The better the question. The better the answer. The better the world works. У вас есть вопрос? У нас есть ответ. Решая сложные задачи бизнеса, мы улучшаем мир. У вас є запитання? У нас є відповідь. Вирішуючи складні завдання бізнесу, ми змінюємо світ на краще. Meilleure la question, meilleure la réponse. Pour un monde meilleur. 問題越好。答案越好。商業世界越美好。 问题越好。答案越好。商业世界越美好。

Path to cyber resilience:
Sense, resist, react

EY’s 19th Global Information Security Survey 2016-17

The state of cyber resilience

Threats of all kinds continue to evolve, and today’s organizations find that the threat landscape changes and presents new challenges every day.

Organizations have learned over decades to defend themselves and respond better, moving from very basic level measures and ad hoc responses to sophisticated, robust and formal processes.

In this report, we look at the findings of our latest Global Information Security Survey. From the responses of the 1735 CIOs, CISOs and other executives, we can see where organizations are in the strength and maturity of their cybersecurity capabilities and suggest three steps to achieve cyber resilience:

Sense

Organizations need to use cyber threat intelligence and active defense to predict what threats or attacks are heading in their direction and detect them when they do, before the attack is successful. They need to know what will happen, and they need sophisticated analytics to gain early warning of a risk of disruption.

Resist

First, an organization determines how much risk to take across its ecosystem, followed by establishing the three lines of defense:

  1. Executing control measures in the day-to-day operations
  2. Deploying monitoring functions such as internal controls, the legal department, risk management and cybersecurity
  3. Using a strong internal audit department

React

If sense and resist fail, organizations need incident response capabilities to manage the crisis. They need to be ready to preserve evidence in a forensically sound way and investigate the breach to satisfy critical stakeholders – and also be prepared to bring the organization back to business as usual in the fastest possible way, learn from what happened, and adapt and reshape the organization to improve cyber resilience going forward.

Let us not get blindsided and think that cyber agility automatically results in a positive answer to the main boardroom question of “Are we cyber resilient?”

Sense

Organizations have become more confident in their ability to predict and detect a sophisticated cyber attack; this year, 50% of organizations thought it was likely they would be able to do so, which is the highest level of confidence we have seen since 2013.

But there is still work to do related to the basic sense capabilities given the following findings in this year’s survey:

  • 44% do not have a Security Operating Center (SOC)
  • 64% do not have, or only have an informal, threat intelligence program
  • 55% do not have, or only have an informal, vulnerability identification capability

In addition, there are four specific areas which need special attention:

A breach has happened but there appears to be no harm

Of the organizations in our survey, 62% would not increase their cybersecurity spending after experiencing a breach which did not appear to do any harm.

Cyber criminals often make “test attacks,” lie dormant after a breach, or use a breach as a diversionary tactic to throw organizations off the trail of what they are really up to.

Securing your ecosystem

In our digital and connected world, events in the organizations’ network can go on to impact the organization itself, yet:

  • 68% of responders would not increase their information security spending even if a supplier was attacked.
  • 58% would not increase their spending if a major competitor was attacked.

An organization’s sensory system is much stronger when events in the surrounding ecosystem are taken into account.





The impact of the Internet of Things (IoT)

The explosion in the number of connected devices is going to put more pressure on the sense capabilities of an organization:

  • 73% are concerned about poor user awareness and behavior around mobile devices.
  • Organizations doubt that they are going to be able to continue to identify suspicious traffic over their networks (49%), to track who has access to their data (44%) or to be able to find hidden and unknown zero-day attacks (40%).
  • As connectivity to other organizations expands, many organizations expect difficulties with monitoring the perimeter of their ecosystems (34%).

Information sharing and collaboration are on the rise

Industry-specific regulations relating to cyber risks are gathering momentum, and legislative interest is increasing. So be prepared to report and look for opportunities to share and collaborate today:

  • 49% of our respondents SOCs collaborate and share data with others in the same industry
  • 38% of our respondents SOCs collaborate and share data with other public SOCs





The atmosphere today will lead regulators, stakeholders, business partners and even customers to want to know more about your cybersecurity.

Resist

Attacks take many different, increasingly complex forms and organizations are not performing as well as they should against the sophisticated attacks cyber criminals are launching against their targets every day.

Last year, 88% of survey respondents said their cybersecurity function did not fully meet their organization’s needs. This year it is 86%, which does not represent a significant improvement.

In our survey, nearly half (48%) of responders say their outdated information security controls or architecture are a high area of vulnerability.

Activate your defenses

Our survey reveals that 57% have had a recent significant cybersecurity incident, showing there is still more work to do to strengthen the corporate shield. Maturity levels are still too low in many critical areas.

Percentage who would rate these information security management processes as mature:

  • Software security: 29%
  • Security monitoring: 38%
  • Incident management: 38%
  • Identity and Access Management: 38%
  • Network security: 52%

Every year budgets increase, but is it enough?

Between 2013 and 2016 we have seen year on year increases in budgets. The amounts being spent are also rising: in 2013, 76% of responders were spending less than $2m in total; today only 64% are spending less than $2m and there has been a rise in organizations spending $10m–$50m.

Still, organizations say that more funding is needed, with 61% citing budget constraints as a challenge and 69% of responders saying they need up to 50% more budget.

The role of leadership

Cyber resilience requires senior executives to actively take part and lead the React phase. Since 2013, 31%–32% of responders say there is a lack of executive awareness and support which is challenging the effectiveness of cybersecurity.

