Security in the age of digital disruption. An Australian and New Zealand perspective

Transcription

1 Security in the age of digital disruption An Australian and New Zealand perspective

2 Contents Foreword 3 Introduction 4 Investment in emerging technologies is on the rise 5 Organisation-wide approach to digital 6 Stepping up cybersecurity s significance 7 Identifying cybersecurity attacks and threats 10 Cost of cybersecurity breaches 13 Getting on the front foot with cybersecurity services 14 Recommendations 18 About this report 19

3 Foreword Welcome to the new era of digital disruption. Today, CEOs and boards are constantly under pressure to ensure their organisations are both relevant and resilient in the face of rapid technological and social change. The constant evolution of cybersecurity threats and shortage of cybersecurity skills coupled with the introduction of the Australian Government s Notifiable Data Breaches scheme and the EU s General Data Protection Regulation has made cybersecurity an organisational-wide challenge at the top of every business leader s agenda. Seelan Nayagam Managing Director DXC Technology Australia & New Zealand It is against this backdrop that DXC Technology is pleased to contribute a new perspective on the challenge of security in the age of digital disruption and how Australian and New Zealand organisations can adopt best practice to thrive in this unprecedented time of change, all backed by independently produced research from Telsyte. DXC Technology believes it is time to advocate a more holistic approach to digital transformation. Telsyte s local research of more than 240 IT decision makers in Australian and New Zealand organisations shows organisations need an aligned digital transformation and security strategy. With this I am pleased to introduce you to Security in the age of digital disruption. I hope the findings in this research study will help your organisation take on today s security challenges and thrive now and in the future.

4 Introduction Australian organisations are investing strongly in emerging technologies and digital business initiatives. A wave of digital transformation is aimed at modernising legacy systems and building new platforms to remain relevant in the face of increasing global competition. Everything from the Internet of Things to big data analytics and artificial intelligence, are being applied for process improvement and new customer service options. As these new technologies appear, so are new cybersecurity risks, which, if not managed prudently, can result in loss of revenue-generating capability and significant reputation damage. DXC Technology commissioned Australian emerging technology research firm Telsyte to investigate how cybersecurity investments and strategies are keeping pace with wider digital agendas. This report, Security in the age of digital disruption: An Australia and New Zealand perspective, presents the key findings of the research and how IT and business leaders across Australia and New Zealand can measure the cost of low or poor cybersecurity investments and the resulting impact on digital transformation programs. Despite heavy investments in emerging technologies, organisations are still lagging when it comes to cybersecurity spending, and this lack of commitment poses a real business risk. IT and business leaders in the region must align their cybersecurity strategy and spending with emerging technology investments, to ensure digital transformation programs are executed with confidence. With a solid investment strategy, cybersecurity will become an enabler of new business innovation. 4

5 Key Points Balancing emerging technologies and security Investments in new technology is growing strong Any new technology or service brings risk Organisations must push ahead with digital transformation to remain relevant Agile organisations will mitigate risk as it appears Investment in emerging technologies is on the rise Organisations in Australia and New Zealand are now at the forefront of new technology adoption. Developments in various emerging technology areas, such as artificial intelligence (AI) and big data, have forced government agencies and businesses to adapt to the wave of digital disruption. Digital-only businesses have also entered new markets outside the US and Asia, and local organisations are now forced to deal with their disruptive threats alongside traditional competitors. Investments in emerging technologies is a means to remain competitive and to gain an edge over industry laggards. To quantify the uptake of emerging technology, and how cybersecurity investments are keeping up with the changes, Telsyte conducted a study of more than 200 ICT decision makers from Australia and New Zealand. The research found at least one in three organisations across the region intend to adopt emerging technologies such as AI, cellular machine-to-machine (M2M) or big data and analytics, with New Zealand organisations having higher adoption intention overall. What technologies are you planning to adopt? New Zealand (%) Australia (%) Artificial intelligence Cellular machine-to-machine (M2M) Big Data and Data Analytics Table 1. Examples of emerging technology adoption intentions in Australia and New Zealand A high level of investment in emerging technologies is poised to support enterprisewide digital strategies. More than 70 per cent of organisations surveyed have an organisation-wide digital strategy, which, according to Telsyte s research is strategically important to prevent fragmented projects and a lack of intelligence on the success of digital spending. 5

