5,000

5,001 to 10,000

10,001 to 20,000

20,001 to 50,000

50,001 to 75,000

75,001 to 100,000

100,001 to 200,000

More than 200,000

Do not know

Switzerland

Europe

Total

0% 20% 40%

Aerospace & Defense

Agriculture

Consumer Products &…

Consulting /…

Education / Non-profit

Energy / Utilities /…

Entertainment & Media

Engineering /…

Financial Services

Forest / Paper /…

Government Services

Health Industries

Hospitality / Travel &…

Industrial Manufacturing

Technology

Telecommunications

Transportation &…

Switzerland

Europe

Total

Demographics – Switzerland

Industry sector: Company size:

Slide 5


PwC

Functions and roles of participants

Roles/functions (only the six most relevant roles)

Business or IT

0% 20% 40% 60%

Business

IT

Switzerland

Europe

Total

0% 5% 10% 15% 20% 25%

CEO / President /Managing Director

Chief Operating Officer(COO)

Chief Information Officer(CIO) / VP

Chief Technology Officer(CTO)

Chief InformationSecurity Officer (CISO) /

VP

Switzerland

Europe

Total

Slide 6


PwC

Key findings

Slide 7


PwC

• The US government notifies 3,000

companies that they were

attacked and charges nation-backed

hackers with economic espionage.

• Compromises of retailers culminate

in a recent breach of 56 million

credit cards.

• Heartbleed bug results in the loss

of 4.5 million healthcare records.

• ShellShock bug just released and

might cause damage on web servers

• Powerful malware infects

hundreds of energy companies

worldwide.

• More than half of global

securities exchanges are hacked.

• Regulators around the world

are beginning to more proactively

address cyber risks.

Today, security compromises are a persistent– and globally pervasive – business risk

Slide 8


PwC

A steady 66% year-on-year growth since 2009

Taking a longer-term view, our survey data shows

that the compound annual growth rate (CAGR) of

detected security incidents has increased 66%

year-on-year since 2009.

Slide 9


PwC

The bigger the business, the larger the loss

Medium-sized

organisations (revenues

of USD 100 million to USD

1 billion) showed the

biggest improvement in

their ability to detect

incidents, discovering 64%

more compromises than

last year.

Small organisations

proved the exception in

discovering security events:

companies with revenues

lower than USD 100 million

detected 5% fewer

incidents this year.

Among our global survey

sample, large

organisations (gross

annual revenues of USD 1

billion or more) detected

44% more incidents

compared with last year.

Slide 10


PwC

0% 5% 10% 15% 20% 25%

0 or none

1 to 2

3 to 9

10 to 49

50 to 499

500 to 4,999

5,000 to 99,999

100,000 or more

Do not know

Switzerland

Europe

Total

The number of security incidents continues to soar …

42.8 million

Q18: How many security incidents were detected in the past 12 months?

53% detected fewer than 10 incidents in 2013

15% detected more then 500 incidents in 2013

Slide 11


PwC

As security incidents grow in frequency, the

costs of managing and mitigating breaches

also are rising.

Globally, the annual estimated reported

average financial loss attributed to cyber

security incidents was USD 2.7 million,

a jump of 34% over 2013.

Not surprising, but certainly attention

grabbing, is the finding that big losses are

more common: organisations reporting

financial hits of USD 20 million or more

increased 92% over 2013.

The financial cost of security incidents is high and rising

Slide 12


PwC

The estimated global cost of cybercrime

detected by respondents this year is

more than USD 23 billion.

Again, it’s important to note this figure

represents only detected compromises.

Monetary losses stretch into the billions of dollars …

Slide 13


PwC

Financial losses of security incidents – in Switzerland, only 26 out of 130 answered

Q22a: Estimated total financial losses as a result of all security incidents (in USD)?

0% 5% 10% 15% 20% 25% 30% 35%

Less than $10,000

$10,000 to $49,999

$50,000 to $99,999

$100,000 to $499,999

$500,000 to $999,999

$1 million to $9.9 million


$20 million or more

Do not know

Switzerland

Europe

Total

At least 9 million from 26 answers

Slide 14


PwC

Direct financial losses followed by theft of IP and loss of customers are the main areas of losses

Q22: How was your organisation impacted by the security incidents? (Check all that apply)

0% 5% 10% 15% 20% 25% 30%

Financial losses

Theft of “soft” intellectual property (e.g., information such as processes, institutional knowledge, etc.)

