business unit security & authentication - an industry perspective cca strictly private and...
TRANSCRIPT
Business Unit
Security & Authentication - An industry perspectiveCCA
Strictly Private and Confidential
October 2014
PwCOctober 2014
Endangering the present
Cyber security threats today have become increasingly sophisticated and complex. As organisations embrace new technologies without fully comprehending the implications these have on the entire enterprise, they are rendering themselves susceptible to an array of cyber-security threats.
An efficient and executable strategy, which encompasses the key levers of people, processes and technology is needed to confront the changing threat landscape, as a few risk issues are as all-encompassing as cyber-security.
2Security & Authentication - An industry perspective • CCA
Cyber security attacks in the news
Stuxnet worm infects critical infrastructure facilities in Gujarat and Haryana, ONGC off-shore oil rig also affected
US Department of Justice (DOJ) sentences five Chinese military hackers for cyber economic espionage against American companies in the nuclear power, metals and solar energy sectors
Instances of state–sponsored espionage against major European bank uncovered by Symantec
The Heartbleed defect, impacts over two-thirds of web servers in the world, including those of popular e-mail and social networking sites
PwCOctober 2014
Are budgets keeping up with the rising costs?
With the increase in the average cost per security incident from $194 to $414 (113%) and a 20% increase in the average losses as a consequence of security breaches, an increase in the information security budget would be anticipated.
However, the average information security budgets actually declined by almost 17%. It seems counter-intuitive that, even though threats have become more frequent and damaging, organisations have not increased their security spending.
3Security & Authentication - An industry perspective • CCA
What drives information security expenditure?
Change and business transformation
Business continuity or disaster recovery
Outsourcing
Company reputation
Merger or acquisition activity
Regulatory compliance
Internal policy compliance
Hacktivism (e.g. WikiLeaks)
Theft of customer or employee information
20% 25% 30% 35% 40% 45% 50%
$4.8 million
$4 million
Drop in total average information security budgets in
India
2013
2014
Key drivers for information security spending in India
PwCOctober 2014
The constantly evolving cyber-threat landscape is driving the increase in security incidents The marked increase in the number of detected incidents, in our view, is likely driven by the changing cyber-threat landscape. As the digital channel in financial services continues to evolve, cybersecurity has become a business risk, rather than simply a technical risk.
4Security & Authentication - An industry perspective • CCA
Nation-states
Cyber criminals
Hacktivists
Cyber terrorists/individual hackers
• Global competition• National security• Fraud
• Illicit profit• Fraud• Identify theft
• Ideological• Political• Disenfranchised • Malicious havoc
• Political cause rather than personal gain
• Ideological
Motivators
• Targeted, long-term cyber campaigns with strategic focus
• Insider• Third-party service
providers• Individual identity theft• Data breaches and
intellectual property theft• Insider• Third-party service
providers• Opportunistic
vulnerabilities • Insider• Third-party service
providers• Targeted organizations that
stand in the way of their cause
• Insider• Third-party service
providers
Threat vectors
• Loss of intellectual property
• Disruption to critical infrastructure
• Monetary loss• Regulatory• Loss of identity• Monetary loss• Intellectual property
loss• Privacy• Regulatory • Destabilize, disrupt
and destroy cyber assets of financial institutions
• Regulatory• Disruption of
operations• Destabilization• Embarrassment• Public relations• Regulatory
Impact
Lin
es
betw
een
th
e t
hre
ats
are
b
lurr
ing
PwCOctober 2014
Insiders are the most likely perpetrators
Current and former employees have been cited by respondents as the most common causes of incidents. This, however, does not imply that most users exhibit malicious behaviour, a lack of awareness of common dos and don’ts may lead to instances in which users compromise data through the loss of mobile devices or through targeted phishing attacks.
Loss of data through associations with customers and vendors also contribute to a reasonable chunk of incidents caused by insiders. The lack of effective mechanisms to manage risks to data stemming from 3rd parties, is largely responsible.
4Security & Authentication - An industry perspective • CCA
Insider threat
Estimated likely sources of incidents (insiders)
0%
10%
20%
30%
40%
50%
2014
2013
PwCOctober 2014
External sources garner most attention
Cyber incidents that garner the most attention are compromises caused by nation states and organised crime and are among the least frequent. However, the fact that there has been a two-fold increase in information security incidents caused by foreign nation-states is alarming.
