The Global State of Information Security Survey 2018

2020-02-27, 188 views

1. Cybersecurity and Privacy. Strengthening digital society against cyber shocks: key findings from The Global State of Information Security® Survey 2018. www.pwc.com/gsiss
2. Table of contents
  • Introduction, p. 2
  • How cyber interdependence drives global risk, p. 5
  • Resilience: The cyber-shock absorber businesses need, p. 8
  • Next steps for global business leaders, p. 12
  • Methodology, p. 16
  • Contacts, p. 17

Key findings from The Global State of Information Security® Survey 2018 © 2017 PwC
3. Massive cybersecurity breaches have become almost commonplace, regularly grabbing headlines that alarm consumers and leaders. But for all of the attention such incidents have attracted in recent years, many organizations worldwide still struggle to comprehend and manage emerging cyber risks in an increasingly complex digital society. As our reliance on data and interconnectivity swells, developing resilience to withstand cyber shocks—that is, large-scale events with cascading disruptive consequences—has never been more important.
4. There have been no reported deaths from cyberattacks and relatively little destruction.[1] But the disruptive power of cyberattacks is increasingly clear, particularly in geopolitical threats. For example, a December 2015 cyberattack in Turkey impacted networks used by the country’s banks, media, and government.[2] Later that month, the first known cyberattack to take down a power grid targeted Ukraine’s power distribution systems, cutting electricity to 230,000 residents.[3] That attack also targeted the country’s phone system, preventing customers from reporting outages and thereby hindering power-restoration efforts.[4] In June 2017, the Petya cyberattack, aimed at Ukrainian computers, disrupted business operations across the globe. Massive data breach risks are raising concerns about the power of cyberattacks to ripple through the global economy.[5]

Chart: Anticipated results of a successful cyberattack against automation and/or robotics systems
  • Disruption of operations/manufacturing: 40%
  • Loss or compromise of sensitive data: 39%
  • Negative impact to quality of products produced: 32%
  • Damage to physical property: 29%
  • Harm to human life: 22%
Source: PwC, CIO and CSO, The Global State of Information Security® Survey 2018, October 18, 2017. Base: 9,500 respondents.

[1] The Cipher Brief, Cyber Deterrence Is Working – So Far, July 23, 2017
[2] Harvard University Belfer Center for Science and International Affairs, Too Connected To Fail, May 2017
[3] Wired, Inside the cunning, unprecedented hack on Ukraine’s power grid, March 3, 2016
[4] US Homeland Security Advisory Council, Final Report of the Cybersecurity Subcommittee: Part I - Incident Response, June 2016
[5] The Wall Street Journal, The Morning Download, Sept. 11, 2017
5. Executives worldwide acknowledge the increasingly high stakes of cyber insecurity. In our 2018 Global State of Information Security® Survey (GSISS), leaders of organizations that use automation or robotics indicate their awareness of the potentially significant fallout of cyberattacks. Forty percent of survey respondents cite the disruption of operations as the biggest potential consequence of a cyberattack, 39% cite the compromise of sensitive data, 32% cite harm to product quality, 29% cite damage to physical property, and 22% cite harm to human life.

Yet despite this awareness, many companies at risk of cyberattacks remain unprepared to deal with them. Forty-four percent of the 9,500 executives in 122 countries surveyed by the 2018 GSISS say they do not have an overall information security strategy. Forty-eight percent say they do not have an employee security awareness training program, and 54% say they do not have an incident-response process. “Many organizations need to evaluate their digital risk and focus on building resilience for the inevitable,” said Sean Joyce, PwC’s US Cybersecurity and Privacy Leader.

Business leaders are not well served by cybersecurity commentary that veers into either hyperbole about “cyber armageddon” or the countervailing viewpoint that most cyber threats are mundane. Much more productive would be a robust global conversation that gives business leaders actionable advice to build resilience against cyber shocks. In this paper—the first in our series on the key findings of the 2018 GSISS—we attempt to do just that.
6. How cyber interdependence drives global risk

According to the World Economic Forum (WEF), the rising cyber interdependence of infrastructure networks is one of the world’s top risk drivers. The WEF 2017 Global Risks Report found that cyberattacks, software glitches, and other factors could spark systemic failures that “cascade across networks and affect society in unanticipated ways.”[6] The US National Intelligence Council’s recent global trends report similarly cautioned that society faces “imminent” risk of cyber disruption—potentially on a massive scale with “lethal consequences”—due to the vulnerability of critical infrastructure.[7]

Case studies of non-cyber disasters have shown that cascading events often begin with the loss of power—and many systems are impacted instantaneously or within one day, meaning there is generally precious little time to address the initial problem before it cascades.[8] Interdependencies between critical and non-critical networks often go unnoticed until trouble strikes.[9]

Many people worldwide—particularly in Japan, the United States, Germany, the United Kingdom, and South Korea—are concerned about cyberattacks from other countries.[10] Tools for conducting cyberattacks are proliferating worldwide. Smaller nations are aiming to develop capabilities like those used by larger countries. And the leaking of US National Security Agency (NSA) hacking tools has made highly sophisticated capabilities available to malicious hackers.[11]

When cyberattacks occur, most victimized companies say they cannot clearly identify the culprits. In our 2018 GSISS, only 39% of survey respondents say they are very confident in their attribution capabilities.

