
www.pwc.com/gsiss2015

Managing cyber risks in an interconnected world
Key findings from The Global State of Information Security Survey 2015

30 September 2014

Table of contents

01 Cyber risks: A severe and present danger (p1)
   Cybersecurity is now a persistent business risk
   And the risks go beyond devices (p3)
   Cybersecurity services market is expanding (p5)
   Figure 1: Security incidents outpace GDP and mobile phone growth

02 Incidents and financial impacts continue to soar (p7)
   Continued year-over-year rise is no surprise
   Figure 2: Security incidents grow 66% CAGR
   Figure 3: Larger companies detect more incidents
   Figure 4: Information security budget by company size (revenue)
   Financial losses increase apace (p10)
   Figure 5: Incidents are more costly to large organizations

03 Employees are the most-cited culprits of incidents (p13)
   Nation-states, hackers, and organized crime groups are the cybersecurity villains that everybody loves to hate
   Figure 6: Insiders vs. outsiders
   High growth in high-profile crimes (p15)
   Domestic intelligence: A new source of concern (p18)

04 As incidents rise, security spending falls (p19)
   Organizations are undoubtedly worried about the rising tide of cybercrime
   Figure 7: Overall, average security budgets decrease slightly, reversing a three-year trend
   Figure 8: Top spending priorities over the next 12 months

05 Declines in fundamental security practices (p25)
   Security practices must keep pace with constantly evolving threats and security requirements
   Figure 9: Failing to keep up with security threats
   Figure 10: At most organizations, the Board of Directors does not participate in key information security activities

06 Gains in select security initiatives (p29)
   While we found declines in some security practices, we also saw gains in important areas

07 Evolving from security to cyber risk management (p31)
   As incidents continue to proliferate across the globe, it's becoming clear that cyber risks will never be completely eliminated

Methodology (p35)
Endnotes & sources (p36)
Contacts by region (p37)

01 Cyber risks: A severe and present danger

Cybersecurity is now a persistent business risk

It is no longer an issue that concerns only information technology and security professionals; the impact has extended to the C-suite and boardroom. Awareness of and concern about security incidents and threats have also become top of mind among consumers. In short, few risk issues are as all-encompassing as cybersecurity.

Media reports of security incidents have become as commonplace as the weather forecast, and over the past 12 months virtually every industry sector across the globe has been hit by some type of cyber threat. Following are but a few.

As incidents proliferate, governments are becoming more proactive in helping organizations fight cyber crime. The US Federal Bureau of Investigation (FBI), for example, disclosed that it notified 3,000 companies, including banks, retailers, and defense contractors, that they had been victims of cybersecurity breaches in 2013.1 Subsequently, the US Department of Justice (DOJ) charged five Chinese military hackers with conducting cyber economic espionage against American companies in the nuclear power, metals, and solar energy sectors.2 This marked the first time that the US has charged state officials with economic espionage using external cyber attacks under section 1831 of the Economic Espionage Act.

It's a trend that will likely continue, according to Sean Joyce, PwC principal and former deputy director of the FBI. "I think we will see the DOJ and FBI continue to pursue an aggressive strategy against nation-state actors that cause significant economic damage to the US economy," says Joyce.

Assaults on major retailers reached epic levels in the past year, resulting in the theft of hundreds of millions of customer payment card records, a rash of litigation, and a rush to adopt a new payment card standard in the US. In the UK, payroll information and bank account numbers of 100,000 employees of a supermarket chain were stolen by a company insider and published online.3

Stock exchanges also have become routine targets. A survey of 46 global securities exchanges conducted by the International Organization of Securities Commissions (IOSCO) and the World Federation of Exchanges Office found that more than half (53%) had experienced a cyber attack.8

Huge heists of consumer data were also reported in South Korea, where 105 million payment card accounts were exposed in a security breach.4 And in Verden, Germany, city officials announced the theft of 18 million e-mail addresses, passwords, and other information.5

The retail attacks did much to elevate awareness of cyber threats, as did media coverage of the breach by former contractor Edward J. Snowden. The revelations of cyber surveillance of individuals, businesses, and nations have also prompted many international businesses and governments to reconsider purchase of products and services from companies that may be affiliated with government entities. Other examples of state-sponsored espionage were uncovered by security firm Symantec, which discovered attacks against major European governments that had been under way for at least four years. Because of the chosen targets and sophisticated malware employed, Symantec believes a state-sponsored group is coordinating the attacks.6

Geopolitical discord, most notably between Russia and Ukraine, resulted in a volley of cyber attacks between the two nations that took down and defaced government websites on both sides of the conflict, as well as spread malware to the computers of embassies.