As nation-states can carry out sophisticated attacks without detection, we believe that the volume of compromises is, in all probability, are under-reported. Indian organisations also reported twice as many attacks from competitors when compared with the global average.
5Security & Authentication - An industry perspective • CCA
Outsiders
0%
5%
10%
15%
20%
25%
30%
35%
40%
45%2014 2013
a1f9118b2c894b8795d9e806e8067666
62d67dba499e402fae711167854b3906
58f95ea816054c5f-b2fcf4128662458b
Line
Estimated likely sources of incidents
PwCOctober 2014
How do attacks impact organisations?
The breach of employee (45%) and customer records (42%) remained the most cited impacts of cyber attacks. Compromise of customer records may interrupt smooth running of business, leave the organization exposed to legal action, result in loss of customers and may also damage the reputation of the organization.
6Security & Authentication - An industry perspective • CCA
Employee and Customer records continue to be the top targets of cyber attacks
Impact of cyber attacks on business
0%
5%
10%
15%
20%
25%
30%
35%
40%2014 2013
PwCOctober 2014
The ‘human parameter’
Employee training and awareness is a fundamental component of every programme, as the weakest link in the security chain is often the human resource. However, compared to last year’s 61%, fewer respondents (56%) require their employees to complete training on privacy policy and practices.
7Security & Authentication - An industry perspective • CCA
Require our employees to certify in writing that they comply with our privacy policies
Require our employees to complete training on privacy policy and practices
Impose disciplinary measures for privacy program violations
Employee security awareness training program
A cross-organizational team (including leaders from finance, legal, risk, human resources, IT, and/or security) that regularly meets to coordinate and communicate information security issues
64.4%
56.2%
54.7%
53.6%
50.3%b6d5cecb5480459dad6b0d44365523e9
c64d39ffa-ba64aa999f4b0b33db792b9
Bar Regular
How respondents are addressing the ‘human parameter’
PwCOctober 2014
Data privacy safeguards
Many organisations have implemented the following data privacy safeguards, however, to prepare themselves better to the changing threat landscape, all organisations should consider implementing these data privacy safeguards.
8Security & Authentication - An industry perspective • CCA
Data privacy safeguards currently in place
People
Require our employees to complete training on privacy policy and practices 56.2%
Impose disciplinary measures for privacy program violations 54.7%
Conduct personnel background checks 58.1%
Processes
Have an information security strategy that is aligned to the specific needs of the business 60.9%
Conduct compliance audits of third parties that handle personal data of customers and employees to ensure they have the capacity to protect such information
52.9%
Inventory of all third parties that handle personal data of employees and customers 50.2%
Technology
Privileged user access 62.6%
Malware or virus-protection software 67.9%
Security information and event management (SIEM) technologies 61.2%
Security-event-correlation tools 56.2%
PwCOctober 2014
Dynamic security practices – Need of the hour
Even with the increase in the average cost per incident and the overall financial losses as a consequence of security incidents, organisations are still reluctant in adopting technologies and processes that can help safeguard the organisation against these incidents.
9Security & Authentication - An industry perspective • CCA
46.4% 45.6%
52.1%
41.2%45.0%
48.2%43.2% 44.7%Col-
umn Regular
55db9a3a735f4b939bde05effd4-da46c
Respondents who answered security safeguards are not currently in place
PwCOctober 2014
Are organisations taking identity management seriously?
10Security & Authentication - An industry perspective • CCA
A large number of organisations have identified access controls and identity management as one of the top security challenges
Over 25% of organisations describe Biometrics for authentication as a top priority in the next 12 months
35%
50% Of organisations have solutions for automated provisioning & de-provisioning of user accounts already in place
50% Of organisations have identity management solutions already in place
Current and former employees continue to be cited as the main causes of security
breaches, with over 65% of incidents being attributed to the group. In the light of these findings, the need for identity and access management solutions now is greater than ever.
PwCOctober 2014
Are organisations moving towards newer authentication methods?
11Security & Authentication - An industry perspective • CCA
Of organisations plan to adopt tokenisation as an emerging technology for data protection41%
Newer techniques such as risk based authentication and behavioural profiling are quickly gaining popularity. Behavioural profiling is used to accurately predict and profile the characteristics of users that may cause breaches.
