At risk and unready in an interconnected world // Key findings from The Global State of Information Security® Survey 2015
… infected the industrial control systems of hundreds of energy companies in the US and Europe; others successfully infiltrated a public utility via the Internet and compromised its control system network.

… acquisition (SCADA), industrial control, and information technology systems have soared, information security spending has not kept pace. Power and utilities respondents say security spending in 2014 increased by a comparatively modest 9%.
Introduction // 1
Even though businesses have invested more heavily in previous years, security spending has been stalled at 4% or less of the total IT budget for the past five years. This lack of investment in security has very likely contributed to attrition of key security capabilities, including fundamental strategies, processes, technologies, and awareness programs. We also found some noteworthy improvements in security practices, but it’s worth pointing out that these advances were fewer and comparatively incremental.

[Chart: GSISS 2015: Power and utilities results at a glance. Panels: Incidents (value shown: 7,391); Sources of incidents (values shown: 29% to 40% by source); Security spending (values shown: $3.4M, $3.7M, 6%).]
The primary threat actors—those who perpetrate security incidents—remained relatively …

Security executives of power and utilities companies have told us that they also see security-incident patterns in which criminals seem to be indiscriminately “exploring” the network to find any data of any value. Once they find data, they quickly siphon it off and try to sell it.

That, in part, may account for the 43% rise in respondents who report that data was exploited as a result of security incidents, the most cited impact.
While the number of detected incidents increased dramatically, organizations say the financial …

Another explanation may be that, while adversaries have been able to gain access to power and utilities companies’ networks, they are typically stopped before they can wreak havoc on operational and SCADA systems. And unlike the retail sector, which has been hit by a barrage of breaches, power and utilities companies hold comparatively few payment card records and therefore are not liable for costly mitigation of card theft and customer data.

We also looked into how power and utilities respondents calculate the financial consequences of security incidents, and found that many do not consider a full range of possible impacts, including costs associated with legal defense fees, court settlements, forensics, and reputational damage.
As risks to IT, operational, and connected-field assets continue to rise, some power and utilities companies …

[Chart: adoption of safeguards, 2013 vs 2014, for: Inventory of all third parties that handle personal data of employees and customers; Active monitoring/analysis of information security intelligence; Risk assessments of third-party vendors; Employee awareness and training program; Established security standards for external partners, suppliers, vendors and customers; Require employees to complete privacy training; Security-event correlation tools.]

Cybersecurity and privacy should be embedded into an organization’s core, with a top-down commitment to security and ongoing employee training programs.

The number of organizations that have employee security-awareness training programs (47%) actually declined over last year, as did those that require personnel to complete training on privacy practices and policies (43%). Considering that employees are the leading source of security incidents, we believe that training should be universal and that accountability should cascade from the C-suite to every employee and third-party vendor and supplier.
An effective security program will require top-down commitment and communication. Yet fewer than half (46%) of organizations have a senior executive who communicates the importance of information security to the entire enterprise. That’s a substantial drop from last year (65%) and demonstrates that the executive team may not be taking adequate ownership of cyber risks.

To do so, senior executives should proactively ensure that the Board of Directors understands how the organization will detect, defend against, and respond to cyber threats. Despite all the discussion following high-profile retailer breaches, many power and utilities companies have not elevated security to a Board-level discussion. Consider, for instance, that only 26% of respondents say their Board of Directors participates in the overall security strategy. Fewer (23%) say their Board is involved in reviews of current security and privacy risks—a crucial component of any effective security program. The area in which Boards are most likely to participate is the security budget (40%).

Finally, cyber threats, technologies, and vulnerabilities are evolving at lightning speed, and sharing information among public and private entities has become central to a strong cybersecurity program. More than half (55%) of overall survey respondents across industries say they collaborate with others to share security intelligence and tactics. Among the power and utilities sector, however, the number of organizations that collaborate sank to 36% this year, a sharp drop over 2013.
This year’s survey indicates that power and utilities organizations are falling behind in key practices.

The convergence of information, operational, and consumer technologies will very likely introduce tremendous benefits for businesses and significant conveniences for their customers.