This year on year consistency suggests not enough is being done to address this, or attempts have reached a deadlock and the message is not getting through.

The importance of reporting

Among our responders, 75% say that those responsible for information security do not have a seat on the board, so the board has to rely on reporting instead:

  • Only 25% of reporting provides an overall threat level
  • Only 35% of reporting showed where improvements were needed in the organization’s information security
  • 89% of organizations do not evaluate the financial impact of every significant breach and of those that have had a cyber incident in the last year, nearly half (49%) have no idea what the financial damage is or could be

With the quality of reporting being so low, it is no surprise that 52% of responders think their boards are not fully knowledgeable about the risks the organization is taking and the measures that are in place.

 

Executive leadership and support is critical for effective cyber resilience.

React

Business continuity management (BCM) has been the first or second key area of cybersecurity in our survey since 2013, so the importance of having some React capabilities is understood. Again this year, 57% of organizations rated it their joint top priority, alongside data leakage/data loss prevention.

However, looking at where organizations want to spend more, BCM ranks 9th. Organizations may feel that BCM has been well funded in the past and now they are investing in other React capabilities.

Other React capabilities

Security information and event management (SIEM) together with security operation centers (SOCs), ranked 7th, with 46% of the respondents say that they are going to spend more in these two areas over the coming 12 months, ranking it second after security awareness and training.

Despite outdated information security controls or architecture being the second highest vulnerability, 74% say that an information security transformation (fundamental redesign) is a medium or low priority and 75% say a security architecture redesign is a medium or low priority.

When reacting to an attack, the board must show leadership

The key to recovering from a cyber attack is to communicate and lead the communications before the strength of the traditional news media and social media takes over. Too many organizations are still unprepared.

  • 42% do not have an agreed communications strategy or plan in place in the event of a significant attack
  • In the first seven days after an attack:
    • 39% say they would make a public statement to the media
    • 70% would notify regulators and compliance organizations
    • 46% would not notify customers, even when it is customer data that has been compromised
    • 56% would not notify suppliers, even when it is supplier data that has been compromised

Leading the recovery of the organization

For the CIO or CISO to be able to support the business during recovery, they need to fully understand the organization’s strategic direction, risk appetite and operations. By bringing together the corporate strategists, and the corporate security team, the cybersecurity solution and the organization’s overall strategy can be aligned.

However, our survey shows that there is not a good connection between the cybersecurity function and the organization’s strategy and planning:

  • Only 5% of responders have recently made a significant change to their organization’s strategy and plans, after sensing they were exposed to too much risk
  • Only 22% say that they have fully considered the information security implications of their organization’s current strategy and plans

Asking tougher questions and closing the gaps

Organizations like to rely upon themselves to test or manage their own cybersecurity:

  • 79% do their own self-phishing
  • 64% do their own penetration testing
  • 81% do their own incident investigation
  • 83% do their own threat intelligence analysis

Our survey also found gaps that need to be addressed. Despite careless employees, phishing and malware being such major and known threats, only 24% have an incident response plan that would help them recover from malware and employee misbehavior.

Although React capabilities perform well in the priority ratings, the absolute amounts of money spent in this area are still relatively low. The more it becomes clear that the corporate shield cannot resist all threats, the more attention the React capabilities will get.

Cyber resilient enterprise key characteristics

Understands the business

Cyber resilience begins with an in-depth understanding of the operational landscape, to know which workflows must be preserved so the organization can continue to operate and safeguard people, assets and overall brand equity, despite the cyber attack.

Understands the cyber ecosystem

Map and assess the relationships the organization has across the cyber ecosystem and identify what risks exist. Perform a risk assessment of the organization’s cyber presence in the ecosystem, determining those factors that affect the extent of the organization’s control over its ecosystem.

Determines the critical assets – the crown jewels

Most organizations over-protect some assets and under-protect others:

  • 51% ranked customer personal identifiable information as the first or second information most valuable to cybercriminals in the organization
  • Only 11% rated patented IP the first or second most valuable information
  • Senior executive/board member personal information was considered more valuable than R&D information, patented IP and non-patented IP, and broadly on a par with corporate strategic plans

Determines the risk factors

Sharing information about the risk and threat landscape of all the business functions allows the organization to understand their broader risk and expose any security gaps. Organizations then need to ask the following:

  • How much can we do to manage any residual risk?
  • Are we prepared to accept a certain level of risk?
  • What can we attempt to control and what do we need to accept is out of our control?

Manages the human element with exceptional leadership

Individuals need to be prepared and trained on how to respond and behave after a cyber attack. Clear communication, direction and example-setting from leadership will be essential, as well as clearly defined roles or tasks to help the organization become operational again.

Creates a culture of change readiness

Organizations that develop superior, integrated and automated response capabilities can activate non-routine leadership, crisis management and coordination of enterprise-wide resources. Organizations should develop and implement tailor-made war games including a review of any command and control center, cyber resilience manuals and plans.

Conducts formal investigations and prepare for prosecution

To protect the interests of the organization in the event of a major cyber-breach, the CIO and CISO should be prepared to liaise with the most senior executives from Security, General Counsel, External Counsel, Investigations and Compliance to:

  • Collect evidence in a forensically sound way to support a wider investigation
  • Establish if the attackers still have footholds in the organization’s networks and systems, and if harmful malware or ransom-ware could sabotage the organization again
  • Investigate who carried out the attack, how they performed it, for whom and why
  • Be able to bring a claim against the attacker, those who aided and abetted the attack and product and service providers who failed to meet contractual obligations to build, operate, test or maintain cybersecurity