Contents

1. Power & utilities

2. Public sector

3. Retail and consumer

4. Technology
At risk and unready in an interconnected world // Key findings from The Global State of Information Security® Survey 2015

Power and utilities

Introduction

Cyber attacks against power and utilities organizations have transitioned from theoretical to indisputable.

Over the past year, sophisticated cyber adversaries have infected the industrial control systems of hundreds of energy companies in the US and Europe; others successfully infiltrated a public utility via the Internet and compromised its control system network.

The volume of incidents increased dramatically in the past year. Power and utilities respondents to The Global State of Information Security® Survey (GSISS) 2015 report the average number of detected incidents skyrocketed to 7,391, a six-fold increase over the year before. (We define a security incident as any adverse incident that threatens some aspect of computer security.)

20+: Detected incidents soared to more than 20 per day, per organization.

Yet as attempts to compromise supervisory control and data acquisition (SCADA), industrial control, and information technology systems have soared, information security spending has not kept pace. Power and utilities respondents say security spending in 2014 increased by a comparatively modest 9%. In 2013, by contrast, survey respondents reported a significant 25% boost in security investments, which very well may account for a portion of this year’s increase in detected incidents. After all, organizations that spend more on security typically discover more incidents.
Even though businesses have invested more heavily in previous years, security spending has been stalled at 4% or less of the total IT budget for the past five years.

This lack of investment in security has very likely contributed to attrition of key security capabilities, including fundamental strategies, processes, technologies, and awareness programs. We also found some noteworthy improvements in security practices, but it’s worth pointing out that these advances were fewer and comparatively incremental.

All things considered, many power and utilities companies seem to be unready for the increasing risks of today’s interconnected world.

GSISS 2015: Power and utilities results at a glance

Incidents
Average number of detected incidents: 1,179 (2013); 7,391 (2014)
Estimated total financial losses: $2.4M (2013); $1.2M (2014)

Sources of incidents
[Chart: share of respondents citing each source, 2013 vs 2014: current employees, former employees, hackers, current service providers/consultants/contractors; plotted values range from 14% to 38%]

Security spending
Average annual IS budget: $3.4M (2013); $3.7M (2014)
IS spend as percentage of IT budget: 4.0% (2013); 3.9% (2014)
Skilled threat actors

The primary threat actors—those who perpetrate security incidents—remained relatively constant in the past year.

Current and former employees are once again the most-frequent culprits of security incidents, cited by 38% and 30%, respectively, of respondents.

While incidents caused by employees often fly under the radar of the media, those committed by organized crime groups, activists, and nation-states typically do not.

This year, 14% of respondents attributed security incidents to activists and hacktivists, a 40% jump over 2013. Attacks by these threat actors remain among the least frequent, but they are also among the fastest-growing incidents. Often these groups employ powerful distributed denial of service (DDoS) attacks in an attempt to embarrass organizations for social or political ends, rather than to exfiltrate data or intellectual property. Similarly, the number of respondents who cited organized criminals as the source of attacks increased 31% over last year.

[Callout figure: 10%]

Cyber incidents attributed to nation-states continue to garner the lion’s share of attention. They are keenly interested in energy, and they often target critical infrastructure providers and suppliers to steal IP and trade secrets as a means to advance their own political and economic advantage. This year, incidents attributed to nation-states more than doubled over 2013. Given the ability of nation-state adversaries to carry out attacks without detection, we believe the volume of compromises is very likely under-reported.


The fastest-growing sources of security incidents (increase over 2013)

Foreign nation-states: 118%
Information brokers: 48%
Activists/activist organizations/hacktivists: 40%
Organized crime: 31%

Security executives of power and utilities companies have told us that they also see security-incident patterns in which criminals seem to be indiscriminately “exploring” the network to find any data of any value. Once they find data, they quickly siphon it off and try to sell it. That, in part, may account for the 43% rise in respondents who report that data was exploited as a result of security incidents, the most cited impact.


Financial losses decline

While the number of detected incidents increased dramatically, organizations say the financial impact of these security compromises lessened.

Power and utilities respondents say total financial losses resulting from security incidents declined to an average of $1.2 million, a 51% drop over 2013. This finding seems counter-intuitive, given the huge upsurge in detected compromises.

In part, the discrepancy may be attributed to the 25% rise in security spending in 2013, which may have enabled organizations to more quickly detect and mitigate incidents before they caused real financial harm.

Another explanation may be that, while adversaries have been able to gain access to power and utilities companies’ networks, they are typically stopped before they can wreak havoc on operational and SCADA systems. And unlike the retail sector, which has been hit by a barrage of breaches, power and utilities companies hold comparatively few payment card records and therefore are not liable for costly mitigation of card theft and customer data.

We also looked into how power and utilities respondents calculate the financial consequences of security incidents, and found that many do not consider a full range of possible impacts, including costs associated with legal defense fees, court settlements, forensics, and reputational damage.


A more strategic approach is needed

As risks to IT, operational, and connected-field assets continue to rise, some power and utilities companies may need to take a more strategic approach to information security.

At the core of this initiative should be a risk-based cybersecurity program that enhances the ability to identify, manage, and respond to privacy and security threats.

It all starts with an information security strategy—or at least it should. However, we found the number of organizations that have an overall information security strategy dropped to 70% this year, down from 79% in 2013. Moreover, those that have a security strategy that is aligned with the specific needs of the business declined to 45%, from 65% last year.

Power and utilities companies seem to be falling short of the fundamentals: Only 54% say they have a unified security and controls framework and/or enterprise risk-management framework to address cybersecurity risks. Last year that number was 61%.

An effective security strategy will allocate spending to the assets that are most valuable to the business. Power and utilities respondents show a more solid, if incomplete, commitment in this area: 62% say their security investments are allocated to the organization’s most profitable lines of business.

A basic tenet of an effective information security strategy is that it should be founded on risk management.


Many key security safeguards weaken

Share of respondents with each safeguard in place, 2013 vs 2014:

Have information security strategy: 79% (2013); 70% (2014)
Secure access-control measures: 65% (2013); 57% (2014)
Patch-management tools: 59% (2013); 56% (2014)
Intrusion-detection tools: 66% (2013); 55% (2014)
Privileged user access: 68% (2013); 55% (2014)
Vulnerability scanning tools: 63% (2013); 55% (2014)
Inventory of all third parties that handle personal data of employees and customers: 50% (2013); 54% (2014)
Active monitoring/analysis of information security intelligence: 63% (2013); 49% (2014)
Risk assessments of third-party vendors: 39% (2013); 48% (2014)
Employee awareness and training program: 57% (2013); 47% (2014)
Established security standards for external partners, suppliers, vendors and customers: 50% (2013); 44% (2014)
Require employees to complete privacy training: 58% (2013); 43% (2014)
Security-event correlation tools: 56% (2013); 43% (2014)

Before resources can be allocated, however, it will be necessary to first identify the organization’s most valuable assets and determine who owns responsibility for them. This is an area in which we found great potential for improvement: Only 54% of respondents have a program to identify sensitive assets, and the same number (54%) have an inventory of all third parties that handle personal data of customers and employees.

Cybersecurity and privacy should be embedded into an organization’s core, with a top-down commitment to security and ongoing employee training programs.

The number of organizations that have employee security-awareness training programs (47%) actually declined over last year, as did those that require personnel to complete training on privacy practices and policies (43%). Considering that employees are the leading source of security incidents, we believe that training should be universal and that accountability should cascade from the C-suite to every employee and third-party vendor and supplier.


Strategic processes are often lacking

Share of respondents, 2013 vs 2014:

Program to identify sensitive assets: 45% (2013); 54% (2014)
Have a unified security and controls framework for cybersecurity risks: 61% (2013); 54% (2014)
Information security strategy is aligned with specific business needs: 65% (2013); 45% (2014)
A senior executive communicates importance of security to entire enterprise: 65% (2013); 46% (2014)
Collaborate with others to improve security: 54% (2013); 36% (2014)
Have cyber insurance: 52% (2013); 33% (2014)

An effective security program will require top-down commitment and communication. Yet fewer than half (46%) of organizations have a senior executive who communicates the importance of information security to the entire enterprise. That’s a substantial drop from last year (65%) and demonstrates that the executive team may not be taking adequate ownership of cyber risks.