6 Organisation-wide approach to digital With new technology comes risk and prudent IT and business leaders will identify and mitigate risks during the adoption phase. In the case of big data, Telsyte identified a standard, organisation-wide approach as the fastest-growing challenge for CIOs. This challenge must be addressed for the company to be successful with an organisation-wide digital strategy. Q. Does your organisation have a digital strategy? No, but we are investigating 3% Yes, it varies across business units 25% Yes, organisation wide 72% Telsyte Cybersecurity Study, 2019, n=243 Figure 1. An organisation-wide approach to digital is now seen as best practice. Most organisations have digital strategies to improve legacy non-digital processes and explore new revenue opportunities. As digital became a business driver, individual business units developed their own business strategies to benefit their own interests, such as marketing, operations or customer service. The challenge with a siloed approach to digital is a lack of an organisation-wide strategy to transform the entire business, not just one department. Telsyte research shows an organisation-wide approach is now overwhelmingly favoured by CIOs across Australia and New Zealand. Digital impacts the whole business and getting the highest return requires a holistic strategy. 6

7 Stepping up cybersecurity s significance On average, organisations only spend 6% of their digital budget on cybersecurity. Big investments in emerging technologies are advancing digital initiatives; however, cybersecurity spending is failing to keep up with this trend. The study found organisations on average only spend 6 per cent of their digital budget on cybersecurity. This level of funding indicates cybersecurity is still an afterthought, despite many well-publicised breaches in recent years. Furthermore, this alarming finding is at odds with the overall importance of cybersecurity as an IT challenge. Telsyte s recent Digital Workplace study of 403 Australian ICT decision makers found cybersecurity ranked as the top IT challenge for organisations in Q. What are your organisation's top IT challenges? 1. Cybersecurity 2. Keeping up with new technolgies 3. IT infrastructure management 4. Skills shortages or management 5. Managing service delivery Source: Telsyte Australian Digital Workplace Study 2018, n 403 Figure 2. The cybersecurity challenge is not resulting in more investment. Cybersecurity issues affect all levels of the business, starting at the digital strategy level. Telsyte s cybersecurity study found nearly one-third of organisations across Australia and New Zealand have had their digital strategy impacted by cybersecurity factors. A lack of collaboration between digital teams and the technologies and processes used by cybersecurity teams is adding to the challenge. Having a limited scope for a whole-of-business cybersecurity strategy is equally to blame for an impact on the wider digital strategy. Key points Security critical, but spending low Cybersecurity is seen as the top ICT challenge - but only 6% of digital budgets go to cybersecurity Lack of collaboration between security teams remains a challenge Emerging areas like cloud and big data leading to cybersecurity gaps 7

8 Q. Has your organisation's digital strategy been impacted by its cybersecurity? Q. How has your organisation's digital strategy been impacted by its cybersecurity? (multiple choice) Don't know 14% Yes 31% Technologies/Processes used by cybersecurity and digital teams are not compatible 28% Cybersecurity strategy is limited in scope 28% No 55% Cybersecurity personnel are not familiar with digital strategy implementation Cybersecurity team is siloed from digital strategy team Cybersecurity strategy development is not aligned to digital strategy 24% 24% 25% Telsyte Cybersecurity Study, 2019, n=243 n=109, Base: Orgs that have digital strategy impacted by cybersecurity strategy Figure 3: How cybersecurity is impacting digital strategy. Not sure 24% Adding to the concern is that 14 per cent of IT leaders are not aware if digital strategies are being impacted by cybersecurity. On the security professional side, the research found 25 per cent are not familiar with digital strategy implementation. With nearly one quarter (24%) of cybersecurity teams siloed from the digital strategy team, and the same rate of organisations with no alignment between the two strategies, there is a significant disconnect between security and digital. The lack of investment and collaboration between cybersecurity and digital strategy has led to organisations identifying cybersecurity gaps among the different technologies adopted. 74 per cent of New Zealand, and 89 per cent of Australian organisations reported that some of their technologies have cybersecurity "gaps". These kinds of cybersecurity challenges can impact almost all emerging technologies and their applications. Cloud-based services top the list with 43 per cent of Australia and New Zealand organisations identifying related cybersecurity challenges, followed by other emerging technologies like IoT, big data, machine learning and AI. IT and business leaders who bridge these "gaps" from the start will enable more applications of emerging technology, without the associated risk. 8

