PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

Transcription

1 PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY Benchmark research sponsored by Raytheon. Independently conducted by Ponemon Institute LLC. February 2018

2 2018 Study on Global Megatrends in Cybersecurity Ponemon Institute, February 2018 Introduction Around the world, cyberattacks on businesses are getting more powerful and harder to stop. Corporate boards aren't being briefed on cybersecurity, and executives don't see it as a strategic priority. Meanwhile, information security officers will become more important yet they aren t always getting the resources they need to protect organizations from growing and more sophisticated threats. Those are among the findings of the 2018 Study on Global Megatrends in Cybersecurity, a survey sponsored by Raytheon and conducted by the Ponemon Institute. The study, conducted in late 2017, looks at commercial cybersecurity through the eyes of those who work on its front lines. More than 1,100 senior information technology practitioners from the United States, Europe, and the Middle East/North Africa region weighed in on the state of the industry today, and where it's going over the next few years. The purpose of this research is to help organizations better understand the changes occurring in the cybersecurity ecosystem that will impact their security posture over the next three years and to elevate the urgency for action when it comes to protecting organizations from cyber threats. According to the research, over the next three years, cyber extortion or ransomware attacks will increase in frequency, as will nation-state attacks and cyber warfare. To improve their preparedness, organizations represented in this research are planning to take the following actions: Expand the CISO s role and responsibility Engage in threat intelligence sharing Require frequent audits and assessments of their security policies and procedures Hire managed security service providers Increase investments in big data analytics, artificial intelligence in cyber defense and threat intelligence feeds The report also highlights megatrends from the 2015 study to show how perceptions about the CISO s role are changing, as well as the growth in the use of certain types of technologies to prevent cyber exploits and data breaches. Following are the seven global megatrends that are problematic for the state of cybersecurity over the next three years. 1. A data breach from an unsecured Internet of Things (IoT) device in the workplace is predicted to be very likely over the next three years. 82% of respondents predict unsecured IoT devices will likely cause a data breach in their organizations. 80% say such a breach could be catastrophic 2. The risk of cyber extortion and data breaches will increase in frequency. CISOs will be faced with a greater risk of cyber extortion, such as ransomware, according to 67% of respondents. 66% of respondents believe data breaches or cybersecurity exploits will seriously diminish their organization s shareholder value. 60% of respondents predict that nation-state attacks against government and commercial organizations will worsen and could potentially lead to a cyber war (That s up from 22% of survey respondents who believe that today.) Page 1

3 3. As a result, IT security practitioners are more pessimistic about their ability to protect their organizations from cyber threats. In this year s study, 54% of respondents believe their cybersecurity posture will either stay the same (35% of respondents) or decline (19% of respondents). In fact, 58% of respondents believe the problem of not having an expert cyber staff will worsen and 46% of respondents believe artificial intelligence will not reduce the need for experts in cybersecurity. 4. Cyber warfare and breaches involving high-value information will have the greatest negative impact on organizations over the next three years. Respondents were asked to rate cyber threats to their organizations from 1 = low risk to 5 = high risk. Today, based on their rating, only 22% of respondents say cyber warfare is a high risk. However, over the next three years, 51% of respondents say it will be a high risk. Today, 43% of respondents rate the risk of breaches involving high-value information as very high and 71% of respondents say the risk will be very high over the next three years. 5. Despite the growing cyber threat, cybersecurity is not considered a strategic priority. IT security practitioners need to make the case that a strong cybersecurity posture protects organizations as they innovate and make important changes to their operations. Only 36% of respondents say their senior leadership believes cybersecurity is a strategic priority, which, in turn, affects funding for investment in technologies and personnel. Based on other Ponemon Institute research, a business with a strong cybersecurity posture can support innovation and lower costs to respond to data breaches and cyber crime, as determined by the deployment of specific practices and technologies. 6. Boards of directors are not engaged in the oversight of their organization s cybersecurity strategy. 68% of respondents say their boards of directors are not being briefed on what their organizations are doing to prevent or mitigate the consequences of a cyberattack. 7. Companies will have to spend more to achieve regulatory compliance and respond to class action lawsuits and tort litigation. Regulations that will have a high cost impact include federal laws regulating data protection and privacy, global data protection laws (such as the EU s General Data Protection Regulation 1 ), state laws regulating data protection and privacy and mandates on critical infrastructure protection. Due to the continuing occurrence of data breaches, respondents predict their organization will be faced with costly class-action lawsuits and tort litigation. Following are the global megatrends that predict improvements in the state of cybersecurity over the next three years. As the threat landscape worsens, organizations will increasingly rely upon the expertise of the CISO. Over the next three years, 72% of respondents believe their responsibilities will not be limited to the IT function and will evolve in importance and span of control. Cybersecurity governance practices are expected to improve. 66% of respondents say they expect their senior IT security leaders to require frequent audits and assessments of the effectiveness of their cybersecurity policies and procedures to protect their most sensitive and confidential data assets. 60% of respondents say their boards of directors are expected to become more involved in overseeing the IT security function. 1 The European Union s General Data Protection Regulation (GDPR) goes into effect on May 25, This new regulation will have a material impact on the ways organization collect, use, store and protect sensitive information. Page 2

