
Moving forward with cybersecurity and privacy

Key findings from The Global State of Information Security® Survey 2017 — China and Hong Kong

December 2016

Samuel Sinn, Partner, Cybersecurity & Privacy, PwC China

www.pwc.com/cybersecurity

How organisations are adopting innovative safeguards to manage threats and achieve competitive advantages in a digital era.


PwC

About the Global State of Information Security Survey (GSISS)

2


Methodology

The Global State of Information Security® Survey 2017, a worldwide study by PwC, CIO and CSO Magazine, was conducted online from April 2016 to June 2016.

• PwC’s 19th year conducting the online survey, 14th year with CIO and CSO Magazine

• Readers of CSO and CIO Magazine and clients of PwC from 133 countries

• Responses from more than 10,000 CEOs, CFOs, CIOs, CISOs, CSOs, VPs and directors of IT and security practices worldwide

• Forty-eight percent (48%) of respondents from organisations with revenue of USD500 million+

• More than 40 questions on topics related to privacy and information security and how businesses are implementing innovative new safeguards

• Thirty-four percent (34%) of respondents from North America, 31% from Europe, 20% from Asia Pacific, 13% from South America and 3% from the Middle East and Africa

• 440+ respondents from China/Hong Kong

• The margin of error is less than 1%; numbers may not add to 100% due to rounding

3


The survey includes 10,000 respondents from 133 countries.

Respondents by region of employment

4

North America: 34%

South America: 13%

Europe: 31%

Asia Pacific: 20%

Middle East & Africa: 3%


A mix of business and IT security executives are represented

Respondents by title — Global vs. China/Hong Kong

5

CEO, CFO, COO: Global 23%; China/Hong Kong 20%

CISO, CSO, CIO, CTO: Global 20%; China/Hong Kong 49%

Compliance, Risk, Privacy, Audit: Global 12%; China/Hong Kong 3%

IT & Security (Mgmt.): Global 21%; China/Hong Kong 17%

IT & Security (Other): Global 24%; China/Hong Kong 11%


A balanced range of organisation sizes by revenue

Respondents by company revenue size — Global vs. China/Hong Kong

6

Global:

Large (> $1B US): 36%

Medium ($100M - $1B US): 27%

Small (< $100M US): 28%

Non-profit, Government, Education: 3%

Do not know: 6%

China/Hong Kong:

Large (> $1B US): 36%

Medium ($100M - $1B US): 29%

Small (< $100M US): 29%

Non-profit, Government, Education: 1%

Do not know: 5%


Growing trends of cyber attack in China/Hong Kong

7


China/Hong Kong respondents detected a significant increase in cybersecurity incidents*

While the average number of detected security incidents in China/Hong Kong is smaller than the global figure, it has increased dramatically: it is now almost ten times the 2014 average and more than twice the 2015 average.

8

Average number of detected security incidents per respondent in the past 12 months (all respondents globally), as of June 2015 and June 2016 respectively:

Global: 2014: 4,948; 2015: 6,853; 2016: 4,782 (-3% vs. 2014)

China/Hong Kong: 2014: 241; 2015: 1,254; 2016: 2,577 (+969% vs. 2014)

* A security incident is defined as any adverse incident that threatens some aspect of computer security. Question 18: “What is the number of security incidents detected in the past 12 months?”


In 2016, global respondents detected fewer information security incidents.*

9

Average number of security incidents in the past 12 months (all respondents globally): 4,948 (2014); 6,853 (2015); 4,782 (2016); the chart also shows a preceding year's value of 3,741.

* A security incident is defined as any adverse incident that threatens some aspect of computer security. Question 18: “What is the number of security incidents detected in the past 12 months?”

In five industries, incidents increased over the year before. Several are highly regulated industries that have continuously invested in security, while others are catching up.