To do so, senior executives should proactively ensure that the Board of Directors understands how the organization will detect, defend against, and respond to cyber threats. Despite all the discussion following high-profile retailer breaches, many power and utilities companies have not elevated security to a Board-level discussion. Consider, for instance, that only 26% of respondents say their Board of Directors participates in the overall security strategy. Fewer (23%) say their Board is involved in reviews of current security and privacy risks—a crucial component of any effective security program. The area in which Boards are most likely to participate is the security budget (40%).

Finally, cyber threats, technologies, and vulnerabilities are evolving at lightning speed, and sharing information among public and private entities has become central to a strong cybersecurity program. More than half (55%) of overall survey respondents across industries say they collaborate with others to share security intelligence and tactics. Among the power and utilities sector, however, the number of organizations that collaborate sank to 36% this year, a sharp drop over 2013.


Guidelines for advancing security

This year’s survey indicates that power and utilities organizations are falling behind in key practices.

For many, it may be necessary to reposition the security strategy by more closely linking technologies, processes, and tools with the organization’s broader risk-management activities.

International standards provide a good measure to gauge preparedness and build a strong cybersecurity program. Some of the most widely used include ISO/IEC 27001, COBIT 5, and ISA 62443. A new set of guidelines from the US National Institute of Standards and Technology (NIST) compiles these global standards into one framework, providing an up-to-date model for implementing and improving risk-based security.

The voluntary NIST Cybersecurity Framework, which targets critical infrastructure providers and suppliers, has been adopted by 11% of US power and utilities respondents; an additional 22% say adoption is a future priority.

This comparatively low implementation rate is not necessarily discouraging; it’s a matter of timing. The Framework was released in February 2014, and our survey was conducted from March 27, 2014 to May 25, 2014, giving organizations little time to embrace the Framework.

Among those that have, most (54%) say they have leveraged the Framework to determine their risk based on Implementation Tiers, which are designed to help companies understand the maturity of their current cybersecurity risk-management capabilities. It seems very likely that organizations with mature security practices may have adopted some of the Framework’s controls and standards, while not formally implementing the entire set of guidelines.

No matter whether companies have adopted the Framework fully or partially, it seems to be elevating the discussion on cybersecurity. We believe that organizations across industries and even geographies can gain significant benefits by adopting the guidelines at the highest possible risk-tolerance level. As the world’s sophisticated organized criminals and nation-states devise new ways to compromise systems and steal intellectual property of power and utilities companies, the Framework provides the right foundation for proactive, risk-based cybersecurity.


Gearing up for convergence

The convergence of information, operational, and consumer technologies will very likely introduce tremendous benefits for businesses and significant conveniences for their customers.

It also will create a new world of security risks, a possibility that power and utilities respondents are beginning to address.

In fact, 25% of respondents say they have already implemented a security strategy for the convergence of information, operational, and consumer technologies, most often referred to as the Internet of Things. An additional 27% say they are working on a strategy.

When asked to name primary drivers for security spending, this year 17% of respondents cited modernization of field assets such as IP-connected process control systems, compared with 6% last year. This increased focus on connected field assets suggests that power and utilities respondents are gearing up for the Internet of Things.


Contacts

To have a deeper conversation about cybersecurity, please contact:

Power and utilities, United States

Brad Bauch, Principal
713 356 4536
brad.bauch@us.pwc.com

Darren Highfill, Director
678 419 1323
darren.highfill@us.pwc.com

www.pwc.com/gsiss2015 // www.pwc.com/cybersecurity
PwC helps organisations and individuals create the value they’re looking for. We’re a network of firms in 157 countries with more than 184,000 people who are committed to delivering quality in assurance,
tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication
without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the
extent permitted by law, PwC does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information
contained in this publication or for any decision based on it.

© 2014 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

The Global State of Information Security® is a registered trademark of International Data Group, Inc.

Cybersecurity challenges in an interconnected world // Key findings from The Global State of Information Security® Survey 2015

Public sector

Introduction

If the recent string of high-profile cyber attacks has proved anything, it’s that no industry or organization is immune from risk. In particular, compromises by nation-states, social activists and hacktivists, and employees have increased markedly in the past year.

And the threat extends from the most powerful nation-state actors to the smallest municipal agencies. Consider, for instance, the past 12 months in cyber attacks.

Politically motivated hacktivists took down the website of the German parliament as well as the chancellor’s page.1 State-sponsored threat actors infiltrated the systems of a third-party firm that conducts personnel background checks for US government agencies, resulting in theft of information of 25,000 employees; four months later, the personal information of an estimated 40,000 federal workers was breached in an attack on another background check contractor.2 Throughout the year, activists reacted to perceived social injustices by launching powerful distributed denial of service (DDoS) attacks that defaced and disabled the websites of smaller city governments.

1 CNET, Political hackers take on Germany over Ukraine-Russia issues, January 7, 2015
2 SC Magazine, 40,000 federal employees impacted by contractor breach, December 19, 2014
“The threat from insiders, hacktivists, and nation-states continues to challenge government agencies as they deal with shrinking budgets and increased connectivity issues,” said John Hunt, a Principal in PwC’s Cybersecurity Practice. “Government agencies must step up their efforts to invest in security personnel, processes, and technologies that address holistic information security strategies.”

There’s every reason to believe these risks to data, applications, and networks will continue to accelerate as governments continue to shift more services and data online. Yet according to key findings from The Global State of Information Security® Survey (GSISS) 2015, many public sector organizations are not taking decisive action to address cyber threats and improve their security programs.

GSISS 2015: Public sector results at a glance

Incidents
Average number of detected incidents: 3,105 (2013); 2,317 (2014)

Sources of incidents
[Chart: share of respondents citing each source, 2013 vs 2014: current employees, former employees, hackers, activists/hacktivists; plotted values range from 11% to 35%]
Incidents and security spending decline

Employees remain the most-cited culprits.

Despite overwhelming evidence that cyber risks continue to multiply, the number of security incidents detected by public sector respondents declined 25% in 2014 to a three-year low. (We define a security incident as any adverse incident that threatens some aspect of computer security.)

Against a global backdrop of escalating cyber attacks, a drop in detected compromises is not necessarily a good thing. One explanation may be that intrusions by advanced adversaries like nation-states often go undiscovered. It’s also worth pointing out that more than a quarter of respondents (26%) did not know the number of compromises, and slightly more could not determine the source of incidents. What’s more, many agencies are reluctant to discuss the risks and repercussions of security events, which could explain the drop in incidents that are disclosed.

It is unsurprising that current personnel remain the most-cited culprits of security incidents, followed by former employees. Increasingly, government agencies are also concerned about threats posed by insiders like service providers, consultants, and contractors who have trusted access to an organization’s network and sensitive data. It’s a risk that continues to inch up year over year.

While incidents attributed to insiders often fly under the radar of the media, compromises by nation-states, activists, and hacktivist organizations are among the most avidly covered. These threat actors are also increasingly active: Attacks by nation-states soared 77% in 2014 over the year before, while those carried out by activists and hacktivists climbed 39%.

Nation-states and activists/hacktivists are the fastest-growing sources of security incidents.


Despite mounting concerns about cyber risks, many agencies seem mired in a pattern of fiscal austerity—at least when it comes to cybersecurity. Global public sector organizations in fact cut information security budgets by 6% in 2014 compared with the year before. Nowhere was this tendency clearer than among small agencies (those with revenues of $100 million or less), which slashed security spending by 25%. Large entities (revenues of $1 billion or more) trimmed security investments by a modest 1% while medium-size organizations increased spending by 39%.

