
20101012 CIOnet Cyber Security Final Results


Page 1: Title

Brussels, October 12th 2010

CIOnet survey on Cyber Security: The results

Chris Verdonck
EMEA Leader, Deloitte Enterprise Risk Services

Page 2: Opening quote

“It's the great irony of our Information Age - the very technologies that empower us to create and to build also empower those who would disrupt and destroy.”

USA President Barack Obama, on “Securing Our Nation's Cyber Infrastructure”

Page 3: Agenda

Page 4: Agenda

• Survey context
• Respondents
• Results

Page 5: Survey context

Cyber culture is growing faster than cyber security, so everything that depends on cyber space is at risk.

• Information is ubiquitous - our society and economy have become critically dependent on digital connectivity and services;
• Cyber security threats are continuously increasing in complexity and occurrence; thus they require more management attention;
• CIOnet members were surveyed on 16 questions regarding cyber security, with responses collected until September 26th 2010.

Page 6: Respondents

Page 7: Response demographics

Countries
• 53 respondents from 6 different countries;
• Most responses from Belgium (35,8%), followed by Italy and the UK (each 18,8%).

Sectors
• Responses are spread over different sectors;
• Most respondents are in Financials (24,5%) and Industrial & Manufacturing (20,7%).

Page 8: Response company types

Company type
• 67.9% of respondents represent their company's headquarters.

Number of employees
• In terms of company size, over half of the survey respondents have more than 1000 employees.

Page 9: Results

Page 10: Cyber liabilities

• Almost 85% responded that they analyzed their cyber liabilities in a thorough way;
• However, there is still uncertainty on which regulations are applicable; complying with the EU DPA and ISO 27001 may not be enough;
• Despite respondents indicating that they have assessed their liabilities, further responses in the survey indicate a need for stronger action.

Page 11: Applicable legislation

• Over 76% of the survey respondents are confident that their organization has an overview of the laws applicable in the context of cyber security;
• A large part of them only operate in one country, but legal aspects with regard to cyber security can differ greatly between countries.

Page 12: Theft of trade secrets

• Almost 18% of the respondents' organizations have not assessed the risk of losing trade secrets;
• For the respondents that claim they have, the question is how comprehensive such an assessment was;
• It is essential to ensure that the risks regarding theft of trade secrets are frequently re-assessed and that appropriate actions are taken to mitigate them.

Page 13: Impact of internal or external cyber attacks

• All respondents indicated their organisation could be impacted in at least one domain;
• Over 81% of respondents believe cyber attacks would impact the brand and image of their organization; stakeholders expect cyber security challenges to be addressed appropriately;
• Respondents indicate that internal attacks are more likely to cause critical operational disruption, while external attacks could affect market share more.

Page 14: Cyber security threats

• Over 35% of respondents see a primary threat in the increased complexity of identity and access management;
• It is interesting to note that almost 22% of the respondents indicate that their current controls are struggling to keep pace;
• Inadequate network access control and the uptake of social networks also raise cyber security concerns.

Other threats named by respondents:
• User and management awareness of cyber risks;
• Unpatched and unsupported legacy applications and systems;
• Crimeware will be the biggest threat over workstations, mobile operators and eventually mobile phones.

Page 15: Security staff

• Over 35% of the respondents' organizations have no policy regarding maintaining a security staff;
• There is a risk of critical information exposure and knowledge drain as people rotate in and out of organizations;
• The increasing complexity of technology and the cyber threats which organizations face require adequate security staff and skills.

Page 16: Cyber security awareness

• 82% of respondents indicate that they increase cyber security awareness through security audits; these typically present a partial snapshot of the risk posture to the stakeholders;
• Furthermore, respondents indicate specific training and awareness initiatives (72%) and provisions in the disciplinary policy (68%), while 56% indicate having implemented a security framework that contributed to general awareness.

Page 17: Preventing legal exposure

• Respondents indicate that monitoring and audit of compliance is the most common action to prevent legal exposure (82%);
• Half of the survey respondents also monitor and request audit reports from their third party business partners, as part of the risk scope is outsourced.

Other actions named by respondents:
• Vulnerability assessments and penetration testing;
• Defining security controls;
• Ensuring good contracting practices.

Page 18: Assessing vulnerabilities

• About 20% of all organizations do not regularly assess their biggest vulnerabilities, implying they do not have a view on the most critical cyber risks they face;
• Organizations need a consolidated risk overview in order to define funded actions and manage risk appropriately.

Comment from a respondent:
• “It is more a day to day job whereby risks are constantly monitored and priorities adapted over time”

Page 19: Incident response

• Over 35% of all organizations do not regularly review and update their incident response plans; several respondents commented that an update was ongoing;
• As the nature of cyber incidents, driven by threats and vulnerabilities, is constantly evolving, one can debate whether yearly updates of incident response plans are even enough.

Page 20: Incident communication

• Over 82% of the responding organizations are convinced of the importance of appropriate communication during and after a cyber security incident;
• In almost 18% of the respondents' companies, awareness of the significance of controlled incident communications with internal and external stakeholders is inadequate.

Page 21: Business continuity management

• While many respondents commented on the limited scope of their current business continuity plans (BCP), a surprising 76% indicated such plans are in place;
• This conflicts with the fact that only 50% have a crisis communications plan, which is an essential part of continuity planning;
• Some respondents referred to their third party service agreements, but should keep in mind their own responsibilities to ensure business continuity.

Page 22: Insurance

• Almost 72% indicate not having insurance coverage for cyber security incidents; typically, expert evidence is needed to calculate the financial and other damages that need to be covered;
• Where an insurance policy is in place, 83.3% have third party damage coverage;
• Of all respondents, less than 10% are insured for first party losses due to cyber security incidents.

Page 23: Final thoughts

• Don't think of cyber security as merely protecting IT systems; it is ultimately about protecting the broader interests of the organization. Understand your regulatory context and possible liabilities, and take appropriate measures to mitigate the risk to your business;
• Approach cyber security as the ongoing management of continuously evolving risk, in function of the value to the organization and the likelihood of threats and vulnerabilities;
• Ensure adequate and appropriate controls are implemented to coordinate and communicate actions in the case of cyber security incidents;
• The increasing complexity of technology and the cyber threats which organizations face require adequate security staff, as well as broad awareness and skills;
• Align cyber security with other related activities in the business to create leverage and resource efficiencies – e.g. business continuity.

Page 24: Thank you

Page 25: Contact

Chris Verdonck
Partner, Belgium
Deloitte Enterprise Risk Services
Berkenlaan 8b
B-1831 Diegem
Belgium

Tel: +32 2 800 24 20
[email protected]

Member of Deloitte Touche Tohmatsu