I. Introduction 1. II. Information Security Infrastructure and Environment 2. III. Information Security Incident Prevention and Responses 6

Transcription

1

2 I. Introduction 1 II. Information Security Infrastructure and Environment 2 1. Information policy 2 2. Information organizations and officers 3 3. Information education 4 4. Information budget 5 III. Information Security Incident Prevention and Responses 6 1. Information products and services 6 2. Information outsourcing 9 3. Information system inspection Security patches System log and data backup 12 IV. Responses to Security Incidents Security incident experiences Responses to incidents 14 V. Protection of Personal Information Purposes of collecting personal Prevention of personal incidents 16

3 VI. Information Security Awareness Threats to Factors threatening personal leakage Obstacles in 19 VII. New Service Information Security Investment in on new services Wireless LAN policy Response plan against mobile threats Security concerns relate to Cloud Threats to the Internet of Things (IoT) 24 <Appendix> Present Condition of Information Security Investments Present condition of Information expenses Investment tendencies and purposes of Reasons for not investing in 27 The report is produced by the Korea Internet & Security Agency. When citing the statistic data in this report, the quotation must identify KISA as its source. The report can also be found on the homepage of the Korea Internet & Security Agency (

4 I. Introduction Population A business with the computers connected to a network (one or more employees) Sample Size 8,121 businesses Data Collection Face to Face interview Fieldwork Period Aug. 1-Sep. 30, 2015 Sampling Method Multi-stage stratified sampling Sampling Error The appointment rate of Chief Information Security Officer (CISO) ±0.68%p(95% confidence interval) Sampling design Primary sampling frame : The target businesses for 2013 Census on Establishments Secondary sampling frame : Entities with a network (at least one employee) among the target businesses for 2014 Yearbook of Information Society Statistics Glossary Malicious Code : A software program designed for malicious activities such as system destruction and leakage (virus, worm, adware, spyware, etc.) Security patch : A piece of software designed to improve the vulnerabilities of the operating system or application program Computer Emergency Response Team (CERT) : A unit organized to respond to incidents such as intrusion into & communication network systems, handling the following duties: reception and handling of incidents within the supervision territory; prevention of incidents; restoration of damage The Internet of Things (IoT) : An abbreviation for Internet of things, IoT is an intelligent technology or service that connects all things, and allows mutual communication between people and objects, objects and other objects. (Smart automobile, smart refrigerator, etc.) 1

5 2015 Survey on Information Security Business II. Information Security Infrastructure and Environment 1. Information policy 13.7% of businesses have established policy or privacy policy 13.7% of businesses have an official written policy or privacy policy (increase by 2.4%p from the prior year) 11.3% of businesses have both policy and privacy policy [Figure 1] Information Security Policy (%) Information policy & privacy policy establishment 2.4%p Both policy and privacy policy establishment Information policy only establishment Privacy policy only establishment 2

6 2. Information organizations and officers A. Information organizations More than 50% of the businesses with at least 50 employees operate Information Security Task Force 7.9% of businesses run official task forces More than half of the businesses with at least 50 employees operate task forces (71.0% in businesses with 250 employees or more, 52.3% in businesses with employees) [Figure 2] Information Security Organizations (%) Not available (92.1) Currently in operation(7.9) employees 5-9 employees employees employees 250 or more employees B. Information officers One out of 10 businesses has a CISO 11.0% of businesses have appointed CISO (increase by 3.3% from the previous year) 46.2% of businesses have appointed CPO (increase by 21.4% from the previous year) [Figure 3] Percentage of Information Security Officer Appointment and Full Charge (%) 3. 3%p 0. 7%p 21.4%p 2. 9%p Appointment Full Charge Appointment Full Charge *Business which collect personal 3

7 2015 Survey on Information Security Business 3. Information education 14.9% of businesses provide education 14.9% of businesses provide education (including privacy education) in 2014; in terms of the subject of education, 91.2% for general employees and 70.4% for IT and managers [Figure 4] Information Security Education (%) 1.7%p The management in cluding the CEO Information officer-level employees IT and managers General employees using a computer * Businesses providing education 4

