20101012 CIOnet Cyber Security Final Results
1 like610 views
The document summarizes the results of a CIOnet survey on cyber security. Over 50 respondents from 6 countries completed the survey, mostly from Belgium, Italy, and the UK. The survey found that while most organizations have assessed their cyber liabilities, ongoing risks still exist around applicable regulations, theft of trade secrets, and the impact of attacks. Respondents identified increased complexity of identity management as a top threat. However, many organizations still lack adequate security staffing and regular vulnerability assessments. The summary recommends treating cyber security as an ongoing risk management process and ensuring controls for incident response.
20101012 CIOnet Cyber Security Final Results
- 1. CIOnet survey on Cyber Security The results Chris Verdonck EMEA Leader, Deloitte Enterprise Risk Services Brussels, October 12th 2010
- 2. “It's the great irony of our Information Age - the very technologies that empower us to create and to build also empower those who would disrupt and destroy.” USA President Barack Obama on "Securing Our Nation's Cyber Infrastructure “ 2 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 3. Agenda. 3 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 4. Agenda Survey context Respondents Results 4 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 5. Survey Context Cyber culture is growing faster than cyber security, so everything that depends on cyber space is at risk Information is ubiquitous - Our society and economy have become critically dependent on digital connectivity and services; Cyber security threats are continuously increasing in complexity and occurrence; thus they require more management attention; CIOnet members were surveyed on 16 questions regarding cyber security until September 26th 2010. 5 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 6. Respondents. 6 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 7. Response demographics Countries 53 respondents from 6 different countries; Most responses from Belgium (35,8%) followed by Italy and UK (each 18,8%) Sectors Responses spread over different sectors Most respondents in Financials (24,5%), and Industrial & Manufacturing (20,7%) 7 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 8. Response company types Company type 67.9% of respondents representing their company’s headquarters. Number of employees In terms of company size, over half of the survey responders has more then 1000+ employees. 8 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 9. Results. 9 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 10. Cyber liabilities Almost 85% responded that they analyzed their cyber liabilities in a thorough way; However there is still uncertainty on what regulations are applicable. EU DPA and ISO 27001 may not be enough to comply with; Despite that respondents indicate to have assessed their liabilities, further responses in the survey indicate a need for stronger action. 10 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 11. Applicable legislation Over 76% of the survey respondents is confident that their organization have an overview of applicable laws in the context of cyber security; A large part of them only operates in one country, but legal aspect with regards to cyber security can differ greatly between countries. 11 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 12. Theft of trade secrets Almost 18% of the respondents’ organizations have not assessed the risk of loosing trade secrets; For the respondents that claim they have, the question is how comprehensive such assessment was; It is essential to ensure that the risks regarding theft of trade secrets are frequently re-assessed and appropriate actions taken to mitigate them. 12 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 13. Impact of internal or external cyber attacks All respondents indicated their organisation could be impacted in at least one domain; Over 81% of respondents believes cyber attacks would impact the brand and image of their organization. Stakeholders expect cyber security challenges to be addressed appropriately; Respondents indicate that internal attacks are more likely to cause critical operation disruption, and external attacks could affect market share more. 13 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 14. Cyber Security threats Over 35% of respondents see a primary threat in the increased complexity of identity and access management; It is interesting to note that almost 22% of the respondents indicate that their current controls are struggling to keep pace; Inadequate network access control and the uptake of social networks also raises cyber security concerns. Other: • User and management awareness of cyber risks, • Unpatched and unsupported legacy applications and systems • Crimeware will be the biggest threat over workstations, mobile operators and eventually mobile phones 14 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 15. Security Staff Over 35% of the respondents’ organizations have no policy regarding maintaining a security staff; There is a risk of critical information exposure and knowledge drain as people rotate in and out of organizations; The increasingly complexity of technology and the cyber threats which organizations face require adequate security staff and skills. 15 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 16. Cyber Security awareness 82% of respondents indicate to increase cyber security awareness through security audits. These typically present a partial snapshot of the risk posture to the stakeholders; Furthermore respondents indicate specific training and awareness initiatives (72%), provisions in the disciplinary policy (68%), while 56% indicate to have been implementing a security framework that contributed to the general awareness. 16 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 17. Preventing legal exposure Respondents indicate how monitoring and audit of compliance is the most common action to prevent legal exposure (82%); Half of the survey candidates also monitors and requests audit reports from your third party business partners as some of the risk scope is outsourced. Other: • Vulnerability assessments and penetration testing; • Defining security controls; • Ensuring good contracting practices. 17 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 18. Assessing vulnerabilities About 20% of all organizations do not regularly assess their biggest vulnerabilities, implying they do not have a view on the most critical cyber risks they face; Organizations need a consolidated risk overview in order to define funded actions and manage risk appropriately. Comment: • “It is more a day to day job whereby risks are constantly monitored and priorities adapted overtime” 18 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 19. Incident response Over 35% of all organizations do not regularly review and update their incident response plans. Several respondents commented update action was ongoing; As the nature of cyber incidents in function of threats and vulnerabilities is constantly evolving, one can debate if yearly updates on incident response plans is even enough. 19 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 20. Incident communication Over 82% of the responding organizations are convinced of the importance of appropriate communication during and after a Cyber Security incident; In almost 18% of the respondents companies, inadequate awareness is in place regarding the significance of controlled incident communications with internal and external stakeholders. 20 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 21. Business continuity management While many respondents commented on the limited scope of their current business continuity plans (BCP), a surprising 76% indicated such plans are in place; This does conflict with the fact that only 50% have a crisis communications plan, which is an essential part of a continuity planning; Some respondents referred to their third party service agreements, but should keep in mind their own responsibilities to ensure business continuity. 21 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 22. Insurance Almost 72% indicates not having insurance coverage for cyber security incidents. Typically expert evidence is needed to calculate the financial and other damages that need to be covered; If an insurance policy is in place, 83.3% have third party damage coverage; Of all respondents, less than 10% is insured for first party losses due to cyber security incidents. 22 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 23. Final thoughts Don’t think of cyber security as merely protecting IT systems as it is ultimately about protecting a broader interest of the organization. Understand your regulatory context and possible liabilities, and take appropriate measures to mitigate the risk to your business; Approach cyber security as the ongoing management of continuously evolving risk in function of value to the organization, and the likelihood of threats and vulnerabilities; Ensure adequate and appropriate controls are implemented to coordinate and communicate actions in the case of cyber security incidents. The increasingly complexity of technology and the cyber threats which organizations face require adequate security staff, as well as broad awareness and skills; Align cyber security with other related activities in the business to create leverage and resource efficiencies – e.g. business continuity. 23 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 24. Thank you. 24 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
- 25. Contact Deloitte Enterprise Risk Services Berkenlaan 8 b B-1831 B-1831 Diegem Chris Verdonck Belgium Partner Tel: + 32 2 800 24 20 cverdonck@deloitte.com Member of Deloitte Touche Tohmatsu 25 UNCLASSIFIED - CIOnet survey on Cyber Security © 2010