[6] World Economic Forum, 2017 Global Risks Report, January 2017
[7] US National Intelligence Council, Global Trends: Paradox of Progress, January 2017
[8] CascEff, Cascading effects: What are they and how do they affect society? July 31, 2017
[9] Internet outages after the Sept. 11, 2001, terrorist attacks were caused by a chain of events: lack of electric power required a major data center to use backup generators that relied on fuel; poor air quality in the city due to the attack hindered data-center cooling, hastening fuel consumption; normal fuel delivery was blocked by emergency traffic limits; and without fuel, the generators could not function. See Harvard University Belfer Center for Science and International Affairs, Too Connected To Fail, May 2017
[10] The Pew Research Center, Spring 2017 Global Attitudes Survey, August 2017
[11] PwC, Bold Steps to Manage Geopolitical Cyber Threats, 2017
7. 39% say they are very confident in their cyberattack attribution capabilities. (Source: PwC, CIO and CSO, The Global State of Information Security® Survey 2018, October 18, 2017.)

The soaring production of insecure internet-of-things (IoT) devices is creating widespread cybersecurity vulnerabilities.[12] Rising threats to data integrity could undermine trusted systems and cause physical harm by damaging critical infrastructure.[13] In May 2017, G-7 leaders pledged to work together and with other partners to tackle cyberattacks and mitigate their impact on critical infrastructure and society. Two months later, G-20 leaders reiterated the need for cybersecurity and trust in digital technologies. The task ahead is huge. As the United Nations’ International Telecommunication Union wrote in its 2017 Global Cybersecurity Index report, global interconnectivity could expose “anything and everything” to cyber risks and “everything from national critical infrastructure to our basic human rights can be compromised.”[14]

There is a wide disparity in cybersecurity preparedness among countries around the world—both “between and within regions,” according to the UN’s 2017 Global Cybersecurity Index.[15] The UN found that only 38% of member states have a published cybersecurity strategy, and only 11% have a dedicated standalone strategy. Only 12% have a cybersecurity strategy in development. Although 61% of member states have an emergency response team with national responsibility, only 21% of states publish metrics on cybersecurity incidents.

[12] PwC, Uncovering the Potential of the Internet of Things, 2017
[13] Then-US Director of National Intelligence James Clapper told Congress in 2016, “Future cyber operations will almost certainly include an increased emphasis on changing or manipulating data to compromise its integrity (i.e., accuracy and reliability) to affect decision-making, reduce trust in systems, or cause adverse physical effects. Broader adoption of IoT devices and AI—in settings such as public utilities and health care—will only exacerbate these potential effects.”
[14] United Nations International Telecommunication Union, Global Cybersecurity Index report, 2017
[15] The report ranked Singapore, the United States, Malaysia, Oman, Estonia, Mauritius, Australia, France, Georgia, and Canada as the most committed member states.
8. In our 2018 GSISS, we found that the frequency of organizations possessing an overall cybersecurity strategy is particularly high in Japan (72%), where cyberattacks are seen as the leading national security threat,[16] and Malaysia (74%), which scored very well in the UN cybersecurity index. Both countries are in East Asia and the Pacific, a region where the World Economic Forum says cyberattacks are among the top five business risks.[17]

High preparedness does not necessarily mean low risk. The UN’s 2017 Global Cybersecurity Index ranked the United States among the member states most committed to cybersecurity, second only to Singapore. But US infrastructure is still vulnerable to what the World Economic Forum deems the No. 1 business risk in North America: “large-scale cyberattacks or malware causing large economic damages, geopolitical tensions, or widespread loss of trust in the internet.”[18] The US Department of Homeland Security has identified more than 60 entities in US critical infrastructure where damage, caused by a single cyber incident, could reasonably result in $50 billion in economic damages, or 2,500 immediate deaths, or a severe degradation of US national defense.[19]

For many people, the risk is real. A Pew Research Center survey found that a substantial majority of Americans expect major cyberattacks in the next five years on US public infrastructure or banking and financial systems. Most information security professionals believe that US critical infrastructure will suffer a cyberattack within the next two years.[20]

