II. Information Security Infrastructure and Environment 2. III. Information Security Incident Prevention 6. Ⅳ. Security Incidents Responses 13

Transcription

1

2 I. Introduction 1 II. Information Security Infrastructure and Environment 2 1. Information Security Policy 2 2. Information Security Organizations and Officers 3 3. Information Security Education 4 4. Information Security Budget 5 III. Information Security Incident Prevention 6 1. Information Security Products and Services 6 2. Information Security Outsourcing 9 3. Information System Security Inspection Security Patches System Logs and Data Backup 12 Ⅳ. Security Incidents Responses Security Incident Experiences Security Incidents Response 14 Ⅴ. Personal Information Protection Purposes of Personal Information Collection (Usage) Prevention of Infringement on Personal Information 16

3 Ⅵ. Information Security Awareness Threats to Information Security Threats to Personal Information Leakage Obstacles to Information Security 19 Ⅶ. Information Security of New Services Investment in Information Security of New Services Wireless LAN Security Policy Response to Mobile Security Threats Security Concerns Related to Cloud Threats to the Internet of Things (IoT) 24 <Appendix> Status of Information Security Investment Trends and Objectives of Investment in Information Security Reasons for Not Investing in Information Security 26 This report is produced by the Korea Internet & Security Agency (KISA). When citing statistic data in this report, the quotation must identify KISA as its source. The report can also be found on the homepage of KISA (

4 I. Introduction Population Businesses with computers connected to networks (one or more employees). Effective Sample Size 9,586 businesses Data Collection Face-to-face interview Period Aug. 1 Oct. 31, 2016 Sampling Method Multi-stage Stratified Sampling Sampling Error Rate of information policies ±0.70%p (95% confidence level) Sampling design Primary sampling frame : Target businesses of the 2014 Report on the Census on Basic Characteristics of the Establishments. Secondary sampling frame : Businesses with established networks and have more than one employee among target businesses of the 2015 Yearbook of Information Society Statistics. Glossary Malicious code : A software program designed for malicious activities such as system destruction and information leakage (virus, worm, adware, spyware, etc.). Security patch : A piece of software designed to improve the vulnerabilities of the operating system or application program. Computer Emergency Response Team (CERT) : A unit organized to respond to incidents such as intrusion into information & communication network systems, handling the following duties: reception and handling of incidents within the supervision territory; prevention of incidents; restoration of damage. Internet of Things (IoT) : Abbreviation for Internet of things, IoT is an intelligent information technology or service that connects all things, and allows mutual communication between people and objects, objects and other objects (smart automobile, smart refrigerator, etc.). 1

5 II. Information Security Infrastructure and Environment 1. Information Security Policy 17.1% of domestic businesses established information policies or personal information protection policies. 17.1% of businesses established information policies or personal information protection policies in a form of official document. The rate of businesses with information or personal information protection policies is increasing from 11.3% in 2014 to 13.7% in 2015 and 17.1% in (A 3.4%p increase compared to the year 2015.) In terms employees size, 86.4% of businesses with more than 250 employees and 68.3% of businesses with employees have information or personal information protection policies. [Figure 1] Information Security Policy (%) Information Security or Privacy Policy establishment %p or more 2

6 2. Information Security Organizations and Officers A. Information Security Organizations More than 60% of businesses with more than 50 employees operate information teams. 11.0% of businesses run official information teams. The rate of operating information teams is on the rise from 2.8% in 2014 to 7.9% in 2015 and 11.0% in (A 3.1%p increase compared to the year 2015.) In terms of business size, 84% of businesses with more than 250 employees operate information teams followed by businesses with employees (61.7%) and businesses with more than 50 employees (more than 60%). [Figure 2] Information Security Teams (%) Operation of Information Security Task Force %p or more B. Information Security Officers One out of two businesses that collect personal information designate and manage Chief Privacy Officer (CPO). The rate of appointing CISO is 8.9% which is a 2.1%p decrease from the previous year. The rate of appointing CPO is 50.5% which is a 4.3% increase from the previous year. [Figure 3] Appointment and Full Responsibilities of CISO (%) [Figure 4] Appointment and Full Responsibilities of CPO (%) - Business that Collect Personal Information 2.1% p 0.7% p 4.3% p 3.8% p 임명 Appointment 전담 Full Charge Appointment 임명 Full 전담 Charge 3

