Page 1: Title

Perception gaps in cyber resilience: Where are your blind spots?

The hidden costs of shadow IT, cloud, and cyber insurance

Sandeep Kumar: Business Resiliency Leader, SIH East

Source: public.dhe.ibm.com/software/in/pdf/Cyber_Resiliency_blind_spots.pdf



Page 2: Overview

Forbes Insights conducted a study in partnership with IBM to better understand how business leaders are working to make their organizations more secure and resilient by examining how leading organizations approach business continuity and disaster recovery.

The survey gathered opinions from more than 350 executives across the globe about:

→ How their organizations approach cybersecurity, business continuity, and recovery
→ The effects of shadow IT on their organization's security and recovery strategies
→ Their coverage and security practices related to cloud service providers
→ The role cyber insurance plays in mitigating a multitude of risks

Page 3: Methodology

Forbes Insights surveyed 353 executives across the globe about their outlook on cybersecurity and resiliency at their organizations. Respondents are from the following demographic breakdowns.

Region: North America, Europe, Asia-Pacific, Latin America, Africa/Middle East (shares extracted from the chart as 30%, 30%, 31% and 9%; the chart does not make the pairing with regions recoverable)

Revenue:
$500 million - $999.9 million: 25%
$1 billion - $4.9 billion: 27%
$5 billion - $9.9 billion: 23%
$10 billion or more: 25%

Industry:
Banking: 10%
Telecommunications, media & entertainment: 9%
Automotive: 7%
Insurance: 7%
Healthcare: 7%
Energy and utilities: 7%
Retail: 7%
Chemical and petroleum: 6%
Government: 6%
Manufacturing, resources & construction: 6%
Education: 6%
Travel and transportation: 5%
Consumer products: 4%
Life sciences: 4%
Electronics: 3%
Financial markets: 3%
Aerospace and defense: 3%
Other: <1%

Title:
CIO: 17%
CTO: 9%
CSO: 9%
CISO: 8%
COO: 6%
CPO: 6%
CFO: 5%
CEO: <1%
Other C-Suite: <1%
EVP/SVP/VP of IT Operations: 11%
EVP/SVP/VP of Business Continuity: 9%
EVP/SVP/VP of Disaster Recovery: 8%
EVP/SVP/VP of IT Security Operations: 6%
EVP/SVP/VP of IT Architecture: 6%
Other EVP/SVP/VP of IT: <1%
EVP/SVP/VP of Line of Business: <1%

Page 4: Responsibility for cybersecurity

Who is responsible for cybersecurity (prevention and protection) at your organization? (Select all that apply)

Responsibility for cybersecurity tends to fall on the Chief Information and Security Officers.

Chief Information Officer: 85%
Chief Security Officer: 69%
Chief Information Security Officer: 62%
Head of IT department: 47%
Broadly shared responsibility with a C-level executive accountable for policy and budget: 41%
Broadly shared responsibility with one manager accountable for policy and budget: 37%
Chief Financial Officer: 22%
Narrowly shared responsibility with a C-level executive accountable for policy and budget: 14%
Narrowly shared responsibility with one manager accountable for policy and budget: 9%
Chief Revenue Officer: 7%

Page 5: Responsibility for business continuity and disaster recovery

Who is responsible for business continuity and disaster recovery during a cyber event in your organization and after a cyber event in your organization? (Select all that apply)

CIOs are most often responsible for continuity and recovery during and after a cyber event.

| Responsible party | During a cyber event | After a cyber event |
|---|---|---|
| Chief Information Officer | 76% | 69% |
| A team of executives responsible for cybersecurity and those responsible for BC/DR | 74% | 69% |
| A managed service provider(s) | 57% | 53% |
| Chief Information Security Officer | 55% | 50% |
| Head of business continuity/disaster recovery | 54% | 53% |
| An IT partner/vendor | 42% | 44% |
| Chief Security Officer | 38% | 37% |
| Head of IT department/infrastructure | 34% | 35% |
| Chief Risk Officer | 26% | 24% |
| Chief Financial Officer | 12% | 12% |
| Other | 1% | 1% |
| It's not always clear | 0% | 0% |

