While information security risks have evolved and intensified, security strategies—historically compliance-based and perimeter-oriented—have not kept pace. That is according to a survey by the audit company PwC.
It claims that organisations often rely on yesterday’s security strategies to fight a largely ineffectual battle against highly skilled adversaries who leverage the threats and technologies of tomorrow. The boots-on-the-ground reality is not one of sophisticated attacks, the report suggests. Most respondents attribute security incidents to everyday insiders such as current or former employees. It might not even be that staff are malicious, but that they are working in an insecure way. Organisations understand that it is no longer practical—or, indeed, possible—to protect all information with equal priority. In a new model of security, the report suggests, businesses should identify and prioritise the information that really matters.
Cloud computing has been around for more than a decade, and is commonplace—if not quite mainstream—in the corporate ecosystem. Almost half (47pc) of respondents use some form of cloud computing. Among those who use cloud services, 59pc of respondents report that their security posture has improved. Yet many organisations have not seriously addressed the security implications of cloud services. For instance, among survey respondents that use cloud services, only 18pc say they have policies governing the use of cloud.
Joshua McKibben, PwC Director, says: “A lack of policies for cloud computing represents a serious security gap for businesses. The proliferation of data being shared, in combination with the increase in the use of mobile devices, creates an environment in which cloud services are more widely used—and potentially abused—by employees. At the same time, it is essential that businesses ensure that third-party cloud providers agree to follow security practices.”
The audit firm’s report sums up:
These sophisticated intruders are bypassing outdated perimeter defences to perpetrate dynamic attacks that are highly targeted and difficult to detect. Many use well-researched phishing exploits that target top executives. Compounding matters, the attack surface—partners, suppliers, customers, and others—has expanded as an ever-greater volume of data flows through interconnected digital channels.
These factors have combined to make information security progressively more complex and challenging. It has become a discipline that demands pioneering technologies and processes, a skill set based on counter-intelligence techniques, and the unwavering support of top executives. A key tenet of this new approach is an understanding that an attack is all but inevitable, and safeguarding all data at an equally high level is no longer practical.
The Global State of Information Security Survey 2014 aims to measure and interpret how global organisations implement practices to combat highly skilled adversaries. This year’s survey indicates that executives are elevating the importance of security. They are heeding the need to fund enhanced security activities and believe that they have substantially improved technology safeguards, processes, and strategies.
But while organisations have raised the bar on security, their adversaries have done even more. This year’s survey shows that detected security incidents have increased 25 per cent over the previous year, while the average financial costs of incidents are up 18pc. The survey also reveals that many organisations have not deployed technologies that can provide insight into ecosystem vulnerabilities and threats, identify and protect key assets, and evaluate threats within the context of business objectives. And for many companies, security is not yet a foundational component of the business strategy, one that is championed by the CEO and board, and adequately funded. Put simply, few organisations have kept pace with today’s escalating risks—and fewer still are prepared to manage future threats.
To view the full 24-page report, visit the PwC website – https://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml
About the Global State of Information Security Survey 2014
The study was conducted online from February 1, 2013, to April 1, 2013. Clients of PwC were invited via e-mail to take the survey. The results are based on the responses of more than 9,600 executives including CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents, and directors of IT and information security from 115 countries. Thirty-six per cent of respondents were from North America, 26pc from Europe, 21pc from Asia Pacific, 16pc from South America, and 2pc from the Middle East and Africa.
Meanwhile, PwC has signed the World Economic Forum’s (WEF) Partnering for Cyber Resilience (PCR) commitment. In supporting this initiative, the PwC network joins other global organisations across the financial services, telecommunications, and retail and consumer sectors.
The PCR is designed to promote a coordinated approach to managing the risks and opportunities that face the global networked economy by securing the commitment of participants in the PCR to a set of common shared principles for the management of cyber risk.
Dennis Nally, chairman of PricewaterhouseCoopers International Ltd, said: “We are fully supportive of this initiative. In the hyperconnected digital age, cyber risk and resilience is a fundamental issue facing the global economy. We are committed to supporting these global principles which will contribute to global economic stability and prosperity by helping businesses better manage the risk of ever increasing threats to their data.”