7 3. Information Security Education 18.0% of businesses provide information education. 18.0% of businesses provide information education (including personal information protection education) to employees during In terms of the target of education, ordinary employees accounted for 86.6% while personal information managers accounted for 52.2%. The rate of information education is rising from 13.2% in 2014 to 14.9% in 2015 and 18.0% in (A 3.1%p increase compared to the year 2015.) [Figure 5] Information Security Education (%) %p The management including the CEO Information officer-level employees Personal information protection officer Personal information handlers IT and information managers Regular staff using a computer * Multiple answers allowed; Businesses providing information education 4

8 4. Information Security Budget 32.5% of businesses allocated information budget. The figure increased by 13.9%p from the previous year. 32.5% of businesses allocated information budget out of the IT budget. The figure grew 13.9%p from the previous year. 1.1% of businesses assigned 5% of their IT budget to information which is a 0.3%p decrease from the previous year. In terms of information budget spending, purchase of information services (42.9%) was the highest followed by purchase of information products (41.2%) and salary of information personnel (15.9%). [Figure 5] Information Security Budget (%) Less than 1% (11.8) Less than 1% (23.3) No information budget (81.4) Over 5% (1.4) Between 1~5% (5.4) No information budget (67.5) Between 1~5% (8.1) Over 5% (1.1) [Figure 7] Information Security Budget Spending Businesses with Information Security Budget (%) Purchase of information products (ex: Network, system, authentication products, etc.) Acquisition of information services Information labor costs 5

9 III. Information Security Incident Prevention 1. Information Security Products and Services A. Use of Information Security Products and Services 89.8% of businesses utilize information products and 40.5% of them use information services. 89.8% of businesses use information products and 40.5% of businesses use information services. The rate of using information products and information services both increased by 3.7%p and 16.3%p respectively compared to the previous year. Among the line of products, network products (82.4%) were the most used by businesses followed by system products (74.1%) and management products (28.3%). In terms of service, maintenance (32.5%) was the highest followed by certification service (11.5%). [Figure 8] Utilization of Information Security Products (Multiple Answers, %) Use of Information Security products Network System Prevention of contents / information lekage Encryption/ authentication Security control Others [Figure 9] Utilization of Information Security Services (Multiple Answers, %) Use of information services Security consulting Maintenance Security control Education / training Authentication services [Figure 10] Use of Information Security Products and Services by Business Size (%) Product Service Overall 1 4 employees employees employees 250 or more employees 6

10 B. Utilization of Information Security Products: By Products 74.1% of domestic businesses use web firewall products. Among the products, web firewall (74.1%) was the most utilized followed by anti-malware (62.7%) and network firewall (62.0%). [Figure 11] Utilization of Information Security Products: By Products (Multiple Answers, %) Network Security Web firewall Network (system) firewall Wireless network Breach detection and prevention system (IDS/IPS) DDoS blocking system Unified threat management (UTM) Network access control (NAC) Virtual personal network (VPN) Network separation (physical/logical) System (Device) Security Anti-malware (vaccine, Anti-spyware) System access control (PC firewall) Spam blocking S/W Secure OS Contents/Data Theft Prevention and Security DB passwords Security USB DB (access control) Digital rights management (DRM) Network DLP(Data Loss Prevention) Device DLP(Data Loss Prevention) Certification One-time password (OTP) Secure smart card H/W token (HSM) Integrated account management (IM/IAM) Public key infrastructure (PKI) Bio-certification (fingerprint, retina recognition, etc.) Enterprise access management (EAM)/Single sign-on (SSO) Security Management Others Backup/restore management system Log management/analysis system Enterprise management (ESM) Patch management system (PMS) Resource management system (RMS) Threat management system (TMS) Weakness analysis tool system Digital forensic system Data backup products (external hard drive, etc.) Data backup on off-site (cloud, etc.) Other

11 C. Utilization of Information Security Services: By Service 32.5% of domestic businesses use maintenance services. In terms of specific services, maintenance (32.5%) was the most utilized followed by certification service (11.5%) and remote control service (6.2%). [Figure 12] Utilization of Information Security Services: By Services (Multiple Answers, %) Security Consulting Maintenance Security/ Monitoring Education /Training Authentication Services Privacy consulting Authentication of information management system Integrated consulting Information audit (internal information leakage prevention& consultin etc.) Diagnosis& hacking simulation Infrastructure Maintenance Remote monitoring services Dispatched monitoring services Education/ Training Authentication Service Note) Maintenance : Services that address problems after selling system and network information products 8

