Business Unit Security & Authentication - An industry perspective CCA Strictly Private and Confidential October 2014


Page 1: Business Unit Security & Authentication - An industry perspective CCA Strictly Private and Confidential October 2014

Business Unit

Security & Authentication - An industry perspective

CCA

Strictly Private and Confidential

October 2014

Page 2

PwC October 2014

Endangering the present

Cyber security threats have become increasingly sophisticated and complex. As organisations embrace new technologies without fully comprehending their implications for the entire enterprise, they render themselves susceptible to an array of cyber-security threats.

An efficient and executable strategy that encompasses the key levers of people, processes and technology is needed to confront the changing threat landscape, as few risk issues are as all-encompassing as cyber-security.

Security & Authentication - An industry perspective • CCA

Cyber security attacks in the news

Stuxnet worm infects critical infrastructure facilities in Gujarat and Haryana; an ONGC off-shore oil rig is also affected

US Department of Justice (DOJ) indicts five Chinese military hackers for cyber economic espionage against American companies in the nuclear power, metals and solar energy sectors

Instances of state-sponsored espionage against a major European bank uncovered by Symantec

The Heartbleed defect in OpenSSL, the TLS library behind roughly two-thirds of the world's web servers, lets an unauthenticated client read server memory, including on popular e-mail and social networking sites

Page 3

Are budgets keeping up with the rising costs?

With the average cost per security incident up from $194 to $414 (113%) and average losses from security breaches up 20%, one would expect information security budgets to rise.

However, average information security budgets actually declined by almost 17%. It seems counter-intuitive that organisations have not increased their security spending even though threats have become more frequent and more damaging.


What drives information security expenditure?

[Chart: Key drivers for information security spending in India, share of respondents from 20% to 50%]

• Change and business transformation

• Business continuity or disaster recovery

• Outsourcing

• Company reputation

• Merger or acquisition activity

• Regulatory compliance

• Internal policy compliance

• Hacktivism (e.g. WikiLeaks)

• Theft of customer or employee information

[Chart: Total average information security budget in India dropped from $4.8 million (2013) to $4 million (2014)]

Page 4

The constantly evolving cyber-threat landscape is driving the increase in security incidents

The marked increase in the number of detected incidents is, in our view, likely driven by the changing cyber-threat landscape. As the digital channel in financial services continues to evolve, cyber security has become a business risk rather than simply a technical risk.


Threat actors: Nation-states; Cyber criminals; Hacktivists; Cyber terrorists/individual hackers

Motivators

• Nation-states: Global competition; National security; Fraud

• Cyber criminals: Illicit profit; Fraud; Identity theft

• Hacktivists and cyber terrorists/individual hackers: Ideological; Political; Disenfranchised; Malicious havoc; Political cause rather than personal gain

Threat vectors

• Nation-states: Targeted, long-term cyber campaigns with strategic focus; Insiders; Third-party service providers

• Cyber criminals: Individual identity theft; Data breaches and intellectual property theft; Insiders; Third-party service providers

• Hacktivists and cyber terrorists/individual hackers: Opportunistic vulnerabilities; Targeted organisations that stand in the way of their cause; Insiders; Third-party service providers

Impact

• Nation-states: Loss of intellectual property; Disruption to critical infrastructure; Monetary loss; Regulatory

• Cyber criminals: Loss of identity; Monetary loss; Intellectual property loss; Privacy; Regulatory

• Hacktivists and cyber terrorists/individual hackers: Destabilise, disrupt and destroy cyber assets of financial institutions; Disruption of operations; Destabilisation; Embarrassment; Public relations; Regulatory

Lines between the threats are blurring

Page 5

Insiders are the most likely perpetrators

Current and former employees were cited by respondents as the most common sources of incidents. This does not imply that most users behave maliciously: a lack of awareness of common dos and don'ts can lead users to compromise data through the loss of mobile devices or by falling for targeted phishing attacks.

Loss of data through relationships with customers and vendors also accounts for a reasonable share of the incidents attributed to insiders. The lack of effective mechanisms to manage risks to data stemming from third parties is largely responsible.


Insider threat

[Chart: Estimated likely sources of incidents (insiders), 2013 vs 2014, share of respondents from 0% to 50%]

Page 6

External sources garner most attention

The cyber incidents that garner the most attention, compromises by nation-states and organised crime, are among the least frequent. However, the two-fold increase in information security incidents attributed to foreign nation-states is alarming.

As nation-states can carry out sophisticated attacks without being detected, we believe the volume of such compromises is, in all probability, under-reported. Indian organisations also reported twice as many attacks from competitors as the global average.


Outsiders

[Chart: Estimated likely sources of incidents (outsiders), 2013 vs 2014, share of respondents from 0% to 45%]

Page 7

How do attacks impact organisations?

Breaches of employee records (45%) and customer records (42%) remained the most cited impacts of cyber attacks. A compromise of customer records can interrupt the smooth running of the business, expose the organisation to legal action, drive customers away and damage its reputation.


Employee and Customer records continue to be the top targets of cyber attacks

[Chart: Impact of cyber attacks on business, 2013 vs 2014, share of respondents from 0% to 40%]

Page 8

The ‘human parameter’

Employee training and awareness is a fundamental component of every programme, as the weakest link in the security chain is often the human. However, fewer respondents (56%, compared to 61% last year) require their employees to complete training on privacy policy and practices.


How respondents are addressing the 'human parameter' (share of respondents)

Require our employees to certify in writing that they comply with our privacy policies: 64.4%

Require our employees to complete training on privacy policy and practices: 56.2%

Impose disciplinary measures for privacy program violations: 54.7%

Employee security awareness training program: 53.6%

A cross-organizational team (including leaders from finance, legal, risk, human resources, IT, and/or security) that regularly meets to coordinate and communicate information security issues: 50.3%

Page 9

Data privacy safeguards

Many organisations have already implemented the following data privacy safeguards. To prepare better for the changing threat landscape, all organisations should consider implementing them.


Data privacy safeguards currently in place (share of respondents)

People

Require our employees to complete training on privacy policy and practices: 56.2%

Impose disciplinary measures for privacy program violations: 54.7%

Conduct personnel background checks: 58.1%

Processes

Have an information security strategy that is aligned to the specific needs of the business: 60.9%

Conduct compliance audits of third parties that handle personal data of customers and employees to ensure they have the capacity to protect such information: 52.9%

Inventory of all third parties that handle personal data of employees and customers: 50.2%

Technology

Privileged user access: 62.6%

Malware or virus-protection software: 67.9%

Security information and event management (SIEM) technologies: 61.2%

Security-event-correlation tools: 56.2%

Page 10

Dynamic security practices – Need of the hour

Even with the increase in the average cost per incident and in overall financial losses from security incidents, organisations remain reluctant to adopt the technologies and processes that can help safeguard them against these incidents.


[Chart: Respondents who answered that security safeguards are not currently in place; values between 41.2% and 52.1% per safeguard]

Page 11

Are organisations taking identity management seriously?


35% of organisations have identified access controls and identity management as one of the top security challenges

Over 25% of organisations describe biometrics for authentication as a top priority in the next 12 months

50% of organisations already have solutions for automated provisioning and de-provisioning of user accounts in place

50% of organisations already have identity management solutions in place

Current and former employees continue to be cited as the main causes of security breaches, with over 65% of incidents attributed to this group. In light of these findings, the need for identity and access management solutions is greater than ever.

Page 12

Are organisations moving towards newer authentication methods?


41% of organisations plan to adopt tokenisation as an emerging technology for data protection

Newer techniques such as risk-based authentication and behavioural profiling are quickly gaining popularity. Behavioural profiling builds a picture of each user's characteristics and normal activity so that the users and behaviour most likely to lead to a breach can be identified and watched more closely.

Over 47% of organisations have employed behavioural profiling tools to strengthen their information security programme

53% of organisations already use multi-factor authentication to strengthen information security

Page 13

How prevalent is the use of smart cards and tokens for authentication?


Security tokens are physical devices issued to users to introduce an additional level of security in authentication.

There are three factors of authentication:

• Something the user knows (a password or PIN)

• Something the user has (a smart card or token)

• Something the user is or does (a biometric or a behavioural trait)

Traditional methods rely on the first factor alone; smart cards and tokens introduce the second factor (something the user has) to enhance security. The added strength depends on the token's secret staying on the device: a one-time code delivered over SMS or e-mail is a weaker form of this factor, because it can be intercepted or redirected in transit.

49% of organisations use one-time (disposable) passwords, smart cards or tokens for authentication

Page 14

Are organisations adopting user activity monitoring tools?


To gain stronger control over user activity, organisations are moving towards user activity monitoring tools. The use of these tools is most prevalent in the commercial and consumer banking, insurance, aerospace and defence, pharmaceutical and consumer packaged goods sectors.

[Chart: Adoption of user activity monitoring (sector wise): Aerospace & Defense, Consumer Packaged Goods, Commercial banking, Consumer banking, Insurance, Pharmaceutical; adoption between 58% and 72%]

Page 15

Organisations are increasingly adopting risk based authentication


Risk-based authentication solutions enhance traditional authentication methods by assigning a risk score to each user trying to gain access. Such solutions use additional signals such as behavioural profile, geo-location, device and time of access to evaluate the user's risk profile, and use the score to decide whether to allow the login, demand an additional factor or block it.

[Chart: Adoption of risk based authentication (sector wise): Aerospace & Defense, Agriculture, Consulting / Professional Services, Oil & Gas, Utilities, Pharmaceutical, Automotive, Telecommunications, Software, Electronics, Transportation & Logistics; adoption between 0% and 70%]
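The behavioural profiling mentioned on the previous page and the risk-based authentication described here come together in a scoring function that runs on every login attempt. The example below is added for this page and is not code from the PwC deck or from any product; the signal weights, the thresholds, the 900 km/h impossible-travel limit and the sample user "alice" with her Mumbai and New York logins are constructed assumptions for the illustration. It scores an attempt against the user's baseline (known devices, usual countries and hours, location of the last login) and maps the score to allow, step-up (demand a second factor) or deny, which is the decision the page's description leaves implicit.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class UserProfile:
    """Behavioural baseline for one user: what risk scoring compares each attempt against."""
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_hours: Set[int]                                   # local hours the user normally logs in
    last_login: Optional[Tuple[int, float, float]] = None   # (unix_time, latitude, longitude)


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    lat: float
    lon: float
    unix_time: int
    local_hour: int
    recent_failures: int = 0      # failed logins on this account shortly before the attempt


# Assumed weights and thresholds for the illustration; a real deployment tunes them
# against its own login history and confirmed fraud cases.
W_UNKNOWN_DEVICE = 30
W_UNUSUAL_COUNTRY = 25
W_UNUSUAL_HOUR = 10
W_IMPOSSIBLE_TRAVEL = 40
W_PER_FAILURE = 5
MAX_FAILURE_SCORE = 20
STEP_UP_THRESHOLD = 30        # score at or above this: demand a second factor
DENY_THRESHOLD = 60           # score at or above this: block the attempt and alert
MAX_PLAUSIBLE_SPEED_KMH = 900.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km, used for the impossible-travel check."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def score_attempt(attempt: LoginAttempt, profile: UserProfile) -> Tuple[int, List[str]]:
    """Add one weight per risk signal and return the score with the reasons behind it."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += W_UNKNOWN_DEVICE
        reasons.append("unknown device")
    if attempt.country not in profile.usual_countries:
        score += W_UNUSUAL_COUNTRY
        reasons.append(f"unusual country {attempt.country}")
    if attempt.local_hour not in profile.usual_hours:
        score += W_UNUSUAL_HOUR
        reasons.append(f"unusual hour {attempt.local_hour:02d}:00")
    if profile.last_login is not None:
        last_time, last_lat, last_lon = profile.last_login
        # Floor the elapsed time at one minute so a near-simultaneous login still yields a finite speed.
        hours = max((attempt.unix_time - last_time) / 3600.0, 1.0 / 60.0)
        km = haversine_km(last_lat, last_lon, attempt.lat, attempt.lon)
        if km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score += W_IMPOSSIBLE_TRAVEL
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    # Brute-force pressure raises the score, capped so it cannot trigger a deny on its own.
    score += min(attempt.recent_failures * W_PER_FAILURE, MAX_FAILURE_SCORE)
    return score, reasons


def decide(score: int) -> str:
    """Map a risk score to the action the authentication flow takes."""
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def evaluate(attempt: LoginAttempt, profile: UserProfile) -> Tuple[str, int, List[str]]:
    score, reasons = score_attempt(attempt, profile)
    return decide(score), score, reasons


def demo() -> List[Tuple[str, int]]:
    """Constructed scenario, not survey data: alice normally works from Mumbai on device dev-A."""
    base = 1_400_000_000  # arbitrary unix timestamp for the baseline login
    alice = UserProfile(known_devices={"dev-A"}, usual_countries={"IN"},
                        usual_hours=set(range(9, 19)),
                        last_login=(base, 19.076, 72.877))          # Mumbai
    attempts = [
        LoginAttempt("alice", "dev-A", "IN", 19.076, 72.877, base + 3600, 10),       # routine login
        LoginAttempt("alice", "dev-B", "IN", 19.076, 72.877, base + 3600, 10),       # new laptop
        LoginAttempt("alice", "dev-B", "US", 40.713, -74.006, base + 3600, 10, 4),   # New York, one hour later
    ]
    return [evaluate(a, alice)[:2] for a in attempts]


if __name__ == "__main__":
    for decision, score in demo():
        print(decision, score)
```

The routine login scores 0 and passes, the unfamiliar laptop scores 30 and triggers a step-up prompt for a second factor, and the New York attempt one hour after a Mumbai login combines unknown device, unusual country, impossible travel and recent failures into a deny. Returning the reasons alongside the score matters for operations: a step-up event tagged "unknown device, unusual country" is actionable for an analyst, a bare number is not.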

Page 16

How is authentication on mobile devices being managed?


One area that organisations are increasingly focusing on is enterprise mobility, which enables employees, partners and customers to access and work on the organisation's technology platforms from any secured endpoint (laptop, tablet or smartphone).

How are organisations securing mobile devices?

[Chart: Initiatives organisations have taken to address mobile security risks, share of respondents from 30% to 50%]

Page 17

Challenges to security

Even with the growing impact that cyber security incidents can have on the entire enterprise, boards of organisations in the country remain largely unaware of the risk and continue to treat cyber security as an IT problem.

The lack of leadership to set a clear direction for the overall information security strategy, along with insufficient capital and operating expenditure, represents the biggest obstacle to improving the overall strategic effectiveness of information security.


Challenges from within

Obstacles in improving overall strategic effectiveness (share of respondents, 0% to 40%)

• Leadership: CEO, President, Board, or equivalent

• Leadership: CIO or equivalent

• Leadership: CISO, CSO, or equivalent

• Lack of an effective information security strategy

• Lack of an actionable vision or understanding of how future business needs impact information security

• Insufficient capital expenditures

• Insufficient operating expenditures

• Absence or shortage of in-house technical expertise

• Poorly integrated or overly complex information and IT systems

Page 18

Challenges to security

In today's interconnected business ecosystem, where the amount of data generated and shared with business partners and suppliers is far greater than before, due diligence of third parties has become a concern. It is worrying that the focus on third-party security weakened in the past year in some very key areas, even as the number of incidents attributed to 'insiders' increased.


Increased dependence on 3rd parties

How respondents are safeguarding relationships with 3rd parties (share of respondents)

Conduct compliance audits of third parties that handle personal data of customers and employees to ensure they have the capacity to protect such information: 52.9%

Maintain inventory of all third parties that handle personal data of employees and customers: 50.2%

Have established security baselines/standards for external partners/customers/suppliers/vendors: 53.8%

Require third parties (including outsourcing vendors) to comply with our privacy policies: 48.9%

Page 19

Security initiatives

The applications of SMAC (social, mobile, analytics and cloud) technologies have long been debated, but it is about time that Indian companies started leveraging them.


Emerging technologies

Social Media

The ambiguity in calculating the return on social media investments, coupled with the difficulty of understanding the applications of social media in business and leveraging them to generate a profit stream, has led to slow adoption.

54% of respondents audit or monitor employee postings to external blogs or social networking sites

Mobile

Organisations are now widely adopting enterprise mobility while taking initiatives to address the risks from its adoption; over 65% of respondents already have a mobile security strategy in place.

[Chart: Mobile security initiatives taken by organisations; values between 41% and 56% per initiative]

Page 20

Security initiatives


Analytics

As organisations adopt social media and mobile platforms and the digital footprint of their customers grows, the sheer amount of data available for organisations to analyse and use increases exponentially. More and more organisations are using big data analytics for data-driven insights.

[Chart: Impact of big data analytics on information security; values 57%, 19% and 20%]

Over 69% of respondents employ big data analytics to model for and identify information security threats. Almost one-third of respondents use big data analytics as a cloud service.

How organisations employ big data analytics

Currently in place: 47%

Currently outsourced: 22%

Not in place but is a priority over the next 12 months: 20%

No plans to adopt: 8%

Do not know: 3%

Page 21

Security initiatives

Almost 68% of respondents already use cloud services in some form (SaaS, PaaS or IaaS), with file storage and sharing remaining the most popular use.


[Chart: How are organisations using cloud services? India vs global average, share of respondents from 20% to 80%]

Cloud

Migrating to cloud-based services marks a fundamental shift in the way business is done. With a variety of deployment and service models available, organisations need to develop a sound strategy to manage cloud services.

Page 22

Cyber risk management

Organisations in India have been focused on perimeter security. Only now are there visible signs of organisations moving from an asset- and technology-centred paradigm for information security to comprehensive cyber-risk management. The first step for all organisations will be to align security spending with the organisation's strategic assets.


Safeguards that are a top priority for respondents in the next 12 months

Procedures dedicated to protecting intellectual property (IP) 19.2%

Program to identify sensitive assets 23.0%

Centralized security information-management processes 22.6%

Classification of business value of data 16.3%

Risk assessments (on internal systems) 19.2%

Risk assessments (on third-party vendors) 26.8%

Active monitoring/analysis of information security intelligence (e.g., vulnerability reports, log files) 20.5%

Governance, risk, and compliance (GRC) tools 26.0%

Enterprise content-management tools 22.9%

Protection/detection management solution for advanced persistent threats (APTs) 28.3%

Security information and event management (SIEM) technologies 24.2%

Page 23

Demographics

Around 30% of our respondents had annual gross revenues of over 1 billion USD, and another 30% (approx.) had revenues between 100 million USD and 1 billion USD. Almost a third of our respondents were small enterprises with annual gross revenues of less than 100 million USD, making it an inclusive survey with a distributed respondent base.


Respondents by annual gross revenues

Large (> 1 billion USD): 29.5%

Medium (100 million USD to 1 billion USD): 29.5%

Small (< 100 million USD): 32.6%

Non-profits, government, educational: 3.1%

Unknown: 5.3%

Respondents by industry sector

CIPS (consumer and industrial products and services): 37%

TICE (technology, information, communications and entertainment): 47%

FS (financial services): 7%

Government: 3%

Others: 7%

Page 24

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers Private Limited, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2014 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

Thank you.