To have a deeper conversation about cybersecurity, please contact:

www.pwc.com/gsiss2015 // www.pwc.com/cybersecurity
PwC helps organisations and individuals create the value they’re looking for. We’re a network of firms in 157 countries with more than 184,000 people who are committed to delivering quality in assurance,
tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication
without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the
extent permitted by law, PwC does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information
contained in this publication or for any decision based on it.
© 2014 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
The Global State of Information Security® is a registered trademark of International Data Group, Inc.
Cybersecurity challenges in an interconnected world // Key findings from The Global State of Information Security® Survey 2015
Public sector
Key findings from The Global State of Information Security® Survey 2015
If the recent string of high-profile cyber attacks has proved anything, it’s that no industry or organization is immune from risk. In particular, compromises by nation-states, social activists and hacktivists, and employees have increased markedly in the past year.

Politically motivated hacktivists took down the website of the German parliament as well as the chancellor’s page.¹ State-sponsored threat actors infiltrated the systems of a third-party firm that conducts personnel background checks for US government agencies, resulting in theft of information of 25,000 employees; four months later, personal information of an estimated 40,000 federal workers was breached in an attack on another background check contractor.² Throughout the year, activists reacted to perceived social injustices by launching powerful distributed denial of service (DDoS) attacks that defaced and disabled the websites of smaller city governments.
“The threat from insiders, hacktivists, and nation-states continues to challenge government agencies as they deal with shrinking budgets and increased connectivity issues,” said John Hunt, a Principal in PwC’s Cybersecurity Practice.

[Chart: GSISS 2015: Public sector results at a glance, 2013 vs 2014. Panels: Incidents; Sources of …]
Public sector spending decline

Despite mounting concerns about cyber risks, many agencies seem mired in a pattern of fiscal austerity—at least when it comes to cybersecurity. Global public sector organizations in fact cut information security budgets by 6% in 2014 compared with the year before. Nowhere was this tendency clearer than among small agencies (those with revenues of $100 million or less), which slashed security spending by 25%. Large entities (revenues of $1 billion or more) trimmed security investments by a modest 1% while medium-size organizations increased spending by 39%.

[Chart: GSISS 2015: Public sector security spending at a glance (values shown: $3.5M, $3.7M; 3.6%, 3.7%, 4%).]
Employee awareness programs and data access controls are key.

[Chart: adoption of: Conduct personnel background checks; Privileged user access monitoring tools; User activity monitoring tools; Unauthorized use or access monitoring tools; Employee training & awareness program; Threat intelligence subscription services; Behavioural profiling & monitoring.]

Enterprise-wide awareness of security risks will not be achieved by the IT function alone. It will require a cross-functional approach that includes IT, information security, corporate security, human resources, legal counsel, audit, and privacy, as well as leadership from lines of business. Yet only 52% of respondents told us they have a cross-functional team that coordinates security strategy and practices.

One ascendant risk that can be mitigated by employee training is spear phishing, a tactic that adversaries often use to launch an advanced attack. Increasingly, external threat actors mount spear phishing campaigns to steal credentials of employees with privileged access to data and networks, then use that information to infiltrate the agency’s network. Staff training is the best defense, but technologies such as software to discover malicious code and anti-malware solutions can also help prevent phishing attacks. They are also under-utilized.

Similarly, threat-intelligence subscription services can help agencies understand current spear phishing campaigns and targeted attack techniques. It’s an approach that only 54% of public sector respondents have adopted.
Anticipating risks, understanding threat actors, and rapid response are seen as …

[Chart: tools adopted in 2014: Malicious code detection tools 62%; Vulnerability scanning tools 57%; Intrusion detection tools 61%; Security-event correlation tools 52%; User activity monitoring tools; Penetration testing.]

Some governments are beginning to require that their agencies deploy processes and tools to monitor and analyze valuable data assets.

Similarly, a commitment to monitor and analyze data and networks seems to be slipping. In 2014, 61% of agencies told us they have implemented processes to monitor and assess security intelligence such as log files, network activity, and vulnerability reports. The year before, 73% said they have these processes, indicating that the trend appears to be heading in the wrong direction.