GSISS 2015: Public sector security spending at a glance

Average annual information security budget: $3.7M (2013); $3.5M (2014)
Information security spend as percentage of IT budget: 3.7% (2013); 3.6% (2014)


Insider threat programs are lacking

Employee awareness programs and data access controls are key.

In the wake of the data leak by US government contractor Edward J. Snowden, most executives understand that security breaches by insiders—whether employees or trusted business partners—can be even more damaging than those attributed to external adversaries.

That’s why the sizable increase in insider incidents this year could have critical implications for the security stance of public sector agencies. As the ability to limit and control employee access to key data assets becomes increasingly pivotal, safeguards to manage insider threats will be a hallmark of successful cybersecurity.

Battling these risks will demand a new focus on employee security training, airtight control of data access, and the right technologies to continuously monitor network activity. There is evidence that many agencies have not addressed these imperatives. “Never before has there been a greater need to develop a risk-based approach to cybersecurity,” said Jack L. Johnson Jr., a Principal in the PwC Public Sector and the National Security Practice Leader. “This risk-based approach needs to be holistic in nature, and include other security concerns like physical security, personnel security, information security, as well as cyber-threat intelligence.”

Take employee awareness and training. The weakest link in a security program is very often human, and staff education should form the spine of every information security program. So it did not inspire optimism to find that only 57% of public sector respondents have a security awareness and training program—a number that is down significantly from the year before. We also saw a decline in staff training on privacy policies. The truth is, public sector agencies often focus on the latest security technologies at the expense of employee awareness and training.

Another essential process is thorough background investigation of potential employees. More than a third of respondents do not perform any background checks of potential employees, among the most basic of precautions and one that has weakened from the year before.

Battling insider risks will also demand a new focus on the right technologies to continuously monitor network activity.


[Chart: Tools to manage insider threats are often not deployed, 2014]
Conduct personnel background checks: 65%
Privileged user access monitoring tools: 63%
User activity monitoring tools: 61%
Unauthorized use or access monitoring tools: 59%
Employee training & awareness program: 57%
Threat intelligence subscription services: 54%
Behavioural profiling & monitoring: 49%

Enterprise-wide awareness of security risks will not be achieved by the IT function alone. It will require a cross-functional approach that includes IT, information security, corporate security, human resources, legal counsel, audit, and privacy, as well as leadership from lines of business. Yet only 52% of respondents told us they have a cross-functional team that coordinates security strategy and practices.

One ascendant risk that can be mitigated by employee training is spear phishing, a tactic that adversaries often use to launch an advanced attack. Increasingly, external threat actors mount spear phishing campaigns to steal credentials of employees with privileged access to data and networks, then use that information to infiltrate the agency’s network. Staff training is the best defense, but technologies such as software to discover malicious code and anti-malware solutions can also help prevent phishing attacks. They are also under-utilized.

Similarly, threat-intelligence subscription services can help agencies understand current spear phishing campaigns and targeted attack techniques. It’s an approach that only 54% of public sector respondents have adopted.


A need for monitoring and diagnostics

Anticipating risks, understanding threat actors, and rapid response are seen as key benefits.

Increasingly, governments are encouraging—and sometimes mandating—that agencies implement processes and tools to continuously monitor and analyze IT assets and activity. They understand that doing so can help anticipate risks and inform decision-making, provide intelligence on threat actors’ techniques, and facilitate rapid response to compromises.

The benefits of continuous monitoring and diagnostics are clear-cut, but so are the challenges. The multitude of information systems and applications in place today make visibility and analysis progressively complex and time-consuming. For many agencies, the austere spending environment makes it difficult to secure funding for any new security initiative. And there are no precise guidelines as to what constitutes the right processes and technologies.

We believe that a monitoring and diagnostics program will require that agencies first identify their most valuable data assets and prioritize protection. This initial step is critical because most organizations do not have the resources to protect every asset with equal vigor. It is also under-utilized: Just over half (54%) told us they have a program to identify sensitive data, a number that is down from the year before.

One example of this type of initiative is the Continuous Diagnostics and Mitigation (CDM) program launched by the US Department of Homeland Security. The CDM program aims to improve the cybersecurity of federal agencies by providing them with capabilities and tools that help identify cybersecurity risks, prioritize these threats based on potential impacts, and mitigate the most significant problems first.


[Chart: Implementation of monitoring & diagnostics tools falls short, 2014]
Malicious code detection tools: 68%
Vulnerability scanning tools: 60%
Intrusion detection tools: 62%
Security-event correlation tools: 57%
User activity monitoring tools: 61%
Penetration testing: 52%

Some governments are beginning to require that their agencies deploy processes and tools to monitor and analyze valuable data assets.

Similarly, a commitment to monitor and analyze data and networks seems to be slipping. In 2014, 61% of agencies told us they have implemented processes to monitor and assess security intelligence such as log files, network activity, and vulnerability reports. The year before, 73% said they have these processes, indicating that the trend appears to be heading in the wrong direction.

A look at specific tools for monitoring and analysis reveals a similar tendency: Adoption of technologies like security-event correlation software, vulnerability scanning, penetration testing, and monitoring of user activity declined in 2014. Overall, there seems to be a disconnect between voicing support for these tools and actual implementation.


Why identity management is essential

Automated identity and access controls are fundamental tools—yet are often not deployed.

Identity and access management is a core component of information security, one that is progressively essential to an effective program. Yet many public sector agencies continue to grapple with automated solutions.

In 2014, only half (50%) of respondents told us they have implemented identity management tools. Other technologies that are central to managing access and monitoring employee behavior are also sparsely deployed. These include automated account provisioning and de-provisioning, role-based authorization, and user recertification.

More advanced organizations are starting to use biometrics—such as a fingerprint scanner to log onto a computer—and multifactor authentication to improve identity and access management. In 2014, 37% of survey respondents said they leverage biometrics, up from 18% two years ago, and 58% said they have implemented multifactor log-ins.

The next step may be linking physical and logical access with identity management tools. Among European nations, for instance, there is a movement to build centralized identity management systems that leverage electronic identity cards.3 The cryptographic cards, which contain an embedded chip that stores an individual’s personal data, employ the Extended Access Control Protocol. This combination of chip and software provides a foundation upon which public sector agencies could overlay IT security controls to better enforce access to systems and data.

Many believe centralized identity management can yield a number of benefits that include improved secure access to multiple networks and applications, operational efficiencies, lower costs of access control administration, and a better audit trail. It’s a trend we will continue to monitor.

Half of public sector respondents tell us they have not implemented identity management tools.

[Chart: Many agencies do not use identity management tools, 2014]
Secure access control measures: 69%
Role-based authorization: 60%
Automated password reset: 60%
Multifactor authentication: 58%
User recertification: 55%
Automated account provisioning/de-provisioning: 54%
Risk-based authorization/authentication: 47%

3 IEEE Security & Privacy, Electronic Identity Cards for User Authentication—Promise and Practice, February 2012


The importance of sharing information

Increasingly, governments are encouraging public and private entities to share cyber-threat intelligence.

It’s good news that many industries are embracing external collaboration to improve cybersecurity threat awareness and response techniques. But much more could be done to leverage the power of collaboration across industries and governments—local, regional, and global.

Over the past several years, government, regulatory and law-enforcement bodies have proposed guidelines and legislation to promote information sharing. Recently, the US and United Kingdom announced an agreement on cybersecurity cooperation that includes threat information sharing and educational exchanges.4 And industry-specific initiatives known as Information Sharing and Analysis Centers (ISAC) have been created across sectors—including finance, healthcare, energy, and public transit, to name a few—and now have a global reach.

But much remains to be done in the public sector. Despite calls for increased public-private collaboration, government agencies remain somewhat reluctant to share information. In 2014, only 43% of respondents told us they work with others to improve security, down from 48% the year before. What’s more, industries such as technology, telecommunications, and financial services are considerably more likely to collaborate with others.

