Boardroom Cyber Watch Survey 2013 Report.

Transcription

1 Boardroom Cyber Watch Survey 2013 Report

2 Cyber-security is always a business issue, never just an IT one. An effective cyber-security strategy is one that addresses people, process, technology and compliance. IT Governance Ltd is the single-source provider of books, tools, training and consultancy for IT governance, risk management and compliance. It is a leading authority on data security and IT governance for business and the public sector. IT Governance is nongeek, approaching IT issues from a non-technology background and talking to management in its own language. Its customer base spans Europe, the Americas, the Middle East and Asia. More information is available at

3 Introduction As an advocate for best practice in the field of IT governance, we recognise that cyber-security is about far more than investing in hardware and software. First and foremost, cyber-security is a business matter. We understand that the buck stops with top management, which is accountable for ensuring its organisation s IT strategy and deployment meet business objectives. Our business is committed to engaging with business leaders about developing and implementing IT regulatory compliance and security strategies, through which businesses can compete effectively in the global information economy. As part of our advocacy, we examine a range of IT governance, regulatory compliance and information security issues from the vantage point of the corporate boardroom. The Boardroom Cyber Watch 2013 is the first survey we have undertaken which specifically targets chief executives, board directors and IT professionals. Our aim is to shine new light on how company directors and board members currently perceive IT security issues. To maximise the response rate, we have used brief, direct questions that we believe not only help establish the respondents level of understanding of IT security challenges, but also identify key areas that need to be addressed. We are delighted that 260 respondents have taken part in the survey, representing a wide variety of industry sectors. The sample is truly international: while the majority are from organisations based in the UK and United States, respondents from South America, Central Europe, Africa, the Middle East, Asia, Australia and New Zealand have also contributed. It gives me great pleasure to share our report on the survey. This document summarises the key findings and provides practical guidance on how both board directors and senior IT managers can address relevant challenges. It may also bring a few surprises for business leaders in terms of how they tackle IT security now and in the future. Alan Calder Chief Executive IT Governance

4 Survey Participants By country UK USA Other By job role 67.7% 10.8% 11.2% 11.9% Chief executive/managing director Other board director or company officer IT director with board membership Other IT professional By company s revenue 26.9% 21.2% 11.2% 12.7% 28.1% Less than $5m $5m - $50m $50m - $100m $100m - $500m More than $500m 4

5 By industry sector Charities & Voluntary Organisations 2.3% Education 3.1% Energy & Utilities 3.5% Engineering 3.8% Financial Services 18.5% Government / Local Authorities 12.3% Healthcare 6.5% Law 0.8% Manufacturing 5.4% Retail 4.6% Technology 33.5% Telecommunications 6.0% 5

6 Key Findings At A Glance The threat from within Although businesses tend to focus mainly on the external cyber-threats facing organisations, more than half of respondents say that the greatest threat to their company s data and computer systems in fact comes from their own employees. Cyber-attacks A quarter of respondents say their organisation has received a concerted cyberattack in the past 12 months. However, the true total may be higher, as over 20% are unsure if their organisation has been subject to an attack. Cyber-security and the Board While a majority of respondents say their board receives regular reports on the status of their organisation s IT security, 52% say that such reports are received, at best, annually. Furthermore, despite cyber-threats potentially impacting many mission-critical aspects of a business, only 30% of respondents say an understanding of current IT security threats is a prerequisite for board-level job candidates. 6

7 Security spending A significant minority over 40% of respondents say their company is either making the wrong level of investment in information security or are unsure if their investment is appropriate. Demands for assurance There is clear recognition of the value of proven information security credentials. Fully 74% of respondents say their customers prefer dealing with suppliers with such credentials, while 50% say their company has been asked about its information security measures by customers in the past 12 months. The need for increased compliance Given the above findings, and the fact the existence of best practice information security standard ISO/IEC is known to 87% of respondents, it is striking that only 35% of responding organisations are apparently compliant with the standard. 7

8 Finding 1 More than half of the respondents believe the greatest threat to their company s data and computer systems is their own employees. Despite almost daily media headlines about cyber-threats from malign external forces, the reality is that a company s employees are the number one threat to corporate data security. This is the view of 54% of respondents, who place the infosecurity risk from employees ahead of criminals, competitors and statesponsored cyber-attackers. Certainly, internal threats to an organisation should be taken as seriously as external threats. Creating awareness amongst employees about the consequences of human error for corporate security can help significantly reduce the number of staff-related data breaches. It is also essential to develop policies for user security, covering acceptable and secure use of your organisation s information systems. This should be supported by a staff training programme and a method for maintaining userawareness of cyber-risks. Tip: Staff security-awareness e-learning courses are one of the most effective ways to impart security awareness to your organisation. This training method not only teaches staff the rules, but also enables managers to automatically maintain records of which staff members have completed a course. This systematic recordkeeping is essential for compliance purposes. More information is available at: Do you believe the greatest threat to your company s data and IT systems results from: Criminals 26.9% Competitors 7.7% State -sponsored cyber-attacks Your own employees 11.9% 53.5% 8