A look at specific tools for monitoring and analysis reveals a similar tendency: Adoption of technologies like security-event correlation software, vulnerability scanning, penetration testing, and monitoring of user activity declined in 2014. Overall, there seems to be a disconnect between voicing support for these tools and actual implementation.
Automated identity and access controls are fundamental tools—yet are often not deployed.

Half of public sector respondents tell us they have not implemented identity management tools.

[Chart: Automated account provisioning/de-provisioning 54%; Risk-based authorization/authentication 47%.]

3 IEEE Security & Privacy, “Electronic Identity Cards for User Authentication—Promise and Practice,” February 2012.
Increasingly, governments are encouraging public and private entities to share cyber-threat …

4 White House Office of the Press Secretary, “FACT SHEET: US-United Kingdom Cybersecurity Cooperation,” January 16, 2015.
Facing the future of cyber attacks

As threats from nation-states shift, cybersecurity could very well evolve into cyber warfare. You need only consider the punishing assault on a US-based entertainment company to understand the potential. The attack, which was purportedly carried out by a nation-state, was variously described as cyber vandalism, terrorism, and an act of war.

The precedent has clearly been set for the elevation of a cyber attack to a matter of national significance. That’s something that governments now recognize: Many are creating IT cybersecurity departments that are modeled on military defense, a trend that we expect will continue. This will be particularly pertinent to nations whose critical infrastructure is owned and operated by the government. As governments continue to use the Internet for their own purposes, cyberspace could very well become a combat zone. If it does, the risks and repercussions of cyber attacks will extend far beyond data security.
To have a deeper conversation about cybersecurity, please contact:

www.pwc.com/gsiss2015 // www.pwc.com/cybersecurity
PwC helps organizations and individuals create the value they’re looking for. We’re a network of firms in 157 countries with more than 195,000 people who are committed to delivering quality in assurance,
tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.
© 2015 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
LA-15-0019
Retail and consumer
Key findings from The Global State of Information Security® Survey 2015

Over the past year, the phrase “data breach” has become closely associated with the word “retailer” as attacks reached epic levels. The most notable “mega-breaches” occurred in the US, where cyber compromises resulted in the loss of information for more than 100 million payment cards. The trend is not limited to America, however. In the UK, payroll and bank account numbers of 100,000 employees of a supermarket chain were stolen.¹ And hackers employed a new version of the point-of-sale (POS) malware known as ChewBacca to pluck payment card data from numerous retailers in 11 nations, including Russia, Canada, and Australia.²

Our research shows that retail and consumer goods companies are more likely to report cybercrime incidents than businesses from any other industry except financial services.⁴ These breaches have resulted in global negative publicity, loss of shareholder value, reduced profits, and millions of dollars in breach-mitigation expenses. They also may have eroded customer trust, which is indispensable to any retailer and brand. Our research shows, for instance, that concerns about the security of personal and payment data are top reasons why some consumers still do not shop online.⁵ These breaches have very likely increased shopper concerns about in-store security as well.

“Threats to retail and consumer goods companies continue to become more persistent and dynamic, and by all indicators these threats will only increase,” says G. Christopher Hall, an Advisory principal focused on cybersecurity and privacy. “Companies must step up their efforts to invest in security personnel, processes, and technologies that address holistic information security strategies and go beyond any industry-specific mandates.”

467 retailer compromises; payment card data was the target in 95% of incidents within the retail industry.

Labeling 2013 as “the year of the retailer breach,” Verizon counted 467 retailer compromises around the world in its annual Data Breach Investigations Report, noting that payment card data was the primary target in 95% of incidents within the retail industry.³

1 Networkworld, “Morrisons supermarket suffers major pay-roll data breach after insider attack,” March 14, 2014.
2 Networkworld, “Tor-enabled malware stole credit card data from PoS systems at dozens of retailers,” January 30, 2014.
3 Verizon, 2014 Data Breach Investigations Report, April 2014.
4 PwC, Global Economic Crime Survey 2014, February 2014.
5 PwC, Global Total Retail Survey 2014, February 2014.
The breaches have also increased awareness of cyber risks across industries and elevated the cybersecurity discussion to top executives and Boards of Directors.
The number of detected incidents may be rising because many organizations have deployed network …