Financial services companies continued to be major targets. Cyber thieves plundered more than $45 million from worldwide ATM accounts of two banks in the Middle East.7

Other critical infrastructure providers are also under attack. A hacker group successfully infiltrated a US public utility via the Internet and compromised its control system network, although the intrusion was halted before any damage was done.9 And sophisticated state-backed cyber adversaries employed powerful malware to infect the industrial control systems of hundreds of energy companies across the US and Europe.10


One of the year's most far-reaching incidents was the Heartbleed defect, which impacted almost two-thirds of web servers around the world, including some of the most popular e-mail and social networking sites.11 It is believed to have compromised millions of websites, online shopping destinations, and security applications, as well as software like instant messaging, remote access tools, and networking devices. In the first intrusion attributed to the Heartbleed defect, a US hospital chain reported theft of 4.5 million patient records in August.12

We also saw increases in attacks on connected consumer devices, such as baby monitors, home thermostats, and televisions, that comprise the Internet of Things, a nascent ecosystem of devices that interconnect information, operational, and consumer technologies. These Internet-connected devices are vulnerable to attack because they lack fundamental security safeguards, a point verified by a recent HP Fortify on Demand study.

HP reviewed 10 of the most commonly used connected devices and found that 70% contain serious vulnerabilities.13

And the risks go beyond devices

It was widely reported that automobiles, which contain dozens of computers that are often linked to one another and, in some cases, communicate wirelessly with the outside world, can be hacked to control the brakes, steering, and even engines. Security firm IOActive has published research that demonstrates in detail how hackers can control the Electronic Control Units of specific automobiles and proposes mechanisms to detect attacks.14

Even those reporting the cybersecurity intrusions were not immune. Some of the world's most trusted news organizations, including The New York Times, The Financial Times, CNN, and Reuters, were taken down or compromised in the past year. Many of the most prominent attacks were carried out by hackers tied to a Middle Eastern government.

This list is by no means exhaustive. It will always be difficult to know exactly what organizations have been compromised because many simply don't realize that they have been attacked or are under attack. Others may be reluctant to reveal known compromises for very real fear of reputational damage, lawsuits, and regulatory investigations. Indeed, regulators around the world are beginning to more proactively address cyber risks.

In an indicator of how the regulatory landscape is evolving, the US Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) recently announced that it plans to examine the cybersecurity preparedness of more than 50 registered broker-dealers and investment advisers.15 The new guidance highlights several unique requirements, such as suggesting that organizations have cyber insurance and be able to produce a comprehensive inventory of all security incidents and breaches. SEC guidance also requires that businesses implement risk-assessment processes, as well as more effectively assess vendor risks and due diligence.

In Asia, the Singapore Personal Data Protection Act establishes new standards for the collection, use, and disclosure of personal data. Organizations that do not comply with the act are subject to financial penalties of up to $1 million (SGD) or $788,995 (USD).17

Executives of multinational organizations are keeping an eye on the European Union Data Protection Regulation, which is on track to be finalized in 2015. The regulation is expected to add new requirements for breach notification to individuals, require organizations that handle personal data to conduct risk assessments and audits, and increase fines for compromised businesses.16

The EU General Data Protection Regulation's breach notification requirements may increase disclosure of security incidents in Europe, according to John W. Woods, Jr., co-leader of the global cybersecurity practice for the law firm Baker & McKenzie LLP. "In the US, state data-breach notification statutes have resulted in the disclosure of a significant number of security breaches, which in turn has raised the consciousness around cybersecurity issues," Woods says. "It will be interesting to see if the proposed EU data-breach notification has a similar impact. If it parallels the experience in the US, I think we very well may see a proliferation of incidents reported in Europe."