For many, a lack of a unified framework for information sharing between private and public sectors remains a significant barrier to information sharing. Certain guidelines exist, such as the ISO/IEC 27032 standard, which includes some details on information sharing. But a lack of a specific, detailed standard has undoubtedly hobbled the adoption of collaboration.

In the US, recent initiatives to advance public-private information sharing have centered on safeguarding critical infrastructure. To that end, the National Institute of Standards and Technology (NIST) in April 2014 issued a voluntary standard to assess and improve cybersecurity of critical infrastructure providers, as well as create a common language for discussion and collaboration. Already, 21% of US public sector respondents say they have adopted the NIST Cybersecurity Framework, and 11% say it is a future priority. Even though the Framework targets US critical infrastructure providers, it offers an effective model for risk-based security and information sharing that could benefit organizations across industries and across the globe. We believe it’s well worth adopting.

Despite calls for increased information sharing, only 43% of public sector respondents say they collaborate with others.

4 White House Office of the Press Secretary, FACT SHEET: US-United Kingdom Cybersecurity Cooperation, January 16, 2015


[Chart: How the public sector partners & collaborates, 2014]
Have a senior executive who communicates importance of security: 52%
Have a cross-organizational team that coordinates & communicates security issues: 52%
Collaborate with others to improve security: 43%

Facing the future of cyber attacks

As threats from nation-states shift, cybersecurity could very well evolve into cyber warfare.

You need only consider the punishing assault on a US-based entertainment company to understand the potential. The attack, which was purportedly carried out by a nation-state, was variously described as cyber vandalism, terrorism, and an act of war.

The precedent has clearly been set for the elevation of a cyber attack to a matter of national significance. That’s something that governments now recognize: Many are creating IT cybersecurity departments that are modeled on military defense, a trend that we expect will continue. This will be particularly pertinent to nations whose critical infrastructure is owned and operated by the government.

As governments continue to use the Internet for their own purposes, cyberspace could very well become a combat zone. If it does, the risks and repercussions of cyber attacks will extend far beyond data security.


Contacts

To have a deeper conversation about cybersecurity, please contact:

Public sector, United States

Jack L. Johnson Jr.
Principal
703 918 1303
johnson.jack@us.pwc.com

John Hunt
Principal
703 918 3767
john.d.hunt@us.pwc.com

www.pwc.com/gsiss2015 // www.pwc.com/cybersecurity
PwC helps organizations and individuals create the value they’re looking for. We’re a network of firms in 157 countries with more than 195,000 people who are committed to delivering quality in assurance,
tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication
without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the
extent permitted by law, PwC does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information
contained in this publication or for any decision based on it.

© 2015 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

The Global State of Information Security® is a registered trademark of International Data Group, Inc.

LA-15-0019

Retail and consumer

Introduction

Over the past year, the phrase “data breach” has become closely associated with the word “retailer” as attacks reached epic levels.

The most notable “mega-breaches” occurred in the US, where cyber compromises resulted in the loss of information for more than 100 million payment cards. The trend is not limited to America, however. In the UK, payroll and bank account numbers of 100,000 employees of a supermarket chain were stolen.1 And hackers employed a new version of the point-of-sale (POS) malware known as ChewBacca to pluck payment card data from numerous retailers in 11 nations, including Russia, Canada, and Australia.2

Our research shows that retail and consumer goods companies are more likely to report cybercrime incidents than businesses from any other industry except financial services.4

These breaches have resulted in global negative publicity, loss of shareholder value, reduced profits, and millions of dollars in breach-mitigation expenses. They also may have eroded customer trust, which is indispensable to any retailer and brand. Our research shows, for instance, that concerns about the security of personal and payment data are top reasons why some consumers still do not shop online.5 These breaches have very likely increased shopper concerns about in-store security as well.

“Threats to retail and consumer goods companies continue to become more persistent and dynamic, and by all indicators these threats will only increase,” says G. Christopher Hall, an Advisory principal focused on cybersecurity and privacy. “Companies must step up their efforts to invest in security personnel, processes, and technologies that address holistic information security strategies and go beyond any industry-specific mandates.”

Labeling 2013 as “the year of the retailer breach,” Verizon counted 467 retailer compromises around the world in its annual Data Breach Investigations Report, noting that payment card data was the primary target in 95% of incidents within the retail industry.3

1 Networkworld, Morrisons supermarket suffers major pay-roll data breach after insider attack, March 14, 2014
2 Networkworld, Tor-enabled malware stole credit card data from PoS systems at dozens of retailers, January 30, 2014
3 Verizon, 2014 Data Breach Investigations Report, April 2014
4 PwC, Global Economic Crime Survey 2014, February 2014
5 PwC, Global Total Retail Survey 2014, February 2014
GSISS 2015: Retail and consumer results at a glance

If there is an upside, it’s that the compromises have spurred stakeholders in the US payment card industry to move from the existing magnetic-stripe technology to EMV (short for Europay, MasterCard, and Visa), a more secure microprocessor-based standard that is less vulnerable to compromise.

The breaches have also increased awareness of cyber risks across industries and elevated the cybersecurity discussion to top executives and Boards of Directors.

While it’s no longer possible to protect all data, networks, and applications at the highest level, a proactive cybersecurity program will enable retail and consumer goods manufacturers to prioritize protection and more quickly react to incidents that are all but inevitable.

[Chart: Incidents. Average number of detected incidents: 2,702 (2013), 3,207 (2014). Estimated total financial losses: $1.9M (2013), $1.0M (2014)]

[Chart: Sources of incidents, 2013 vs 2014: current employees (34% in 2014), former employees (30% in 2014), service providers/contractors/suppliers/partners, hackers; values shown range from 29% to 47%]

[Chart: Security spending. Average annual information security budget and Information security spend as percentage of IT budget, 2013 vs 2014 (values shown: $3.0M, 3.7%, 3.6%, 3.5%)]
Incidents rise, while budgets fall

The number of detected incidents may be rising because many organizations have deployed network monitoring and logging technologies in recent years.

The Global State of Information Security® Survey (GSISS) shows that, among 836 worldwide retail and consumer goods respondents, the number of detected incidents in 2014 increased 19% over 2013. (We define a security incident as any adverse incident that threatens some aspect of computer security.)

While this proliferation undoubtedly reflects the increased activity of cyber adversaries, the number of detected incidents also may be rising because many organizations have deployed network monitoring and logging technologies in recent years. Use of these technologies will result in discovery of more incidents.

It’s also worth noting that adversaries appear to be targeting retailers more frequently than consumer products manufacturers. Consumer products companies detected an average of 2,065 incidents, fewer than the 3,447 incidents detected by retailers, and a decline of 14% over 2013.

Current employees (34%) and former employees (30%) account for the most incidents, with a notable increase in retail and consumer goods respondents who point the finger at current employees. We also saw a 27% jump in incidents attributed to third-party service providers, contractors, suppliers, and business partners, which often have trusted access to the company’s network and data.

While the total number of survey respondents who link incidents to sophisticated threat actors like nation-states, hacktivists, and organized crime is comparatively low, they are among the fastest growing sources. Respondents who cited foreign nation-states as the cause of incidents increased 115% in 2014.

Customer and employee data are the target of most incidents—not surprising, considering that threat actors often set their sights on payment card information. Among consumer goods manufacturers, theft of intellectual property (IP) is a larger concern. That’s because manufacturers often produce products for other smaller businesses, and they often store these clients’ IP and research and development information.

This year, one in four consumer goods respondents say they lost “soft” IP (information such as processes and institutional knowledge), a 27% jump over last year.


Despite the rise in detected incidents, retail and consumer companies report that total financial losses resulting from security incidents declined 46% in 2014. This finding seems counter-intuitive, given the upsurge in detected compromises.

In part, the discrepancy may be attributed to a 61% rise in security spending in 2013, which may have enabled organizations to more quickly detect and mitigate incidents. What’s more, as businesses implement monitoring and logging technologies they will detect more incidents that are benign, such as viruses that do not result in costly damage.