12 2. Information Security Outsourcing 15.4% of businesses outsource information work. 15.4% of businesses outsource information related work. The figure increased by 6.8%p from the previous year. The outsourcing rate has increased from 3.1% in 2014 to 8.6% in 2015 and 15.4% in (A 6.8%p increase compared to the year 2015.) In terms of outsourcing services, maintenance (94.3%) was the largest followed by control (17.2%) and consultation (13.8%.). [Figure 12] Information Security Outsourcing (%) Information Security Outsourcing 6.8%p Maintenance Overall or More Security Monitoring Overall or More Security Consulting Overall or More Authentication Overall Service or More Education/Training Overall Services or More * Multiple answers allowed; Businesses outsourcing operations 9

13 3. Information System Security Inspection 55.5% of domestic businesses carry out inspections, and 14.2% of them conduct it regularly. 55.5% of businesses carry out inspections on their information systems, and 14.2% of the businesses conduct it on a regular basis. The rate of regular inspection is on the rise from 11.2% in 2014, 12.3% in 2015 and 14.2% in (A 1.9%p increase compared to the year 2015.) In terms of inspection items, PC vulnerability (73.2%) was the highest followed by network vulnerability (43.2%) and vulnerability of an OS in a server (33.8%). [Figure 14] Information System Security Inspection (Multiple Answers, %) Security Inspections 10.0%p Regular (At least once a year) Irregular [Figure 15] Information System Vulnerability Inspection (Multiple Answers, %) Businesses That Conduct Security Inspection PC vulnerability Network vulnerability Vulnerability in server OS Web vulnerability Application program vulnerability DB vulnerability Not available 10

14 4. Security Patches 83.9% of businesses apply patches. 83.9% of businesses apply patches on their PCs, servers and systems. Among the equipment configured to be automatically and manually updated, Network servers connected to the outside accounted for the largest proportion in both updates at a rate of 53.1% and 13.3% respectively. [Figure 16] Use of Security Patch (Multiple Answers, %) Businesses that Have the Following Equipment Security patches Employee s PC Server connected with the outside Local server Information system [Figure 17] Use of Security Patch (Multiple Answers, %) Businesses that Have the Following Equipment Auto-Update Manual Update Updates when Problem Occur No Update Employee s PC Server connected with the outside Local server Information system

15 5. System Logs and Data Backup Approximately 40% of businesses backup system logs or important data. 38.3% of businesses backup system logs or important data. 30.3% of businesses backup system logs while 35.5% of businesses backup important data. [Figure 18] System Logs and Data Backup (Multiple Answers, %) Backup System Log Backup Important Data Backup 12

16 IV. Security Incidents Response 1. Security Incident Experiences Only 9.2% of businesses among which experienced incidents reported to relevant agencies. 3.1% of businesses experienced incidents which is a 1.3%p increase from the previous year. 9.2% out of the businesses that went through incidents either consulted or reported to relevant agencies. 66.0% of businesses that reported had serious losses from the incidents. 63.1% of businesses that did not report had somewhat moderate damage from the incidents. Attacks caused by malicious codes (91.0%) were the most common type of incidents. [Figure 19] Security Incident Experiences (%) Reported (9.2) Light Damage Serious Damage %p 3.1 Not reported (90.8) * Businesses having experienced incidents [Figure 20] Types of Security Incidents (Multiple Answers, %) - Businesses that Experienced Security Incidents Attack by Adware/spywa malicious code re infection Ransomware Hacking Leakage of important information from internal personnel Dos/DDoS attack APT attack 13

17 2. Security Incident Response 17.1% of businesses take actions against incidents. 17.1% of businesses responded to incidents which is a 0.4%p decrease from the previous year. To be more specific about countermeasures, create a network of emergency contacts (7.2%) was the largest in proportion followed by consign response activities to external organizations (5.8%) and organize an incident recovery team (5.7%). ISPs (23.2%) turned out to be the most used external cooperation channel for incidents by businesses followed by system development and maintenance service provider (10.3%) and information vendors (7.0%). [Figure 21] Security Incidents Response (Multiple Answers, %) Response to Information Security Incident 0.4%p Created network of emergency contacts for incidents Consigned incident handling to an external organization Organized an incident recovery team Formulated incident response plans Established and operated an incident Response team (CERT) Purchase of information incident related insurance Among the specific questions, Purchase of information incident related insurance were included in [Figure 22] External Cooperation Channel for Security Incidents (Multiple Answers, %) Utilization of External Cooperation Channels %p Internet service provider System development/ maintenance service provider Information service provider CERT information related organization/ association Business related organization/ association Entity in the same business Etc. Response value in 2014 is not expressed in time series as the survey questions changed in