We have also seen new government efforts to help organizations improve their cybersecurity posture on a voluntary basis. In the US, the President's 2013 Executive Order on improving cybersecurity produced the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Version 1.0 of the voluntary standard is being implemented by individual companies to assess and improve cybersecurity, as well as to create a common language for discussion and collaboration on security intelligence and response tactics.

Private-sector efforts to advance security include the launch of Google's Project Zero initiative, which aims to advance security by identifying and stopping zero-day threats (unknown and unpatched code flaws) before hackers can exploit them. Google says Project Zero researchers will work to enhance the security of widely used software, as well as study the motivations and techniques of attackers and conduct research into effective monitoring and mitigation of cyber compromises.18


Cybersecurity services market is expanding

In the wake of increased incidents and heightened regulations, corporations and government agencies are scrambling to safeguard their data and networks, a push that is catalyzing growth in the market for cybersecurity solutions and technologies.

Research firm Gartner predicts that global IT security spending will increase 7.9% to $71.1 billion in 2014, and grow an additional 8.2% to reach $76.9 billion in 2015, according to The Wall Street Journal.19

The upsurge in security incidents and the resulting media coverage has helped unleash a flood of venture capital investment in companies that provide cybersecurity software, solutions, and services. During the first six months of 2014, venture capital firms invested $894 million in US cybersecurity startups, almost the same amount invested in all of 2013.20 That puts the sector on track to post the highest investments in more than a decade. At the same time, the market capitalizations of some security firms hit new highs in the past year.

Network security provider FireEye, after a $304 million initial public offering (IPO) in 2013, now has a market cap of approximately $4.6 billion.21 Enterprise firewall specialist Palo Alto Networks raised $260 million in a 2012 IPO and now has a market cap of approximately $6.2 billion.21

Figure 1: Security incidents outpace GDP and mobile phone growth
Year-over-year growth, 2013-2014: global security incidents (GSISS 2015) grew 48%; the comparison bars for global smartphone users (eMarketer) and global GDP (OECD) show 22% and 21%.
Sources: OECD, Economic Outlook No. 95, May 2014; eMarketer, "Smartphone Users Worldwide Will Total 1.75 Billion in 2014," January 16, 2014; The Global State of Information Security Survey 2015.


At the height of the venture-funding boom, the valuation of some cybersecurity companies was five to ten times their annual revenues in 2013. The market is starting to self-adjust, however, as investment in cybersecurity companies has cooled in recent months. As a result, some prominent firms have lost more than half of their previous market caps.

We believe the cybersecurity software, solutions, and services market is likely to remain a growth sector because executives and Boards recognize that cyber threats will never be completely eliminated, and regulatory and compliance requirements will likely become more stringent. Against this backdrop of elevated risks, regulation, and market activity, we present the results of this year's survey.

Venture capital investments in cybersecurity firms are also accelerating in Europe. London-based C5 Capital launched a cybersecurity-focused fund of 125 million22 and announced an investment of 8.0 million in IT security firm Balabit.22 Index Ventures, another venture capital firm, created a fund to invest in technology start-ups in Europe, Israel, and the US totalling 550 million.23

It has also been an active year for mergers and acquisitions of cybersecurity firms. FireEye purchased Mandiant for approximately $1.0 billion.22 Cisco Systems acquired Sourcefire for $2.7 billion.24


02 Incidents and financial impacts continue to soar

Continued year-over-year rise is no surprise

Given the nature and number of very prominent security breaches over the past year, it comes as no surprise that incidents reported by respondents to The Global State of Information Security Survey 2015 continued a year-over-year rise.

The annual survey of more than 9,700 security, IT, and business executives found that the total number of security incidents detected by respondents climbed to 42.8 million this year, an increase of 48% over 2013. That's the equivalent of 117,339 incoming attacks per day, every day. Taking a longer view, our survey data shows that detected security incidents have grown at a compound annual growth rate (CAGR) of 66% since 2009.