8 4. Information budget 18.6% of businesses have complied budget (increase by 8.1%p from the prior year) 18.6% of businesses have drawn up budget among IT budget (increase by 8.1%p from the prior year) 1.4% of businesses with over 5% have drawn up budget among IT budget (increase by 0.2%p from the prior year) In terms of budget spending, purchase of items (51.2%) is the highest, followed by acquisition of services (37.7%) and labor costs (11.2%) [Figure 5] Information Security Budget (%) Less than 1%(6.2) Less than 1%(11.8) No budget (89.5) over 5% (1.2) Between 1-5% (3.2) No budget (81.4) over 5% Between (1.4) 1-5% (5.4) [Figure 6] Information Security Budget Spending Businesses with Information Security Budget (%) Purchase of products (ex: Network, system, authentication products, etc.) Acquisition of services Information labor costs 5

9 2015 Survey on Information Security Business III. Information Security Incident Prevention and Responses 1. Information products and services A. Use of products and services 86.1% of businesses utilize products and 24.2% of them utilize services 86.1% of businesses use products and 24.2% of businesses use services In terms of the products, system product (81.9%) is the highest, followed by network product (62.7%) and control (40.2%) In terms of the services, maintenance (20.0%) is the highest, followed by consulting (8.0%) and education/training (7.6%) [Figure 7] Utilization of Information Security Products (Multiple Responses, %) Use of products Network System Prevention of contents / leakage Encryption / authentication Security control Others [Figure 8] Utilization of Information Security Services (Multiple Responses, %) Use of services Security consulting Maintenance Security control Education / training Authentication services 6

10 B. Utilization of products: In detail 72.4% of businesses use anti-malware products Specifically, anti-malware (72.4%) is mostly utilized, followed by network firewall (44.8%) and web firewall (42.7%). [Figure 9] Utilization of Information Security Items: in detail (Multiple Responses, %) Network Network (system) firewall Web firewall Mobile network Intrusion Detection System (IDS), Intrusion Prevention System (IPS) DDoS defense system Integrated system (United Threat Management: UTM) Network Access Control (NAC) Virtual Private Network (VPN) Network partition (physical, logical) System (terminal) Anti-malware (vaccine, anti-spyware) Anti-spam software System access control (including PC firewall) Secure operating system Prevention of contents/ leakage DB encryption DB (access control) Secure USB Network Data Loss Prevention (DLP) Digital Rights Management (DRM) Terminal Data Loss Prevention (DLP) One-Time Password (OTP) Authentication Security smart card Biometrics (fingerprint, iris recognition, etc.) Integrated Account Management (IM/IAM) Hardware Security Module (HSM) Public Key Infrastructure (PKI) Extranet Access Management (EAM), Single Sign-On (SSO) Security control Backup and recovery management system Enterprise Security Management (ESM) Log management/analysis system Threat Management System (TMS) Patch Management System (PMS) Resource Management System (RMS) Vulnerability Assessment Tool System Digital forensic system Others Data backup products (external hard disk, etc.) Offsite data backup (cloud, etc.) Etc

11 2015 Survey on Information Security Business C. Utilization of services: Specific services 20.0% of businesses use maintenance services In terms of specific services, maintenance (20.0%) is the highest, followed by education/training services (7.6%) and authentication services (7.2%). [Figure 10] Utilization of Information Security Services: Specific Services (Multiple Responses, %) Security Consulting Maintenance Security/ Monitoring Education /Training Authentication Services Privacy consulting Authentication of management system Integrated consulting Infrastructure Diagnosis & hacking simulation Information Maintenance Remote audit (internal monitoring services leakage prevention& consulting, etc.) Dispatched monitoring services Education/ Training Authentication services 8

12 2. Information outsourcing 8.6% of businesses outsource 8.6% of businesses outsource (increase by 5.5%p from the prior year) In terms of services, maintenance (90.6%) is the highest, followed by education/training services (29.6%) and authentication services (27.6%). [Figure 12] Information Security Outsourcing (%) 5.5%p Maintenance Education /Training Services Authentication Services Security Monitoring Security Consulting Etc. * Businesses outsourcing 9