The Global State of Information Security® Survey (GSISS) shows that, among 836 worldwide retail and consumer goods respondents, the number of detected incidents in 2014 increased 19% over 2013. (We define a security incident as any adverse incident that threatens some aspect of computer security.) While this proliferation undoubtedly reflects the increased activity of cyber adversaries, the number of detected incidents also may be rising because many organizations have deployed network monitoring and logging technologies in recent years. Use of these technologies will result in discovery of more incidents.

It’s also worth noting that adversaries appear to be targeting retailers more frequently than consumer products manufacturers. Consumer products companies detected an average of 2,065 incidents, fewer than the 3,447 incidents detected by retailers, and a decline of 14% over 2013. Current employees (34%) and former employees (30%) account for the most incidents, with a notable increase in retail and consumer goods respondents who point the finger at current employees. We also saw a 27% jump in incidents attributed to third-party service providers, contractors, suppliers, and business partners, which often have trusted access to the company’s network and data.

While the total number of survey respondents who link incidents to sophisticated threat actors like nation-states, hacktivists, and organized crime is comparatively low, they are among the fastest growing sources. Respondents who cited foreign nation-states as the cause of incidents increased 115% in 2014. Customer and employee data are the target of most incidents—not surprising, considering that threat actors often set their sights on payment card information. Among consumer goods manufacturers, theft of intellectual property (IP) is a larger concern. That’s because manufacturers often produce products for other smaller businesses, and they often store these clients’ IP and research and development information.
Despite the rise in detected incidents, retail and consumer companies report that total financial losses resulting from security incidents declined 46% in 2014. This finding seems counter-intuitive, given the upsurge in detected compromises. In part, the discrepancy may be attributed to a 61% rise in security spending in 2013, which may have enabled organizations to more quickly detect and mitigate incidents. What’s more, as businesses implement monitoring and logging technologies they will detect more incidents that are benign, such as viruses that do not result in costly damage.

It is troubling, however, to find that information security budgets are down 15% over 2013. Retailers cut their security investments more sharply than consumer goods companies. The decline in security spending initially seems puzzling, given the recent high-profile breaches. It’s likely that organizations had finalized their 2014 budgets before December 2013, when the first mega-breach was announced. Afterward, some businesses we know revisited their budgets and reallocated more funds for cybersecurity. We expect to see a spike in security spending in the coming year.

[Chart: sources of incidents: Information brokers; Organized crime; Foreign entities and organizations; Activists/hacktivists; Foreign nation-states.]
Many businesses emphasize regulatory compliance at the expense of a framework …

Attrition in data governance safeguards

Retailers, in particular, often take a compliance-checklist approach to information security, focusing on Payment Card Industry Data Security Standard (PCI DSS) requirements while disregarding implementation of adequate data governance to protect valuable information assets.

Good data governance will require that businesses develop a framework and policies for the creation, use, storage, and deletion of information. It will also demand that retail and consumer companies know where their data is stored, manage access to sensitive information, and govern the use and security of valuable data by third-party partners.
A basic foundation of data governance is centralized data storage, which enables organizations to consolidate, manage, and secure their information. This is becoming increasingly essential as the use of smartphones and social media accelerates the creation and sharing of data. Yet organizations seem to be falling short of fundamentals: Just 55% of respondents say they have centralized user data storage, down from 63% in 2013. Other security basics include safeguards to limit access to data and systems, and monitoring for anomalous network activity.

Furthermore, many companies seem to know very little about the sensitive data they hold or allow third parties to access. Consider, for instance, that the number of respondents who say they have an accurate inventory of where personal data for employees and customers are collected, transmitted, and stored dropped to 54% this year, down from 60% in 2013. A sound data governance program also will limit the data that is stored to only what is needed. It’s a practice that many do not follow: Only 54% say they limit the collection, retention, and access of personal information to the minimum necessary to accomplish a legitimate business purpose.

