20101012 CIOnet Cyber Security Final Results

Transcript

  • 1. CIOnet survey on Cyber Security: The results. Chris Verdonck, EMEA Leader, Deloitte Enterprise Risk Services. Brussels, October 12th 2010
  • 2. “It's the great irony of our Information Age - the very technologies that empower us to create and to build also empower those who would disrupt and destroy.” USA President Barack Obama on "Securing Our Nation's Cyber Infrastructure". UNCLASSIFIED - CIOnet survey on Cyber Security © 2010
  • 3. Agenda.
  • 4. Agenda
    • Survey context
    • Respondents
    • Results
  • 5. Survey context. Cyber culture is growing faster than cyber security, so everything that depends on cyber space is at risk.
    • Information is ubiquitous: our society and economy have become critically dependent on digital connectivity and services;
    • Cyber security threats are continuously increasing in complexity and occurrence, and therefore require more management attention;
    • CIOnet members were surveyed on 16 questions regarding cyber security, with responses collected until September 26th 2010.
  • 6. Respondents.
  • 7. Response demographics
    • Countries: 53 respondents from 6 different countries; most responses from Belgium (35.8%), followed by Italy and the UK (18.8% each).
    • Sectors: responses spread over different sectors; most respondents in Financials (24.5%) and Industrial & Manufacturing (20.7%).
  • 8. Response company types
    • Company type: 67.9% of respondents represent their company’s headquarters.
    • Number of employees: in terms of company size, over half of the survey respondents have more than 1000 employees.
  • 9. Results.
  • 10. Cyber liabilities
    • Almost 85% responded that they analyzed their cyber liabilities in a thorough way;
    • However, there is still uncertainty about which regulations are applicable. Complying with the EU DPA and ISO 27001 may not be enough;
    • Although respondents indicate they have assessed their liabilities, further responses in the survey indicate a need for stronger action.
  • 11. Applicable legislation
    • Over 76% of the survey respondents are confident that their organization has an overview of the laws applicable in the context of cyber security;
    • A large part of them only operate in one country, but legal aspects of cyber security can differ greatly between countries.
  • 12. Theft of trade secrets
    • Almost 18% of the respondents’ organizations have not assessed the risk of losing trade secrets;
    • For the respondents that claim they have, the question is how comprehensive such an assessment was;
    • It is essential to ensure that the risks regarding theft of trade secrets are frequently re-assessed and that appropriate actions are taken to mitigate them.
  • 13. Impact of internal or external cyber attacks
    • All respondents indicated their organisation could be impacted in at least one domain;
    • Over 81% of respondents believe cyber attacks would impact the brand and image of their organization. Stakeholders expect cyber security challenges to be addressed appropriately;
    • Respondents indicate that internal attacks are more likely to cause critical operational disruption, while external attacks could affect market share more.
  • 14. Cyber security threats
    • Over 35% of respondents see a primary threat in the increased complexity of identity and access management;
    • It is interesting to note that almost 22% of the respondents indicate that their current controls are struggling to keep pace;
    • Inadequate network access control and the uptake of social networks also raise cyber security concerns.
    • Other threats named by respondents:
      • User and management awareness of cyber risks;
      • Unpatched and unsupported legacy applications and systems;
      • Crimeware will be the biggest threat for workstations, mobile operators and eventually mobile phones.
  • 15. Security staff
    • Over 35% of the respondents’ organizations have no policy regarding maintaining a security staff;
    • There is a risk of critical information exposure and knowledge drain as people rotate in and out of organizations;
    • The increasing complexity of technology and the cyber threats which organizations face require adequate security staff and skills.
  • 16. Cyber security awareness
    • 82% of respondents indicate that they increase cyber security awareness through security audits. These typically present a partial snapshot of the risk posture to the stakeholders;
    • Furthermore, respondents indicate specific training and awareness initiatives (72%) and provisions in the disciplinary policy (68%), while 56% indicate they have implemented a security framework that contributed to general awareness.
  • 17. Preventing legal exposure
    • Respondents indicate that monitoring and audit of compliance is the most common action to prevent legal exposure (82%);
    • Half of the respondents also monitor and request audit reports from their third-party business partners, as part of the risk scope is outsourced.
    • Other actions named by respondents:
      • Vulnerability assessments and penetration testing;
      • Defining security controls;
      • Ensuring good contracting practices.
  • 18. Assessing vulnerabilities
    • About 20% of all organizations do not regularly assess their biggest vulnerabilities, implying they do not have a view on the most critical cyber risks they face;
    • Organizations need a consolidated risk overview in order to define funded actions and manage risk appropriately.
    • Respondent comment: “It is more a day to day job whereby risks are constantly monitored and priorities adapted over time”
  • 19. Incident response
    • Over 35% of all organizations do not regularly review and update their incident response plans. Several respondents commented that update action was ongoing;
    • As the nature of cyber incidents, as a function of threats and vulnerabilities, is constantly evolving, one can debate whether yearly updates of incident response plans are even enough.
  • 20. Incident communication
    • Over 82% of the responding organizations are convinced of the importance of appropriate communication during and after a cyber security incident;
    • In almost 18% of the respondents’ companies, awareness of the significance of controlled incident communication with internal and external stakeholders is inadequate.
  • 21. Business continuity management
    • While many respondents commented on the limited scope of their current business continuity plans (BCP), a surprising 76% indicated such plans are in place;
    • This conflicts with the fact that only 50% have a crisis communications plan, which is an essential part of continuity planning;
    • Some respondents referred to their third-party service agreements, but should keep in mind their own responsibility to ensure business continuity.
  • 22. Insurance
    • Almost 72% indicate not having insurance coverage for cyber security incidents. Typically, expert evidence is needed to calculate the financial and other damages that need to be covered;
    • Where an insurance policy is in place, 83.3% have third-party damage coverage;
    • Of all respondents, less than 10% are insured for first-party losses due to cyber security incidents.
  • 23. Final thoughts
    • Don’t think of cyber security as merely protecting IT systems; it is ultimately about protecting the broader interests of the organization. Understand your regulatory context and possible liabilities, and take appropriate measures to mitigate the risk to your business;
    • Approach cyber security as the ongoing management of continuously evolving risk, as a function of value to the organization and the likelihood of threats and vulnerabilities;
    • Ensure adequate and appropriate controls are implemented to coordinate and communicate actions in the case of cyber security incidents;
    • The increasing complexity of technology and the cyber threats which organizations face require adequate security staff, as well as broad awareness and skills;
    • Align cyber security with other related activities in the business to create leverage and resource efficiencies – e.g. business continuity.
  • 24. Thank you.
  • 25. Contact: Deloitte Enterprise Risk Services, Berkenlaan 8b, B-1831 Diegem, Belgium. Chris Verdonck, Partner, Tel: +32 2 800 24 20, cverdonck@deloitte.com. Member of Deloitte Touche Tohmatsu.