13 2015 Survey on Information Security Business 3. Information system inspection 45.5% of businesses carry out a inspection, and 12.3% of them conduct it regularly 45.5% of businesses carry out a inspection on their system, while 12.3% of businesses conduct it on a regular basis. In terms of category of vulnerability check, PC vulnerability (77.9%) is the highest, followed by network vulnerability (47.3%) and vulnerability in the server OS (37.3%). [Figure 13] Information System Security Inspection (Multiple Responses, %) Regular Inspection Security Inspection %p Regular (At least once a year) Irregular (Less than once a year, when a problem is detected, etc.) Not available [Figure 14] Information System Vulnerability Check (Multiple Responses, %) Businesses conducting inspection PC vulnerability Network vulnerability Vulnerability in server OS Application program vulnerability Web vulnerability DB vulnerability Not available 10

14 4. Security patches 86.2% of businesses perform patch 86.2% of businesses perform patch on their PCs, servers and systems As to the items with auto-update setting, employees PC (61.1%) is the highest. In terms of the items with manual-update setting, on the other hand, server connected with the outside (16.4%) is the highest. [Figure 15] Use of patch Businesses with equipment (Multiple Respon ses, %) Security patch Employee s PC Server connected with the outside Local server Information system [Figure 16] Use of patch Businesses with equipment (%) Auto-update Manual update Update when a problem occurs Not available Employee s PC Server connected with the outside Local server Information system

15 2015 Survey on Information Security Business 5. System log and data backup Approximately 40% of businesses carry out system log and data backup. 39.9% of businesses perform system log or important data backup 23.5% of businesses carry out system log and 37.0% of businesses conduct important data backup [Figure 17] System Log and Data Backup (Multiple Responses, %) Backup System Log Backup Important Data Backup 12

16 IV. Responses to Security Incidents 1. Security incident experiences Among the businesses having experienced incidents, 8.2% of businesses have reported 1.8% of businesses have experienced incidents (decrease by 0.4%p from the prior year) Among the businesses having experienced the incident, 8.2% have reported the incident. [Figure 18] Security incident experiences (%) 0.4%p Reported (8.2) Not reported (91.8) * Businesses having experienced incidents 13

17 2015 Survey on Information Security Business 2. Responses to incidents 17.5% of businesses respond to incidents 17.5% of businesses respond to incidents (increase by 9.9%p from the previous year) To be specific, 'created network of emergency contacts for incidents (9.5%) is the highest response. Formulated incident response plans (7.4%) and Consigned incident handling to an external organization (5.8%) is followed. The Internet service provider (15.6%) is the primary external cooperation channel to handle incidents, followed by system development & maintenance service provider (13.0%) and service provider (7.7%). [Figure 19] Responses to Security Incidents (Multiple Responses, %) Implementation of Security Incident Responses 9.9%p Created network of emergency contacts for incidents Formulated incident response plans Consigned incident handling to an external organization Established and operated an incident response team (CERT) Organized an incident recovery team Purchase of incident-related insurance policies [Figure 20] External Cooperation Channels to Handle Security Incidents (Multiple Responses, %) Utilization of External Cooperation Channels 18.8%p Internet service provider System developm ent & maintenan ce service provider Informatio n service provider CERT Informatio n related organizati on/associa tion Businessrelated organizati on/associa tion Entity in the same business Etc. 14

18 V. Protection of Personal Information 1. Purposes of Collecting Personal Information In general, purposes of collecting personal are user authentication and finding login The most of purposes which collecting and using personal, user authentication at joining membership (73.1%) is the highest followed by finding ID/password (60.0%), customer counseling & member management (45.0%) and PR & marketing (18.9%). [Figure 21] Purposes of Collecting Personal Information (Multiple Responses, %) Businesses Collecting Personal Information User authentication at joining membership Finding ID/password Customer counseling& member management PR & marketing Payment Analysis of Event customer operation (ex: characteristics Enrollment (sociodemographic check, etc.) analysis) Analysis of customer purchase patterns Adult authentication Etc. 15