Loss of customers

Other

Financial Fraud (e.g., credit card fraud)

E-mail or other applications unavailable

Brand / reputation compromised

Theft of “hard” intellectual property (information such strategic business plans, deal documents, sensitive …

Switzerland

Europe

Total

Slide 15


PwC

… or trillions, depending on how you measure it

As with the number of

incidents, the global cost

of security compromises is

ultimately unknowable

because many attacks are not

reported. It’s also important

to note that the value of

certain kinds of information—

intellectual property and

trade secrets, in particular—

is very difficult to ascertain.

Based on calculations

determined by the Center for

Responsible Enterprise And

Trade (CREATe.org) and

PwC, we believe that financial

losses due to the theft of trade

secrets may range from USD

749 billion to as high as

USD 2.2 trillion annually.

Slide 16


PwC

Despite elevated risks, security budgets decline in 2014

Many organisations are undoubtedly worried about

the rising tide of cybercrime, yet most have not

increased their investment security initiatives.

In fact, global IS budgets actually decreased 4%

compared with 2013. And security spending as a

percentage of the total IT budget has remained

stalled at 4% or less for the past five years.

Slide 17


PwC

Spending sinks from previous years, particularly among small organisations

We found one explanation for

the spending slow-down by

looking at investment levels

reported in last year’s survey.

In 2013, organisations reported very

significant increases in spending over

2012, expanding IT investments

by 40% and security spending

by an even more substantial 51%.

It could be that this year’s respondents

were hard-pressed to continue

investments at that accelerated pace.

Looking at security investment by

company size also sheds some light

on the anaemic funding. This year,

companies with revenues under

USD 100 million say they reduced

security investments by 20%

over 2013, while medium-sized and

large companies report a modest

5% increase in security spend.

Slide 18


PwC

Q8: What is your organisation’s total information security budget for 2014?

Actual cyber security budget

0% 5% 10% 15% 20%

Less than $10,000

$10,000 to $49,999

$50,000 to $99,999

$100,000 to $499,999

$500,000 to $999,999






$30 million or more

Do not know

Switzerland

Europe

Total

Slide 19


PwC

0.0%

5.0%

10.0%

15.0%

20.0%

25.0%

30.0%

35.0%

Increase morethan 30%

Increase 11-30%

Increase up to10%

Stay the same Decrease lessthan 10%

Decrease 11-30%

Decrease morethan 30%

Do not know

Switzerland

Europe

Total

Information Security spendings compared to last year, 57% of Swiss Budget will increase

Q9: When compared with last year, security spending over the next 12 months will …

Slide 20


PwC

Incidents attributed to insiders rise, while security preparedness falls

Current and former employees

are the most-cited culprits of security

incidents, but implementation of key

insider-threat safeguards is declining.

• 56% have privileged user-access

tools (65% in 2013).

• 51% monitor user compliance with

security policies (58% last year).

• 51% have an employee security

training and awareness programme

(60% in 2013).

Compromises attributed to third

parties with trusted access

increases while due diligence weakens.

• 55% have security baselines for

external partners, suppliers, and

vendors (60% in 2013).

• 50% perform risk assessments on

third-party vendors (53% in 2013).

Slide 21


PwC

High growth in high-profile crimes

86% jump in incidents by

nation-states

64% rise in compromises

by competitors

26% increase in incidents by

organised crime.

While less frequent, incidents attributed to nation-states, organised

crime and competitors increased sharply in 2014.

Slide 22


PwC

The outsiders: cybercrime and hackers represent 50% of incidents, but insiders still at a high level!

