Rethink The Risk - ICT security

Presentation on rethinking the risk in security by Ray Stanton, given on the occasion of the BT Business Day 2012.

Published in: Technology, Business

  1. BT Assure: ‘Rethink the Risk’. Research Summary. Ray Stanton, Vice President BT Advise, The Professional Services Unit of BT Global Services. 7th June 2012, Amsterdam. BT Assure. Security that matters.
  2. Agenda & Objective of session. Insight into key research findings: the BYOD phenomenon; Key Themes; Key Findings; Take-aways & BT opinion. Objective: bring new research to the table; table independent views; put forward the BT opinion; stimulate more informed discussion. © BT plc 2012
  3. Objective of Research: examine current priorities in corporate IT security on the key topics of ‘bring-your-own-device’, cyber-security and on-demand services. Key take-outs: a) Pressure to take advantage of new technologies for productivity & competitive advantage; BYOD shows the most significant development; b) Excitement over possibilities and benefits, but limited awareness of the security implications; c) IT departments see the risks, but struggle to manage them within established corporate security frameworks.
  4. Research methodology
     • 2,000+ online questionnaires carried out by Vanson Bourne in March / April 2012, commissioned by BT.
     • Contrast the views and expectations of employees with the plans and priorities of IT decision-makers in enterprises across public and key private sectors.
     • Enterprise-size organisations (>1,000 employees) across five sectors: FMCG, Finance, Logistics, Pharmaceuticals, Government.
     • Four audience types: Office workers (1,000), IT decision makers (860), Finance decision makers (150) and HR decision makers (150).
     • Eleven countries: UK, France, Germany, Spain, Italy, Benelux, USA, Brazil, China, India and Singapore.
  5. The risk landscape continues changing, fast...
  6. Emerging threats already rank alongside established cyber-security challenges. Employees leaking data, BYOD and a mobile workforce are in the same threat league as cyber-security. Number of respondents rating each of these threat areas as “challenging” or “very challenging” (BASE: IT respondents):
     • Cybersecurity: 68%
     • Preventing data leaked by employees: 68%
     • Increasing use of personally-owned devices and social media sites: 61%
     • Preventing or fixing weaknesses within our business systems: 57%
     • Security in our supply chain systems: 57%
     • Industrial or state-sponsored espionage: 53%
  7. Focussing on why BYOD presents unprecedented challenges
  8. Priority concerns before introducing BYOD. IT decision-makers need to tackle a range of issues before they feel able to introduce a BYOD policy. Question asked: Which of these factors/concerns did you have to deal with before being able to allow employees to use their personally-owned devices for work purposes? (BASE: IT respondents)
     • Security issues (malware, viruses etc): 74%
     • The complexity/cost of the set up for multiple devices: 50%
     • The potential threat to our IP: 42%
     • Increased data usage/mobile expenditure: 30%
  9. Employees recognise the rewards but not the risks. 42% of employees using their own device for work believe they are more efficient and productive, but… 1 in 3 employees see “no risk” in using their own device in a work context, and only 1 in 10 IT decision-makers think all BYOD users recognise the risks.
     • Chart (BASE: Employees): How big a risk to company security do you perceive using your personal device in a work context to be? Answers: No risk (32%) / Neutral / A significant risk (the other two bars are 25% and 43%).
     • Chart (BASE: IT respondents): Do employees generally recognise the risk to company security that using a personal device in a work context could represent? Answers: No, not at all / Not all of them / Yes, all of them do (11%; the other two bars are 9% and 80%).
  10. Global perspectives on BYOD
  11. Research without insight is useless, so context… Source: Gartner, Reimagining IT - The 2011 CIO Agenda
  12. The BYOD ‘genie’ is out of the bottle
     • 60% of employees say their companies allow them to connect personally-owned devices for work purposes. In the UK, however, this drops to 37%; it rises to 80% in India and 92% in China.
     • 46% of the remainder would like to be able to use their personal devices for work.
     • More importantly: the level of use stated by employees is higher than IT decision-makers acknowledge in company-sanctioned BYOD adoption.
     • Interestingly, organisations in China (53%), Brazil (51%) and the USA (50%) are shown to have formal BYOD policies in place; the countries least likely to already have a policy are Italy (25%), the UK (31%) and Germany (34%).
  13. Understanding further the BYOD Challenge
     • Providing focussed security infrastructure to support BYOD has had the greatest impact in the USA, with every aspect scoring between 62% and 89%.
     • 15% say the cost of BYOD is unclear; this more than doubles in the UK and Benelux to 38%.
     • 31% of the total surveyed reported a net cost; in China and India this reaches 53% and 50% respectively, so while they may appear to be top of the game, it is costing them.
     • 47% globally think BYOD may threaten auditing and compliance obligations; this reaches 60% in the UK and 65% in India.
     • 73% (almost double the average of 39%) of IT decision-makers in India admit they have had a security breach due to an unauthorised device. This is also high in Singapore (58%) and Brazil (49%).
  14. Varying levels of oversight
     • Only 43% are actively monitoring for people using their own device on the network.
     • A third (33%) can tell immediately if an authorised user misuses their device.
     • IT decision-makers in China have the greatest vigilance on their corporate network: 79% say they can tell immediately if an unauthorised device is connected to their network and 71% can tell if an authorised user misuses their device.
     [Chart by country (Singapore, India, China, Brazil, USA, Benelux, Italy, Spain, Germany, France, UK), scale 0% to 100%; answers: No / Yes – but not immediately / Yes – immediately. Question: Can you tell if someone is using an unauthorised device on the system? (BASE: IT respondents with a BYO policy)]
  15. It’s not just our own network anymore…
     • Connectivity and ubiquitous access have changed the landscape of business and therefore security perimeters, dramatically;
     • What was once not permitted & unthinkable is now routine;
     • The adoption of innovative new tools is being pulled through from our most senior executives, rather than pushed by IT;
     • The risk of abuse and attack has multiplied along with this massive expansion.
     Our response has to be adaptive, flexible, agile and responsible. Saying no is no longer an option. We must Rethink the Risk. Source: KPMG Data Loss Barometer; best-practices/intel-it-annualperformance-report-2011-12.pdf
  16. Some simple, real tips in our opinion
     • Carry out real surveys on your business needs with regard to BYOD; do not ignore the obvious;
     • Adopt interim policies for usage and engage the user community in developing these;
     • Provide focussed security infrastructure to support them;
     • Drive awareness campaigns which engage the user community, not the ‘thou shalt not do’ approach;
     • Adapt, improvise, overcome.
  17. In summary, an opinion and take-aways
     Our opinion:
     • Information risk frontier management is even more essential to controlling business risk, and those risks related to ensuring agility;
     • Compliance management will focus more on compliance with established security program expectations as external forces are incorporated into the fabric of corporate security services;
     • Capability maturity management of security operations will be necessary to ensure full realisation of business investments.
     Take-aways / food for thought:
     • The impact of the lack of engagement of business lines is clearly an issue we all need to address;
     • Without proactive relationship & stakeholder management and the ability to engage the business stakeholders, CISOs will have a passive role & voice in business/organisational direction;
     • Exploiting change to drive security will require new thinking, new approaches, and trust in strategic providers.
  18. But before I go… just in case you’re worried… Hot off the press… you can read: was-leaked
     • And you can (could!) download the file (note: 115mb);
     • The common view at this moment: you can try and check if your password was one of those leaked (it’s a bit of a fiddle as it’s hashed and needs reverse engineering, but it can be done);
     • Good practice says change the password here and anywhere else you have, or think you have, used it!
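A local way to perform the check the slide describes, as an added example (not code from the presentation): hash the candidate password on your own machine and test membership in the leaked list, so the plaintext never leaves the machine. It assumes the dump holds unsalted SHA-1 hex digests and uses a constructed three-line sample in place of the real file; the credential map is likewise constructed.

```python
import hashlib

# Constructed stand-in for a leaked hash dump (three well-known weak passwords,
# hashed with unsalted SHA-1). Not the real file the slide refers to.
LEAKED_HASHES_SAMPLE = """
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
7C4A8D09CA3762AF61E59520943DC26494F8941B

b1b3773a05c0ed0176787a4f1574ff0075f7521e
""".splitlines()


def load_leaked_hashes(lines):
    """Normalise a hash dump into a set: strip whitespace, lowercase, skip blanks."""
    return {line.strip().lower() for line in lines if line.strip()}


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the UTF-8 password (assumption about the dump's format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def password_was_leaked(password: str, leaked: set) -> bool:
    """Hash locally and test membership; nothing is sent to any third party."""
    return sha1_hex(password) in leaked


def exposed_accounts(credentials: dict, leaked: set) -> list:
    """Given {account: password}, return the accounts whose password appears in
    the dump, i.e. every place the slide's 'change it everywhere' advice applies."""
    return [name for name, pw in credentials.items() if password_was_leaked(pw, leaked)]


if __name__ == "__main__":
    leaked = load_leaked_hashes(LEAKED_HASHES_SAMPLE)
    # Constructed example of a user reusing a weak password across accounts.
    accounts = {"webmail": "password", "bank": "123456", "forum": "Tr0ub4dor&3-constructed"}
    for name in exposed_accounts(accounts, leaked):
        print(f"{name}: password appears in the leaked list, change it")
```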
  19. BT Assure. Security that matters.