It is troubling, however, to find that information security budgets are down 15% over 2013. Retailers cut their security investments more sharply than consumer goods companies.

The decline in security spending initially seems puzzling, given the recent high-profile breaches. It’s likely that organizations had finalized their 2014 budgets before December 2013, when the first mega-breach was announced. Afterward, some businesses we know revisited their budgets and reallocated more funds for cybersecurity. We expect to see a spike in security spending in the coming year.

[Chart: The fastest-growing sources of security incidents, increase over 2013: information brokers, organized crime, foreign entities and organizations, activists/hacktivists, foreign nation-states (115%); other values shown: 54%, 54%, 66%, 67%]


Data governance is lacking

Many businesses emphasize regulatory compliance at the expense of a framework that governs information.

[Chart: Attrition in data governance safeguards, 2013 vs 2014]
Have centralized user data store: 63% (2013), 55% (2014)
Have secure-access control measures: 57% (2014)
Limit collection, retention, and access of personal information to the minimum necessary to accomplish purpose: 54% (2014)
Have privileged user access tools: 67% (2013), 53% (2014)
Have an accurate inventory of where personal data for customers and employees are collected, transmitted, and stored: 60% (2013), 54% (2014)
Have a written security policy for off-premises storage, access, and transport of personal data: 51% (2014)
(Other bars shown: 67%, 57%, 57%)

Retailers, in particular, often take a compliance-checklist approach to information security, focusing on Payment Card Industry Data Security Standard (PCI DSS) requirements while disregarding implementation of adequate data governance to protect valuable information assets.

Good data governance will require that businesses develop a framework and policies for the creation, use, storage, and deletion of information. It will also demand that retail and consumer companies know where their data is stored, manage access to sensitive information, and govern the use and security of valuable data by third-party partners.


A basic foundation of data governance is centralized data storage, which enables organizations to consolidate, manage, and secure their information.

This is becoming increasingly essential as the use of smartphones and social media accelerates the creation and sharing of data. Yet organizations seem to be falling short of fundamentals: Just 55% of respondents say they have centralized user data storage, down from 63% in 2013.

Other security basics include safeguards to limit access to data and systems, and monitoring for anomalous network activity.

Only 47% of respondents say they have identity-management tools in place, and just 57% say they have secure access control measures. Because adversaries often target employees with extensive access to systems and data, privileged user access technologies are key.

Furthermore, many companies seem to know very little about the sensitive data they hold or allow third parties to access. Consider, for instance, that the number of respondents who say they have an accurate inventory of where personal data for employees and customers are collected, transmitted, and stored dropped to 54% this year, down from 60% in 2013.

A sound data governance program also will limit the data that is stored to only what is needed. It’s a practice that many do not follow: Only 54% say they limit the collection, retention, and access of personal information to the minimum necessary to accomplish a legitimate business purpose.

Yet only 53% of respondents say they have privileged user access tools in place, down from 67% last year.

[Chart: Have privileged user access tools: 67% (2013), 53% (2014)]


Increasing third-party threats

Data breaches often start with the compromise of suppliers, contractors, and vendors.

In the past year, several retailers that have been hit by costly, high-impact breaches have had one thing in common: Criminals gained access to their networks and POS systems through attacks on third-party suppliers and contractors, resulting in the compromise of millions of payment card accounts.

These breaches resulted in heavy financial and reputational losses, but they also encouraged some retailers to more rapidly migrate to the EMV system.

Today, a very small percentage of payment and debit cards in the US employ EMV technology, which is more resistant to compromise and counterfeit than magnetic-stripe cards. That’s changing, however, as several major card networks have begun migration to the chip-based EMV system and have set an October 15, 2015 deadline for implementation of EMV technologies. (Gas station owners will have until October 1, 2017 to migrate to EMV.) Thereafter, fraud liability will shift to the party that is not EMV-compliant.6

While retail and consumer companies are adopting the EMV standard, many have not yet taken more basic precautions to protect themselves from breach via the systems of third parties. Consider, for instance, that only 54% of survey respondents say they have established security standards for external partners, suppliers, and vendors. And just 44% conduct risk assessments on third-party vendors, down from 55% last year.

Furthermore, we asked if organizations have implemented or plan to implement a program that monitors third-party partners and service providers to ensure they comply with security and data-protection policies. The responses are not encouraging: Only 29% say they have this type of monitoring program in place, and 37% say they plan to add one. But one in five say they have no plans to implement a program to monitor third parties.

An effective vendor-management program will require more than individual policies and processes, however. What’s also needed is a tiered framework that assesses, segments, and manages third-party partners based on the risks they present to the business. This is critical because large organizations may have thousands of vendors that have access to their systems and data; a tiered approach will help them focus on the most serious risks.

This tiered approach also will enable organizations to hold third parties to different levels of accountability. For instance, businesses that share sensitive information of customers with external marketing partners should ensure that those firms adhere to the very highest level of security, while those that have access to less sensitive information need not be held to the most rigorous standards.

6 PwC, Securing the card payments infrastructure: Where are we headed?, July 2014


Key safeguards for third-party security and privacy are lacking

[Chart: Key safeguards for third-party security and privacy are lacking. Bars compare 2013 and 2014 for: Established security baselines/standards for external partners/customers/suppliers/vendors; Require third parties to comply with privacy policies; Have an inventory of all third parties that handle personal data of employees and customers; Have incident response process to report and handle breaches to third parties that handle data; Perform risk assessments on third-party vendors. Values shown: 60%, 59%, 54%, 55%, 55%, 52%, 51%, 49%, 48%, 44%.]


New technologies and their risks

Retail and consumer goods companies are embracing new technologies to connect with customers, build operational efficiencies, and enable collaboration.

The trouble is, many businesses adopt these technologies before they effectively secure them.

Consider cloud computing, perhaps the decade’s most transformative technology trend.

More than half of respondents say they use some form of cloud computing for file storage and sharing, and hosting of databases, applications, e-mail, and websites.

Yet only 45% of respondents have a security strategy for cloud computing—an astonishing finding—and just 33% say they are “very prepared” to protect sensitive data in the cloud. Given that 29% of respondents say they use cloud services for e-commerce, that’s certainly disquieting.

Mobility continues to transform how companies and their employees operate. The use of mobile devices also introduces new risks, including data loss, device theft, and accidental leakage. In fact, 23% of respondents say mobile devices were exploited this year. While many retail and consumer companies have made progress in strengthening their mobile security practices, there remains considerable room for improvement. For instance, only 51% say they have a mobile security strategy, and fewer (43%) use mobile device management software to safeguard their fleet of mobile devices.

Another risk lies in the rise in employee use of personal devices in the workplace, a trend known as bring your own device, or BYOD. This year, 69% of respondents either plan to allow or already do allow use of employee-owned devices to access the corporate network, yet most organizations are ill-prepared to secure their assets. The number that have a security strategy for BYOD dropped to 49% this year, down considerably from 2013.


Attrition in safeguards for new technologies

[Chart: Attrition in safeguards for new technologies. Bars compare 2013 and 2014 for: Have secure remote access (VPN); Security strategy for mobile devices; Security strategy for BYOD; Security strategy for cloud computing; Security strategy for social media. Values shown: 69%, 59%, 56%, 56%, 54%, 51%, 49%, 47%, 45%, 45%.]

As workers become increasingly mobile, employees access the network, data, and applications remotely via laptops, smartphones, and tablets. So it was worrisome to find that the number of respondents who have secure remote access software like virtual private networks is low and shrinking: Only 56% have this essential technology, down from 69% in 2013.

Another technological juggernaut is social networking, which enables retail and consumer companies to attract and engage customers, improve the customer experience, and manage brand images. The benefits are many, but so are the risks.

Employees can inadvertently disclose sensitive data via social networking sites, and cyber criminals can mine accounts to obtain valuable information that can be used in targeted phishing attacks. Despite these very real risks, only 45% of respondents have a security strategy for social media, a number that decreased considerably over last year.