[16] The Pew Research Center, Spring 2017 Global Attitudes Survey, August 2017
[17] World Economic Forum, 2017 Global Risks Report shareable infographics, January 2017
[18] World Economic Forum, 2017 Global Risks Report, January 2017
[19] “Additional views” statement by Sen. Susan Collins (R-ME) in US Senate Report 114-32, April 15, 2015
[20] Black Hat, The 2017 Black Hat Attendee Survey: Portrait of an Imminent Cyberthreat, July 2017
9. This underscores the need for all organizations, no matter how prepared they think they might be, to verify whether strategic cybersecurity goals are being executed. The White House’s National Infrastructure Advisory Council wrote in an August 2017 report that many US infrastructure companies are not practicing basic cyber hygiene despite the availability of effective tools and practices.[21] In fact, the report’s authors note, many companies are unaware of available federal tools for scanning, detecting, mitigating, and defending against cyber threats.

Resilience: The cyber-shock absorber businesses need

“Tomorrow’s successful states,” the US National Intelligence Council wrote in 2017, “will probably be those that invest in infrastructure, knowledge, and relationships resilient to shock—whether economic, environmental, societal, or cyber.” The same idea applies to tomorrow’s successful companies—those that are resilient will be best positioned to sustain operations, build trust with customers, and achieve high economic performance. So how can organizations achieve the toughness required to absorb the disruption caused by a cyberattack? The results of our 2018 GSISS suggest some answers.

Leaders must assume greater responsibility for building cyber resilience. In the private sector, those driving business results must also be held accountable for the associated risks of doing business. Boards must exercise effective oversight and proactive risk management. Strategies for business continuity, succession planning, strategic alignment, and data analytics are key. Yet the 2018 GSISS found that most corporate boards are not proactively shaping their companies’ security strategies or investment plans.

[21] National Infrastructure Advisory Council, Securing Cyber Assets, August 2017
10. Only 44% of GSISS respondents say their corporate boards actively participate in their companies’ overall security strategy. “Many boards still see it as an IT problem,” said Matt Olsen, cofounder and president of business development and strategy for IronNet Cybersecurity and former head of the US National Counterterrorism Center. According to the National Association of Corporate Directors’ 2016-2017 surveys of public- and private-company directors, few board members feel very confident that their companies are properly secured against cyberattacks.[22] Often a result of boards’ lack of involvement in security measures, such doubt should come as no surprise.

Just under half of all GSISS respondents agree that risk alone drives security spending. About 30% disagree, and the remainder are on the fence. Most GSISS respondents (66%) say their organizations’ security spending is aligned with the revenues of each line of business, but a sizeable remainder (34%) say that is not the case or they are not sure.

The chief information security officer (CISO) is increasingly important. According to the 2018 GSISS, it is more common for a company’s CISO or chief security officer to report directly to the CEO or the board of directors than to the chief information officer. “The CISO must help the board understand where the company stands in providing cybersecurity for the company networks,” said Keith Alexander, the founder and CEO of IronNet Cybersecurity, who formerly led US Cyber Command and the National Security Agency as a four-star general. “The information provided should include any cyberattacks that have occurred, as well as shortfalls in training, equipment, and tools in the cyber domain. The CISO must highlight shortfalls so the board can execute their responsibilities in understanding and addressing risks facing the company.”

[22] Only 5% of public-company directors and 4% of private-company directors said they were “very confident.” Most said they were only “moderately confident” (42% of public-company directors and 39% of private-company directors), according to survey data included in the National Association of Corporate Directors’ 2017 Cyber-Risk Oversight Handbook.
11. Chart: To whom does the CISO, CSO, or equivalent senior information security executive directly report?
  • CEO: 40%
  • Board of Directors: 27%
  • CIO (Chief Information Officer): 24%
  • CSO (Chief Security Officer): 17%
  • Chief Privacy Officer: 15%
Source: PwC, CIO and CSO, The Global State of Information Security® Survey 2018, October 18, 2017. Base: 9,500 respondents.

Organizations must dig deeper to uncover risks. Achieving greater cyber resilience as a society and within organizations will require a more concerted effort to uncover and manage new risks inherent in emerging technologies. Organizations must have the right leadership and processes in place to drive the security measures required by digital advancements. Many businesses are just beginning this journey. For example, relatively few respondents say their organizations plan to assess IoT risks across the business ecosystem. The ownership of responsibility for IoT security varies depending on the organization—29% say the duty belongs to the CISO, while others point to the engineering staff (20%) or the chief risk officer (17%). Cybersecurity executives, meanwhile, are still absent in many organizations. Only about half (52%) of respondents say
12. 34% say their organizations plan to assess IoT risks across the business ecosystem.