Industries: Industrial products; Healthcare payers & providers; Financial services; Entertainment, media & communications; Telecommunications

Average incidents shown on the chart: 1,978; 4,938; 7,674; 8,536; 3,218

Year-on-year increases shown on the chart: 70%; 13%; 2%; 26%; 28%


China/HK companies have reduced cybersecurity spend. This comes after substantial budget increases last year, while cybersecurity budgets for global companies stayed flat in 2016.

10

Cybersecurity budget for 2016* (Global vs. China/Hong Kong):

Global: 2014: USD4.1M; 2015: USD5.1M (+24%); 2016: USD5.1M (0%)

China/Hong Kong: 2014: USD6.8M; 2015: USD7.9M (+16%); 2016: USD7.3M (-7.6%)

* Information security budget refers to funds specifically and explicitly dedicated to information security, including money for hardware, software, services, education and information security staff. Question 7: “What is your organisation's total information technology budget for 2016?” Question 8: “What is your organisation’s total information security budget for 2016?”


Key sources of security incidents

11


Insiders are still the No. 1 source of security incidents

12

The number of respondents that experienced incidents attributed to insiders (current and former employees, service providers, consultants and business partners) has continued to increase.

Of incidents attributed to insiders: Global 41%; China/Hong Kong 44%

Top 3 estimated likely sources of incidents: Insiders (No. 1); Competitors; Organised crime and unknown hackers

Question 21: “Estimated likely source of incidents” (Not all factors shown.)


Competitors in China/Hong Kong are the source of security incidents more often than in the rest of the world

13

34% of respondents in China/Hong Kong experienced security incidents attributed to competitors, compared to 23% globally.

Of incidents attributed to competitors: Global 23%; China/Hong Kong 34%

Question 21: “Estimated likely source of incidents” (Not all factors shown.)


Consumer Technologies have become the most targeted set of technologies being breached in China/Hong Kong

Rapid adoption of Consumer Technologies (sometimes called the Internet of Things (IoT)) and lack of cybersecurity focus on IoT products is driving an increase in Consumer Technologies (e.g. webcams, home automation devices) being targeted and breached by cybercriminals.

14

Consumer Technologies breached, 2015 vs. 2016 (Question 19):

Global: 2015: 29.2%; 2016: 25.3% (-14%)

China/Hong Kong: 2015: 36.1%; 2016: 42.7% (+18%)

Question 19: “How did the security incident(s) occur?” (Not all factors shown.)


Operational Technologies have quickly become the second set of targeted technologies being breached in China/Hong Kong

Driven primarily by the rapid adoption of Operational Technologies (sometimes called the “Industrial Internet of Things” (IIoT)) and the lack of cyber security focus, Operational Technologies (industrial control systems) jumped from an insignificant breach target to the second most targeted set of technologies in China/Hong Kong being breached by cybercriminals. This is an increase of approximately 22 times (in the average number of incidents) over the previous year.

15

Operational Technologies breached, 2015 vs. 2016 (Question 19):

Global: 2015: 26.9%; 2016: 24.6% (-9%)

China/Hong Kong: 2015: 1.9%; 2016: 42.1% (+2,213%)

Question 19: “How did the security incident(s) occur?” (Not all factors shown.)


Business email compromise and ransomware emerge as leading business impact, while phishing is the top attack vector

49% of respondents in China/Hong Kong cite business email compromise as the leading impact of incidents, while phishing becomes the top attack vector of cybersecurity incidents.

16

Top 3 business impacts of security incidents (Global vs. China/Hong Kong):

• Business email compromise

• Brand/reputation compromised

• Theft of “hard” intellectual property (information such as strategic business plans, deal documents, sensitive financial documents, etc.)

Global 38%; China/Hong Kong 49%: cite phishing attacks, making it the No. 1 attack vector of cybersecurity incidents this year

Question 22: “How was your organisation impacted by the security incidents?” Question 19: “How did the security incident(s) occur?”


Cybersecurity investments and security priorities to strengthen protection

17


Organisations are prioritising spending on broad strategies to strengthen their digital ecosystems this year

88% of China/Hong Kong respondents said digitisation affected security spending. Security priorities in 2016 emphasise new security safeguards for evolving business models and the Internet of Things (IoT).