9 Q. Which of the following does your organisation see having cybersecurity challenges or "gaps" with interactions of different systems? Total of those that face cybersecurity challenges or gaps Cloud computing Internet of Things Big Data and Data Analytics Chatbots Machine learning/deep learning Artificial Intelligence Augmented Reality (AR)/Virtual Reality (VR) Cellular machine-to-machine (M2M) Cognitive computing Blockchain Robotic Process Automation Biometrics Telsyte Cybersecurity Study, 2019, n=243 Figure 4: Emerging technologies producing cybersecurity gaps. 43% 32% 24% 24% 22% 21% 19% 15% 15% 12% 10% 9% 87% 9

10 Key Points Cybersecurity attacks continue unabated Cybersecurity attacks continue and emerging technologies is not immune 20% of Australia and New Zealand organisations have experienced at least one breach across key emerging technologies One quarter of breaches are successful and onethird of attacks have no discernible pattern to them Waiting for a breach to drive change is too risky Identifying cybersecurity attacks and threats A disparity between cybersecurity, digital strategies and investments will not stop the relentless pace of attacks and breaches. The prevalence of cybersecurity attacks continues to grow and emerging technologies are not immune to the problem. The research found more than one in five organisations have experienced at least one breach per month across key emerging technologies. Experience breaches at least once per month. Cloud Computing 29% Internet of Things 27% Big Data and Analytics 28% Block Chain 25% Artificial Intelligence 21% Telsyte Cybersecurity & Privacy Study, 2018, n=243, base: total respondents Figure 5. The alarming rate of cyber breaches relating to emerging technologies. The high rate of breaches across various emerging technologies indicates a need for a more proactive approach to cybersecurity, as opposed to a reactive one. This need is underscored by the alarming amount of attacks which are successful. Telsyte s research shows that one in six known cybersecurity attacks are successful and the rate is even higher for organisations which have had security breaches, where 26 per cent claim the breaches were successful. CIOs must identify the potential exposure emerging technologies bring and align their teams and funding to meet the challenges. Waiting for a public breach to drive change is simply too risky. 1 in 5 organisations have at least one breach per month 10

11 Q. Approximately, what proportion of attempts have successfully breached your organisation's security? >60% 3% None 37% 40% 60% 15% Less than 20% 36% 1 in 6 known attacks are SUCCESSFUL 20% 40% 9% Of organisations that have had security breaches (excluding none), 26% claim they are successful Telsyte Cybersecurity Study, 2019, n=243 Figure 6. The alarming rate of successful security breaches. The success of cybersecurity attacks can be attributed to their diverse nature. Telsyte s study found more than one-third of cyber attacks have no discernible pattern and 28 per cent occur after work hours in Australia, indicating their global nature. Q. What are the patterns of the attack? No discernible pattern After work hours in Australia Every time we update software On weekends On a Public Holiday During work hours in Australia Don't know/not sure Telsyte Cybersecurity Study, 2019, n=243 Figure 7. The diverse nature of cyber attacks know no limits. 37% 26% 18% 14% 13% 13% 10% Well-aligned digital and cybersecurity strategies must prepare for non-stop attacks outside traditional operating hours. An e-commerce initiative will face cyber attacks well after the shop doors have closed for the day. The research also investigated trends in the type of threats organisations face. Telsyte s cybersecurity study found almost half of all Australia and New Zealand organisations have been exposed to a cyber attack in the form of malware and malicious s during the past 12 months. 11

12 Q. Which of the following types of cyber-attacks incidents did your organisation experience in the last 12 months? Malicious Malware Spyware Spear phishing Ad-Fraud Ransomware Spambot Scanning or brute force Cryptocurrency Miner Distributed Denial of Service Application borne attack Keylogger Stolen credentials Botnet attack Social engineering Figure 8. The diverse nature of ongoing cyber attacks. 42% 40% 24% 22% 14% 13% 13% 13% 12% 12% 10% 10% 10% 8% 7% Telsyte Cybersecurity Study, 2019, n=243, Multiple Choice Cybersecurity attacks of high frequency, unpredictable nature and varied forms, can cost an organisation significantly in productivity, reputation, time and financial loss. To quantify the problem, the research estimated an average loss of $60 million due to cybersecurity breaches. Moreover, only 40 per cent of organisations measure the financial cost of cybersecurity attacks, indicating the average cost might be much higher. 12