Over 47% of organisations have employed behavioural profiling tools to strengthen their information security programme
Of organisations already use multi-factor authentication to strengthen information security
53%
PwCOctober 2014
How prevalent is the use of smart cards and tokens for authentication?
12Security & Authentication - An industry perspective • CCA
Security tokens are physical devices that are provided to users to introduce an additional level of security in authentication.
There are three factors to authentication :-Something the user knows-Something the user has-Something the user is/ does
Traditional methods use the first factor for authentication, smart cards and tokens are used to introduce the second factor (something the user has) to enhance security.
49%
Of organisations use disposable passwords or smart cards or tokens for authentication
PwCOctober 2014
Are organisations adopting user activity monitoring tools?
13Security & Authentication - An industry perspective • CCA
To ensure strong control over the activity of users, organisations are moving towards user activity monitoring tools.The use of these tools is more prevalent in the commercial & consumer banking, insurance, aerospace & defence, pharmaceutical and consumer packaged goods sector.
Aerospace & Defense
Consumer Packaged
Goods
Commercial banking
Consumer banking
Insurance Pharmaceutical58.0%
60.0%
62.0%
64.0%
66.0%
68.0%
70.0%
72.0%
Adoption of user activity monitoring (sector wise)
PwCOctober 2014
Organisations are increasingly adopting risk based authentication
14Security & Authentication - An industry perspective • CCA
Risk based authentication solutions enhance traditional authentication methods by assigning a risk value to the user trying to gain access. Such solutions use additional parameters such as behaviour profiling, geo-locations etc. to evaluate the user’s risk profile
Adoption of risk based authentication (sector wise)
Aerospace & Defense
Agriculture
Consulting / Professional Services
Oil & Gas
Utilities
Pharmaceutical
Automotive
Telecommunications
Software
Electronics
Transportation & Logistics
0.0% 10.0% 20.0% 30.0% 40.0% 50.0% 60.0% 70.0%
PwCOctober 2014
How is authentication on mobile devices being managed?
15Security & Authentication - An industry perspective • CCA
One area that organisations are increasingly focusing on is enterprise mobility, which enables employees, partners and customers to access and work on the organisation’s technology platforms through any secure enabler (laptops, tablets or smartphones).
How are organisations ensuring security mobile devices?
30%
34%
38%
42%
46%
50%
Initiatives organisations have taken to address mobile security risks
PwCOctober 2014
Challenges to security
Even with the growing impact that cyber security incidents can have on the entire enterprise, boards of organizations in the country remain oblivious and continue to treat cyber security as an IT problem.
The lack of leadership to set a clear direction for the overall information security strategy along with insufficient capital and operating expenditures represent the biggest obstacles in improving the overall strategic effectiveness of information security.
16Security & Authentication - An industry perspective • CCA
Challenges from within
Leadership: CEO, President, Board, or equivalent
Leadership: CIO or equivalent
Leadership: CISO, CSO, or equivalent
Lack of an effective information security strategy
Lack of an actionable vision or understanding of how future business needs impact information security
Insufficient capital expenditures
Insufficient operating expenditures
Absence or shortage of in-house technical expertise
Poorly integrated or overly complex information and IT systems
0% 5% 10% 15% 20% 25% 30% 35% 40%
Obstacles in improving overall strategic
effectiveness
PwCOctober 2014
Challenges to security
Given today’s interconnected business ecosystem, where the amount of data generated and shared with business partners and suppliers is exponentially greater, due diligence of third parties has become a concern. It is worrisome that the focus on third-party security weakened in the past year in some very key areas; even as the number of incidents attributed to ‘insiders’ increased.
17Security & Authentication - An industry perspective • CCA
Increased dependence on 3rd parties
Conduct compliance audits of third parties that handle personal data of customers and employees to ensure they have the capacity to protect such information
Maintain inventory of all third parties that handle personal data of employees and customers
Have established security baselines/standards for external partners/customers/suppliers/vendors
Require third parties (including outsourcing vendors) to comply with our privacy policies
52.9%
50.2%
53.8%
48.9%051589683d47433dab48f1751537cc84
c64d39ffa-ba64aa999f4b0b33db792b9
Bar Regular
How respondents are safeguarding relationships with 3rd parties
PwCOctober 2014
Security initiatives
The applications of SMAC (social, mobile, analytics and cloud) technologies have been debated for long, but it is about time that Indian companies started leveraging them.