4 Many respondents are optimistic they will be promoted to a better position with greater authority and responsibility. 52% of respondents are positive that they will stay in their organization and advance to a position with greater authority and responsibilities, an increase from 45% of respondents in the previous study. 36% of respondents say they have no plans to change jobs, a slight increase from 34% of respondents in Companies will invest in enabling security technologies and managed security service providers as part of their cybersecurity strategy. Technologies expected to increase in importance are artificial intelligence, threat intelligence feeds and analytics in cyber defense. It is predicted that more companies will invest in big data analytics, threat intelligence sharing and the engagement of managed service providers (60%, 56% and 52% of respondents, respectively). Companies are expected to improve collaboration and reduce the complexity of business and IT operations. Companies will be more successful in reducing the complexity of their business and IT operations. Organizational barriers such as a lack of cybersecurity leadership and a lack of collaboration among the various functions are expected to improve. Part 2. Sampling of key findings In this section, we provide a deeper analysis of key megatrends that will affect the cybersecurity posture of organizations. The complete detailed findings including regional analysis and methodology for the entire study are available for review at Raytheon.com/cybertrends2018 Let s dive into two specific key megatrend predictions: The future state of cybersecurity The changing threat landscape The future state of cybersecurity IT security practitioners are more pessimistic about their ability to protect their organizations from cyber threats. As shown in Figure 1, in 2015, 59% of respondents believed that their organization s cybersecurity posture would improve and only 11% said it would decline. In this year s study, 54% of respondents expect their cybersecurity posture to stay the same (35%) or decline (19%). As discussed later in the report, the lack of suitable technologies and inability to hire and retain expert staff are the two factors most respondents see as barriers to a stronger cybersecurity posture. Page 3

5 Figure 1. Will your organization s cybersecurity posture improve in the next three years? 70% 59% 60% 50% 46% 40% 30% 20% 10% 35% 30% 19% 11% 0% Improve Stay at about the same level Decline To improve cybersecurity posture over the next three years, companies should invest in enabling technologies and staffing. This year, improvements in technology and staffing are considered most supportive of a strong cybersecurity posture (47% and 45% of respondents, respectively), according to Figure 2. In contrast, respondents in 2015 were more concerned about the need to increase funding, improve cyber intelligence and minimize employee-related risks (47%, 47% and 36% of respondents, respectively). Figure 2. Success factors that can strengthen your organization s cybersecurity posture in the next three years More than one response allowed Improvement in technologies Improvement in staffing Increase in funding Cyber intelligence improvements Improvement in threat sharing Reduction in the compliance burden Ability to minimize employee-related risk Reduction in complexity Increase in C-level support Cybersecurity leadership Other 1% 0% 10% 19% 16% 17% 19% 23% 22% 21% 25% 27% 30% 34% 33% 36% 41% 40% 47% 45% 47% 47% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% Page 4