Finally, this year’s game-changing technology may be mobile payment systems or “digital wallets.” The capability to make payments from smartphones is not new, but it is gaining momentum as more devices support payment systems like Apple Pay, the Merchant Customer Exchange (MCX) CurrentC, and Google Wallet. And given the recent rash of retailer breaches, consumers may prefer to whip out their smartphones and leave their payment cards in their wallets.

It’s worth noting, however, that no payment system will be 100% secure. Determined threat actors will very likely find ways to circumvent technologies that underpin digital payment systems. In fact, compromises already have been reported.

The success of mobile payments will require a wide constellation of retailers that are capable of accepting these digital payments, of course, and that’s not yet a given. One-quarter (25%) of retail and consumer respondents say they have implemented systems for digital wallets, and an additional 36% say they plan to implement them in the future.


Toward a more strategic approach

Our survey results show that many retail and consumer companies need to take a more strategic approach to help identify, manage, and respond to privacy and security threats.

In many cases, commitment to strategic security safeguards seems to be diminishing.

It all starts with an information security strategy that is aligned with the specific needs of the business. This year, 59% of respondents say they have united their security strategy and business goals. An effective security program also should apportion spending to the data assets that have the highest business value. Respondents show a more solid, if incomplete, commitment in this area: 67% say their security investments are allocated to the organization’s most profitable lines of business.

Before resources can be allocated, however, it will be necessary to first identify the organization’s most valuable assets and determine who owns responsibility for them. This is an area in which we found significant potential for improvement: Only 52% of respondents have a program to identify sensitive assets.

Strategic processes are often lacking

[Chart: Strategic processes are often lacking. Bars compare 2013 and 2014 for: A senior executive communicates importance of security to entire enterprise; Information security strategy is aligned with specific business needs; Program to identify sensitive assets; Collaborate with others to improve security; Have cyber insurance; Have employee security training and awareness program. Values shown: 65%, 61%, 59%, 59%, 56%, 53%, 52%, 52%, 50%, 49%, 45%, 40%.]


More than ever, senior executives should proactively ensure that the Board understands how the organization will detect, defend against, and respond to cyber threats.

An effective security program will require top-down commitment and communication of information security fundamentals and priorities.

Organizations have made some progress in this measure: 61% of respondents have a senior executive who communicates the importance of information security to the entire enterprise.

Information security communications also must cascade upward to the Board of Directors to ensure that members have the information they need to manage risks and protect the company from cyber adversaries. Boards are increasingly concerned about having the right risk intelligence, and they may also be worried that their personal reputations could be tarnished by a high-profile compromise. Earlier this year, several directors of a prominent retailer came under public scrutiny after the company suffered a very public data breach that also resulted in the resignations of several C-suite executives.

Despite the discussion following recent retailer breaches, many companies have not yet elevated security to a Board-level discussion. Consider, for instance, that only 39% of respondents say their Board participates in the overall security strategy, and 35% say the Board participates in the security budget. Fewer (22%) say their Board is involved in reviews of current security and privacy risks—a crucial component of any effective security program.

Many organizations are finding that cyber insurance can be an effective way to help manage risks and mitigate financial losses of cyber attacks. It has been widely reported, in fact, that several retailers breached over the past year recovered tens of millions of dollars in mitigation costs through insurance coverage.

This year, 50% of respondents say they have purchased cybersecurity insurance, up from 40% last year.

Perhaps more significant is the finding that some companies are leveraging cyber insurance as a way to improve their security program. Almost one-third say they have taken steps to enhance their security posture in order to lower insurance premiums.

Finally, sharing information about security—internally and externally—is essential to the success of security programs as cyber threats, technologies, and vulnerabilities evolve at lightning speed. Employee training and awareness is particularly important because the weakest link in the security chain is often human. So it was a bit worrisome to find that the number of respondents who have an employee training program in place dropped to 49%, from 59% in 2013.

Externally, sharing information among public and private entities has enabled businesses to gain better intelligence on threats and response tactics. To this end, US retailers recently formed the Retail Cyber Intelligence Sharing Center (R-CISC) to serve as an Information Sharing and Analysis Center (ISAC) as well as a forum for education, training, and research on future threats. Among our survey respondents, more than half (52%) say they collaborate with others to share security intelligence and tactics. That’s an improvement over last year. Consumer packaged goods companies may not have a dedicated ISAC, but they tend to share information more readily. Among consumer products respondents, 65% say they collaborate with others to improve security.


Linking security and risk

As incidents continue to proliferate, it’s becoming clear that cyber risks can never be completely eliminated.

Protective measures remain important, but they may not stop determined and highly skilled adversaries.

Case in point: Most of the retailers impacted in recent data breaches were compliant with PCI regulations.

In addition to regulatory compliance, effective cybersecurity will require up-to-date processes, trained personnel, and tools to detect, analyze, and respond to incidents.

To make this adjustment, retail and consumer companies should reposition their security strategy by more closely linking technologies, processes, and tools with the firm’s broader risk-management activities. Doing so will result in a cyber-resilient program that can effectively manage risks based on the business’s individual tolerance for risk.


Contacts

To have a deeper conversation about cybersecurity, please contact:

Retail and consumer

United States

Alexander Coassin, Principal, 415 498 5282, alexander.t.coassin@us.pwc.com
G. Christopher Hall, Principal, 412 355 6183, g.christopher.hall@us.pwc.com
Ron Kinghorn, Principal, 617 530 5938, ron.kinghorn@us.pwc.com
Gary Loveland, Principal, 949 437 5380, gary.loveland@us.pwc.com
Bryan Oberlander, Principal, 617 530 4125, bryan.s.oberlander@us.pwc.com
Paul Ritters, Director, 612 596 6356, paul.j.ritters@us.pwc.com

www.pwc.com/gsiss2015 // www.pwc.com/cybersecurity
PwC helps organisations and individuals create the value they’re looking for. We’re a network of firms in 157 countries with more than 195,000 people who are committed to delivering quality in assurance,
tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.

PricewaterhouseCoopers has exercised reasonable care in the collecting, processing, and reporting of this information but has not independently verified, validated, or audited the data to verify the
accuracy or completeness of the information. PricewaterhouseCoopers gives no express or implied warranties, including but not limited to any warranties of merchantability or fitness for a particular
purpose or use and shall not be liable to any entity or person using this document, or have any liability with respect to this document.

© 2015 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

The Global State of Information Security® is a registered trademark of International Data Group, Inc.

Improving cyber readiness in an interconnected world // Key findings from The Global State of Information Security® Survey 2015

Technology

Improving cyber readiness in an interconnected world

Key findings from The Global State of Information Security® Survey 2015

Technology

Technology organizations tend to have comparatively robust and mature cybersecurity programs. It makes sense, given that many have been in the vanguard of developing the systems and tools that have forever altered how businesses operate, market products, and interact with customers.

The bad news? Cyber-threat actors seem to have the advantage. Consider the following:

In the past year, hackers infiltrated the servers of a global software company and stole not only source code but also personal information of tens of millions of customers. Computers of prominent multinational Internet companies were compromised as a result of watering-hole attacks. Hackers employed key-logging software to steal the user credentials of more than 2 million social media and e-mail accounts from companies that dominate the Web. A prominent social networking and entertainment website was taken down by a massive distributed denial of service (DDoS) attack. And European Internet service providers were prominent targets of an extremely complex and stealthy espionage tool that has been in use for more than six years.

Increasingly, cyber criminals target technology companies to lift intellectual property, sabotage websites and reputations, and modify source code.
These are just a few of many attacks against technology companies in the past 12 months. While many breaches resulted in theft of customer information, others were more maleficent in intent. Increasingly, cyber criminals target technology companies to lift intellectual property, sabotage websites and reputations, and modify source code. The result has been worldwide negative publicity, loss of shareholder value, reduced profits, and millions of dollars in breach-mitigation expenses—not to mention an erosion of customer trust.