These numbers are by no means definitive, however; they represent only the total incidents detected and reported. As noted, many organizations are unaware of attacks, while others do not report detected incidents for strategic reasons or because the attack is being investigated as a matter of national security.

Figure 2: Security incidents grow 66% CAGR
Total number of detected incidents: 2009, 3.4 million; 2010, 9.4 million; 2011, 22.7 million; 2012, 24.9 million; 2013, 28.9 million; 2014, 42.8 million.

Figure 3: Larger companies detect more incidents
Detected security incidents by company size (revenue), 2013 vs. 2014:
Small (revenues less than $100 million): 1,151 in 2013; 1,091 in 2014
Medium (revenues $100 million to $1 billion): 2,581 in 2013; 4,227 in 2014
Large (revenues more than $1 billion): 9,155 in 2013; 13,138 in 2014

It seems certain, given the technical sophistication of today's well-funded threat actors, that a substantial number of incidents are successful but not discovered. In fact, one cybersecurity firm recently estimated that as many as 71% of compromises go undetected.25

When it comes to discovering incidents, one thing is very clear: Large companies have the edge over smaller firms. Among our global survey sample, large organizations (those with gross annual revenues of $1 billion or more) detected 44% more incidents compared with last year. The fact that big companies detect more incidents is not surprising.


Threat actors often target large organizations because they typically offer a rich trove of information, including trade-strategy documents, intellectual property related to product design, and large volumes of consumer data, that can be exploited, sold, or used for economic or military gain. Larger companies also typically have more mature security processes and technologies in place, which allows them to uncover more incidents.

As larger companies continue to implement more effective security safeguards, threat actors are increasingly stepping up their assaults on middle-tier companies, many of which may not have security practices that match the maturity of bigger businesses. That, in part, explains the 64% jump in the number of incidents detected by medium-size organizations (those with revenues of $100 million to $1 billion).

Small organizations proved the exception in discovering compromises. Companies with revenues of less than $100 million detected 5% fewer incidents this year. The reasons are not immediately clear, but one explanation may be that small companies are investing less in information security, which may leave them both incapable of detecting incidents and a more tempting target to cyber adversaries. Small firms often consider themselves too insignificant to attract threat actors, a dangerous misperception.

It's also important to note that sophisticated adversaries often target small and medium-size companies as a means to gain a foothold on the interconnected business ecosystems of larger organizations with which they partner. This dangerous reality is compounded by the fact that big companies often make little effort to monitor the security of their partners, suppliers, and supply chains.


The lack of due diligence into third parties has become so prevalent that an increasing number of regulators now require assessment of partner and supply-chain security capabilities. To catch up, small businesses might consider outsourcing elements of their cybersecurity programs to take advantage of economies of scale. While big corporations may have the expertise and resources to build a sophisticated cybersecurity fusion center that enables sharing of threat intelligence and response techniques, that is not practical for smaller firms. But they can obtain the same benefits through managed security services. Another option to address risks might be purchase of cyber insurance.

Looking at security incidents across geographic regions, cybercrime is rising significantly in Europe, which reported a 41% jump in the number of incidents detected over 2013. It very well may be that Europe leads in detecting incidents because the Continent reports a healthy 12% bump in security spending, among the highest of all regions.

In North America, respondents detected 11% more incidents this year. Asia Pacific respondents seem less adept at discovering incidents, reporting a 5% increase in detections. South America was the only region to show a decline in the detection of compromises: The number of incidents dipped 9%. It's worth noting that information security spending dropped 24% in South America, significantly more than other regions.

To improve their security posture, one option that small and medium companies might pursue is consideration of managed security services. This can enable them to employ sophisticated technologies and processes to detect security incidents in a cost-effective manner.

Figure 4: Information security budget by company size (revenue), 2013-2014
Small (revenues less than $100 million): $0.92 million in 2013; $0.73 million in 2014
Medium (revenues $100 million to $1 billion): $3.0 million and $2.8 million
Large (revenues more than $1 billion): $10.3 million in 2013; $10.8 million in 2014


Financial losses increase apace

As security incidents grow in frequency, the costs of managing and mitigating breaches also are rising. Globally, the annual estimated reported average financial loss attributed to cybersecurity incidents was $2.7 million, a jump of 34% over 2013. Not surprising in light of last year's prominent breaches is the finding that big losses are more common: Organizations reporting financial hits of $20 million or more increased 92% over 2013.