Insiders Outsiders

Q21: Estimated likely source of incidents: (check all that apply)

0% 10% 20% 30%

Hackers

Organized crime

Competitors

Activists/activistorganizations/hackti…

Information brokers

Terrorists

Foreign entities andorganizations

Foreign nation-states

Domestic intelligenceservice

Switzerland

Europe

Total

0% 10% 20% 30% 40% 50%

Current employees

Former employees

Suppliers/business partners

Current serviceproviders/consultants/contr

actors

Former serviceproviders/consultants/contr

actors

Customers

Switzerland

Europe

Total

Slide 23


PwC

Prioritisation

needed Regulation Budget pressure

What does this mean for budgets, incidents, new technologies, regulations, and related costs

Slide 24


http://www.google.de/imgres?imgurl=http://www.showbiz.de/wordpress/wp-content/uploads/2010/10/Flagge-Schweiz.jpg&imgrefurl=http://www.showbiz.de/2010/10/11/eurovision-song-contest-2011-schweiz-sucht-kandidaten/&usg=__X2yg-Qzy-a_zuw7S9jVD_jhspsQ=&h=340&w=569&sz=4&hl=de&start=22&zoom=1&um=1&itbs=1&tbnid=9xR6O36wNk7E0M:&tbnh=80&tbnw=134&prev=/images?q=flagge+schweiz&start=21&um=1&hl=de&sa=N&ndsp=21&tbs=isch:1&ei=Q-5TTabnGIeK5AbnweTuCA

PwC

Focus on data privacy and further technical controls

Slide 26


PwC

Q12: Which data privacy safeguards does your organisation currently have in place? (Processes)

Data privacy safeguards currently in place (processes)

0% 20% 40% 60% 80%

Processes for cross-border data exchanges

Limit collection, retention, and access of personal informationto the minimum necessary to accomplish the legitimate

purpose for which it is collected

Accurate inventory of where personal data for employees andcustomers are collected, transmitted, and stored

Incident response-process to report and handle breaches tothird parties that handle data

Switzerland

Europe

Total

Slide 27


PwC

0% 10% 20% 30% 40% 50% 60%

Certification under the Swiss or EU Safe HarborAgreement, model contracts, customer or employee

consent, or binding corporate rules

Conduct risk assessments of internal and external risksto the privacy, security, confidentiality, and integrity of

electronic and paper records containing personalinformation (e.g., through internal audit)

Require third parties (including outsourcing vendors) tocomply with our privacy policies

Accurate inventory of locations or jurisdictions wheredata is stored

Incident response-process to report and handle breachesto third parties that handle data

Switzerland

Europe

Total

Monitoring, response and, even, risk management are outsourced most often

Q12b: Which data privacy safeguards does your organisation currently outsource? (Processes)

Slide 28


PwC

0% 20% 40% 60% 80%

Employ Chief Privacy Officer (CPO) or similar executive incharge of privacy compliance

Require our employees to certify in writing that they complywith our privacy policies

Require our employees to complete training on privacy policyand practices

Impose disciplinary measures for privacy program violations

Switzerland

Europe

Total

Data privacy safeguards currently in place (people)

Q12a: Which data privacy safeguards does your organisation currently have in place? (People)

Slide 29


PwC

0% 10% 20% 30% 40% 50%

Processes for cross-border data exchanges

A written privacy policy is in place and published on ourexternal website

Limit collection, retention, and access of personalinformation to the minimum necessary to accomplish the

legitimate purpose for which it is collected

Accurate inventory of where personal data for employees andcustomers are collected, transmitted, and stored

Incident response-process to report and handle breaches tothird parties that handle data

Ongoing monitoring of the data privacy program

Switzerland

Europe

Total

Safeguards for inventory, monitoring, incident handling, cross-border exchange are on the way

Q12c: Which data privacy safeguards does your organisation not have in place, but is a top priority over the next 12 months? (Processes)

Slide 30


PwC

Cyber insurance and what we do with it …

0.0%

10.0%

20.0%

30.0%

40.0%

50.0%

60.0%

70.0%

Made a claim Collected on a claim Taken steps to enhance the organization’s security

posture to lower the insurance premium

Do not know

Switzerland

Total

Europe

Q26a: If your organisation has cyber insurance, has it …

Slide 31


PwC

Be compliant and then secure – reducing cyber risks is one of the least used arguments

Q38: How does your company measure the effectiveness of information security spending? (Check all that apply)

0.0% 5.0% 10.0% 15.0% 20.0% 25.0% 30.0% 35.0% 40.0% 45.0%

Reduction in security risks

Return on investment (ROI)

Internal rate of return

Payback period

Total cost of ownership

Net present value

Improvement against security metrics

Professional judgment

Lack of audit findings

Lack of regulatory findings

Other

Do not know

Switzerland

Europe

Total

Ma

turi

ty L

evel

Slide 32


PwC

What technical security measures are already in place (top 10)?