Page 6: Planning Cyber Resilience

→ 38% worry that no matter how well they protect their data, systems and applications, they could still face a cascade of failures from a source beyond their control
→ 41% recognize that their organization is more hyperconnected than ever and that this makes recovery more challenging in the face of a cyber event
→ Yet only 42% say that cyber resilience is an integral part of their organization's digital transformation
→ Only 37% believe their top management understands the difference between mitigating cyber risk and working toward a more comprehensive, orchestrated, dynamic cyber-resilience strategy
→ Fewer than half say that business continuity/disaster recovery teams and protocols are an integral part of cyber-resilience planning and practice at their organization

Page 7: Cyber events experienced

Has your organization been impacted by any of the following cyber events in the last three years? (Select all that apply)

More than half of organizations have experienced at least one cyber event in the last three years; a fifth have been victims of password phishing.

Power outage: 40%
Password phishing: 21%
Denial-of-service: 16%
Socially engineered malware: 16%
Ransomware: 14%
Attacks via unpatched software: 13%
Outage due to human error: 13%
Social media cyber attacks: 11%
Identity and access: 11%
Man in the middle (MITM): 9%
Advanced persistent threats (APT): 8%
Insider attacks: 7%
SQL injection: 7%
Crypto-jacking: 7%
Cross-site scripting: 5%
None of the above: 44%

Page 8: Changes made after a cyber event

How did that event(s) change the way your organization plans for business continuity and disaster recovery? (Select all that apply)

90% of organizations made changes after a cyber event; more than half expanded their continuity teams or purchased cyber security solutions.

Expanded our business continuity and disaster recovery teams/elevated their status within the organization: 57%
Purchased cyber security solutions: 51%
Decentralized our business continuity and disaster recovery efforts: 46%
Hired experts to join our business continuity and disaster recovery teams: 35%
Invested in new cyber security technologies: 35%
Consolidated our business continuity and disaster recovery efforts under one executive: 27%
Purchased cyber security insurance: 27%
Revised our data governance/management protocols: 26%
Reviewed our providers and made changes where necessary: 22%
Centralized our business continuity and disaster recovery efforts: 20%
(Re)designed our systems, practices and processes to build in resilience: 20%
Revised our policies regarding non-centralized and non-approved applications: 18%
Not changed our plans: 10%

Page 9: Confidence in recovery

How confident are you that your organization could recover from a major cyber event without impacting your business?

Just 42% are very confident that their organization could recover from a major cyber event without impacting their business.

1 - Not at all confident: 12%
2: 12%
3: 34%
4: 27%
5 - Extremely confident: 14%

Page 10: Impediments to cyber resilience

Where do you see impediments to improving your organization's cyber resilience? (Select all that apply)

Three in five execs think security and disaster recovery are independent and don't work well together.

Security and disaster recovery are independent and don't work well together: 60%
Lack of clear accountability for business continuity and disaster recovery: 52%
Systems not designed for resilience: 45%
Lack of in-house expertise: 43%
Too little money budgeted to recovery: 35%
Business continuity and disaster recovery are not a priority of top management/board: 34%
Too much reliance on outside vendors for continuity and recovery: 22%
Lack of understanding of risk to ongoing operations from potential cyber event: 17%
None of the above: 16%

Page 11: Shadow IT

Two thirds (68%) retain at least 100 different applications, and only 48% are very confident that they are aware of all technologies users rely on.

Approximately how many applications does your organization or company retain?

1000 or more: 4%
Between 750 and 1000: 7%
Between 500 and 750: 11%
Between 250 and 500: 20%
Between 100 and 250: 25%
Less than 100: 31%
None: (no value extracted)
I don't know: (no value extracted)

How confident are you that your organization is aware of all the technology users rely on to do their jobs?

1 - Not particularly confident: 8%
2: 20%
3: 25%
4: 32%
5 - Extremely confident: 16%

Page 12: Shadow IT

Fewer than half believe their organization is adequately aware of shadow IT risks; three quarters use network monitoring to detect unknown devices.

How aware and responsive do you believe your organization is when it comes to the potential risks and vulnerabilities of shadow IT?