The rise in security incidents would account for some of this increase in financial losses, of course. But another explanation might be that today's more sophisticated compromises often extend beyond IT to other areas of the business, according to William Boni, corporate information security officer for T-Mobile US. "Financial losses may now include remediation for monitoring of external customer impacts, as opposed to just operational disruptions inside an organization's firewall," says Boni.

As with the total number of incidents, the global cost of cybercrime is ultimately unknowable because many attacks are not reported and the value of certain types of information, intellectual property in particular, is difficult to calculate. A recent study by the Center for Strategic and International Studies noted the difficulties in estimating financial impact but estimated that the annual cost of cybercrime to the global economy ranges from $375 billion to as much as $575 billion.26 If that figure seems high, it doesn't even approach the estimates of losses that can result from theft of trade secrets and intellectual property. The impact of this type of information loss can be measured by financial and non-financial indicators.

Figure 5: Incidents are more costly to large organizations
Average financial losses due to security incidents, 2013-2014:
Small (revenues less than $100 million): $0.65 million in 2013; $0.41 million in 2014
Medium (revenues $100 million to $1 billion): $1.0 million in 2013; $1.3 million in 2014
Large (revenues more than $1 billion): $3.9 million in 2013; $5.9 million in 2014


Financial impact may include decreased revenues, disruption of business systems, regulatory penalties, and erosion of customers. Non-financial impact may include reputational damage, the pirating of products, diversion of research and development information, impacts to innovation, stolen product designs or prototypes, theft of business and manufacturing processes, as well as loss of sensitive information such as M&A plans and corporate strategy.

Measured across these vectors, financial damages can be significantly higher than traditional measures. Consider that the Center for Responsible Enterprise And Trade (CREATe.org), in conjunction with PwC, estimated that the impact of trade-secret theft ranges from 1% to 3% of a nation's annual gross domestic product (GDP).27 Using the World Bank's annual global GDP estimate of $74.9 trillion in 2013, loss of trade secrets may range from $749 billion to as high as $2.2 trillion annually.28 Potential losses seem even more menacing when the likelihood of cybersecurity compromise is factored in.

In its 2014 global risk report, the World Economic Forum rated cyber attacks among its top five risks in terms of likelihood.29 The possibility of compromise is a threat that is not lost on many senior executives.


Almost half (48%) of respondents to PwC's 2014 Global Economic Crime Survey said the perception of cybercrime risk to their organization had increased in the past year, up from 39% in 2011.30 In other words, executives clearly recognize that cyber threats have become a serious enterprise risk-management issue.

While risk has become universal, our security survey found that financial losses due to security incidents vary widely by organizational size. To understand these discrepancies, we looked into how organizations measure the financial impact of security incidents. Large companies typically spend more on information security and have a more mature program. As a result, they are more likely to have the processes and knowledge to accurately calculate financial losses. Accordingly, they may consider a full range of possible impacts, including costs associated with loss of customer business, legal defense fees, court settlements, forensics, and reputational damage.


Larger organizations also take a more strategic approach to security by identifying sensitive assets and allocating spending to their most valuable data, and they are likely to understand third-party risks through the use of security baselines for partners. Large companies tend to have the processes and technologies in place to actively monitor and analyze security intelligence; should anomalies be detected, they are in a better position to have an incident-response process at the ready. And big organizations more frequently cultivate a culture of security through employee awareness and training programs, as well as by ensuring that senior executives broadcast the importance of cybersecurity across the enterprise.

Small companies report that the cost of incidents actually decreased 37% compared with last year, while large companies report a 53% jump in financial damages. Medium-size organizations landed somewhere in the middle, reporting that the costs of incidents rose 25% over the year before.

03 Employees are the most-cited culprits of incidents

Nation-states, hackers, and organized crime groups are the cybersecurity villains that everybody loves to hate

The percentage of respondents who point the finger at current employees jumped 10% over 2013.

