The State of Information Security - 2015

Business Unit
Security & Authentication - An industry perspective
CCA
Strictly Private and Confidential
October 2014
Endangering the present
Cyber security threats today have become increasingly sophisticated and complex. As organisations embrace new technologies without fully comprehending the implications these have on the entire enterprise, they render themselves susceptible to an array of cyber-security threats.
An efficient and executable strategy, which encompasses the key levers of people, processes and technology, is needed to confront the changing threat landscape, as few risk issues are as all-encompassing as cyber-security.
Cyber security attacks in the news
• Stuxnet worm infects critical infrastructure facilities in Gujarat and Haryana; ONGC offshore oil rig also affected
• Instances of state-sponsored espionage against major European bank uncovered by Symantec
• US Department of Justice (DOJ) sentences five Chinese military hackers for cyber economic espionage against American companies in the nuclear power, metals and solar energy sectors
• The Heartbleed defect impacts over two-thirds of web servers in the world, including those of popular e-mail and social networking sites
Security & Authentication - An industry perspective • CCA | PwC | October 2014
Are budgets keeping up with the rising costs?
With the increase in the average cost per security incident from $194 to $414 (113%) and a 20%
increase in the average losses as a consequence of security breaches, an increase in the information
security budget would be anticipated.
However, the average information security budgets actually declined by almost 17%. It seems
counter-intuitive that, even though threats have become more frequent and damaging,
organisations have not increased their security spending.
What drives information security expenditure?
[Chart: Key drivers for information security spending in India (share of respondents, axis 20% to 50%): theft of customer or employee information; hacktivism (e.g. WikiLeaks); internal policy compliance; regulatory compliance; merger or acquisition activity; company reputation; outsourcing; business continuity or disaster recovery; change and business transformation]
[Chart: Drop in total average information security budgets in India: $4.8 million (2013) to $4 million (2014)]
The constantly evolving cyber-threat landscape is driving the increase in security incidents
The marked increase in the number of detected incidents, in our view, is likely driven by the changing cyber-threat landscape. As the digital channel in financial services continues to evolve, cybersecurity has become a business risk, rather than simply a technical risk.
Lines between the threats are blurring
Nation-states
• Motivators: Global competition; National security; Fraud
• Impact: Loss of intellectual property; Disruption to critical infrastructure; Monetary loss; Regulatory
• Threat vectors: Targeted, long-term cyber campaigns with strategic focus; Insider; Third-party service providers
Cyber criminals
• Motivators: Illicit profit; Fraud; Identity theft
• Impact: Loss of identity; Monetary loss; Intellectual property loss; Privacy; Regulatory
• Threat vectors: Individual identity theft; Data breaches and intellectual property theft; Insider; Third-party service providers
Cyber terrorists / individual hackers
• Motivators: Ideological; Political; Disenfranchised; Malicious havoc
• Impact: Destabilize, disrupt and destroy cyber assets of financial institutions; Regulatory
• Threat vectors: Opportunistic vulnerabilities; Insider; Third-party service providers
Hacktivists
• Motivators: Political cause rather than personal gain; Ideological
• Impact: Disruption of operations; Destabilization; Embarrassment; Public relations; Regulatory
• Threat vectors: Targeted organizations that stand in the way of their cause; Insider; Third-party service providers
Insiders are the most likely perpetrators
Insider threat
Current and former employees have been cited by respondents as the most common causes of incidents. This, however, does not imply that most users exhibit malicious behaviour; a lack of awareness of common dos and don’ts may lead to instances in which users compromise data through the loss of mobile devices or through targeted phishing attacks.
Loss of data through associations with customers and vendors also contributes to a reasonable chunk of incidents caused by insiders. The lack of effective mechanisms to manage risks to data stemming from 3rd parties is largely responsible.
[Chart: Estimated likely sources of incidents (insiders), 2013 vs 2014, axis 0% to 50%: current employees; former employees; current service providers, consultants or contractors; former service providers, consultants or contractors; suppliers or business partners; customers]
External sources garner most attention
Outsiders
Cyber incidents that garner the most attention are compromises caused by nation-states and organised crime, yet these are among the least frequent. However, the fact that there has been a two-fold increase in information security incidents caused by foreign nation-states is alarming.
As nation-states can carry out sophisticated attacks without detection, we believe that the volume of compromises is, in all probability, under-reported. Indian organisations also reported twice as many attacks from competitors when compared with the global average.
[Chart: Estimated likely sources of incidents (outsiders), 2013 vs 2014, axis 0% to 45%: terrorists; organized crime; activists, activist organizations or hacktivists; foreign nation-states; foreign entities and organizations; competitors; information brokers; hackers]
How do attacks impact organisations?
Employee and customer records continue to be the top targets of cyber attacks
The breach of employee (45%) and customer records (42%) remained the most cited impacts of cyber attacks. Compromise of customer records may interrupt the smooth running of business, leave the organization exposed to legal action, result in loss of customers and may also damage the reputation of the organization.
[Chart: Impact of cyber attacks on business, 2013 vs 2014, axis 0% to 40%: financial losses; theft of “soft” IP; theft of “hard” IP; brand or reputation compromised; loss of shareholder value; loss of customers; loss of business partners or suppliers; financial fraud; legal exposure or lawsuit; business or process interruption]
The ‘human parameter’
Employee training and awareness is a fundamental component of every programme, as the weakest
link in the security chain is often the human resource. However, compared to last year’s 61%, fewer
respondents (56%) require their employees to complete training on privacy policy and practices.
[Chart: How respondents are addressing the ‘human parameter’ (values shown: 50.3%, 53.6%, 54.7%, 56.2%, 64.4%): a cross-organizational team (including leaders from finance, legal, risk, human resources, IT, and/or security) that regularly meets to coordinate and communicate information security issues; employee security awareness training program; impose disciplinary measures for privacy program violations; require our employees to complete training on privacy policy and practices; require our employees to certify in writing that they comply with our privacy policies]
Data privacy safeguards
Many organisations have implemented the following data privacy safeguards; however, to prepare better for the changing threat landscape, all organisations should consider implementing them.
Data privacy safeguards currently in place
People
• Require our employees to complete training on privacy policy and practices: 56.2%
• Impose disciplinary measures for privacy program violations: 54.7%
• Conduct personnel background checks: 58.1%
Processes
• Have an information security strategy that is aligned to the specific needs of the business: 60.9%
• Conduct compliance audits of third parties that handle personal data of customers and employees to ensure they have the capacity to protect such information: 52.9%
• Inventory of all third parties that handle personal data of employees and customers: 50.2%
Technology
• Privileged user access: 62.6%
• Malware or virus-protection software: 67.9%
• Security information and event management (SIEM) technologies: 61.2%
• Security-event-correlation tools: 56.2%
Dynamic security practices – Need of the hour
Even with the increase in the average cost per incident and the overall financial losses as a consequence of security incidents, organisations are still reluctant to adopt technologies and processes that can help safeguard the organisation against these incidents.
[Chart: Respondents who answered that security safeguards are not currently in place (values shown: 52.1%, 46.4%, 48.2%, 45.6%, 45.0%, 41.2%, 43.2%, 44.7%): employee security awareness training program; identity-management tools; risk assessments (on third-party vendors); user-activity monitoring tools; behavioral profiling and monitoring; governance, risk, and compliance (GRC) tools; data loss prevention (DLP) tools; intrusion-detection tools]
Are organisations taking identity management seriously?
Current and former employees continue to be cited as the main causes of security breaches, with over 65% of incidents being attributed to the group. In the light of these findings, the need for identity and access management solutions is now greater than ever.
• 35%: a large number of organisations have identified access controls and identity management as one of the top security challenges
• Over 25% of organisations describe biometrics for authentication as a top priority in the next 12 months
• 50% of organisations have identity management solutions already in place
• 50% of organisations have solutions for automated provisioning & de-provisioning of user accounts already in place
Are organisations moving towards newer authentication methods?
Newer techniques such as risk-based authentication and behavioural profiling are quickly gaining popularity. Behavioural profiling is used to accurately predict and profile the characteristics of users that may cause breaches.
• Over 47% of organisations have employed behavioural profiling tools to strengthen their information security programme
• 41% of organisations plan to adopt tokenisation as an emerging technology for data protection
• 53% of organisations already use multi-factor authentication to strengthen information security
How prevalent is the use of smart cards and tokens for authentication?
Security tokens are physical devices that are provided to users to introduce an additional level of security in authentication.
There are three factors to authentication:
- Something the user knows
- Something the user has
- Something the user is/does
Traditional methods use only the first factor for authentication; smart cards and tokens introduce the second factor (something the user has) to enhance security.
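To make the second factor concrete, here is an added example (not code from this report, from PwC or from CCA) of how a server verifies the one-time code produced by a hardware token or OTP app. It implements the HOTP algorithm of RFC 4226, which many event-based tokens use; the in-memory token record, the look-ahead window of five and the demo key (the RFC's own published test secret) are assumptions made for illustration.

```python
# Added example: server-side verification of an event-based OTP token (RFC 4226 HOTP).
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a `digits`-long decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return f"{code:0{digits}d}"


class TokenRecord:
    """Server-side state for one enrolled token (constructed, in-memory only)."""

    def __init__(self, secret: bytes, counter: int = 0, look_ahead: int = 5):
        self.secret = secret
        self.counter = counter        # next counter value the server expects
        self.look_ahead = look_ahead  # tolerates a few unused button presses


def verify_otp(record: TokenRecord, submitted: str) -> bool:
    """Accept the code if it matches any counter in [counter, counter + look_ahead).
    On success the counter moves past the matched value, so a captured code
    cannot be replayed; on failure the state is left unchanged."""
    for step in range(record.look_ahead):
        candidate = hotp(record.secret, record.counter + step)
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(candidate, submitted):
            record.counter += step + 1
            return True
    return False


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret: ASCII "12345678901234567890"
    rec = TokenRecord(b"12345678901234567890")
    print(hotp(rec.secret, 0))         # 755224 (RFC test vector for counter 0)
    print(verify_otp(rec, "755224"))   # True: counter advances to 1
    print(verify_otp(rec, "755224"))   # False: replay of the same code is rejected
```

Two details carry the security value here: the counter only moves forward, so a code that was intercepted once is useless afterwards, and the comparison is constant-time. In a real deployment the token secret would be stored encrypted and the counter persisted per user rather than held in memory.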
49% of organisations use disposable passwords or smart cards or tokens for authentication
Are organisations adopting user activity monitoring tools?
To ensure strong control over the activity of users, organisations are moving towards user activity monitoring tools.
The use of these tools is more prevalent in the commercial & consumer banking, insurance, aerospace & defence, pharmaceutical and consumer packaged goods sectors.
[Chart: Adoption of user activity monitoring (sector wise), axis 58.0% to 72.0%: aerospace & defense; consumer packaged goods; commercial banking; consumer banking; insurance; pharmaceutical]
Organisations are increasingly adopting risk based authentication
Risk based authentication solutions enhance traditional authentication methods by assigning a risk value to the user trying to gain access. Such solutions use additional parameters, such as behaviour profiling and geo-location, to evaluate the user’s risk profile.
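As an added illustration of the approach just described (example code, not an implementation from this report, from PwC, from CCA or from any vendor), the following scorer combines a few of the parameters mentioned, device familiarity, geo-location and login timing, into a risk value and maps that value to a decision: allow, step up to a second factor, or deny. The signal weights, the two thresholds, the 900 km/h plausible-travel limit, and the sample user profile and login attempts are all constructed assumptions.

```python
# Added example: a minimal risk-based authentication scorer.
import math
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumed: faster than this is "impossible travel"
WEIGHTS = {                        # assumed weights; tune from real incident data
    "new_device": 30,
    "impossible_travel": 50,
    "unusual_hour": 15,
    "recent_failures": 20,
}
STEP_UP_AT, DENY_AT = 30, 70       # assumed decision thresholds


@dataclass
class UserProfile:
    known_devices: frozenset       # device identifiers seen before
    last_login_at: datetime
    last_login_latlon: tuple
    usual_hours_utc: range         # hours (UTC) in which the user normally logs in
    recent_failures: int = 0


@dataclass
class LoginAttempt:
    device_id: str
    at: datetime
    latlon: tuple


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def score_attempt(profile, attempt):
    """Return (risk score, names of the signals that fired)."""
    fired = []
    if attempt.device_id not in profile.known_devices:
        fired.append("new_device")
    hours = (attempt.at - profile.last_login_at).total_seconds() / 3600
    distance = haversine_km(profile.last_login_latlon, attempt.latlon)
    # geo-velocity: distance since the last login divided by elapsed time
    if hours >= 0 and distance > MAX_PLAUSIBLE_SPEED_KMH * max(hours, 1e-9):
        fired.append("impossible_travel")
    if attempt.at.hour not in profile.usual_hours_utc:
        fired.append("unusual_hour")
    if profile.recent_failures >= 3:
        fired.append("recent_failures")
    return sum(WEIGHTS[s] for s in fired), fired


def decide(score):
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"           # e.g. demand a token code before granting access
    return "allow"


def evaluate(profile, attempt):
    score, fired = score_attempt(profile, attempt)
    return decide(score), score, fired


# Constructed sample data: a user whose last login was from Mumbai on a known laptop.
PROFILE = UserProfile(
    known_devices=frozenset({"laptop-01"}),
    last_login_at=datetime(2014, 10, 1, 8, 0, tzinfo=timezone.utc),
    last_login_latlon=(19.076, 72.877),
    usual_hours_utc=range(7, 20),
)
MUMBAI, LONDON = (19.076, 72.877), (51.507, -0.128)
ROUTINE_LOGIN = LoginAttempt("laptop-01", datetime(2014, 10, 1, 10, 0, tzinfo=timezone.utc), MUMBAI)
NEW_DEVICE_LOGIN = LoginAttempt("phone-99", datetime(2014, 10, 1, 11, 0, tzinfo=timezone.utc), MUMBAI)
IMPOSSIBLE_LOGIN = LoginAttempt("phone-99", datetime(2014, 10, 1, 9, 0, tzinfo=timezone.utc), LONDON)

if __name__ == "__main__":
    for name, attempt in [("routine", ROUTINE_LOGIN), ("new device", NEW_DEVICE_LOGIN),
                          ("impossible travel", IMPOSSIBLE_LOGIN)]:
        print(name, evaluate(PROFILE, attempt))
```

The design point is that no single weak signal blocks a legitimate user: a new device alone only triggers a step-up to the second factor, while a new device combined with a login from London one hour after a Mumbai login is denied outright. The weights are where behavioural profiling data would feed in.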
[Chart: Adoption of risk based authentication (sector wise), axis 0.0% to 70.0%: transportation & logistics; electronics; software; telecommunications; automotive; pharmaceutical; utilities; oil & gas; consulting / professional services; agriculture; aerospace & defense]
How is authentication on mobile devices being managed?
One area that organisations are increasingly focusing on is enterprise mobility, which enables employees, partners and customers to access and work on the organisation’s technology platforms through any secure enabler (laptops, tablets or smartphones).
How are organisations ensuring the security of mobile devices?
[Chart: Initiatives organisations have taken to address mobile security risks, axis 30% to 50%: mobile security strategy; mobile device-management software; strong authentication on devices; protection of corporate e-mail and calendaring on employee- and user-owned devices]
Challenges to security
Challenges from within
Even with the growing impact that cyber security incidents can have on the entire enterprise, boards of organizations in the country remain oblivious and continue to treat cyber security as an IT problem.
The lack of leadership to set a clear direction for the overall information security strategy, along with insufficient capital and operating expenditures, represents the biggest obstacle to improving the overall strategic effectiveness of information security.
[Chart: Obstacles in improving overall strategic effectiveness, axis 0% to 40%: poorly integrated or overly complex information and IT systems; absence or shortage of in-house technical expertise; insufficient operating expenditures; insufficient capital expenditures; lack of an actionable vision or understanding of how future business needs impact information security; lack of an effective information security strategy; leadership: CISO, CSO, or equivalent; leadership: CIO or equivalent; leadership: CEO, President, Board, or equivalent]
Challenges to security
Increased dependence on 3rd parties
Given today’s interconnected business ecosystem, where the amount of data generated and shared with business partners and suppliers is exponentially greater, due diligence of third parties has become a concern. It is worrisome that the focus on third-party security weakened in the past year in some very key areas, even as the number of incidents attributed to ‘insiders’ increased.
How respondents are safeguarding relationships with 3rd parties
• Require third parties (including outsourcing vendors) to comply with our privacy policies: 48.9%
• Have established security baselines/standards for external partners/customers/suppliers/vendors: 53.8%
• Maintain inventory of all third parties that handle personal data of employees and customers: 50.2%
• Conduct compliance audits of third parties that handle personal data of customers and employees to ensure they have the capacity to protect such information: 52.9%
Security initiatives
Emerging technologies
The applications of SMAC (social, mobile, analytics and cloud) technologies have been debated for long, but it is about time that Indian companies started leveraging them.
Social Media
The ambiguity in calculating the return on social media investments, coupled with the difficulty in understanding the applications of social media in business and leveraging them to generate a profit stream, has led to slow adoption.
Mobile
Organisations are now widely adopting enterprise mobility while taking initiatives to address the risks from its adoption as well; over 65% of respondents already have a mobile security strategy in place.
[Chart: Mobile security initiatives taken by organisations (values shown: 56%, 54%, 50%, 48%, 54%, 41%, 41%): mobile device-management (MDM) or mobile-access management (MAM) software; ban of user-owned devices in the workplace or network access; protection of corporate e-mail and calendaring on employee- and user-owned devices; strong authentication on devices; device encryption; internal app store for employee mobile devices; respondents that audit or monitor employee postings to external blogs or social networking sites]
Security initiatives
Analytics
As organisations adopt social media and mobile platforms and the digital footprint of their customers increases, the sheer amount of data that is available for organisations to analyse and use increases exponentially. More and more organisations are using big data analytics for data-driven insights.
Over 69% of respondents employ big data analytics to model for and identify information security threats. Almost one-third of respondents use big data analytics as a cloud service.
[Chart: Impact of big data analytics on information security: detected more incidents; no change in detected incidents; detected fewer incidents]
[Chart: How organizations employ big data analytics: currently in place; currently outsourced; not in place but is a priority over the next 12 months; no plans to adopt; do not know. Values shown on the slide across both charts: 8%, 3%, 57%, 20%, 47%, 19%, 20%, 22%]
Security initiatives
Cloud
Migrating to cloud-based services marks a fundamental shift in the way business is done; with a variety of deployment & service models available, organisations need to develop a sound strategy to manage cloud services.
Almost 68% of respondents already use cloud services in some form (SaaS, PaaS or IaaS), although the use of cloud services for file storage and sharing remains the most popular.
[Chart: How are organisations using cloud services? India vs global average, axis 20% to 80%: file storage and sharing; database hosting; application hosting; e-mail hosting; application development/testing; website hosting; e-commerce; disaster recovery/business continuity; big data analytics; security services]
Cyber risk management
Organisations in India have been focused on perimeter security. It is only now that there are visible signs of organisations moving from the asset- and technology-centred paradigm for information security to comprehensive cyber-risk management. The first step for all organisations will be to align security spending with the organisation’s strategic assets.
Safeguards that are a top priority for respondents in the next 12 months
• Procedures dedicated to protecting intellectual property (IP): 19.2%
• Program to identify sensitive assets: 23.0%
• Centralized security information-management processes: 22.6%
• Classification of business value of data: 16.3%
• Risk assessments (on internal systems): 19.2%
• Risk assessments (on third-party vendors): 26.8%
• Active monitoring/analysis of information security intelligence (e.g., vulnerability reports, log files): 20.5%
• Governance, risk, and compliance (GRC) tools: 26.0%
• Enterprise content-management tools: 22.9%
• Protection/detection management solution for advanced persistent threats (APTs): 28.3%
• Security information and event management (SIEM) technologies: 24.2%
Demographics
Around 30% of our respondents had annual gross revenues of over 1 billion USD, and another 30% (approx.) had revenues between 100 million USD and 1 billion USD. Almost a third of our respondents were small enterprises with annual gross revenues of less than 100 million USD, making it an inclusive survey with a distributed respondent base.
[Chart: Respondents by annual gross revenues: large (> 1 billion USD); medium (100 million USD to 1 billion USD); small (< 100 million USD); unknown. Values shown on the slide: 29.5%, 32.6%, 29.5%, 5.3%, 3.1%]
[Chart: Respondents by industry sector: CIPS; FS; TICE; Govt; non-profits, government, educational; others. Values shown on the slide: 47%, 37%, 7%, 7%, 3%]
Thank you.
This publication has been prepared for general guidance on matters of interest only, and does
not constitute professional advice. You should not act upon the information contained in this
publication without obtaining specific professional advice. No representation or warranty
(express or implied) is given as to the accuracy or completeness of the information contained
in this publication, and, to the extent permitted by law, PricewaterhouseCoopers Private
Limited, its members, employees and agents do not accept or assume any liability,
responsibility or duty of care for any consequences of you or anyone else acting, or refraining
to act, in reliance on the information contained in this publication or for any decision based on
it.
© 2014 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC”
refers to PricewaterhouseCoopers Private Limited which is a member firm of
PricewaterhouseCoopers International Limited, each member firm of which is a separate legal
entity.