9 Finding 2 At least one in four respondents has received a concerted cyber-attack in the past 12 months. The high level of today s cyber-threat is clear: 25% of respondents confirm their organisation has been subject to an attack within the past 12 months. In fact, the true level of threat may be higher, as a further 21% of respondents do not know if their organisation has come under attack. (This high level of don t knows is interesting in itself. The primary respondents in this study are board directors, senior IT management and other information security professionals, all of whom might be expected to have detailed knowledge of their organisation s defences against the rising tide of cyber-threats. The fact that so many were unsure about actual incidents seems to indicate an area for improvement in IT governance.) Has your business received a concerted cyber-attack in the past 12 months? Yes No 25% 54.2% This high level of confirmed hostile online activity underlines that cyber-attacks are not what happens to other people, but are very real. Cyber-attacks are widespread, usually automated and often indiscriminate any organisation accessing the internet can potentially be targeted. Some prominent organisations may be prioritised because of their prestige, intellectual property or quantity of customer records. However, even small organisations may be subject to deliberate or opportunistic attacks: the respondents in our survey range from organisations with revenues of less than $5m to those turning over more than $500m. Tip: A notable weakness in corporate defences is the use of removable media, such as USB sticks, tablets and smartphones, through which malware can be transferred to a network. Ensure you use adequate software to detect and disable malware. Deploy one of the available range of data leakage prevention (DLP) and disk encryption tools. Use encryption software to manage access to removable media and documentation, as well as to prevent a data breach in the event of loss or theft of devices. More information is available at: aspx Don t know 20.8% 9

10 Finding 3 The majority of respondents say they have methods of detecting and reporting cyberattacks. The great majority (77%) of respondents say their organisation has a method for detecting and reporting cyber-attacks or cyber-incidents. Effective cyber security depends on coordinated, integrated preparations for rebuffing, responding to, and recovering from a range of possible attacks. In order to better protect themselves from cyber-attacks, organisations should: Implement a monitoring strategy and supporting policy Maintain a secure configuration for all ICT systems Establish anti-malware defences that are applicable and relevant to all business areas, supported by suitable policies and procedures Ensure that the network perimeter is suitably managed to minimise risk of penetration Regularly monitor and test their security controls Tip: A penetration test, or pen test, is the easiest and most effective way to ensure exploitable vulnerabilities in your internetfacing resources are adequately patched. The exercise also helps you implement appropriate technical security controls to guard against cyber-intrusions. More information is available at: Does your organisation have any method of detecting and reporting cyber-attacks or cyber-incidents? Yes 76.9% No 16.5% Don t know 6.5% 10

11 Finding 4 While more than half of respondents say their boards receive regular reports on IT security, more than half of such reports are delivered, at best, annually. Board commitment is vital to effective information security. Indeed, with information technology now integral to virtually every business process, it seems inconceivable that board directors should pay any less attention to cyber-defences than to the accuracy of financial statements, effectiveness of marketing or correct drafting of legal contracts. Superficially, our findings provide grounds for optimism, as 58% of respondents say board directors receive regular reports on the status of their company s IT security. However, a less reassuring picture is presented when respondents are asked about the frequency of such reporting. Given that cybercrime is one of the most dynamic and rapidly evolving fields of human activity, with fresh threats emerging almost daily, one would hope that board-level oversight would be carried out frequently. Yet, this appears to be the case in only a minority of organisations: only 5% say reports are submitted daily, with 11% being submitted weekly and 33% monthly. In fact, those saying reports are submitted only annually (17%) or less than annually (35%) together represent the majority of respondents in our study. Tip: Board directors should not only be obtaining frequent reports from their CIOs and CISOs, but they should be insisting on appropriate information security risk management strategies. Information security management decisions must be informed by a risk assessment of information assets. Such an assessment enables expenditure on controls to be balanced against the business harm likely to result from security failures. More information is available at: Do your company s board directors receive regular reports on the status of your company s IT security? If yes, are these reports received: Daily 4.6% Yes 58.1% Weekly 10.8% No 29.6% Monthly 32.7% Don t know 12.3% Annually 17.3% Less than annually 34.6% 11