While there's no doubt that these actors are a force to be reckoned with, insiders, current and former employees in particular, have become the most-cited culprits of cybercrime. That's not to say that all employees exhibit malicious behavior, however. In many cases, they may unwittingly compromise data through loss of mobile devices or targeted phishing schemes.

The jump in insider incidents may carry serious implications. In the 2014 US State of Cybercrime Survey, we found that almost one-third (32%) of respondents said insider crimes are more costly or damaging than incidents perpetrated by outsiders.31 Yet many companies do not have an insider-threat program in place, and are therefore not prepared to prevent, detect, and respond to internal threats.

It's a risk that PwC's Joyce has seen first hand. "Based on my experience with the [Chelsea] Manning and Snowden leaks, and with managing one of the leading insider programs within the intelligence community, I have seen that organizations sometimes overlook the threat from within their own business ecosystem," says Joyce. "The effects can be devastating."

Another threat lies in the fact that organizations often handle remediation of insider cybercrime internally. In fact, 75% of respondents to the US cybercrime survey said they did not involve law enforcement or bring legal charges in compromises committed by insiders.32 In doing so, they may leave other organizations vulnerable to risks because those that hire these individuals in the future have no way to assess their threat potential.

Figure 6: Insiders vs. outsiders
Sources of security incidents, 2013-2014 (percentage of respondents citing each source).
Insiders: current employees; former employees; current service providers/consultants/contractors; former service providers/consultants/contractors; suppliers/business partners; customers.
Outsiders: terrorists; organized crime; activists/activist organizations/hacktivists; information brokers; competitors; foreign entities & organizations; foreign nation-states; domestic intelligence service; hackers; do not know.


Employees are not the only source of rising insider threats, however. The percentage of incidents attributed to current and former service providers, consultants, and contractors increased to 18% and 15%, respectively, in 2014.

Among retailer and consumer companies, we found a noticeable jump in those who attribute security incidents to current service providers and contractors (23%) as well as former partners (45%).

This is a threat that has been made all too apparent by a rampage of attacks on US retailers over the past year, some of which were achieved by criminals who gained access to the networks and point-of-sale systems of retailers through compromises of third-party suppliers and contractors.


Labeling 2013 as the year of the retailer breach, Verizon counted 467 retailer breaches around the world in its annual Data Breach Investigations Report, noting that payment card data was the primary target in 95% of incidents within the retail industry.33 It looks as if 2014 will be another year of unprecedented breaches. As we prepared this report, news broke of another US retailer heist that resulted in the loss of 56 million payment card records.34

If there is an upside to these compromises, it's that they have spurred stakeholders in the US payment card industry to move from the existing magnetic-stripe technology to EMV, a more secure microprocessor-based standard that is less vulnerable to compromise.

High growth in high-profile crimes

Cyber incidents that garner the most attention, compromises by nation-states, organized crime, and competitors, remain among the least frequent. That's of little comfort, however, considering that our survey results show these attacks are among the fastest-growing threats.

It's a growing concern for many organizations, according to Lisa J. Sotto, a partner of the legal firm Hunton & Williams who specializes in cybersecurity and privacy issues. "I have seen a huge increase in the number of nation-state attackers who are seeking IP, blueprints, M&A data, and R&D," says Sotto. "The number of attacks by organized crime rings also appears to be at an all-time high, and the level of organization and infrastructure of these crime rings is unprecedented."


Nation-states often target critical infrastructure providers and suppliers to steal IP and trade secrets as a means to advance their own political and economic advantages. It isn't surprising, therefore, to find that nation-state incidents are most frequent among sectors such as oil and gas (11%), aerospace and defense (9%), technology (9%), and telecommunications (8%).

Survey results square with that assessment from the field. This year, we found an 86% increase in respondents who say they have been compromised by nation-states. Given the ability of nation-state adversaries to carry out attacks without detection, we believe the volume of compromises is very likely under-reported.

The boost in incidents attributed to nation-states may be due, in some part, to geopolitical events in Eastern Europe and the Middle East, which have coincided with an increase in distributed denial of service (DDoS) attacks and the use of sophisticated espionage spyware.

