Secure Information – Safe Future
Key observations from the results of “The Global State of Information Security Survey 2014”
www.pwc.pl/cyber-security
First time results for Poland!
December 2013
Dear Sirs,
Security of information and IT systems
– nowadays referred to as the “cyber
security” – is becoming an increasingly
important element of business.
Cloud computing, mobility, the “Internet
of Things” and social networks are more
and more prevalent in our lives, as well.
We have decided to take a look at such
trends in our annual survey on the
security of information worldwide,
conducted by PwC along with CIO and
CSO magazines.
This year, for the first time we present the
results of the survey of the Polish market
against the results worldwide.
It gives us great pleasure to present
our report to you. Feel free to read it and
contact our experts in case of any
questions.
Piotr Urban, Partner, PwC Risk Assurance Leader
Rafał Jaczyński, PwC Cyber Security Leader
Contents
The heart of the matter
An in-depth discussion
Today’s incidents, yesterday’s strategies
Weak defences
Preparing for the threats of tomorrow
Greatest obstacles
Security practices – Europe and Poland
Summary
Methodology of the survey
The Global State of Information Security® Survey 2014
The heart of the matter
While information security risks have evolved and intensified, security strategies – historically compliance-based and perimeter-oriented – have not kept pace. In this situation an approach to security whose main purpose is to meet regulatory requirements is no longer sufficient.
The result? Today, organizations often
rely on yesterday’s security strategies to
fight a largely ineffectual battle against
highly skilled adversaries who leverage
the technologies of tomorrow.
These sophisticated intruders are
bypassing outdated perimeter defences
to perpetrate dynamic attacks that are
highly targeted and difficult to detect.
Many use well-researched phishing
exploits that target top executives.
Compounding matters, the attack surface
– partners, suppliers, customers, and
others – has expanded as an ever-greater
volume of data flows through
interconnected digital channels.
These factors have combined to make
information security progressively more
complex and challenging. It has become
a discipline that demands pioneering
technologies and processes, a skill set
based on counterintelligence techniques,
and the unwavering support of top
executives. A key tenet of this new
approach is an understanding that
an attack is all but inevitable, and
safeguarding all data at an equally
high level is no longer practical.
The Global State of Information Security
Survey® 2014 aims to measure and
interpret how global organizations
implement practices to combat today’s
highly skilled adversaries. This year’s
survey indicates that executives are
elevating the importance of security.
They are heeding the need to fund
enhanced security activities and believe
that they have substantially improved
technology safeguards, processes, and
strategies. But while organizations have
raised the bar on security, their
adversaries have done even more. This
year’s survey shows that detected
security incidents have increased
25% over the previous year, while
the average financial costs of
incidents are up 18%.
The survey also reveals that many
organizations have not deployed
technologies that can provide insight
into threats, identify and protect key
assets, and evaluate threats within the
context of business objectives. For
many companies, security is not yet
a foundational component of the
business strategy, one that is
championed by the CEO and board,
and adequately funded.
Put simply, few organizations have kept
pace with today’s escalating risks – and
fewer still are prepared to manage future
threats.
In this new model of information
security, knowledge is power. Seize it.
Comments on the results of the Polish survey
The global survey was supplemented
with the Polish part – the invitation
directed to the clients of PwC Poland
and readers of the THINKTANK
magazine was answered by more than 70
companies and organizations in Poland.
Due to the limited number of responses,
the observations from the Polish part are
more of a qualitative nature. Main areas
represented by the Polish respondents
were finance (banking and insurance),
telecommunications, consulting services,
software development and industry.
“Our survey was taken by
Polish companies which are
leaders of their respective
sectors. Compared to similar
businesses worldwide, Polish
companies are exceptionally
good in those areas which
require compliance with
restrictive law – in particular
the law on personal data
protection and intellectual
property. However, the
indicators of strategic
importance of cyber security
– for instance, its place in the
structure of the company or its
budget level – are significantly
worse than the best practices.”
Piotr Urban, Partner, PwC Risk
Assurance Leader
An in-depth discussion
As digital technologies become universal,
they have transformed the business
environment.
Today, organizations are increasingly
interconnected, integrated, and
interdependent. They employ technology
and ubiquitous connectivity to share an
unprecedented volume of information
assets with customers, service providers,
suppliers, partners, and employees.
These sophisticated technologies enable
organizations to perform business tasks
with a velocity and degree of efficiency
that are unprecedented.
However this evolved business
ecosystem also imperils organizations by
putting them at the mercy of adversaries
who would exploit these technologies
and processes to disrupt operations and
even destroy businesses. As a result,
security threats have become a critical
business risk to global organizations.
The traditional reactive approach to
information security strategy, which
typically relegates security to an IT
challenge, remains commonplace. It is,
however, no longer effective, nor is it
defensible.
Today’s new world of security risks
demands that organizations treat
information security threats as
enterprise risk-management issues that
can critically threaten business
objectives.
We asked our respondents to tell us how
they are addressing information security
imperatives, and how well their privacy
and information security safeguards are
aligned with business objectives. The
results of the Polish survey show that
most people are confident in their
organization’s information security
practices.
Strong confidence in today’s security practices
It is striking that, even in a climate of escalating and evolving risks, executives remain highly confident in their organization’s security capabilities and activities. In total, more than 80% of the respondents say their security activities are effective. This optimism is strongest at the top of the organizational chart, where executives rate security effectiveness very highly. Lower-ranking staff directly involved in project work are noticeably more reserved and less convinced of the effectiveness of the measures undertaken.
More than
80%of the respondents from Poland
claim that the activities of their
organizations in the area of
information security are
effective.
This conviction about the validity of the security strategies adopted by companies is echoed by the evaluation of the effectiveness of security expenditure, although this angle slightly dampens the general optimism in Polish organizations. More than 64% of the Polish respondents say security spending is aligned with business objectives. Some executives are sceptical, which suggests that the policy for budgeting information security initiatives is not always followed.
Nevertheless, as in other countries, the Polish respondents’ conviction about the effectiveness of their security measures suggests that such measures are – at least in theory – an integral part of the business strategy. Optimism also prevails in the general approach to information security.
More than
64%of the Polish respondents claim
that security spending at their
company is aligned with
business objectives.
Figure 1: Which of the following categories best describes the approach of your business to information security?
Front-runners – “We have an effective strategy in place and are proactive in executing the plan”: 42%
Strategists – “We are better at getting the strategy right than we are at executing the plan”: 23%
Tacticians – “We are better at getting things done than we are at defining an effective strategy”: 19%
Firefighters – “We do not have an effective strategy in place and are typically in a reactive mode”: 15%
Most of the respondents are willing
to be proactive in tackling new
challenges.
We label those who report they have an
effective strategy in place and are
proactive in executing the plan
front-runners, since they exhibit two
key attributes of leaders. Among this
year’s respondents, 40% say they have
the attributes of a front-runner. It is
only slightly less than indicated in the
global version of the report (where such
approach was declared by 50% of
respondents). About one in four say they
get strategy right but may not
successfully execute the plan, a category
we call strategists. Those who consider
themselves better at “getting things
done” than defining effective strategy
– tacticians – account for 20% of
respondents. The group that we call
firefighters, which do not have a
strategy in place and are typically in a
reactive mode, comprise 15% of
respondents.
Are front-runners really leaders?
Self-assessments are, by their very
nature, biased. So we took a closer look
at the data and created a series of
requirements that define “true” leaders
on the basis of reported capabilities and
undertaken activities rather than self-
perception.
To qualify as leaders, respondents
must:
• Have an overall information security
strategy,
• Employ a chief information security
officer (CISO) or equivalent who
reports to at least a Board member or
top leadership,
• Measure and review the effectiveness
of security measures within their
organization,
• Understand exactly what type of
security events have occurred
in the past year.
Filtering for these qualities shows that
only 26% of all the Polish respondents
rank as true leaders. They usually work
for large companies, with revenues of
more than PLN 5 billion, in the following
sectors:
• retail banking or financial consulting,
• telecommunications,
• mining industry.
Figure 2: Front-runners vs. leaders – front-runners 40%, leaders 26%
Global figures indicate that real
leaders detect more security
incidents, have a better
understanding of what types of
security incidents occur and the
source of those incidents, and
report lower average financial
losses as a result of security
incidents.
Cause for concern: investment too low
Although the majority of respondents declared strong commitment and expressed great optimism, budgets for information security activities remain very low. Our results indicate that on average they represent only 2.7% of the entire IT budget. The will to act and the growing commitment to information security are therefore severely limited by insufficient funding. For comparison, the security budget globally constitutes on average 3.8% of the IT budget, and overall IT spending is much higher worldwide.
But what about the future? Most respondents do not expect any significant improvement in the current situation. Only 33% of the Polish respondents claim that their information security budget will increase within the next 12 months. In this category Poland lags well behind other markets, where spending on information security is generally expected to grow (51% of responses in the global survey).
Only
33%claim that their budget for
information security will
increase.
Today’s incidents, yesterday’s
strategies
It has been all but impossible to ignore
the barrage of news reports about
increasingly sophisticated – and often
successful – security breaches over the
past year. Given the sometimes
sensational, and often click-driven
nature of news reporting, it’s only natural
to question the accuracy of reports
concerning cyber intrusions.
Global survey respondents report a 25%
jump in detected incidents over the last
year.
This would seem to validate the headlines trumpeting elevated security threats. Unfortunately, Polish companies do not seem to share this concern. Given that, according to independent research, 75% of attacks are opportunistic – they happen because a gap in security measures exists, not because the target is attractive – the discrepancy may indicate that Polish organizations’ processes and tools for detecting security incidents are less effective.
“Right now it is only a matter of time before a given company becomes a target. It is best to assume that our security has already been breached, but that we have not yet detected it. This means that crisis management and security start to intertwine and must be considered jointly.”
Rafał Jaczyński, PwC Cyber Security Leader
Figure 3: Average number of security incidents in the past 12 months (global survey): 2011 – 2,562; 2012 – 2,989; 2013 – 3,741
“The increase in the number of
detected IT security incidents
does not indicate the
ineffectiveness of the
implemented security
strategies. On the contrary
– thanks to new technologies
and monitoring processes
companies may detect threats
and hacking attempts much
earlier.”
Patryk Gęborys, PwC Cyber Security
Manager
The concern that Polish companies are
not sufficiently prepared to detect and
handle security incidents is confirmed by
the figures which indicate how many
respondents do not have knowledge on
the number of security incidents at their
organization. In Poland, it is 22%, 4
percentage points more than the global
level.
The increase in the number of incidents, combined with a concurrent rise in the volume of business data being shared digitally, means that the most frequent result of a security incident is the loss or theft of data. In Poland, almost half of all attacks lead to the leakage or unavailability of information. The global survey also suggests that this risk is growing: this year, 24% of respondents reported loss of data as a result of security incidents, a rise of 16% over 2012.
A closer analysis of security incidents in Poland leads to further conclusions. In almost half of all cases such incidents involve brand or reputation damage. This is related to the type of information disclosed, which usually concerns intellectual property or the identity of a client or an employee. Almost all our respondents told us that this is exactly the kind of data considered most important in their companies. It therefore seems natural to focus protection on the data that is targeted in the first place. Nevertheless, the survey results indicate that the security measures currently in use do not allow organizations to effectively counter the risk of data or intellectual property theft.
Figure 4: Impact of security incidents in Poland (percentage of respondents; multiple answers allowed)
Threat to brand/reputation: 40%
Theft of “soft” intellectual property (e.g. processes, institutional knowledge): 30%
Identity theft (client or employee data stolen): 20%
Theft of “hard” intellectual property (e.g. company’s strategic plans, transaction documents): 15%
Exposure to legal risk/suit: 15%
Loss or damage of internal records: 15%
The costs and complexity of
responding to incidents are
increasing. This includes the
cost to investigate, the cost to
understand business risks and
contain incidents, the cost to
manage notification to
regulators, customers, and
consumers, and the cost of
litigation. Also, the cost of
remediation is rising because
more records across more
jurisdictions are being
impacted, and security controls
have not kept pace with the
ever-changing threat
landscape.
Insiders, outsiders, and hackers
As every year, we asked our respondents
about the possible sources of security
incidents. More than half of the
respondents from Poland indicated
insiders – either employees or suppliers.
The participants of the global survey also
indicate that the main source of incidents
are insiders and trusted partners.
The results of the global GISS survey can be compared with independent reports based on actual data from analysed security incidents: according to the Verizon 2013 Data Breach Investigations Report, the source of the vast majority (92%) of incidents was outsiders, and most of those incidents (52%) involved intrusions into IT systems. This comparison calls for some comment.
So far, the prevailing dogma of security
management has been the statement that
most incidents are caused by employees.
We believe this claim is now glaringly
obsolete and the truth is that company
employees and partners are less and less
frequently initiators of abuse – however,
they become either willing or unwilling
abettors. This change of approach
certainly does not mean the return to the
concept of a “wall” at the contact point
with the external world; it just means
that employees and IT resources used by
them directly (computers, office systems
and networks, online services) are in fact
yet another perimeter to be considered
by the company defence forces.
Figure 5: Estimated likely source of incidents (percentage of respondents indicating each source; multiple answers allowed). Sources as shown in the chart, grouped there as insiders, trusted partners and outsiders:
Current employees: 50%
Former employees: 25%
Current service providers/consultants/contractors: 15%
Clients: 10%
Former service providers/consultants/contractors: 5%
Information brokers: 3%
Hackers: 25%
Competitors: 10%
Organized crime: 10%
Activists/activist groups/hacktivists: 5%
One reason why organizations
do not have effective plans in
place for internal threats is that
many classes of insiders, such
as partners and suppliers, are
invited within network
perimeters and a certain level
of trust is assumed. Businesses
should understand that trust in
advisors should not be implicit.
Weak defences
To combat today’s risks, organizations
should be able to achieve ongoing insight
and intelligence on ecosystem
vulnerabilities and dynamic threats.
Activities and investments should be
driven by the best available knowledge
and evaluated within the context of
business activity.
For many, this represents a significant
shift in thinking and planning. So it’s not
entirely surprising that many survey
respondents report they have not
implemented technologies and processes
that provide insight into current risks
and threats. For instance, 55% of the
respondents in Poland have not deployed
behavioural profiling and monitoring
tools, and fewer (42%) do not employ
security information and event-
management technologies. Asset-
management tools are critical to
safeguarding data assets, yet are not in
place for 41% of respondents we
surveyed. On the other hand, it is worth
mentioning that the respondents in
Poland use data loss prevention tools
(DLP) and intrusion prevention systems
(IPS) rather often – as indicated by 57%
and 60% respectively.
As data proliferates and is shared among
more partners, suppliers, contractors
and customers, it is increasingly critical
that businesses understand the risks
associated with sharing data with third
parties. What’s more, organizations
should ensure that third parties meet or
beat their requirements for data security.
Respondents in Poland declare that in
most cases (74%) they require that
external entities (including providers of
outsourced services) follow the corporate
security policy. Although more than a
half (54%) maintain a list of all external
entities which handle personal data of
employees and clients, only 34%
declared that they held periodic audits to
make sure that third parties are able to
ensure protection of such data.
As noted, today’s elevated and evolving
threat environment requires that
organizations understand that it is no
longer practical – or, indeed, possible
– to protect all information with equal
priority. In a new model of security,
businesses should identify and prioritize
the information that really matters.
In Poland, companies are more eager to
use protection mechanisms for mobile
devices. However, still less than half of
them have implemented mechanisms
which allow for a remote management of
mobile devices (MDM), which are a key
tool for the automated management of
sets of company smartphones.
Figure 6: Initiatives launched to address mobile security risks (Poland vs World, percentage of respondents; multiple answers allowed; values as read from the chart)
Strong authentication on devices: Poland 63%, World 35%
Ban of user-owned devices in the workplace/network access: Poland 59%, World 30%
Mobile device-management software (MDM): Poland 48%, World 39%
Protect corporate e-mail and calendaring on employee- and user-owned devices: Poland 44%, World 37%
Mobile security strategy: Poland 44%, World 42%
Use of geolocation controls: Poland 7%, World 19%
Mobile devices are more and more common in company networks and users demand easy access to company resources. IT and information security departments must find the balance between business expectations, regulatory requirements and information protection requirements.
A major risk to data security is the surge
in the use of mobile devices such as
smartphones and tablets, as well as the
“bring your own device” (BYOD) trend in
organizations. While the use of mobile
devices to share and transmit data
continues to increase, deployment of
mobile security policies lags behind, as
apparent particularly from the global
survey results.
Cloud computing has been around for more than a decade and is commonplace – if not quite mainstream – in the corporate ecosystem. Almost half (48%) of the respondents in Poland said their companies use cloud computing. Of those, 33% reported that their security posture has improved thanks to this model of service delivery. But there were also doubts: 25% of respondents are worried about the reliability of the data recovery process for applications deployed in the cloud. A similar number express doubts about the control of authenticated access at the service provider’s site.
So it is a bit surprising to learn that many organizations have not seriously addressed the security implications of cloud services: only 17% of the respondents who use cloud services declare that they have.
Only 17% of respondents say they have policies governing cloud services.
APT (advanced persistent threats) are becoming a heavily discussed topic in the media. The general trend indicates that in the future they may constitute a large part of all computer security threats. Since hackers are more and more often indicated as a potential source of attacks, it is worrying that only 30% of respondents in Poland have implemented anti-hacking measures. For comparison, more than half of the respondents worldwide claim to use such measures.
Preparing for the threats of tomorrow
Today, adversaries are constantly sharpening and evolving their capabilities to exploit new vulnerabilities. Addressing these threats will require that organizations approach activities and investments with the best available knowledge about information assets, ecosystem threats, and vulnerabilities.
This year’s survey indicates that those we define as leaders more often enhance their capabilities by implementing policies that elevate security to a top business imperative – not just an IT challenge.
Leaders are aligning security with business needs, setting standards for external partners, and, in general, rethinking the fundamentals of security. For instance, as many as 83% of leader organizations in Poland have a senior executive who communicates the importance of information security across the enterprise. More than 67% declared that they designate a cross-functional team that meets regularly to coordinate and communicate security issues.
Policy and executive support are just a start, however. A measure of real intent can be gauged by whether companies have also deployed technologies to execute these policies.
Involvement of senior management and the board allows for the implementation of a consistent information security program.
Figure 7: Security policies and safeguards currently in place (all respondents vs leaders; multiple answers allowed)
Cross-functional team coordinates/communicates security issues: all respondents 38%, leaders 67%
Centralized security information management processes: all respondents 75%, leaders 83%
Security strategy aligned with business needs: all respondents 81%, leaders 83%
Minimum security requirements/standards for external partners/customers/suppliers and vendors: all respondents 78%, leaders 83%
A senior executive who communicates the importance of security: all respondents 58%, leaders 83%
Leaders are more likely to have deployed
tools that provide a real-time analysis
of suspicious activity. For instance, 83%
of leaders say they have implemented
security information and event
management (SIEM) technologies.
Similarly, a majority of leaders say they
have deployed event correlation tools,
which aggregate and correlate
information from disparate tools like
vulnerability and intrusion monitoring
systems. Tools for scanning systems for
security weaknesses and vulnerabilities
are quite often used by respondents
– 67% in total claim they have such
software.
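The event correlation described above, shown as an added example (this code is not from the PwC report or from any SIEM product): it joins IDS alerts with vulnerability-scan findings on the targeted host and service, so that an alert against a known-vulnerable service is escalated, and it flags a burst of failed logins followed by a success from the same source. The key=value line format and the sample records are constructed for the example and are not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real telemetry). The "TIMESTAMP k=v k=v ..."
# line format is an assumption made for this example.
IDS_ALERTS = [
    "2013-11-04T09:12:05Z src=203.0.113.7 dst=10.0.0.5 service=ssh sig=ssh-bruteforce",
    "2013-11-04T09:15:40Z src=198.51.100.3 dst=10.0.0.9 service=http sig=web-app-scan",
]
VULN_SCAN = [  # most recent scan results, one finding per line
    "2013-11-03T22:00:00Z host=10.0.0.5 service=ssh finding=outdated-ssh-daemon",
    "2013-11-03T22:00:00Z host=10.0.0.9 service=smtp finding=open-relay",
]
AUTH_LOG = [
    "2013-11-04T09:12:01Z host=10.0.0.5 user=admin src=203.0.113.7 result=fail",
    "2013-11-04T09:12:02Z host=10.0.0.5 user=admin src=203.0.113.7 result=fail",
    "2013-11-04T09:12:03Z host=10.0.0.5 user=admin src=203.0.113.7 result=fail",
    "2013-11-04T09:12:09Z host=10.0.0.5 user=admin src=203.0.113.7 result=success",
    "2013-11-04T09:30:00Z host=10.0.0.9 user=bob src=10.0.0.42 result=fail",
]


def parse(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    event = {k: v for k, v in (f.split("=", 1) for f in fields)}
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def correlate_alerts_with_vulns(alerts, scan):
    """Rule 1: an IDS alert is rated 'high' when the targeted host exposes a
    known-vulnerable instance of the very service the alert concerns,
    otherwise 'medium'. This is the cross-source join a SIEM performs."""
    vulnerable = defaultdict(set)  # (host, service) -> set of findings
    for e in map(parse, scan):
        vulnerable[(e["host"], e["service"])].add(e["finding"])
    findings = []
    for a in map(parse, alerts):
        hits = vulnerable.get((a["dst"], a["service"]), set())
        findings.append({
            "host": a["dst"],
            "sig": a["sig"],
            "severity": "high" if hits else "medium",
            "because": sorted(hits),
        })
    return findings


def detect_bruteforce_success(auth_lines, threshold=3, window=timedelta(minutes=5)):
    """Rule 2: at least `threshold` failed logins from one source to one host,
    followed by a success within `window`, suggests a guessed password."""
    failures = defaultdict(list)  # (src, host) -> timestamps of recent failures
    hits = []
    for e in sorted(map(parse, auth_lines), key=lambda ev: ev["ts"]):
        key = (e["src"], e["host"])
        if e["result"] == "fail":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            hits.append({"host": e["host"], "user": e["user"], "src": e["src"],
                         "failures": len(recent), "at": e["ts"].isoformat()})
        failures[key].clear()  # a success closes the window for that source
    return hits


if __name__ == "__main__":
    for finding in correlate_alerts_with_vulns(IDS_ALERTS, VULN_SCAN):
        print(finding)
    for hit in detect_bruteforce_success(AUTH_LOG):
        print(hit)
```

On the constructed input the ssh alert against 10.0.0.5 is escalated to high because the scan reported an outdated SSH daemon on that host, the web scan against 10.0.0.9 stays medium because the only finding there concerns a different service, and the three failures followed by a success from 203.0.113.7 produce one brute-force hit. Neither rule fires on its own input source alone, which is the point of correlating disparate tools.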
While our focus is on leaders who have
implemented the technologies above, it’s
just as important to stress that, given
today’s elevated threat landscape, all
organizations should strongly consider
implementation of these safeguards
when applicable.
Another example can be found in the employee security awareness program. More than 56% of respondents say they have such a safeguard in place. Because adversaries often target employees with social engineering schemes, all organizations should implement an effective employee-training program.
To gauge Polish respondents’ priorities in preparing for the threats of tomorrow, we looked at priorities for the implementation of process and technology safeguards over the next 12 months.
Security measures which are a high priority for the next 12 months:
• monitoring of unauthorized access or use,
• encryption of smartphones (e.g. iPhone, BlackBerry, Android-based devices),
• security strategy on the use of employees’ own devices at the company premises,
• security strategy for social media,
• incident response procedure, including reporting of breach events to the external entities which handle the data and handling of such reports,
• behavioural profiling and monitoring,
• security awareness training program,
• risk assessments of internal and external threats to the privacy, security, confidentiality and integrity of hard-copy and digital records containing personal data (e.g. through internal audits),
• standards/procedures for the security of mobile devices,
• security strategy for cloud computing,
• intrusion prevention systems (IPS),
• malware detection on mobile devices.
A part of preparations involves mobile
devices, in particular encrypting their
content and implementing proper
security procedures and standards. The
companies also plan to introduce
regulations on social media and on using
own devices by employees at their
premises. The implementation of new
strategies of monitoring and detecting
security incidents also remains a priority.
In the face of new dangers, we consider it good practice to introduce a series of security awareness training sessions and a risk assessment of threats to personal data. Our analyses indicate that these areas may currently be an important weakness in corporate security strategies, which is why the relevant initiatives may reduce the risk level and increase awareness of potential threats.
In the past year, sharing information
about security threats – even among
competitors – has emerged as a powerful
offensive tool. We believe that
collaboration can enable a business to
more quickly adapt to market changes. In
PwC’s 5th Annual Digital IQ Survey we
found that firms with collaborative
C-suites intertwine business strategy and
IT, which often improves the
performance of a business.
So we were curious how Polish respondents, many of whom operate in an increasingly competitive environment, would view collaboration with others to improve security and share knowledge of threats. Many organizations see the merits of collaboration: 52% of respondents said they officially collaborate with other organizations (including competitors) in order to improve security and mitigate future risk; among leaders, that number rises to 83%.
In this regard, the figures for Poland are almost identical to the global ones. Of course, we should bear in mind that these results concern companies which decided to take part in the survey; given the much lower popularity of such surveys among Polish companies, it is reasonable to assume that the tendency to collaborate and share threat information is much lower in Poland than in the best global practice.
Among the 36% of respondents that do not collaborate with other entities, the primary reason for not sharing information is a lack of confidence that such collaboration would bring direct benefits.
Companies often believe that their
competitors are not more advanced in
the area of security (33% of
respondents). However, it should be
remembered that even slight experience
with various forms of threats is a good
basis for sharing experience. Other
reasons indicate frank distrust of
competitors and fear that acquired
information could be used against those
who proposed such exchange.
Figure 8: Why companies don’t collaborate with competitors on information security?
No one competitor is considerably more advanced than others 33%
Do not want to draw attention to potential weaknesses 22%
Are concerned that a competitor would use such information to market against us 22%
Larger organizations with more financial resources would use collaboration to their advantage 11%
Respondents were allowed to indicate multiple factors; the figure indicates the percentage of respondents who chose a given answer.
Greatest obstacles

Most people who deal with security in their companies agree that new actions to improve information security are needed. However, there are many obstacles which reduce the effectiveness of implementing new security measures. We asked the Polish respondents which obstacles are the worst, and it turned out that potential problems come from many different areas of a company’s operations.

Many respondents believe that in-house staff do not have sufficient specialist know-how to implement new security practices. For comparison, in the global survey this obstacle is mentioned only in fifth place. This suggests that Polish companies may lack effective training or certification programmes. The problem of acquiring funds for security-related initiatives is equally serious. This confirms our earlier conclusion that the budget for security is too small compared to general IT expenditure in Polish companies. Other respondents also indicate the lack of a proper vision which could be used to determine the impact of future business needs on the information security strategy, or even the lack of the strategy itself.

Another interesting fact is that some respondents indicated the attitude of senior management as a potential obstacle to implementing an effective security strategy. In the global report we see an interesting trend in the correlation between respondents’ answers and their job positions. CEOs overwhelmingly named themselves as obstacle No. 1 in following an effective plan to improve the strategic effectiveness of the security function. CFOs, meanwhile, point to CEOs as the leading hindrance. Ask CISOs, the executives directly responsible for information security, and they’ll put insufficient funding (both capital and operating) at the top of the list, followed by a lack of in-house technical expertise. CIOs flag a lack of strategy and vision, along with the leadership of CEOs and security executives.

This lack of clarity on obstacles to effective security shows, in part, that businesses have not engaged in sufficient dialogue around security. Building and sustaining a culture of security awareness will also require the full support of top executives, including the CEO and board. This must be an ongoing discussion.
Figure 9: Greatest obstacles to improving the overall strategic effectiveness of security in the organisation
Lack or shortage of in-house technical expertise 42%
Insufficient capital expenditures 42%
Lack of an actionable vision or understanding of how future business needs impact information security 38%
Insufficient operating expenditures 35%
Poorly integrated or overly complex information and IT systems 27%
Lack of an effective information security strategy 23%
Leadership (CIO or equivalent; CEO, President, Board or equivalent; CISO, CSO or equivalent) 8%, 12% and 15%
Respondents were allowed to indicate multiple factors; the figure indicates the percentage of respondents who chose a given answer.
Security practices – Europe and Poland

Europe Poland
Will security spending increase over the next 12 months? 46% 33%
Have an overall security strategy 77% 75%
Employ a Chief Information Security Officer 68% 36%
Have a senior executive who communicates the importance of security? 51% 57%
Have policy for backup and recovery/business continuity 45% 75%
Require third parties to comply with privacy policies 55% 74%
Employee security awareness training program 55% 56%
Have procedures dedicated to protecting intellectual property (IP) 17% 35%
Have intrusion-detection technologies in place (IPS) 63% 60%
Inventory of where personal data are collected, transmitted, and stored 52% 77%
Is the organisation officially collaborating with others (including competitors) to improve security and reduce risks? 45% 52%
Table 1. Security practices – Europe and Poland

The results of the global survey indicate that investment in information security is down slightly (3%) over last year in Europe, and the continent continues to lag in the adoption of key security safeguards. In Poland, only 33% of respondents believe that security spending will increase over the next 12 months, compared to 46% of respondents from Europe as a whole. This indicates a significant deterioration in the prospects for the development of security functions in Polish companies and, in consequence, an increased risk of more numerous attacks.

Poland also lags behind Europe in organisational structure. Only 36% of respondents indicated that their organisation employs a Chief Information Security Officer. For comparison, in Europe such a solution is used almost twice as often.

On the other hand, Polish companies care more about defining a relevant policy for backup and recovery/business continuity. Such an approach was indicated by 74% of respondents, which significantly exceeds the average figure for Europe (55%). A similar relation may be noticed in the procedures for the protection of intellectual property. Although such elements of security policy are not yet widespread in all European countries, the results of the survey in Poland indicate better readiness to adopt such good practice.
“If you spend more on coffee
than on security, you will get
hacked. More – you deserve to
get hacked.”
Richard Clarke, Cyber Security Advisor,
White House
Summary
Our approach comprises four key
precepts:
• Strategy
An integrated security strategy should
be a pivotal part of your business
model; security is no longer simply an
IT challenge. The understanding of
the role and complexity of cyber
security-related issues should be
reflected in the organizational
structure and the budget for security.
• Awareness
Effective security requires that you understand the exposure and potential business impact associated with operating in an interconnected global business ecosystem. A company’s awareness of cyber security also means the ability to acquire and analyse information on both external and internal threats. Collaboration with other entities on the exchange of such information is equally important: only in this way can companies together face ever more determined opponents.
• Selectivity
Effective security requires that you understand and adapt to changes in the threat environment by identifying your most valuable information and prioritising your organization’s resources to protect it. This will help you reduce expenses and ensure the proper level of monitoring and response to incidents.
• Responsiveness
Preventive measures do not give a sufficient guarantee that information and the processing power of systems will not fall prey to criminals. The ability of the company to detect a breach as it happens and launch an adequate response to the incident is currently one of the most important indicators of a company’s maturity in cyber security. Quick detection and response – in the same way as the quality of preventive measures – determine in practice the ability of the company to protect critical resources.
Unfortunately, the results of this year’s survey suggest that the tendency noted previously is only growing stronger. On the one hand, our respondents declare progress by implementing new security measures; on the other, they do not pay sufficient attention to key aspects such as determining the business value of information. They declare the need for bigger investments in security, but they still do not have a strategy for solutions such as cloud computing.

Taking into account the dynamically changing threats and environment, we are not surprised that the choice of the proper direction is by no means simple or obvious. One thing is certain: the current approach is no longer sufficient. New risks will require a completely new approach to information security.

In order to respond effectively to the threats of the future, in our opinion, the approach to information security must be based on thorough knowledge of the opponent, the threats and the environment. We must accept that security incidents will happen and must be treated as one of the business risks – unavoidable, but possible to mitigate to an acceptable level.
Methodology of the survey
The Global State of Information Security Survey 2014 is a world-wide undertaking of PwC, CIO Magazine and CSO Magazine. It was conducted online between 1 February and 1 April 2013. Readers of CIO and CSO magazines and clients of PwC were asked by e-mail to take part in the survey. The global results in this report are based on responses from more than 9 600 respondents, including presidents and members of management boards of companies and organizations, CEOs and people responsible for finance, IT, security or privacy, from 115 countries. Thirty-six per cent (36%) of respondents were from North America, 26% from Europe, 21% from Asia and the Pacific, 16% from South America and 2% from the Middle East and Africa. The margin of error was less than 1%.

In this report, figures from the global survey were compared with the Polish survey: the invitation directed to the clients of PwC Poland and the readers of THINKTANK magazine was answered by more than 70 companies and organizations in Poland. The main sectors represented by the Polish respondents were finance (banking and insurance), telecommunications, consulting services, software development and industry.
Our experts are at your disposal, both in all matters related to this report and any other questions you may have about the security of information and IT systems.

Contact persons – PwC Cyber Security
Piotr Urban, Partner, PwC Risk Assurance Leader
Rafał Jaczyński, PwC Cyber Security Leader
Patryk Gęborys
Rafał Skoczylas
This presentation has been prepared for general information purposes only; it does not constitute advice within the meaning of the Polish law. You are discouraged from basing your actions/decisions on the information provided in this presentation without obtaining prior professional advice. We do not guarantee (neither explicitly nor implicitly) that the information provided in this presentation is accurate or precise. Furthermore, within the scope laid down in the Polish law, PricewaterhouseCoopers Sp. z o.o., its partners, employees and representatives do not undertake any obligations nor accept any liability – neither contractual nor on any other account – for any losses, damage or expenses which may directly or indirectly result from actions undertaken based on the information provided herein or decisions made based on this presentation.

The Global State of Information Security® is a registered trademark of International Data Group, Inc.

© 2013 PricewaterhouseCoopers Sp. z o.o. All rights reserved. The name “PwC” refers to companies that are parts of the network PricewaterhouseCoopers International Limited, and each of them is an autonomous and independent entity.