0% 20% 40% 60% 80% 100%

Application firewalls

Network firewalls

Security information and event management (SIEM)technologies

Network access control software

Encryption of networking transmissions (wireless, wired,etc.)

Unauthorized use or access-monitoring tools

Secure remote access (VPN)

Encryption of databases

Centralized user data store

Malware or virus-protection software

Switzerland

Europe

Total

Q15: What technology information security safeguards does your organisation currently have in place?

Slide 33


PwC

What technical security measures are already in place but outsourced (top 10)?

0% 10% 20% 30% 40% 50%

Role-based authorization

Security technologies supporting Web 2.0 exchanges such associal networks, blogs, microblogging, wikis, or other…

Intrusion-detection tools

Asset-management tools

Protection/detection management solution for advancedpersistent threats (APTs)

Network firewalls

Privileged user access

User-activity monitoring tools

Encryption of file shares

Encryption of Web transactions

Switzerland

Europe

Total

Q15: What technology information security safeguards does your organisation currently outsource?

Slide 34


PwC

What technical security measures will be deployed the next 12 months (top 10)?

0% 10% 20% 30% 40%

Vulnerability scanning tools

Encryption of smart phones

Behavioral profiling and monitoring

Automated account provisioning/de-provisioning

Malicious code-detection tools

Enterprise content-management tools

Asset-management tools

Disposable passwords/smart cards/tokens for authentication

Code-analysis tools

Secure access-control measures

Switzerland

Europe

Total

Q15: What technology information security safeguards does your organisation not have in place, but is a top priority over the next 12 months?

Slide 35


PwC

How to increase cyber security

Slide 36


PwC

Q28: What are the greatest obstacles to improving the overall strategic effective-ness of your organisation’s information security function? (Check all that apply)

To improve cyber security, we need to convince C-level and agree on a strategy.

0% 10% 20% 30% 40% 50%

Leadership: CEO, President, Board, or equivalent

Leadership: CIO or equivalent

Lack of an effective information security strategy

Insufficient capital expenditures

Insufficient operating expenditures

Leadership: CISO, CSO, or equivalent

Lack of an actionable vision or understanding of how futurebusiness needs impact information security

Poorly integrated or overly complex information and ITsystems

Absence or shortage of in-house technical expertise

Switzerland

Europe

Total

50% leadership

Slide 37


PwC

Conclusion

Slide 38


PwC

Taking action: 5 steps toward a strategic security programme

4 Assess cyber security of third parties and supply chain partners, and ensure they adhere to your security policies and practices

2 Identify your most valuable information assets and prioritise protection of this high-value data

1 Ensure that your cyber security strategy is aligned with business objectives and is strategically funded

3 Improve processes for earlier detection, Reduce the time from detect to respond

5 Collaborate with others to increase awareness of cyber security threats and response tactics

Slide 39


PwC

Contacts

Slide 40


Jan Schreuder PwC, Partner +41 58 792 24 84 [email protected] Yan Borboën PwC, Director +41 58 792 84 59 [email protected] Marc Impini PwC, Assistant Manager +41 58 792 94 81 [email protected]

© 2014 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

PricewaterhouseCoopers has exercised reasonable care in the collecting, processing, and reporting of this information but has not independently verified, validated, or audited the data to verify the accuracy or completeness of the information. PricewaterhouseCoopers gives no express or implied warranties, including but not limited to any warranties of merchantability or fitness for a particular purpose or use and shall not be liable to any entity or person using this document, or have any liability with respect to this document. This report is intended for internal use only by the recipient and should not be provided in writing or otherwise to any other third party without PricewaterhouseCoopers express written consent.

visit www.pwc.ch/gsiss2015 15

http://www.pwc.ch/gsiss2015

global state of information ... › events › gisd2014 › key... · pwc financial losses of...

Documents