18

Say digitisation has impacted information security spending: Global 59%; China/Hong Kong 88%

Top 3 information security spending priorities for 2016:

1. Alignment with business strategy and security governance

2. Biometrics and advanced authentication

3. Security for Internet of Things (IoT)

Question 10a_2017: “What types of security safeguards does your organisation plan to invest in over the next 12 months?” Question 10_2017: “What impact has digitisation of the business ecosystem had on your organisation’s security spending?”


China/HK’s security investment into advanced security technologies such as Artificial Intelligence (AI) and Machine Learning is amongst the highest in the world

19

31.5% of China/Hong Kong respondents invest in advanced security technologies, compared to a global average of 23.5%.

To invest in Artificial Intelligence (AI) and Machine Learning: Global 23.5%; China/Hong Kong 31.5%

Question 10a_2017: “What types of security safeguards does your organisation plan to invest in over the next 12 months?” Question 10_2017: “What impact has digitisation of the business ecosystem had on your organisation’s security spending?”


Impact of business digitisation and measures undertaken to enhance security safeguards and reduce risk

20


As trust in cloud models deepens, organisations are running more sensitive business functions on the cloud

45% of China/Hong Kong IT systems are most likely to be run in a cloud environment, but approximately one-third of organisations entrust operations and marketing and sales to cloud providers.

21

Of all IT services are running in a cloud environment: Global 48%; China/Hong Kong 45%

Top 3 business functions in a cloud environment: IT; Marketing and Sales; Operations

Question Q15_2017: “What business function areas does your organisation run in a cloud environment?” Question Q16_2017: “Currently, what percentage of your organisation’s IT services is delivered via cloud service providers?”


Respondents are using open-source software to more efficiently deliver IT services and improve cybersecurity

75% of China/Hong Kong respondents employ open-source software — and among them 49% say it helps to improve their cybersecurity posture.

22

Use open-source software: Global 53%; China/Hong Kong 75%

Top 3 impacts of open-source software: Enhanced scalability; Improved cybersecurity; Easier to develop and deploy new IT projects

Question 21_2017: “Does your organisation use open-source software in place of/in addition to traditional enterprise software infrastructure and middleware?” Question 21a_2017: “What impact has the use of open-source software had on your organisation?”


As the Internet of Things (IoT) takes off, organisations are moving to update their cybersecurity and privacy safeguards

57% of China/Hong Kong respondents invest in initiatives to address device and system interconnectivity, data governance and employee training.

23

Investing in a security strategy for the Internet of Things: Global 46%; China/Hong Kong 57%

Top 3 policies, technologies & people skills being implemented for the Internet of Things:

• Assess device & system interconnectivity & vulnerability across the business ecosystem

• Employee training on IoT security practices

• Policies and technologies to safeguard against new IoT risks

Question 25_2017: “What policies, technologies and people skills does your organisation plan to implement over the next 12 months to address the cybersecurity and privacy risks associated with the Internet of Things (IoT)?” Question 10A_2017: “What types of security safeguards does your organisation plan to invest in over the next 12 months?”


Addressing cybersecurity’s growing concern on data privacy protection

24


Data privacy becomes an increasingly critical business requirement; employee training is a top priority

63% of China/Hong Kong businesses are updating privacy policies and procedures, conducting privacy training and awareness, and conducting privacy assessments for Big Data and analytics projects, exceeding the global average of 56%.

25

Currently require employees to complete privacy training: Global 56%; China/Hong Kong 63%

Top 3 privacy initiatives 2016:

• Privacy training and awareness

• Big Data, data analytics or data de-identification

• Privacy policies and procedures across the business ecosystem

Question 24_2017: “Which of the following projects, if any, will your privacy function address over the next 12 months?” Question 10a_2016: “Which safeguards does your organisation currently have in place?”


Cybersecurity Challenges Brought by the New Regulations

26


China’s Cybersecurity Law: with global vision, protect China’s sovereignty

With global vision and based on the status quo of China, the law is interpreted from the national security, social security, business and personal perspectives.