6 Over the next three years, companies that do not have suitable technologies and expert staff, as shown in Figure 3, could face a decline in their cybersecurity posture (both 53% of respondents). In the previous study, decline was also attributed to the inability of having skilled security professionals. However, a lack of actionable intelligence and employee-related risks was a concern. This may indicate that respondents in this year s study see improvements in these two areas. Figure 3. Factors that could cause a decline in your organization s cybersecurity posture in the next three years More than one response allowed Lack of suitable technologies Inability to hire and retain expert staff Lack of actionable intelligence Lack of funding Increase in compliance burden Increase in complexity and external applications hosting Inability to minimize employee-related risk Lack of C-level support Lack of cybersecurity leadership 11% 33% 45% 38% 44% 37% 34% 33% 19% 31% 31% 25% 43% 19% 29% 22% 53% 53% 0% 10% 20% 30% 40% 50% 60% IT security practitioners need to make the case that a strong cybersecurity posture protects organizations as they innovate and make important changes to their operations. According to Figure 4, only 36% of respondents say their senior leadership believes cybersecurity is a strategic priority. Based on other Ponemon Institute research, business innovation and lower costs to respond to data breaches and cyber crime can be supported by a strong cybersecurity posture, as determined by the deployment of specific practices and technologies. Furthermore, only 32% of respondents say their boards of directors are being briefed on organizations cybersecurity strategy, an increase from 22% of respondents in Page 5

7 Figure 4. Is cybersecurity a strategic priority? Yes responses Does your organization s senior leadership view cybersecurity as a strategic priority? 36% 34% Has your organization s Board of Directors been briefed on the organization s cybersecurity strategy in the past 12 months? 22% 32% 0% 5% 10% 15% 20% 25% 30% 35% 40% The changing threat landscape Cyber threats and the availability of enabling technologies will continue to have the greatest impact on the overall state of an organization s cybersecurity. As shown in Figure 5, compliance costs are expected to have a lower impact, conversely while organizational factors such as the integration of third parties into internal networks and the inability to recruit and retain qualified ITS personnel are predicted to have a bigger impact on the overall state of cybersecurity. Figure 5. Cyber threats continue to impact the overall state of cybersecurity 100 points in total, allocated according to the impact of the megatrend Cyber threats Enabling technologies Human factors Organizational factors Disruptive technologies Compliance costs Page 6

8 The risk of cyber extortion and data breaches that affect shareholder value will increase in frequency. As shown in Figure 6, CISOs will face a greater risk of cyber extortion, such as ransomware (67% of respondents) and data breaches or cybersecurity exploits that will seriously diminish their organization s shareholder value (66% of respondents). 60% of respondents predict nation-state attacks against government and commercial organizations will worsen and could potentially lead to a cyber war. Only 41% of respondents say their organizations will be able to minimize IoT risks by requiring the integration of security into the devices we build or use in the workplace. Figure 6. Predictions about cyber threats Strongly agree and Agree responses combined The risk of cyber extortion (such as ransomware) will increase in frequency and payout 67% My organization will experience a data breach or cybersecurity exploit that will seriously diminish our shareholder value 66% Nation-state attacks against government and commercial organizations will worsen and potentially lead to a cyber war 60% My organization will be able to minimize IoT (IoT) risks by requiring the integration of security into the devices we build or use in the workplace 41% 0% 10% 20% 30% 40% 50% 60% 70% 80% Cyber extortion threats will increase in frequency. Respondents were asked to rate how specific cyber threats will increase in frequency from a scale of 1 = low frequency to 5 = high frequency. Table 1 presents the cyber threats that are expected to increase significantly in the next three years. Today, 19% of respondents rate cyber extortion as very frequent, but over the next three years, 42% of respondents say this threat will be very frequent. Nation-state attacks and attacks against industrial controls and SCADA will become a more frequent and serious threat to both public and private-sector companies. Table 1. Megatrends: Frequency of cyber threats Cyber threats Today Future Difference Cyber extortion 19% 42% 23% Nation-state attacks 26% 45% 19% Attacks against industrial controls and SCADA 40% 54% 13% Compromised third parties 50% 58% 8% DDoS attacks 61% 69% 8% Android malware/targeted attacks 35% 42% 6% Clickjacking 19% 24% 5% Compromised supply chain 32% 36% 5% Page 7