12 Finding 5 Less than a third of respondents believe an understanding of current security threats is a prerequisite for a board-level job candidate, although the majority consider their knowledge of IT governance to be adequate. Concern about the ability of current and future board directors to keep pace with the emerging cyber-threat environment is also supported by a further finding. Asked if an understanding of current IT security threats is required of a board-level job candidate, only 30% say Yes, while 50% said No and a further 20% do not know. Top-level managers have moved in a single generation from relying upon fax, telephone and paper to having to contend with sophisticated network architecture that forms the central nervous system of their business. The required skill-set for a board director has consequently expanded to include knowledge of technology that was once the preserve of socalled boffins in the IT department. My knowledge of IT governance is adequate given today s cyber threats. Agree Disagree 30.4% 69.6% Based on the findings in our study, it appears that many organisations have yet to implement the necessary training and candidate screening to ensure that current and future leaders are properly equipped to meet their IT governance obligations. However, we take a degree of comfort from the fact that 70% of survey respondents also indicate that their knowledge of IT governance is felt adequate. Tip: A number of issues prevent the board from exercising appropriate governance over information security. One significant factor is that CISOs, generally speaking, still do not have the understanding of business drivers they need to help boards fully assess the pros and cons of proposed information security strategies. CIOs and CISOs must be able to talk to the board about the need to reduce costs or generate business value out of an investment in information security. Unless they can do this, they will be unable to have a productive engagement with their senior colleagues. IT governance is a framework which deals with aligning corporate IT with an organisation s strategic objectives. Board directors, CIOs, CISOs and CTOs should therefore be expected to have a good understanding of IT governance. More information is available at: 12

13 Finding 6 Nearly half of respondents admit they don t make the right level of investment in information security or don t know. In addition, a quarter of respondents admit they have lost sleep worrying about their company s IT security. It is striking that a significant minority (43%) of respondents believe their organisation is not making the correct level of investment in IT security (31%), or do not know if it is correct (12%). Against this, 57% of respondents believe that their level of investment is appropriate. IT security seems expensive to some eyes, but, as the saying goes, just see how expensive it is not to invest in this area. Therefore, the key to ensuring business continuity and data protection is the ability to gauge just how much investment is necessary for your particular business. Tip: Conducting a cyber-security risk assessment, for example, will help identify the gaps and provide a better understanding of which areas need to be addressed. When equipped with a detailed report, the board and senior managers can then make an informed decision on how to spend their budget. More information is available at: A failure to maintain appropriate cyberdefences inevitably puts an organisation at risk. And yet, difficult investment decisions must, of course, be taken given that financial resources are limited. For our size of business, we are making the right level of investment in information security. I have lost sleep in the past 12 months because of worries about my company s IT security. Agree Disagree 57.3% Agree 25.8% 30.8% Disagree 74.2% Don t know 11.9% 13

14 Finding 7 Almost 75% of respondents say their customers prefer to deal with suppliers with proven IT security credentials. 50% say customers have enquired about their company s security measures in the past 12 months. When deciding on IT investments, it is important to recognise that information security should be seen as a competitive advantage, rather than an unwelcome cost. Asked whether their customers prefer to deal with suppliers who have proven IT security credentials, an overwhelming majority of our sample (74%) says Yes. ISO/IEC 27001, together with the international code of practice ISO/IEC 27002, provides a globally-recognised best practice framework for addressing the entire range of risks associated with systems, people and technology. Accredited certification to ISO gives an organisation internationally acknowledged proof that its system for managing information security is of an acceptable, independently audited and verified standard. Proof of the commercial value of ISO certification is apparent in the 50% of respondents who say they have been asked by customers about their company s IT security measures within the past 12 months. Tip: The serious customer demand for organisations with cast-iron security credentials underlines the importance of implementing and maintaining compliance with an internationallyrecognised information security standard such as ISO If you can show that your company is ISO compliant, this can open the door to more business - while also allowing you to sleep more soundly at night. Everything you need for understanding ISO and tackling your project is available at: Do your customers prefer to deal with suppliers with proven IT security credentials? Have any of your customers enquired about your company s IT security measures in the past 12 months? Yes 74.2% Yes 50.4% No 7.3% No 34.6% Don t know 18.5% Don t know 15% 14

15 Finding 8 There is a high level of awareness of ISO 27001, but only 35% of respondents are compliant. Organisations are increasingly seeing the direct benefits of ISO certification for their own operations, as well as the assurance it offers to their customers. The existence of the standard is clearly no secret, as 87% of respondents say they are aware of it. However, despite the considerable benefits of certification, only 35% of respondents said their organisation is compliant. For example, ISO certification enables an organisation in the UK to demonstrate to a potential customer in continental Europe, North America, Japan or elsewhere that its approach to selecting information security controls and managing its overall approach to information security is in line with internationally recognised best practice. In the current economic climate, many companies are inevitably focusing daily on maximising revenues, controlling overheads and managing cash-flow. However, unless you also focus on computer and data security, you are placing your entire business at risk. No organisation should delay in implementing an IT security improvement programme. Tip: If you are not really sure if your business is as secure as possible, there is every chance that you are actually far short of requirements. ISO is the default means for organisations to demonstrate compliance with data protection laws. Start implementation now by finding everything you need, from professional advice to books, tools, training and consultancy, at: Do you know what ISO is? Is your business compliant with ISO 27001? Yes 87.3% Yes 34.6% No 9.2% No 45.8% Unsure 3.5% No 19.6% 15

16 IT Governance Ltd Unit 3, Clive Court Bartholomew s Walk Cambridgeshire Business Park Ely, Cambs CB7 4EA T: + 44 (0) E: servicecentre@itgovernance.co.uk W: Protect Comply Thrive