18 V. Personal Information Protection 1. Purposes of Personal Information Collection (Usage) Businesses mostly collect personal information for customer management and authentication. Among the purposes of personal information collection and usage, customer management (75.8%) was the highest followed by user authentication for membership (63.5%), finding ID and passwords (43.7%) and PR and marketing (35.2%). [Figure 23] Purposes of Personal Information Collection and Usage (Multiple Answers, %) Businesses that Collect Personal Information Customer counseling& member management User authentication at joining membership Finding ID/password PR & marketing Payment Event Analysis of operation (ex customer Enrollment characteristics check, etc.) (socio demographic analysis) Customer purchase pattern analysis Adult authentication Etc. 15

19 2. Prevention of Infringement on Personal Information Technical and managerial measures are increasingly implemented to prevent infringement of personal information. The rate of implementing managerial and technical measures to prevent infringement of personal information is 82.0% and 86.2% respectively. Managerial measures include creation of manuals (64.2%), establishment of follow-up management policies (49.5%) and setting an internal response and a reporting system (37.6%). In the case of technical measures to safely handle personal information, installation and operation of access control equipment (62.3%) was the largest in proportion followed by response to infringement of personal information caused by computer virus (61.8%). [Figure 24] Managerial Measures to Prevent Infringement of Personal Information (Multiple Answers, %) Businesses that Collect Personal Information Managerial Actions to Prevent Personal Information Security Incidents %p Created incident prevention manual Established incident follow-up management policy Devised internal incident response and reporting system Reported personal information incidents to the authorities Created and managed list of signs of infringement Formulated procedures to inspect damage and collect evidence caused by infringements Maintained an emergency contact network to external professionals Introduced and operated personal information management system [Figure 25] Technical Measures to Safely Manage Personal Information (Multiple Answers, %) Businesses that Collect Personal Information Technical Actions to Handle Personal Information %p Installation and operation of access control system Prevention of incidents caused by computer virus Security actions using related technologies such as encryption technology Measures preventing the forgery & alternation of access records Offline data storage (USB, external hard disk, etc.) 16

20 VI. Information Security Awareness 1. Threats to Information Security Major threats to information include Internet incidents and personal information leakage. Among the threats to information, Internet incidents (46.5%) was the most concerning followed by personal information leakage (25.8%) and failure of an information system (11.2%). In terms of man-made threats to information, outsiders (33.4%) was the highest in proportion followed by employees (21.8%) and retirees (19.8%). [Figure 26] Threats to Information Security (%) Internet incident (hacking, malware, DDoS, etc.) Personal Information leakage Failure of Information system Threat to information by personnel Natural disaster None [Figure 27] Man-made Threats to Information Security (%) Outsider (visitors, etc.) Current employee Retiree Current employee from the ousourced firm Retiree from the outsourced firm None 17

21 2. Threats to Personal Information Leakage The most worried threats to personal information leakage are hacking by outsiders and poor management. Businesses responded hacking by outsiders (45.7%) was the most concerning threat followed by poor management (34.4%). [Figure 28] Threats to Personal Information Leakage (%) Hacking Leakage by poor information control Intentional leakage by insider Leakage by Outsourced firm 18

22 3. Obstacles to Information Security The biggest obstacles to information are securing information budget or 'information experts. 49.9% of the businesses answered securing information budget was the biggest hindrance followed by securing information professionals (34.0%) and managing information personnel (28.1%). 46.6% of the businesses faced difficulties in securing and managing information personnel. The bigger the size of businesses turned out to experience more difficulties. [Figure 29] Obstacles to Information Security (Multiple Answers, %) Securing budget for information Securing information professionals Operation of information personnel Difficulties in finding information related products and services Operation of information education program Increased in businesses responsibility though deregulation Satisfying the requirements of government regulations None Experienced Difficulties in Securing and Operating Information Security Personnel Overall or more 19

23 VII. Information Security of New Services 1. Investment in Information Security of New Services 13.9% of businesses invest in information of new services. 13.9% of businesses responded they invest in information of new services like wireless LAN (12.2%), mobile (2.8%) and cloud (1.4%). 11.5% of businesses have a plan to invest in information of new services such as wireless LAN (7.6%) and mobile (2.7%). [Figure 30] Investment in Information Security of New Services (Multiple Answers, %) Present Planned Investment in information for new services Wireless LAN Mobile Cloud SNS Big data IoT 20