“Businesses and people are becoming more and more connected and empowered by technology, and technology companies in particular—and the customers they serve and products and services they produce—are becoming increasingly valuable targets,” says Mark Lobel, Principal in PwC’s Advisory practice focused on cybersecurity and privacy. “At the same time, the complexities of the global business ecosystem and the evolving threat and compliance landscape are forcing technology companies to re-imagine security. To do so, organizations should invest in security personnel, processes, and technologies that address holistic information security strategies and go beyond outdated, ineffective security models.”

Clearly, it’s no longer possible to protect all data, networks, and applications at the highest level. But a proactive cybersecurity program will enable businesses to prioritize protection and more quickly react to attacks that are all but inevitable—even against the most tech-savvy of businesses.

GSISS 2015: Technology results at a glance

[Chart: Incidents. Average number of detected incidents: 4,529 in 2013 and 3,777 in 2014. Estimated total financial losses, 2013 vs 2014: the chart shows $2.5M and $2.0M.]
[Chart: Sources of incidents. Percentage of respondents citing each source, 2013 vs 2014, for: Current employees; Former employees; Hackers; Competitors. Values shown: 40%, 36%, 35%, 34%, 32%, 31%, 28%, 22%.]
[Chart: Security spending. Average annual information security budget: $5.2M in 2013 and $4.1M in 2014. Information security spend as percentage of IT budget: 3.7% in both 2013 and 2014.]
Security incidents and budgets decline

Technology companies are detecting fewer incidents, despite evidence that attacks are rising across industries.

The Global State of Information Security® Survey (GSISS) 2015 shows that the technology sector leads most industries in implementation of the technologies, processes, and personnel skills that are vital to protecting data and quickly responding to incidents.

But even among these technologically sophisticated companies, there are troubling trends. Our survey of 1,892 technology industry executives reveals that respondents reported 17% fewer security incidents in the past year—despite overwhelming evidence that insider as well as targeted threats continue to multiply. (We define a security incident as any adverse incident that threatens some aspect of computer security.)

Against a global backdrop of escalating cyber attacks, this finding seems counter-intuitive. One explanation might be that technology companies boosted security spending by a hefty 39% in 2013, which may have enabled them to implement solutions and processes to help prevent attacks. What’s more, as businesses deploy monitoring and logging technologies they will detect more incidents that are benign and do not result in costly damage. Another interpretation may lie in the increased use of outsourced or cloud services, which is shifting some responsibility and potentially making it more difficult to gain visibility into events.

Taking another view, one might assume that technology companies are simply not detecting many incidents. Today’s sophisticated adversaries, particularly foreign nation-states and organized crime, make it their business to carry out sustained attacks without detection. Consequently, the volume of incidents may very well be under-reported.

Information security budgets declined significantly this year, particularly among smaller businesses.


Security budgets by company size

[Chart: Security budgets by company size, 2013 vs 2014. Small (revenues less than $100 million): $1.4 million to $893 thousand. Medium (revenues $100 million–$1 billion): $3.6 million to $3.5 million. Large (revenues more than $1 billion): $12.5 million to $11.3 million.]

If the decrease in incidents leaves room for interpretation, there is no positive way to spin the steep 21% decrease in information security spending in 2014. Looking at security spending by company size sheds some light on the spending patterns. Small companies (those with revenues of $100 million or less) reduced security spending by 36% in 2014, while large companies (revenues of $1 billion or more) trimmed investments by 9%. Medium-size firms (revenues of $100 million to $1 billion) reported a 3% drop in security budgets.

The decreased commitment to information security among small businesses is downright alarming—and a bit puzzling. One explanation may be that small businesses often consider themselves unworthy of serious cyber adversaries. We could also posit that the over-abundance of security solutions has resulted in an “analysis paralysis” that has rendered small companies unable to take action. And the current shortage of experienced security professionals may mean that the most skilled candidates go to larger organizations with hefty budgets. Nonetheless, these declining investments in security do not bode well for future cyber readiness.


Improving cyber readiness in an interconnected world // Key findings from The Global State of Information Security® Survey 2015

Technology

Sources and impact of compromise
Incidents attributed to sophisticated threat actors are escalating.

Current and former employees are once again the most-frequent culprits of security incidents, cited by 36% and 32% of respondents, respectively. While compromises caused by employees often fly under the media radar, those committed by organized crime groups, activists/hacktivists, and nation-states typically do not. Attacks by these threat actors remain among the least frequent, but they are also the fastest growing.

Many businesses are particularly worried about attacks by nation-states, which often target tech companies to steal IP and trade secrets as a means to advance their own economic advantage. With good reason: Incidents attributed to nation-states soared by 80% over 2013.

The jump in nation-state incidents may also explain the rising theft of intellectual property, including source code of products and services, designs for products like chipsets and networking equipment, and proprietary manufacturing processes. This year, 42% of technology respondents report loss of intellectual property. Many, it seems, are not prepared: Almost half of tech respondents have no procedures in place to protect intellectual property.

Edward J. Snowden’s disclosures of government surveillance have added a new adversary to the list of threat actors: domestic intelligence services. This year we included this option as a response to our question regarding the source of incidents, and 8% of technology respondents attributed incidents to domestic surveillance agencies, a rate that is higher than the global sample. In a finding that reflects the mood of the technology industry, almost two-thirds (65%) of respondents say they are somewhat or very concerned about government surveillance.

This type of espionage is prompting some businesses to reconsider their relationships with certain solutions providers. More than one-quarter of respondents (28%) say they are purchasing fewer products and services from technology companies based in certain nations, and 9% say they no longer procure products and services from those in specific countries. Given that this type of surveillance is most closely associated with the US, the implications for American technology companies are potentially serious.

Compromises by foreign nation-states are the fastest growing type of threat.


Insider threat programs are lacking
Many technology companies have not deployed basic identity and access technologies.

When it comes to cybercrime, many top executives know that security breaches by insiders—employees as well as contractors and business partners with trusted access—can be even more damaging than those attributed to external adversaries.

In the 2014 US State of Cybercrime Survey, we found that almost one-third (32%) of respondents said insider crimes are more costly or damaging than incidents perpetrated by outsiders.1 In part, that’s because internal threat actors hold the advantage since they are more likely to know where valuable data is stored and what processes and technologies are in place to protect this information and prevent theft.

The increase in insider incidents, particularly among employees, could have critical implications for technology companies. Increasingly, external threat actors employ social engineering techniques such as spear phishing to steal credentials of employees with privileged access to data and networks, then use that information to infiltrate the company’s network. Limiting and controlling access to key data assets is increasingly pivotal to information security and privacy.

Nonetheless, many technology companies are still grappling with automated identity and access management, a fundamental tool for preventing and managing insider incidents. Consider, for instance, that just over half (53%) of respondents have implemented identity management tools and only 54% employ multifactor authentication. Other technologies that are central to managing access and monitoring employee behavior are also not adequately deployed.

Employees and managers are vital to insider-threat management because they are often in a position to notice suspicious behavior or risk indicators. Consequently, employee training forms the spine of an effective insider program. So it was worrisome to find that the percentage of organizations that have an employee training and awareness program dropped to 51% this year.

Internal threats represent a people issue, not a technology problem, and an insider-threat program cannot be addressed by the IT function alone. Effective management will require a disciplined, cross-functional approach that includes IT, information security, corporate security, human resources, legal counsel, audit, and privacy, as well as leadership from lines of business. Just half of technology respondents have a cross-functional team that coordinates security issues.

Almost half of respondents have not implemented identity and access management tools.

1 2014 US State of Cybercrime Survey, co-sponsored by CSO magazine, CERT Division of the Software Engineering Institute at Carnegie Mellon University, PwC, and the US Secret Service, March-April 2014


Many companies lack tools to manage insider threats

[Figure: Percentage of respondents, 2013 vs. 2014, that have network access control software, user activity monitoring tools, an employee training and awareness program, and behavioral profiling and monitoring. Values shown on the chart: 66%, 60%, 56%, 58%, 54%, 46%, 45%, 44%.]