18Security & Authentication - An industry perspective • CCA
Emerging technologies
Social Media
The ambiguity in calculating the return on social media investments, coupled with the difficulty in understanding the applications of social media in business and leveraging them to generate a profit stream has led to a slow adoption
54% d9d4af7c70644128b6bea60bf5ff3a0f
66ad7f2c1ea54ede9b74a90d8453739d
Doughnut
Respondents that audit or monitor
employee postings to external blogs or social networking
sites
Mobile
Organisations are now widely adopting enterprise mobility, while taking initiatives to address risks from its adoption as well, over 65% respondents already have a mobile security strategy in place
54%
41%48%
56%50%
41%Column Regular
5cf80c3b94b84cd0b83f4b5ac25a5d52
Mobile security initiatives taken by organisations
PwCOctober 2014
Security initiatives
19Security & Authentication - An industry perspective • CCA
Analytics
As organisations adopt social media and mobile platforms and the digital footprint of its customers increases, the shear amount of data that is available for organisations to analyse and use increases exponentially. More and more organisations are using big data analytics for data driven insights
0%10%20%30%40%50%60% 57%
19% 20%
Column Regular
41caa595749e4da7b2ba756ea9adaf56
Impact of big data analytics on information security
Over 69% respondents employ big data analytics to model for and identify information security threats. Almost one-third respondents use big data analytics as a cloud service.
47%
22%
20%
8%3%
Currently in place
Currently outsourced
Not in place but is a priority over the next 12 months
No plans to adopt
Do not know
4d60712b4c124e69a22d1aab2eb0081d
88bab05a940247e88fe92af1b927d5b1
Pie
How organizations employ big data analytics
PwCOctober 2014
Security initiatives
Almost 68% respondents already use cloud services in some form (SaaS or PaaS or Iaas), although the use of cloud services for file storage and sharing remains the most popular.
20Security & Authentication - An industry perspective • CCA
20%
30%
40%
50%
60%
70%
80%
Global Indiafdb909e30741457db9415a1a894a41a9
62d67dba499e402fae711167854b3906
Area
How are organisations using cloud services? India vs Global average
Cloud
Migrating to cloud based services marks a fundamental shift in the way business is done, with a variety of deployment & service models available, organisations need to develop a sound strategy to manage cloud services
PwCOctober 2014
Cyber risk managementOrganisations in India have been focused on perimeter security. It is only now that there are visible signs of organisations moving from the asset and technology centered paradigm for information security to comprehensive cyber-risk management. The first step for all organisations will be to align security spending with the organisation’s strategic assets
21Security & Authentication - An industry perspective • CCA
Safeguards that are a top priority for respondents in the next 12 months
Procedures dedicated to protecting intellectual property (IP) 19.2%
Program to identify sensitive assets 23.0%
Centralized security information-management processes 22.6%
Classification of business value of data 16.3%
Risk assessments (on internal systems) 19.2%
Risk assessments (on third-party vendors) 26.8%
Active monitoring/analysis of information security intelligence (e.g., vulnerability reports, log files) 20.5%
Governance, risk, and compliance (GRC) tools 26.0%
Enterprise content-management tools 22.9%
Protection/detection management solution for advanced persistent threats (APTs) 28.3%
Security information and event management (SIEM) technologies 24.2%
PwCOctober 2014
Demographics
Around 30% of our respondents had annual gross revenues of over 1 billion USD, and another 30% (approx.) had revenues between 100 million USD and 1 billion USD. Almost a third of our respondents were small enterprises with annual gross revenues of less than 100 million USD, making it an inclusive survey with a distributed respondent base.
22Security & Authentication - An industry perspective • CCA
29.5%
29.5%
32.6%
3.1%
5.3%
Large (> 1 billion USD)
Medium (100 million USD to 1 billion USD)
Small (< 100 million USD)
Non-Profits, gov-ernment, educa-tionalUnknown
37%
47%
7%
3%7%
CIPSTICEFSGovtOthers
Respondents by annual gross revenues Respondents by industry sector
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers Private Limited, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
© 2014 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.
Thank you.