24 2. Wireless LAN Security Policy 7 out of 10 businesses that established internal wireless LAN have information policies. 69.8% of businesses that created internal wireless LAN turned out to have information policies for it. Among the measures for wireless LAN, setting a password for access to wireless LAN (69.9%) accounted for the largest proportion followed by data transfer and encryption (20.1%) and separation of internal wired and wireless networks (19.7%). [Figure 31] Wireless LAN Security Policy (%) Businesses with Wireless LAN In-Company Wireless LAN Security Measures %p Set password for wireless LAN access control Data & encryption Separation of internal wired and wireless networks Wireless LAN access control & filtering Restrictions on the use of external wireless LAN Cutoff of SNS access through wireless LAN * Multiple answers allowed; Businesses with internal wireless LAN plan 21

25 3. Response to Mobile Security Threats Among the countermeasures to mobile threats, compulsory installation of software is the most implemented. 44.4% (increased by 5.1%p from the previous year) of businesses using work related mobile devices have response plans for mobile. Among the countermeasures for mobile, compulsory installation of software on mobile devices (21.1%) was the most used followed by drawing policies on mobile device utilization (19.5%) and compulsory backup of mobile device data (14.1%). [Figure 32] Response to Mobile Security Threats (Multiple Answers, %) Businesses Using Work Related Mobile Devices Responses Plan against Mobile Security Threats 5.1%p Compulsory installation of moble device software Mobile device utilization related policy planning Compulsory backup of mobile device data In/out control on mobile devices Mobile management staffing Development of management system such as storage of mobile device access records. 22

26 4. Security Concerns Related to Cloud 47.4% of businesses worry about information leakage due to outsourcing of data storage and diversification of terminals. 5.4% of businesses using cloud. The figure increased by 1.2%p from the previous year. Information leakage from outsourced data storage (47.4%) was the most concerning factor followed by information leakage from diverse terminals (29.7%), massive damage caused by service failure due to resource sharing and concentration (13.9%) and difficulties in applying such as encryption and access control after distributed processing (4.5%). [Figure 33] Security Concerns Related to Cloud (%) Cloud Utilization %p Information leakage after the outsourcing of data storage Information leakage due to the diversification of terminals Large damage at failure of services due to the sharing and concentration of resources Difficulties in the application of information such as encryption and access control after distributed processing 23

27 5. Threats to the Internet of Things (IoT) Information leakage is the biggest threat to businesses when they adopt the IoT. Businesses answered the biggest threat to adoption of the IoT is information leakage (57.5%) followed by hacking and malware infection (56.4%), mobile signal interference and failure (51.8%) and device lost and theft (48.6%). [Figure 34] Concerns Over Threats to the IoT (Multiple Answers, %) Not Worried at All Not Very Worried Average Somewhat Worried Very Worried Worried Information leakage Hacking and malware infection Mobile signal interference and failure Loss and theft of device

28 <Appendix> Status of Information Security Investment 1. Trends and Objectives of Investment in Information Security Most businesses invest in information for corporate value (36.2%) rather than compliance with obligations (22.2%). 44.3% of businesses spare a certain amount of money to invest in information regardless of changes in threats and budget while 39.9% of businesses flexibly change their budget of information according to changes in threats. A higher number of businesses invest in information for protection and improvement of corporate value (36.2%) rather than compliance with obligations like legal responsibilities (22.2%). [Figure 35] Trends of Information Security Budget Spending (%) Businesses that Have Information Security Budget Spends a certain amount regardless of changes in circumstances and their budget conditions Spends in a more flexible manner according to changes in circumstances Spends the money for a more productive project Makes a decision after analyzing the effects of the information budget spending [Figure 36] Purposes of Information Security Investment (%) Businesses that Have Information Security Budget Fulfillment of obligations Corporate Values Fulfillment of legally required obligations Neutral Protection and Improvement of Company Value 25

29 2. Reasons for Not Investing in Information Security Few businesses recognize importance of securing information budget. 58.4% of businesses that did not secure information budget don't recognize a need to do so as they hardly experience information incidents. 29.% of the businesses responded they have no idea about information while 6.8% of them said that information is not their top priority when securing budget. [Figure 37] Reasons for Not Investing in Information Protection (%) - Businesses without information Security Budget No necessity of the budget because they hardly suffer from an information related incident No idea about information Information is not top priority in budgeting There has already been enough spending for information Etc. 26