1 - Not particularly aware/responsive: 11%
2: 10%
3: 31%
4: 36%
5 - Extremely aware/responsive: 12%

What policies and protections does your organization employ toward shadow IT? (Select all that apply)

Network monitoring to detect unknown devices: 74%
Well-publicized guidelines for BYOD, cloud services and third-party applications: 71%
Restricted access to non-sanctioned third-party applications: 67%
Users can choose their own devices and a wide range of applications, minimizing the need for shadow IT: 34%
Zero-trust policy for logging into sensitive parts of the network: 33%

Page 13: Shadow IT

Four out of ten say direct purchasing of SaaS and other non-sanctioned software by individuals and business units makes it impossible to protect all their data, systems and applications.

To what extent do you agree with the following statements around planning and maintaining cyber resilience in your organization?

Statement: Direct purchasing of software-as-a-service, personal and business applications and other non-sanctioned software by individuals and business units at our organization makes it impossible to protect all our data, systems and applications all of the time.

1 - Completely disagree: 12%
2: 20%
3: 22%
4: 29%
5 - Completely agree: 17%

Page 14: Shadow IT

One in five organizations experienced a cyber incident due to non-sanctioned hardware; three in five don't include shadow IT in threat assessments.

Have you or your office or department ever experienced a loss (of data, sales, operations, worktime or reputation) because of a cyber incident or outage related to non-enterprise, non-sanctioned hardware?

Yes: 21%
No: 79%

Does your organization's threat/risk assessment include shadow IT?

Yes, as much as possible for known critical applications: 40%
No, but it should: 41%
No, we protect what matters most and shadow IT is not considered critical: 19%
I don't know: (no value extracted)

Page 15: Shadow IT

Nearly nine in ten executives believe the users themselves are responsible for security of unsupported applications; just 41% say their security team is.

Who do you believe should be responsible for security and recovery when it comes to applications that are not directly supported by your organization's IT function? (Select all that apply)

The users themselves: 87%
Our IT department: 68%
The vendors or providers of each application: 64%
Our security team: 41%
In-house developers who customize applications for your department or function: 41%
Disaster recovery teams: 39%
The line-of-business manager who sanctioned them: 36%
Our cloud service provider(s): 25%
Third-party developers who customize applications for your department or function: 11%

Page 16: Cloud Service Providers

Hybrid cloud is the most common IT infrastructure; tiering is the most popular means to secure data in the cloud.

What type of IT infrastructure does your organization rely on? (Select all that apply)

Hybrid cloud: 62%
Traditional data centers: 56%
Public cloud: 39%
Private cloud: 37%
Multi cloud: 11%

How does your organization secure data in the cloud? (Select all that apply)

Prioritize and tier data based on accessibility required: 75%
We have a regularly updated recovery plan(s) with our cloud provider(s): 65%
Conduct regular back-up and failover testing with CSP: 60%
Monitor access: 46%
Encrypt sensitive data: 44%
Zero-trust policy for access: 42%
We rely on our CSP's guarantee of security, recovery and continuity: 38%

Page 17: Cloud Service Providers

Only 45% are confident that cloud service providers can meet service-level agreements in the case of a cyber event.

How confident are you that cloud service provider(s) can meet service-level agreements should there be a cyber event?

1 - Not at all confident: 3%
2: 9%
3: 44%
4: 31%
5 - Extremely confident: 13%

If a cloud provider is responsible for an outage or a breach and service-level agreements are not met, who would bear the cost for recovery, downtime and any monetary or reputational loss?

Response options: The cloud service provider would cover most costs; Our organization would be on the hook for most costs; Costs would be shared as outlined in our contract; Not sure. (Shares extracted from the chart as 16%, 31% and 54%; the chart does not make the pairing with options recoverable.)

Page 18: Cloud Service Providers

45% say their increased reliance on cloud-based systems makes it impossible to protect all their data, systems and applications all of the time.

To what extent do you agree with the following statements around planning and maintaining cyber resilience in your organization?

Statement: Our increased reliance on cloud-based systems makes it impossible to protect all our data, systems and applications all of the time.

1 - Completely disagree: 12%
2: 18%
3: 24%
4: 21%
5 - Completely agree: 24%

Page 19: Cloud Service Providers

13% have lost data or faced downtime because of an incident with a cloud service provider; 58% of those incidents involved security breaches.