13 Cost of cybersecurity breaches Q. Approximately how much did cybersecurity breaches or attacks cost your organisation financially in the last 12 months? Less than $5M 56% >$500M 6% $100M $499M 7% Average annual measured loss: $60M $50M $99M 8% $20M $49M 9% On an average, each adopted technology used by organisations is attacked at least once a month Only 40% of organisations measure the financial cost of cybersecurity attacks Of those, only 20% claimed they have not lost any revenue due to attacks, with another 19% not knowing $6M $19M 14% Telsyte Cybersecurity Study, 2019, n=140, Base: the average from organisations surveyed and experienced losses, and have systems to measure losses (min 50 employees) Figure 9: The huge cost of cybersecurity breaches. 13

14 Key points: Help fight the battle with a cybersecurity partner Organisations are struggling to keep on top of cyber threats There are many options for cybersecurity services to help manage risk More than 30% of IT leaders are investigating a cybersecurity outsourcing provider Compatible cybersecurity frameworks among providers help overcome integration challenges Getting on the front foot with cybersecurity services With cybersecurity challenges so prevalent and diverse, organisations are struggling to keep on top of the threats. The research shows the clear mismatch between new digital projects and spending, and this lack of alignment can lead to basic operational challenges like failing to defend against network service attacks. There is a growing opportunity for local organisations to engage with a specialist cybersecurity provider to enable more capability and proactive mitigation. The study found one-third of respondents are investigating using a cybersecurity outsourcing provider, with 10 per cent of the market still unsure. Q. Which of the following best represents your organisation when it comes to outsourcing cybersecurity? We do not have an outsourced provider, and do not intend to use one 28% Don't know/not sure 10% We do not have an outsourced provider, but intend to use one 33% We have an outsourced provider that manages our cybersecurtiy 29% Telsyte Cybersecurity Study, 2019, n=243 Figure 10. The strong intention to use a cybersecurity outsourcing provider technologies. The rise of cloud-based security services has resulted in many options for enterprises to engage with a third-party for cybersecurity support. According to Telsyte s research, among organisations that have outsourced their cybersecurity, almost half are engaging third-parties for security monitoring. Nearly 40 per cent outsource incident response. IT and business leaders can get support with everything from denial of service prevention to identity management. Taking more operational tasks away from inhouse staff will lead to better strategic alignment between cybersecurity and digital transformation activities. 14

15 Q. What parts of your organisation's cybersecurity capabilities are currently outsourced to third parties? Security monitoring Incident response Network perimeter management Cloud security management Identity and access management Endpoint solution management and web security management Denial of service control 25% 21% 39% 35% 33% 31% 30% Telsyte Cybersecurity Study, 2019, n=96, base: Those that have an outsourced provider that manages their cybersecurity Figure 11: A range of cybersecurity requirements can be outsourced to specialist providers. 49% The range of cybersecurity services that can be outsourced is quite extensive; however, often challenges getting outsourcers to work together to deliver a comprehensive security service remain. Q. Do your multiple separate outsourcers have compatible security frameworks that work together? Don't know/not sure 22% Some of them do not have any security frameworks 2% All of them are not compatible 2% Yes, all of them are compatible 44% Yes, but only some of them are compatible 30% Telsyte Cybersecurity Study, 2019, n=96, Base: Those that outsource cybersecurity Figure 12: The challenge of incompatible cybersecurity frameworks. 15

16 Implementing compatible cybersecurity frameworks among separate outsourced service providers can go a long way to overcoming these challenges. Telsyte s cybersecurity study found one in three organisations with multiple outsourcing providers have suppliers that are not compatible with each other in terms of a security framework. Adding to the challenge is nearly 25 per cent of respondents do not know, or are unsure, if their outsourcers have compatible security frameworks. This lack of knowledge limits the organisation s ability to assess how well the security service providers are performing. This compatibility problem also extends to between the organisation and the service provider. Telsyte s research found that among organisations whose outsourcers have a security framework, almost 32 per cent are only partially compatible with their outsourcer at best. A further 13 per cent are unsure about framework compatibility. Q. Is your organisation's security framework and your outsourcer's framework compatible, or do they work together? Don't know/not sure 13% Not compatible 2% Fully compatible 55% Partial 30% Telsyte Cybersecurity Study, 2019, n=84, Base: Those whose outsourcer have a security framework Figure 13: Organisations must also work towards compatible frameworks with suppliers. 16