… secure access control measures. Because adversaries often target employees with extensive access to systems and data, privileged user access technologies are key.

[Chart: … access tools in place: 53% (2014), down from 67% last year.]
Data breaches often start with the compromise of suppliers, contractors, and vendors.

In the past year, several retailers that have been hit by costly, high-impact breaches have had one thing in common: Criminals gained access to their networks and POS systems through attacks on third-party suppliers and contractors, resulting in the compromise of millions of payment card accounts. These breaches resulted in heavy financial and reputational losses, but they also encouraged some retailers to more rapidly migrate to the EMV system.

Today, a very small percentage of payment and debit cards in the US employ EMV technology, which is more resistant to compromise and counterfeit than magnetic-stripe cards. That’s changing, however, as several major card networks have begun migration to the chip-based EMV system and have set an October 15, 2015 deadline for implementation of EMV technologies. (Gas station owners will have until October 1, 2017 to migrate to EMV.) Thereafter, fraud liability will shift to the party that is not EMV-compliant.⁶

While retail and consumer companies are adopting the EMV standard, many have not yet taken more basic precautions to protect themselves from breach via the systems of third parties. Consider, for instance, that only 54% of survey respondents say they have established security standards for external partners, suppliers, and vendors. And just 44% conduct risk assessments on third-party vendors, down from 55% last year.

Furthermore, we asked if organizations have implemented or plan to implement a program that monitors third-party partners and service providers to ensure they comply with security and data-protection policies. The responses are not encouraging: Only 29% say they have this type of monitoring program in place, and 37% say they plan to add one. But one in five say they have no plans to implement a program to monitor third parties.

An effective vendor-management program will require more than individual policies and processes, however. What’s also needed is a tiered framework that assesses, segments, and manages third-party partners based on the risks they present to the business. This is critical because large organizations may have thousands of vendors that have access to their systems and data; a tiered approach will help them focus on the most serious risks.

This tiered approach also will enable organizations to hold third parties to different levels of accountability. For instance, businesses that share sensitive information of customers with external marketing partners should ensure that those firms adhere to the very highest level of security, while those that have access to less sensitive information need not be held to the most rigorous standards.
Key safeguards for third-party security and privacy are lacking

[Chart: share of respondents, 2013 vs. 2014, who have established security baselines/standards for external partners, customers, suppliers, and vendors; require third parties to comply with privacy policies; have an inventory of all third parties that handle personal data of employees and customers; have an incident response process to report and handle breaches to third parties that handle data; and perform risk assessments on third-party vendors. Values range from 44% to 60%.]
Retail and consumer goods companies are embracing new technologies to connect with customers,…

[Chart: share of respondents, 2013 vs. 2014, who have secure remote access (VPN), a security strategy for mobile devices, a security strategy for BYOD, a security strategy for cloud computing, and a security strategy for social media.]
As workers become increasingly mobile, employees access the network, data, and applications remotely via laptops, smartphones, and tablets. So it was worrisome to find that the number of respondents who have secure remote access software like virtual private networks is low and shrinking: only 56% have this essential technology, down from 69% in 2013.

Another technological juggernaut is social networking, which enables retail and consumer companies to attract and engage customers, improve the customer experience, and manage brand images. The benefits are many, but so are the risks. Employees can inadvertently disclose sensitive data via social networking sites, and cyber criminals can mine accounts to obtain valuable information that can be used in targeted phishing attacks. Despite these very real risks, only 45% of respondents have a security strategy for social media, a number that decreased considerably from last year.

Finally, this year's game-changing technology may be mobile payment systems or "digital wallets." The capability to make payments from smartphones is not new, but it is gaining momentum as more devices support payment systems like Apple Pay, the Merchant Customer Exchange (MCX) CurrentC, and Google Wallet. And given the recent rash of retailer breaches, consumers may prefer to whip out their smartphones and leave their payment cards in their wallets.

It's worth noting, however, that no payment system will be 100% secure. Determined threat actors will very likely find ways to circumvent the technologies that underpin digital payment systems. In fact, compromises already have been reported.