Has your organization lost data or faced downtime because of an incident with a cloud service provider?

Yes: 13%
No: 87%
Not sure: (no value extracted)

What was the cause of the incident?* (Select all that apply)

Security breach: 58%
Physical damage to cloud service provider's facility: 44%
System misconfiguration (e.g. permissions set to public): 40%
Human error: 33%
I don't know: 29%
Failover failure: 27%
Power outage: 2%

*Only asked to those who said 'Yes.'

Page 20: Cloud Service Providers

One third of those impacted by a cyber incident say their cloud provider did not meet service level agreements.

Was your firm compensated by the provider for any lost business, downtime, legal fees or any other financial loss that was the result of a cloud service provider incident?*

Yes: 44%
No: 56%
Not sure: (no value extracted)

Did your cloud service provider meet service-level agreements following the incident?*

Yes: 36%
No: 33%
They were exempt as specified in our contract: 29%
(Option label not extracted): 2%

*Only asked to those who said 'Yes.'

Page 21: Cloud Service Providers

Three-quarters of firms incorporate cloud service providers in their threat and risk assessment.

Does your organization incorporate cloud service providers in your threat/risk assessment?

Yes: 78%
No: 21%
Not sure: (no value extracted)

Page 22: Cyber Insurance

Only a quarter of organizations have cyber insurance; three quarters of those say they have it because their risk department determined they should.

Does your organization have cyber insurance?

Yes: 27%
Not yet, but we are planning to purchase cyber insurance in the near future: 8%
No, but we need it: 31%
No, and we don't need it: 20%
Not sure: 15%

What are the most important reasons behind why your organization initiated or will initiate insurance coverage?* (Select all that apply)

Our risk department determined we should have it: 72%
To offset potential costs of a cascading event in a more connected environment: 63%
We have experienced one or more cyber events and recognize the need to minimize our risks and costs: 34%
Not sure: 31%
Our board of directors mandated coverage: 8%

*Only asked to those who said 'Yes' or 'Not yet, but we are planning to purchase cyber insurance in the near future.'

Page 23: Cyber Insurance

Four in ten executives believe that the costs of data recovery and managing a crisis are covered in full by their cyber insurance.

Which costs and incidents do you believe are covered by your cyber insurance policy?*

| Cost or incident | Covered in full | Covered in part |
|---|---|---|
| Cost of data recovery | 40% | 31% |
| Cost of managing a crisis | 39% | 32% |
| Monetary loss from network downtime/business interruption | 32% | 34% |
| Legal expenses associated with the release of confidential information or intellectual property | 27% | 40% |
| Credit monitoring for affected customers | 24% | 45% |
| Legal settlements | 21% | 45% |
| Cost of forensics investigation/coordination with law enforcement and third-party organizations | 18% | 36% |
| Regulatory fines | 15% | 46% |
| Cost of cyber extortion, such as ransomware | 14% | 57% |
| Reputational costs | 14% | 24% |
| Events originating with vendors, service providers or other third parties that impact your organization | 13% | 31% |
| Non-malicious acts by an employee (human error) that lead to an outage or breach | 11% | 36% |
| Data breach notifications to customers and affected parties | 11% | 52% |
| Cost of preventing similar events in the future | 11% | 37% |

The chart carries two further response series whose legend labels were not extracted; their values, in the same row order, read 16%, 17%, 26%, 21%, 26%, 20%, 35%, 23%, 22%, 43%, 33%, 47%, 34%, 37% and 13%, 12%, 9%, 12%, 5%, 14%, 11%, 16%, 6%, 19%, 23%, 6%, 15%.

*Only asked to those who said 'Yes' they have cyber insurance.

Page 24: Cyber Insurance

Only 24% believe that developing and maintaining a more robust resilience plan is more important than the ability to underwrite cyber risk.

Which do you believe is most important to minimizing the impact of a cyber event?

The ability to underwrite some of the risks associated with a cyber event: 15%
Developing and maintaining a more robust resilience plan that covers the lifecycle of critical data and processes: 24%
They are both equally important: 61%
Other: (no value extracted)

Page 25: Thank you