Identity management and the cloud
More businesses are adopting cloud-based security services.

It’s official: The cloud is now mainstream. This year 64% of technology respondents say they use some form of cloud computing.

Tentative early implementations of cloud services have given way to large-scale deployments of business functions such as customer relationship management, talent management, payroll, and enterprise communications. As organizations are becoming more familiar with the cloud and as cloud providers are maturing, the perception that providers’ security practices are incapable of protecting sensitive data and mission-critical workloads is beginning to shift. In fact, our research shows that the majority of organizations that use cloud services report that doing so has improved their information security program.

It was somewhat surprising to find that big enterprises are most likely to employ cloud services. More than three quarters (77%) of large companies employ cloud, as compared with 74% of medium-size businesses and 55% of small firms. Another intriguing finding: One in four technology respondents use cloud-based security services, a solution that is gaining favor as providers offer more sophisticated, secure services.

In particular, we have seen growing interest in cloud-based identity and access management (IAM) solutions. While small and medium-size businesses were among the first to adopt cloud-based security as a means to extend their IAM capabilities, larger organizations are also beginning to embrace the concept, often as a replacement for on-premises solutions. In fact, 28% of respondents who employ cloud-based security are big businesses, while 19% are small.

No matter the size, enterprises that move sensitive data and mission-critical workloads to the cloud should do so following a carefully considered cloud strategy and due diligence. But many do not. In fact, only 52% of respondents have a security strategy for cloud computing, and just 54% perform risk assessments on third-party vendors, including cloud providers.

[Figure: Adoption of cloud computing by company size. Small (revenues less than $100 million): 55%. Medium (revenues $100 million–$1 billion): 74%. Large (revenues more than $1 billion): 77%.]

Large businesses are leading the way to the cloud and to cloud-based security services.


Gearing up for the Internet of Things
Half of respondents say they have a strategy for the convergence of information, operational, and consumer technologies.

The convergence of information, operational, and consumer technologies—typically referred to as the Internet of Things—will introduce tremendous business opportunities for companies that produce technologies. It also will create a new world of security risks.

As more devices are connected, exponentially more data will traverse an expanded constellation of enterprise ecosystems, increasing risks to sensitive corporate data and private consumer information. It’s a risk that many technology companies seem to recognize. In fact, half of respondents say they have already implemented a security strategy for the convergence of information, operational, and consumer technologies; an additional 28% say they are developing a strategy.

Yet a closer look at the data reveals that many respondents do not yet have security strategies for technologies that underpin the Internet of Things—and most likely do not have an integrated plan for the convergence of these technologies.

Consider, for instance, that only 52% of respondents have a security strategy for cloud computing, and the same number have a security strategy for mobile devices. We believe technology businesses are beginning to develop a strategy for convergence, but have not yet integrated disparate components into a holistic strategy.

Doing so will demand that companies assess how technology convergence will affect the individual organization, and then establish goals for securing information and operations for future convergence. A disciplined, enterprise-wide assessment of the scope of valuable assets that are potentially at risk will be a key step.


Strategies for technologies that underpin the Internet of Things
A closer look at the data reveals that many companies lack security strategies for mobile, social, and cloud technologies.

[Figure: Percentage of respondents with a security strategy for each technology. BYOD: 54%. Mobile devices: 52%. Cloud computing: 52%. Social media: 52%. Big data: 52%.]

Identifying sensitive assets and determining ownership of data will become increasingly arduous as the Internet of Things expands and more electronic information is shared among new business partners and consumers. For many tech companies, that’s already a challenge. Just 57% of respondents have a program to identify sensitive assets and fewer (51%) have an inventory of all third parties that handle personal data.

The Internet of Things will also require that technology companies improve fundamental security processes like user access controls, patch management, and third-party risk assessments. Privacy of consumer data is also critical—and represents an opportunity for improvement considering that only 55% of respondents require third parties to comply with their privacy policies.


The security safeguards that matter
How technology companies are taking a more strategic approach to security.

Technology companies continue to bolster their security programs as cyber risks evolve. But much remains to be done.

As the frequency and severity of cyber attacks grow, it has become clear that every business should have an executive-level officer in charge of the security program. For most technology companies, that person is the Chief Information Security Officer (CISO). Demand for CISOs is at an all-time high: In the past two years, the number of technology companies that employ a security executive has climbed 46%, and today more than three-quarters of organizations have a CISO in charge of information security.

We believe it is imperative that the CISO report up to the CEO, Chief Financial Officer, Chief Privacy Officer, or the Board, rather than to the Chief Information Officer. Information security is, after all, a business risk issue and, as such, it should have a separate governance structure and budget to ensure that sufficient resources are allocated.

Exposing security leaders to the executive level is critical to risk governance. In the wake of recent massive breaches, directors are asking for the risk intelligence necessary to make informed cybersecurity decisions and help protect the organization from cyber attacks. Board participation in security is stronger among technology businesses than in many other sectors, but leadership from the very top is not yet the norm. Only 46% of respondents say their Board is involved in the overall security strategy and fewer (27%) say directors participate in reviews of current security and privacy risks.

While a very large majority of technology companies have a formal strategy for information security, the number that have a security strategy that is specifically aligned with unique business needs slipped this year. That’s a key component of a risk-based security strategy.

77% of technology companies have hired a CISO to oversee their security program.


Many businesses are embracing guidelines developed by the US National Institute of Standards and Technology (NIST) to more closely link their technologies, processes, and personnel skills with the organization’s broader risk-management activities. The NIST Cybersecurity Framework, which targets critical infrastructure providers and suppliers, has been adopted by 41% of US technology respondents; an additional 28% say the Framework is a future priority.

In addition to improving risk-based cybersecurity, the Framework also aims to create a common language to facilitate collaboration and communications among internal executives and external industry and government organizations. Sharing of threat intelligence and response tactics has become an indispensable tool to advance cybersecurity, one that the tech sector has readily adopted. This year, 62% of technology respondents say they work with others to improve security, compared with 55% of the overall survey sample.

Finally, many organizations are finding that cyber insurance can be effective in helping manage risks and mitigate financial losses of cyber attacks that are all but inevitable. In fact, cyber insurance has received considerable attention over the past year as victims of high-profile breaches reported that they recovered tens of millions of dollars in mitigation costs through insurance coverage. Among technology respondents, 59% say they have purchased cybersecurity coverage. Perhaps more significant is the finding that some companies are leveraging cyber insurance as a way to improve their security program. More than one-third say they have taken steps to enhance their security posture in order to lower insurance premiums.

Linking information security and risk

As security incidents continue to proliferate, it’s becoming clear that cyber risks can never be completely eliminated. Protective measures remain important, of course, but they cannot reliably be guaranteed to stop determined and highly skilled adversaries.

Consequently, many technology businesses may need to reposition their security strategy by more closely linking technologies, processes, and tools with broader risk-management activities. Effective cybersecurity will require up-to-date processes, trained personnel, and tools to detect, analyze, and respond to today’s incidents.

While a well-designed cybersecurity program will not totally eliminate risk, it can enable businesses to better manage threats through an informed decision-making process, boost efficiencies in security practices, and create a more resilient security practice.

[Figure: The five functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover.]

41% of respondents say they have adopted the risk-based NIST Cybersecurity Framework.


Contacts
To have a deeper conversation about cybersecurity, please contact:

Technology
United States

Shafeeq Banthanavasi
Managing Director
408 534 2487
shafeeq.banthanavasi@us.pwc.com

Mark Lobel
Principal
646 471 5731
mark.a.lobel@us.pwc.com

www.pwc.com/gsiss2015 // www.pwc.com/cybersecurity

PwC helps organisations and individuals create the value they’re looking for. We’re a network of firms in 157 countries with more than 195,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

© 2015 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

The Global State of Information Security® is a registered trademark of International Data Group, Inc.