19 2015 Survey on Information Security Business 2. Prevention of personal incidents Technical and managerial actions to prevent personal incidents have increased The percentage of businesses taking managerial and technical measures to prevent personal incidents are 64.5% and 69.5% respectively In managerial actions, created incident prevention manual (53.2%), follow-up management policy (43.3%) and devised internal incident response and reporting system (33.6%) are in order In technical measures to keep personal safe, anti-virus plan (55.2%) is the highest, followed by installation and operation of access-control system (43.0%). [Figure 22] Managerial Actions for Prevention of Personal Information Security Incidents collecting Personal Information (Multiple Responses, %) Managerial Actions to Prevent Personal Information Security Incidents Businesses 22.7%p Created incident prevention manual Established incident follow-up management policy Devised internal incident response and reporting system Formulated procedures to inspect damage and collect evidence caused by infringements Created and managed list of signs of infringement Reported personal incidents to the authorities Maintained an emergency contact network of external professionals Introduced and operated personal management system [Figure 23] Technical Actions for Safety of Personal Information Information (Multiple Responses, %) Businesses collecting Personal Technical Actions to Handle Personal Information %p Prevention of incidents caused by computer virus Installation and operation of accesscontrol system Security actions using related technologies such as encryption technology Measures preventing the forgery & alternation of access records Offline data storage (USB, external hard disk, etc.) 16

20 VI. Information Security Awareness 1. Threats to The primary threats to include the Internet incidents and personal leakages. In terms of threats to, the Internet incidents (38.3%) is the highest, followed by personal leakages (36.5%) and failure of system (14.1%). In terms of threats to by personnel, outsider (34.7%) is most responded, followed by current employee (27.2%) and retiree (21.2%). [Figure 24] Threats to Information Security (%) Internet incidents(hacking, malware, DDoS, etc.) Personal leakages Failure of system Threat to by personnel Natural disaster None [Figure 25] Threats to Information Security by Personnel (%) Outsider (ex: visitor, etc.) Current employee Retiree Current employee from the outsourced firm Retiree from the outsourced firm None 17

21 2015 Survey on Information Security Business 2. Factors threatening personal leakage Factors threatening personal leakage include hacking and poor control. In terms of the factors threatening personal leakage, hacking (46.0%) is most responded, followed by poor control (37.5%). [Figure 26] Factors Threatening Personal Information Leakage (%) Hacking Leakage by poor control Intentional leakage by insider Leakage by outsourced firm 18

22 3. Obstacles in The biggest obstacle in is to secure budget for or experts. In terms of obstacles in, securing budget for is most responded with 42.3%, followed by securing professionals (35.6%) and operation of personnel (26.1%). [Figure 27] Obstacles in Information Security (Multiple Responses, %) Securing budget for Securing professionals Operation of personnel Difficulties in finding related products and services Operation of education program Increase in businesses responsibility through deregulation Satisfying the requirements of government regulations None 19

23 2015 Survey on Information Security Business VII. New Services Information Security 1. Investment in on new services 22.5% of businesses have invested in on new services 22.5% of businesses have invested in on new services (18.5% in wireless LAN, 6.2% in mobile, 1.6% in cloud ) 12.6% of businesses have a plan to invest in on new services (8.6% in wireless LAN, 4.8% in mobile ) [Figure 28] Investment in Information Security on New Services (Multiple Responses, %) Present Planned Investment in for new services Wireless LAN Mobile Cloud Big data SNS IoT 20

24 2. Wireless LAN policy Six out of 10 internal wireless LAN developers have an plan. 61.3% of the businesses with internal wireless LAN have an plan for the wireless LAN. In terms of wireless LAN, password setting for access to wireless LAN (84.6%) is the highest, followed by data & encryption (21.5%) and wireless LAN access control & filtering (15.7%). [Figure 29] Wireless LAN Security Policy (%) Businesses with Wireless LAN 84.6 Not available (38.7) Available (61.3) Encryption for wireless LAN access control Data Wireless LAN & encryption access control & filtering * Businesses with internal wireless LAN plan Separation of internal wired and wireless networks Cutoff of SNS access through wireless LAN Restrictions on the use of external wireless LAN 21