The success of mobile payments will also require a wide constellation of retailers that are capable of accepting these digital payments, and that's not yet a given. One-quarter (25%) of retail and consumer respondents say they have implemented systems for digital wallets, and an additional 36% say they plan to implement them in the future.
Our survey results show that many retail and consumer companies need to take a more strategic approach to help identify, manage, and respond to privacy and security threats.

[Chart: share of respondents, 2013 vs. 2014, for whom a senior executive communicates the importance of security to the entire enterprise; whose information security strategy is aligned with specific business needs; who have a program to identify sensitive assets; who collaborate with others to improve security; who have cyber insurance; and who have an employee security training and awareness program.]
More than ever, senior executives should proactively ensure that the Board understands how the organization will detect, defend against, and respond to cyber threats.
An effective security program will require top-down commitment and communication of information security fundamentals and priorities. Organizations have made some progress in this measure: 61% of respondents have a senior executive who communicates the importance of information security to the entire enterprise.

Information security communications also must cascade upward to the Board of Directors to ensure that members have the information they need to manage risks and protect the company from cyber adversaries. Boards are increasingly concerned about having the right risk intelligence, and they may also be worried that their personal reputations could be tarnished by a high-profile compromise. Earlier this year, several directors of a prominent retailer came under public scrutiny after the company suffered a very public data breach that also resulted in the resignations of several C-suite executives.

Despite the discussion following recent retailer breaches, many companies have not yet elevated security to a Board-level discussion. Consider, for instance, that only 39% of respondents say their Board participates in the overall security strategy, and 35% say the Board participates in the security budget. Fewer (22%) say their Board is involved in reviews of current security and privacy risks—a crucial component of any effective security program.

Many organizations are finding that cyber insurance can be an effective way to help manage risks and mitigate the financial losses of cyber attacks. It has been widely reported, in fact, that several retailers breached over the past year recovered tens of millions of dollars in mitigation costs through insurance coverage. This year, 50% of respondents say they have purchased cybersecurity insurance, up from 40% last year.

Perhaps more significant is the finding that some companies are leveraging cyber insurance as a way to improve their security program. Almost one-third say they have taken steps to enhance their security posture in order to lower insurance premiums.

Finally, sharing information about security—internally and externally—is essential to the success of security programs as cyber threats, technologies, and vulnerabilities evolve at lightning speed. Employee training and awareness are particularly important because the weakest link in the security chain is often human. So it was a bit worrisome to find that the number of respondents who have an employee training program in place dropped to 49%, from 59% in 2013.

Externally, sharing information among public and private entities has enabled businesses to gain better intelligence on threats and response tactics. To this end, US retailers recently formed the Retail Cyber Intelligence Sharing Center (R-CISC) to serve as an Information Sharing and Analysis Center (ISAC) as well as a forum for education, training, and research on future threats. Among our survey respondents, more than half (52%) say they collaborate with others to share security intelligence and tactics. That's an improvement over last year. Consumer packaged goods companies may not have a dedicated ISAC, but they tend to share information more readily. Among consumer products respondents, 65% say they collaborate with others to improve security.
As incidents continue to proliferate, it's becoming clear that cyber risks can never…
To have a deeper conversation about cybersecurity, please contact:

Retail and consumer, United States

Alexander Coassin, Principal, 415 498 5282, alexander.t.coassin@us.pwc.com
G. Christopher Hall, Principal, 412 355 6183, g.christopher.hall@us.pwc.com
Ron Kinghorn, Principal, 617 530 5938, ron.kinghorn@us.pwc.com
Gary Loveland, Principal, 949 437 5380, gary.loveland@us.pwc.com
Bryan Oberlander, Principal, 617 530 4125, bryan.s.oberlander@us.pwc.com
Paul Ritters, Director, 612 596 6356, paul.j.ritters@us.pwc.com
www.pwc.com/gsiss2015 // www.pwc.com/cybersecurity
PwC helps organisations and individuals create the value they’re looking for. We’re a network of firms in 157 countries with more than 195,000 people who are committed to delivering quality in assurance,
tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.
PricewaterhouseCoopers has exercised reasonable care in the collecting, processing, and reporting of this information but has not independently verified, validated, or audited the data to verify the
accuracy or completeness of the information. PricewaterhouseCoopers gives no express or implied warranties, including but not limited to any warranties of merchantability or fitness for a particular
purpose or use and shall not be liable to any entity or person using this document, or have any liability with respect to this document.
© 2015 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
The Global State of Information Security® is a registered trademark of International Data Group, Inc.
Improving cyber readiness in an interconnected world // Key findings from The Global State of Information Security® Survey 2015