9 Cyber warfare and cyber terrorism and breaches involving high-value information will have the greatest impact on organizations over the next three years. Respondents were asked to rate cyber threats from 1 = low risk to 5 = high risk. Table 2 shows the cyber threats that pose the greatest threat today and how they are expected to increase over three years. Today, 22% of respondents say cyber warfare is a high risk, but, over the next three years, 51% of respondents say it will impact their organization and the risk will be very high (a difference of 29%). Today, 43% of respondents rate the risk of breaches involving high-value information as very high, and, over the next three years, 71% of respondents say these breaches will increase in the risk they pose to organizations. Table 2. Megatrends: Cyber threats with the greatest risk Cyber threats Today Future Difference Cyber warfare or cyber terrorism 22% 51% 29% Breaches involving high-value information 43% 71% 29% Nation-state attackers 30% 58% 28% Breaches that damage critical infrastructure 37% 64% 28% Breaches that disrupt business and IT processes 41% 62% 21% Emergence of cyber syndicates 42% 60% 18% Stealth and sophistication of cyber attackers 43% 55% 12% Emergence of hacktivism 27% 36% 10% Breaches involving large volumes of data 46% 53% 7% Malicious or criminal insiders 36% 38% 1% Negligent or incompetent employees 31% 29% -3% Evolution in the use of enabling technologies and practices Companies will need to be prepared to deal with privacy and data security regulations that resemble GDPR. As Figure 7 demonstrates, 66% of respondents believe that, whether or not they operate in the EU, they will need to be prepared to comply with regulations that resemble the GDPR. More companies will invest in big data analytics, threat intelligence sharing and the engagement of managed service providers (60%, 56% and 52% of respondents, respectively). Figure 7. Predictions about technologies and practices Strongly agree and Agree responses combined The U.S. and other countries will adopt privacy and data security regulations that will resemble the European Union s (EU) General Data Protection Regulation (GDPR) 66% My organization will increase its investment in big data analytics for cyber defense 60% Sharing of threat intelligence will become a more valuable tool in our organization s security arsenal 56% My organization will increasingly rely upon managed service providers to help improve its security posture 52% 0% 10% 20% 30% 40% 50% 60% 70% Page 8

10 More companies will be hiring managed security services (MSS) to address the lack of skilled in-house staff. As discussed previously, more companies are predicted to engage MSS providers. As shown in Figure 8, almost all companies represented in this research believe these services will become an important part of the overall IT security strategy (80% of respondents). Figure 8. Predictions about the importance of MSS Essential, Very important and Important responses combined How important will your MSS be to your organization s overall IT security strategy in the next three years? 80% How important is MSS to your organization s overall IT security strategy today? 68% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Artificial intelligence in cyber defense will increase in importance. Respondents were asked to rank the importance of specific technologies today and in three years on a scale of 1 = low importance to 5 = high importance. Table 3 shows the technologies rated high in importance today and those rated high in importance in three years. Consistent with previous findings in this report, artificial intelligence in cyber defense, threat intelligence feeds and analytics in cyber defense will increase in importance. Table 3. Megatrends: Technologies that will increase in importance Enabling security technologies Today Future Difference Artificial intelligence in cyber defense 31% 71% 40% Threat intelligence feeds 44% 73% 29% Analytics in cyber defense 33% 59% 26% Block chain technologies 28% 46% 18% Unified threat management (UTM) 31% 44% 13% Next generation firewalls (NGFW) 33% 44% 11% Identity & access management 70% 81% 11% Forensics (automated tools) 23% 33% 10% Incident response tools 45% 55% 10% Page 9