17 These compatibility issues can be avoided by engaging with a cybersecurity service provider that can deliver a comprehensive service, including any existing requirements. The closer you can align frameworks from the start, the more time you will save time and resources in liaising between multiple providers to come to an agreed cybersecurity framework. Furthermore, a comprehensive outsourcer is more likely to apply the same cybersecurity framework across all its services, making management and reporting for cybersecurity services easier. The study found that 69 per cent of cybersecurity outsource service providers engaged by organisations across Australia and New Zealand have a security framework. Q. Do your organisation's outsourcers have a security framework? Don't know 18% No 13% Yes 69% Telsyte Cybersecurity Study, 2019, n=96, Base: Those that outsource Figure 14: Engage with a provider which has a comprehensive cybersecurity framework. CIOs should investigate rationalising their cybersecurity providers to limit framework compatibility issues and gain consolidated threat detection and risk mitigation strategies. 17

18 Recommendations To ensure organisations across Australia and New Zealand can innovate with confidence, Telsyte research found a number of recommendations: Balance cybersecurity spending. Organisations in Australia and New Zealand are investing in emerging technologies to support digital transformation programs. This trend is positive; however, cybersecurity spending must reflect these investments and not be viewed as an afterthought. Bridge cybersecurity and digital teams. With nearly one quarter of cybersecurity teams siloed from the digital strategy team, it is time for more collaboration to curb emerging risks. Australia and New Zealand' organisations also need more alignment between the two strategies in general. Identify capability gaps. Lack of investment and collaboration between cybersecurity and digital has led to many cybersecurity gaps. It is important to identify where the organisation is exposed among the different emerging technologies being adopted. Be prepared for emerging threats. Organisations are already experiencing a high rate of breaches across various emerging technologies. This indicates a need for a more proactive approach to cybersecurity, as opposed to a reactive one. Attackers will not wait for you to catch up on a new vulnerability. Investigate cybersecurity services. CIOs do not need to take on the expanding burden of cybersecurity services in-house. There are many options for outsourcing cybersecurity tasks across a number of applications. Outsourcing cybersecurity helps in-house staff be more strategic with digital initiatives. Avoid incompatible security frameworks. Telsyte s research found one-in-three organisations with multiple outsourcing providers have suppliers with incompatible security frameworks. Align frameworks from the start to limit time liaising between multiple providers to arrive at an agreed cybersecurity framework. IT and business leaders across Australia and New Zealand are faced with many challenges managing emerging technology adoption with the need for better cybersecurity. Taking a collaborative approach with cybersecurity and digital, combined with the prudent use of service providers, will position organisations to be more innovative and resilient. 18

19 About this report In preparing this report, Telsyte used the results of an online survey of 243 IT decision makers across Australian and New Zealand organisations with greater than 50 employees. Sampling was conducted to reflect the largest organisations in Australia and New Zealand, with 77% of respondents coming from organisations with greater than 200 employees. The respondent was required to have a strong understanding of their organisation s IT cybersecurity policies and processes, and was not limited to just the CIO or IT department. The survey took around 25 minutes to complete. The survey had a confidence interval of +/-6.23 at a confidence level of 95%. Interviews were conducted via an online survey completed by respondents on computers, tablets and smartphones. 19

20 About Telsyte Telsyte is Australia s leading emerging technology analyst firm. Telsyte analysts deliver market research, insights and advisory into enterprise and consumer technologies. Telsyte is an independent business unit of DXC Technology. Visit for more information. Learn more at About DXC Technology DXC Technology (DXC: NYSE) is the world's leading independent, end-to-end IT services company, serving nearly 6,000 private and public-sector clients from a diverse array of industries across 70 countries. The company's technology independence, global talent and extensive partner network deliver transformative digital offerings and solutions that help clients harness the power of innovation to thrive on change. DXC Technology is recognised among the best corporate citizens globally. For more information, visit dxc.technology DXC Technology Company. All rights reserved. MD_8777a-19. August 2018