Technology

Technology organizations tend to have comparatively robust and mature cybersecurity programs. It makes sense, given that many have been in the vanguard of developing the systems and tools that have forever altered how businesses operate, market products, and interact with customers.

The bad news? Cyber-threat actors seem to have the advantage. Consider the following:

In the past year, hackers infiltrated the servers of a global software company and stole not only source code but also the personal information of tens of millions of customers. Computers of prominent multinational Internet companies were compromised as a result of watering-hole attacks. Hackers employed key-logging software to steal the user credentials of more than 2 million social media and e-mail accounts from companies that dominate the Web. A prominent social networking and entertainment website was taken down by a massive distributed denial of service (DDoS) attack. And European Internet service providers were prominent targets of an extremely complex and stealthy espionage tool that has been in use for more than six years.
These are just a few of many attacks against technology companies in the past 12 months. While many breaches resulted in theft of customer information, others were more maleficent in intent. Increasingly, cyber criminals…

[Interactive chart: GSISS 2015: Technology results at a glance]
Technology companies are detecting fewer incidents, despite evidence that attacks are rising.

Incidents attributed to sophisticated threat actors are escalating.
…among the least frequent, but they are also the fastest growing.

Many businesses are particularly worried about attacks by nation-states, which often target tech companies to steal IP and trade secrets as a means to advance their own economic advantage. With good reason: incidents attributed to nation-states soared by 80% over 2013.

The jump in nation-state incidents may also explain the rising theft of intellectual property, including source code of products and services, designs for products like chipsets and networking equipment, and proprietary manufacturing processes. This year, 42% of technology respondents…

…mood of the technology industry, almost two-thirds (65%) of respondents say they are somewhat or very concerned about government surveillance.

This type of espionage is prompting some businesses to reconsider their relationships with certain solutions providers. More than one-quarter of respondents (28%) say they are purchasing fewer products and services from technology companies based in certain nations, and 9% say they no longer procure products and services from those in specific countries. Given that this type of surveillance is most closely associated with the US, the implications for American technology companies are potentially serious.

Compromises by foreign nation-states are the fastest growing type of threat.
Many technology companies have not deployed basic identity and access technologies.

[Chart: share of respondents, 2013 vs. 2014, who have network access control software, user activity monitoring tools, an employee training and awareness program, and behavioral profiling and monitoring.]
More businesses are adopting cloud-based security services.

Half of respondents say they have a strategy for the convergence of information,…

[Chart: share of respondents, 2013 vs. 2014, who have a security strategy for BYOD, mobile devices, cloud computing, social media, and big data.]
Identifying sensitive assets and determining ownership of data will become increasingly arduous as the Internet of Things expands and more electronic information is shared among new business partners and consumers. For many tech companies, that's already a challenge. Just 57% of respondents have a program to identify sensitive assets, and fewer (51%) have an inventory of all third parties that handle personal data.

The Internet of Things will also require that technology companies improve fundamental security processes like user access controls, patch management, and third-party risk assessments. Privacy of consumer data is also critical—and represents an opportunity for improvement, considering that only 55% of respondents require third parties to comply with their privacy policies.
How technology companies are taking a more strategic approach to security.

Many businesses are embracing guidelines developed by the US National Institute of Standards and Technology (NIST) to more closely link their technologies, processes, and personnel skills with the organization's broader risk-…

Linking information security and risk

As security incidents continue to proliferate, it's becoming clear that cyber risks can never be completely eliminated.
To have a deeper conversation about cybersecurity, please contact:

www.pwc.com/gsiss2015 // www.pwc.com/cybersecurity
This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.