Brussels, October 12th 2010
CIOnet survey on Cyber Security: The results
Chris Verdonck
EMEA Leader, Deloitte Enterprise Risk Services
© 2010 UNCLASSIFIED - CIOnet survey on Cyber Security
“It's the great irony of our Information Age - the very technologies that empower us to create and to build also empower those who would disrupt and destroy.”
USA President Barack Obama on "Securing Our Nation's Cyber Infrastructure"
Agenda
Survey context
Respondents
Results
Survey Context
Cyber culture is growing faster than cyber security, so everything that depends on cyber space is at risk
Information is ubiquitous - Our society and economy have become critically dependent on digital connectivity and services;
Cyber security threats are continuously increasing in complexity and occurrence; thus they require more management attention;
CIOnet members were surveyed on 16 questions regarding cyber security until September 26th 2010.
Respondents
Response demographics
Countries: 53 respondents from 6 different countries;
Most responses from Belgium (35,8%) followed by Italy and UK (each 18,8%).
Sectors: Responses spread over different sectors;
Most respondents in Financials (24,5%) and Industrial & Manufacturing (20,7%).
Response company types
Company type: 67.9% of respondents represent their company’s headquarters.
Number of employees: In terms of company size, over half of the survey respondents have more than 1000 employees.
Results
Cyber liabilities
Almost 85% responded that they analyzed their cyber liabilities in a thorough way;
However there is still uncertainty on what regulations are applicable. EU DPA and ISO 27001 may not be enough to comply with;
Although respondents indicate they have assessed their liabilities, further responses in the survey indicate a need for stronger action.
Applicable legislation
Over 76% of the survey respondents are confident that their organization has an overview of applicable laws in the context of cyber security;
A large part of them only operates in one country, but legal aspects with regard to cyber security can differ greatly between countries.
Theft of trade secrets
Almost 18% of the respondents’ organizations have not assessed the risk of losing trade secrets;
For the respondents that claim they have, the question is how comprehensive such an assessment was;
It is essential to ensure that the risks regarding theft of trade secrets are frequently re-assessed and appropriate actions taken to mitigate them.
Impact of internal or external cyber attacks
All respondents indicated their organisation could be impacted in at least one domain;
Over 81% of respondents believe cyber attacks would impact the brand and image of their organization. Stakeholders expect cyber security challenges to be addressed appropriately;
Respondents indicate that internal attacks are more likely to cause critical operation disruption, while external attacks could affect market share more.
Cyber Security threats
Over 35% of respondents see a primary threat in the increased complexity of identity and access management;
It is interesting to note that almost 22% of the respondents indicate that their current controls are struggling to keep pace;
Inadequate network access control and the uptake of social networks also raise cyber security concerns.
Other:
• User and management awareness of cyber risks;
• Unpatched and unsupported legacy applications and systems;
• Crimeware will be the biggest threat over workstations, mobile operators and eventually mobile phones.
Security Staff
Over 35% of the respondents’ organizations have no policy regarding maintaining a security staff;
There is a risk of critical information exposure and knowledge drain as people rotate in and out of organizations;
The increasing complexity of technology and the cyber threats which organizations face require adequate security staff and skills.
Cyber Security awareness
82% of respondents indicate that they increase cyber security awareness through security audits. These typically present a partial snapshot of the risk posture to the stakeholders;
Furthermore, respondents cite specific training and awareness initiatives (72%) and provisions in the disciplinary policy (68%), while 56% indicate they have implemented a security framework that contributed to general awareness.
Preventing legal exposure
Respondents indicate that monitoring and audit of compliance is the most common action to prevent legal exposure (82%);
Half of the survey respondents also monitor and request audit reports from their third party business partners, as part of the risk scope is outsourced.
Other:
• Vulnerability assessments and penetration testing;
• Defining security controls;
• Ensuring good contracting practices.
Assessing vulnerabilities
About 20% of all organizations do not regularly assess their biggest vulnerabilities, implying they do not have a view on the most critical cyber risks they face;
Organizations need a consolidated risk overview in order to define funded actions and manage risk appropriately.
Comment:
• “It is more a day to day job whereby risks are constantly monitored and priorities adapted over time”
Incident response
Over 35% of all organizations do not regularly review and update their incident response plans. Several respondents commented that update action was ongoing;
As the nature of cyber incidents, driven by evolving threats and vulnerabilities, is constantly changing, one can debate whether yearly updates of incident response plans are even enough.
Incident communication
Over 82% of the responding organizations are convinced of the importance of appropriate communication during and after a Cyber Security incident;
In almost 18% of the respondents’ companies, awareness of the significance of controlled incident communications with internal and external stakeholders is inadequate.
Business continuity management
While many respondents commented on the limited scope of their current business continuity plans (BCP), a surprising 76% indicated such plans are in place;
This conflicts with the fact that only 50% have a crisis communications plan, which is an essential part of continuity planning;
Some respondents referred to their third party service agreements, but should keep in mind their own responsibilities to ensure business continuity.
Insurance
Almost 72% indicate they have no insurance coverage for cyber security incidents. Typically, expert evidence is needed to calculate the financial and other damages that need to be covered;
Where an insurance policy is in place, 83.3% have third party damage coverage;
Of all respondents, less than 10% are insured for first party losses due to cyber security incidents.
Final thoughts
Don’t think of cyber security as merely protecting IT systems, as it is ultimately about protecting the broader interests of the organization. Understand your regulatory context and possible liabilities, and take appropriate measures to mitigate the risk to your business;
Approach cyber security as the ongoing management of continuously evolving risk, in function of value to the organization and the likelihood of threats and vulnerabilities;
Ensure adequate and appropriate controls are implemented to coordinate and communicate actions in the case of cyber security incidents;
The increasing complexity of technology and the cyber threats which organizations face require adequate security staff, as well as broad awareness and skills;
Align cyber security with other related activities in the business to create leverage and resource efficiencies, e.g. business continuity.
Thank you.
Contact
Chris Verdonck, Partner
Deloitte Enterprise Risk Services
Berkenlaan 8b, B-1831 Diegem, Belgium
Tel: + 32 2 800 24 20
[email protected]
Member of Deloitte Touche Tohmatsu