25 2015 Survey on Information Security Business 3. Response plan against mobile threats In terms of response plan against mobile threats, compulsory installation of software is most widely implemented. 39.3% (increase by 12.6%p from the previous year) of the businesses using mobile devices for their businesses have a response plan for mobile. In terms of response plan for mobile, compulsory installation of mobile device software (22.3%) is the highest, followed by mobile device utilization-related policy planning (15.8%) and compulsory backup of mobile device data (12.5%). [Figure 30] Response Plan against Mobile Security Threats Business (Multiple Responses, %) Response Plan against Mobile Security Threats Businesses Using Mobile Devices for their 12.6%p Compulsory installation of mobile device software Mobile device utilizationrelated policy planning Compulsory In/out control on backup of mobile devices mobile device data Mobile management staffing Development of management system such as storage of mobile device access records 22

26 4. Security concerns relate to cloud 40.3% of businesses concern about leakage due to outsourcing of data storage or diversification of terminals. In terms of Security concerns relate to cloud, leakage after outsourcing of data storage (40.3%) is most responded, followed by leakage due to diversification of terminals (29.6%), large damage at failure of services due to the sharing and concentration of resources (13.5%) and difficulties in the application of such as encryption and access control after distributed processing (6.1%). [Figure 31] Security concerns relate to cloud (%) Information leakage after the outsourcing of data storage Information leakage due to the diversification of terminals Large damage at failure of services due to the sharing and concentration of resources Difficulties in the application of such as encryption and access control after distributed processing 23

27 2015 Survey on Information Security Business 5. Threats to the Internet of Things (IoT) In terms of threats to the IoT, leakage is most responded. In terms of threats to the IoT, leakage is the highest with 56.8%, followed by hacking and malware infection (52.2%), 'mobile signal interference & failure (51.4%) and loss and theft of device (48.5%). [Figure 32] The Level of Concern by Threat to the IoT (%) Never concerned Not much concerned Neither concerned or unconcerned Slight concerned Very concerned Concerned Loss and theft of device Hacking & malware infection Mobile signal interference & failure 51.4 Information leakage

28 <Appendix> Present Condition of Information Security Investments 1. Present condition of expenses The budget is usually paid in the 1st quarter. 12.2% of businesses have increased budget from the prior year in 2014 (2.2% in 2015) 97.7% of businesses are no change in expenditure differences compared to the budget plan in 2015 In terms of the time of budget spending, 1st quarter was highest in 2014 (53.9%) and 2015 (61.4%). [Figure 33] Increase/Decrease in Information Security Budget from the Previous Year Information Security Budget (%) Businesses with No change (83.9) Increase (12.2) Decrease (3.9) No change (97.1) Increase (2.2) Decrease (0.7) [Figure 34] Information Security Expenditures Compared to the Budget Plan (%) Increase (1.8) Decrease (0.5) No change (97.7) [Figure 35] Time of Information Security Budget Spending Budget Plan (%) Businesses with Information Security 1st Quarter 2nd Quarter 3rd Quarter 4th Quarter Time of Budget Spending (2014) Time of Budget Spending (2015)

29 2015 Survey on Information Security Business 2. Investment tendencies and purposes of In terms of investment tendency, improvement of corporate values (40.8%) is higher than fulfillment of obligations (26.6%). 42.7% of businesses make a certain amount of investments regardless of changes in circumstances and their budget conditions; 36.6% of businesses make investments in a more flexible manner according to changes in circumstances Businesses tend to make investments for protection and improvement of corporate values (40.8%) than fulfillment of obligations (26.6%) [Figure 36] Information Security Budget Spending Trends Budget (%) Businesses with Information Security Spends a certain amount regardless of changes in circumstances and their budget conditions Spends in a more flexible manner according to changes in circumstances Makes a decision after analyzing the effects of the budget spending Spends the money for a more productive project [Figure 37] Purposes of Information Security Investments Budget (%) Businesses with Information Security Fulfillment of obligations Corporate values Fulfillment of legally required obligations Neutral Protection and improvement of corporate values 26

30 3. Reasons for not investing in A few businesses are aware of a necessity of budget Among the businesses without budget, 60.1% do not feel a necessity of the budget because they hardly suffer from an -related incident. 21.4% responded that they have no idea about. 9.8% said that is not their top priority in budgeting. [Figure 38] Reasons for not Investing in Information Security Security Budget (%) Businesses without Information No necessity of the budget because they hardly suffer from an related incident No idea about is not top priority in budgeting There has already been enough spending for Etc. 27