CIOnet survey on
Cyber Security
The results

Chris Verdonck
EMEA Leader, Deloitte Enterprise Risk Services




Brussels, October 12th 2010
“It's the great irony of our Information Age - the very technologies that empower us to create and to build also empower those who would disrupt and destroy.”

US President Barack Obama, "Securing Our Nation's Cyber Infrastructure"




2   UNCLASSIFIED - CIOnet survey on Cyber Security                                                          © 2010
Agenda.




Agenda


     Survey context
     Respondents
     Results




Survey Context


• Cyber culture is growing faster than cyber security, so everything that depends on cyber space is at risk;

• Information is ubiquitous: our society and economy have become critically dependent on digital connectivity and services;

• Cyber security threats are continuously increasing in complexity and frequency, and so require more management attention;

• CIOnet members were surveyed on 16 questions regarding cyber security; responses were collected until September 26th 2010.

Respondents.




Response demographics

Countries
• 53 respondents from 6 different countries;
• Most responses from Belgium (35.8%), followed by Italy and the UK (18.8% each).

Sectors
• Responses spread over different sectors;
• Most respondents in Financials (24.5%) and Industrial & Manufacturing (20.7%).


Response company types

Company type
• 67.9% of respondents represent their company’s headquarters.

Number of employees
• In terms of company size, over half of the respondents’ organizations have more than 1,000 employees.




Results.




Cyber liabilities


• Almost 85% responded that they had analyzed their cyber liabilities in a thorough way;

• However, there is still uncertainty about which regulations are applicable. Complying with EU DPA and ISO 27001 alone may not be enough;

• Although respondents indicate they have assessed their liabilities, further responses in the survey indicate a need for stronger action.



Applicable legislation


• Over 76% of the survey respondents are confident that their organization has an overview of the laws applicable in the context of cyber security;

• A large part of them operate in only one country, but legal requirements regarding cyber security can differ greatly between countries.




Theft of trade secrets


• Almost 18% of the respondents’ organizations have not assessed the risk of losing trade secrets;

• For the respondents that claim they have, the question is how comprehensive such an assessment was;

• It is essential that the risks regarding theft of trade secrets are frequently re-assessed and that appropriate actions are taken to mitigate them.



Impact of internal or external cyber attacks

• All respondents indicated their organization could be impacted in at least one domain;

• Over 81% of respondents believe cyber attacks would impact the brand and image of their organization. Stakeholders expect cyber security challenges to be addressed appropriately;

• Respondents indicate that internal attacks are more likely to cause critical operational disruption, while external attacks could affect market share more.
Cyber Security threats


• Over 35% of respondents see a primary threat in the increased complexity of identity and access management;

• It is interesting to note that almost 22% of the respondents indicate that their current controls are struggling to keep pace;

• Inadequate network access control and the uptake of social networks also raise cyber security concerns.

Other threats mentioned by respondents:
•  User and management awareness of cyber risks;
•  Unpatched and unsupported legacy applications and systems;
•  Crimeware will be the biggest threat over workstations, mobile operators and eventually mobile phones.
Security Staff


• Over 35% of the respondents’ organizations have no policy regarding maintaining a security staff;

• There is a risk of critical information exposure and knowledge drain as people rotate in and out of organizations;

• The increasing complexity of technology and the cyber threats which organizations face require adequate security staff and skills.



Cyber Security awareness


 82% of respondents indicate to
  increase cyber security
  awareness through security
  audits. These typically present
  a partial snapshot of the risk
  posture to the stakeholders;

 Furthermore respondents
  indicate specific training and
  awareness initiatives (72%),
  provisions in the disciplinary
  policy (68%), while 56%
  indicate to have been
  implementing a security
  framework that contributed to
  the general awareness.



Preventing legal exposure



• Respondents indicate that monitoring and audit of compliance is the most common action to prevent legal exposure (82%);

• Half of the respondents also monitor and request audit reports from their third-party business partners, as part of the risk scope is outsourced.

Other actions mentioned by respondents:
•  Vulnerability assessments and penetration testing;
•  Defining security controls;
•  Ensuring good contracting practices.

Assessing vulnerabilities


• About 20% of all organizations do not regularly assess their biggest vulnerabilities, implying they do not have a view on the most critical cyber risks they face;

• Organizations need a consolidated risk overview in order to define funded actions and manage risk appropriately.

Comment from a respondent:
•  “It is more a day to day job whereby risks are constantly monitored and priorities adapted over time”



Incident response


• Over 35% of all organizations do not regularly review and update their incident response plans. Several respondents commented that an update was ongoing;

• As the nature of cyber incidents, driven by evolving threats and vulnerabilities, is constantly changing, one can debate whether yearly updates of incident response plans are even enough.




Incident communication


• Over 82% of the responding organizations are convinced of the importance of appropriate communication during and after a cyber security incident;

• In almost 18% of the respondents’ companies, awareness of the significance of controlled incident communication with internal and external stakeholders is inadequate.




Business continuity management

• While many respondents commented on the limited scope of their current business continuity plans (BCP), a surprising 76% indicated such plans are in place;

• This conflicts with the fact that only 50% have a crisis communications plan, which is an essential part of continuity planning;

• Some respondents referred to their third-party service agreements, but should keep in mind their own responsibility to ensure business continuity.



Insurance


• Almost 72% indicate not having insurance coverage for cyber security incidents. Typically, expert evidence is needed to calculate the financial and other damages that need to be covered;

• Where an insurance policy is in place, 83.3% have third-party damage coverage;

• Of all respondents, less than 10% are insured for first-party losses due to cyber security incidents.



Final thoughts


• Don’t think of cyber security as merely protecting IT systems; it is ultimately about protecting the broader interests of the organization. Understand your regulatory context and possible liabilities, and take appropriate measures to mitigate the risk to your business;

• Approach cyber security as the ongoing management of continuously evolving risk, in function of the value to the organization and the likelihood of threats and vulnerabilities;

• Ensure adequate and appropriate controls are implemented to coordinate and communicate actions in the case of cyber security incidents;

• The increasing complexity of technology and the cyber threats which organizations face require adequate security staff, as well as broad awareness and skills;

• Align cyber security with other related activities in the business to create leverage and resource efficiencies, e.g. business continuity.

Thank you.




Contact




Chris Verdonck
Partner
Deloitte Enterprise Risk Services
Berkenlaan 8 b
B-1831 Diegem
Belgium
Tel: + 32 2 800 24 20
cverdonck@deloitte.com

Member of Deloitte Touche Tohmatsu