Laws specific to China

01 The authority is allowed to take measures to shut down or limit network communication in case of significant social security emergencies.

Support network technology innovation and talent cultivation

02 The law specifies a network real-name system, and is strict on cybercrime.

03 For enterprises with cross-border personal sensitive data transfer, a security assessment is required prior to the transfer.

04 The government will allocate more budget to the study and development of teenager network products and technical innovation.

05 Foreign organizations and individuals who attack China’s critical infrastructure are subject to punishment specified by the law.

Global Vision

U.S.: focuses on social security, and set up an intelligence analysis department and an international office to reinforce international collaboration.

E.U.: focuses on national security, and set up a cybersecurity department to promote cybersecurity strategy, law and practice.

Japan: focuses on enterprise and personal security, and encourages collaboration between government and non-governmental organizations.

China’s top legislature adopted its Cyber Security Law on Nov 7, 2016. The law was passed at the bimonthly session of the National People's Congress (NPC) Standing Committee, after a third reading, and is set to take effect on June 1, 2017. Departmental regulations shall be issued shortly after. The law defines the scope of critical infrastructure, and enforces penalties on overseas organizations and individuals who attack or break the nation’s critical infrastructure. The law puts more emphasis on personal information security, cybercrime, network product and service security, obligations of network operators, and sovereignty rights over cyberspace.

1 million websites being attacked

Loss of over 15 billion USD

Over 750 million Chinese internet users


Cybersecurity Challenges Brought by the New Regulations: EU GDPR Territorial Scope

European businesses

Businesses that are established in a Member State plainly fall under GDPR.

Businesses outside of the EU

Many more entities will now fall under GDPR, which allows for any business located anywhere in the world to fall under its terms if the business offers goods or services in the EU or monitors the behaviour of EU citizens, irrespective of whether it has a physical office or employees in Europe.

Obligation to appoint a representative

Under Article 25, a business from outside the EU that falls under the GDPR regime because of its activity with regard to the citizens of a Member State is under an obligation to appoint a representative in that Member State, unless: (i) it is situated in a country that the regulator deems to be “adequate”; (ii) it employs fewer than 250 people; (iii) it is a public body; or (iv) it only offers goods or services to EU consumers on an occasional basis. The purpose of the representative will be to act as a point of contact for the entity’s Data Protection Officer.


Cybersecurity Challenges Brought by the New Regulations: EU GDPR Key Points

Privacy by Design

- There are a few key steps if a business does not want to embark on a full review and overhaul just yet: (i) minimise data collected; (ii) do not retain that data beyond its original purpose; and (iii) give the data subject access to and ownership of that data.

Right to be forgotten

- This is really a right of consumers to erase their data. This is more far-reaching than a business might consider at first blush. A consumer or data subject can request to erase the data held by companies at any time and, if it has been passed on to any third parties (or third-party websites), they would have to erase it as well.

Breach Penalties

- For penalties the European Council wants fines of up to €10 million or 2% of the annual global turnover (whichever is higher). For serious penalties, the European Parliament is advocating fines of up to €20 million or 4% of annual global turnover (whichever is higher). It would be a serious chunk of revenue for even the largest multinational.

Brand Damage

If a personal data breach is likely to adversely affect the protection of the data subject’s personal data or privacy, security breaches must be notified to the relevant data subjects without undue delay, unless the controller can demonstrate that encryption or other technology rendered the data unintelligible to third parties. The potential for significant brand damage, litigation and media reporting of an incident is clear and could spell the end of a business overnight.

Data Protection Officer

A data protection officer (DPO) is supposed to be responsible for creating access controls, reducing risk, ensuring compliance, responding to requests, reporting breaches and even creating a good data security policy. The European Council and European to act as the focal point in ensuring compliance with the GDPR and businesses will need to appoint DPOs sooner rather than later.


Q&A

Thank you

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

© 2016 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

Visit www.pwc.com/gsiss to explore the data further