11 The changing threat landscape Disruptive technologies, such as the IoT and acceptance of virtual technologies, will pose the greatest cyber risk over the next three years. Respondents were asked to rate the risk of disruptive technologies in Table 4 and how they would impact their organization from 1 = low risk to 5 = high risk. Disruptive technologies that can increase the possibility of a security incident are the IoT, acceptance of virtual currencies, use of artificial intelligence, big data analytics, use of drones and use of cloud services (SaaS). However, participants predict their ability to minimize the risks created by employees use of personal devices, employees use of insecure connectivity (such as Wi-Fi), organizations use of digital identities and organizations use of document collaboration tools will improve. Table 4. Megatrends: The impact of disruptive technologies on cyber risk Disruptive technologies Today Future Difference Participation in the IoT 38% 63% 25% Acceptance of virtual currencies 16% 36% 20% Use of artificial intelligence 18% 37% 19% Use of big data analytics 22% 34% 12% Use of drones 21% 33% 12% Use of cloud services (SaaS) 26% 34% 8% Use of mobile payments 23% 28% 5% Use of personal mobile apps 38% 43% 5% Use of IT virtualization technologies 37% 35% -2% Use of cloud infrastructure (IaaS) 27% 25% -2% Use of social media in the workplace 28% 26% -2% Use of personal devices (BYOD) 35% 26% -9% Use of insecure connectivity (such as Wi-Fi) 37% 27% -10% Use of digital identities 47% 32% -15% Use of document collaboration tools 58% 35% -23% Page 10

12 Respondents predict that a data breach caused by an unsecured IoT device is likely. Figure 9 reveals that 82% of respondents say it is very likely, likely and somewhat likely that their organization will experience a data breach caused by an unsecured IoT device in the workplace; 80% believe this type of data breach could be catastrophic. Figure 9. An IoT data breach is likely and it could be catastrophic Very likely, Likely and Somewhat likely responses combined How likely will your organization experience the loss or theft of data caused by an unsecured IoT device or application over the next three years? 82% Likelihood a security incident related to an unsecured IoT device or application could be catastrophic 80% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Companies will be spending more to achieve compliance. Respondents were asked to rate various regulations and requirements on a scale from 1 = low cost burden to 5 = high cost burden. Table 5 shows the regulations that are costly today and will remain costly over the next three years. Regulations that will have a high cost impact are federal laws regulating data protection and privacy, global data protection laws (including GDPR), state laws regulating data protection and privacy, class action and tort litigation and mandates on critical infrastructure protection. Those that will have less of a cost impact are self-regulatory programs such as PCI or NIST. Companies also will be in a better position to manage the costs of e-discovery requirements, cybersecurity governance practices and national cyber defense strategies. Table 5. Megatrends: The compliance cost burden Compliance Today Future Difference Federal laws regulating data protection and privacy 40% 60% 20% Global data protection laws (including GDPR) 47% 67% 20% State laws regulating data protection and privacy 40% 55% 15% Class action and tort litigation 31% 45% 14% Mandates on critical infrastructure protection 18% 25% 7% Self-regulatory programs (such as PCI or NIST) 31% 34% 3% E-Discovery requirements 18% 15% -3% Cybersecurity governance 36% 26% -10% National cyber defense strategies 27% 11% -15% Page 11

13 Risks created by organizational factors are expected to mainly decrease. Respondents were asked to rate the risk of organizational factors from 1 = low risk to 5 = high risk. Table 6 shows the organizational factors that pose a high risk today and predictions of those that will be a high risk over the next three years. The integration of third parties into internal networks and applications and the inability to recruit and retain qualified IT security personnel will create greater risks. However, there are positive indications that companies are becoming much better at reducing organizational barriers. Improvements will be made in reducing the complexity of business and IT operations, ability to budget for cyber defense and ability to integrate disparate technologies. Organizational risks such as the lack of cybersecurity leadership and silos and lack of collaboration are expected to improve. Table 6. Megatrends: Organizational risks Organizational factors Today Future Difference Integration of third parties into internal networks and applications 43% 59% 16% Inability to recruit and retain qualified ITS personnel 48% 62% 13% No participation in threat sharing 32% 37% 5% Inability to secure access rights to data, systems and physical spaces 42% 39% -4% Inability to integrate necessary data sources for actionable cyber intelligence 43% 36% -6% Silos and the lack of collaboration 50% 38% -12% Growth of unstructured data assets 53% 39% -14% Inability to convince leadership to make cybersecurity a priority 38% 22% -15% Lack of cybersecurity leadership 51% 35% -16% Inability to integrate disparate technologies 53% 35% -18% Lack of funding to support cyber defense 58% 38% -20% Complexity of business and IT operations 69% 32% -38% Page 12