The battle against nation-state crime is compounded by the fact that timely sharing of cyber-threat intelligence is a challenge for most countries. Only a few, such as the US, Canada, the United Kingdom, Australia, and New Zealand, have the ability to effectively share cyber-attack information with companies headquartered in their respective countries.

Improvement of security intelligence-sharing capabilities could prove a significant economic advantage to both nations and their businesses. What's more, the combination of effective information sharing and the security research being conducted by private companies like Google may eventually make cybercrime less lucrative for adversaries by requiring that they invest more in technology and attack-process capabilities.

We also found a striking 64% jump in security incidents attributed to competitors, some of whom may be backed by nation-states. Nowhere was this problem more acute than in Asia Pacific, and specifically in China. Almost half (47%) of respondents from China pointed to competitors as the source of security incidents, higher than any other nation.

The reason for this increase may be that companies are discovering that, as information is increasingly stored in digital formats, it is easier, cheaper, and quicker to steal IP and trade secrets than to develop capabilities themselves. In carrying out attacks, competitors often fuse sophisticated high-tech techniques with other methods such as recruiting employees of the targeted company, bribery, extortion, and the promise of a new job. The rise in cybercrimes attributed to nation-states and competitors is concurrent with an increase in theft of intellectual property and other types of sensitive information.

This year, IP theft increased 19% over 2013. Almost one-in-four (24%) respondents report theft of "soft" intellectual property, which includes information on processes and institutional knowledge. Fewer (15%) say "hard" intellectual property, such as strategic business plans, deal documents, and sensitive financial documents, was stolen.


This year, 15% of survey respondents cited organized crime as a source of incidents, up from 12% last year. By region, theft by organized criminals was particularly high in Malaysia (35%), India (22%), and Brazil (18%).

IP theft is highest among respondents from aerospace and defense, an industry whose trade secrets can include sensitive information that may be critical to a country's national security.

This year, aerospace and defense respondents reported a 97% increase in hard IP theft and a 66% jump in soft IP compromise, higher by far than any other sector.

Compromises by organized crime also are on the rise.

Organized crime groups are typically motivated by financial gain. A successful cyber attack can net millions of payment card records that can be quickly monetized. In addition to credit and debit card data, these criminals increasingly target patient health care data or other personally identifiable information that has considerable value in the underworld of information resellers. In the US alone, financial losses due to personal identity theft, which includes misuse of payment cards, bank accounts, and personal information, totaled $24.7 billion in 2012, according to the Bureau of Justice Statistics.[35] The recent theft of more than a billion user credentials by organized criminals illustrates that these attacks are growing in scope.


In response, law-enforcement agencies across the world are beginning to band together to fight organized criminals, according to cybersecurity attorney Woods. "There has been an increased cross-border recognition of the need for more coordinated law-enforcement efforts to identify incidents caused by organized crime," he says. "I think this will accelerate in the coming years through organizations like Interpol."


Domestic intelligence: A new source of concern

As a result, organizations in some nations report they are reconsidering the procurement of equipment from certain manufacturers. In fact, 42% of respondents say the purchase of products and services originating in certain nations is under review, and 29% say they now purchase fewer products and services from some nations.

Globally, 59% of respondents say their organization's executives are worried about government surveillance. Concerns are markedly higher in China (93%), India (83%), and Brazil (77%).

Edward J. Snowden's disclosures of government surveillance have added a new adversary to the threat environment: domestic intelligence services.

As a result of the Snowden leaks, nations, businesses, and society in general have become increasingly skeptical of domestic surveillance and are concerned about potential impact on data privacy and security.

The headline-making nature of the Snowden revelations has resulted in considerable awareness and concern among business executives. Not only are they raising questions about government surveillance, but also regarding the telecommunications and technology companies that may have provided government access to data.

This concern carries potentially broad implications for some telecommunications and high-technology companies. Firms in the US, in particular, and Europe have traditionally dominated the market for telecommunications and corporate networking equipment. But Asian companies are making inroads, and their prospects brightened after it was disclosed that the US government had collected sensitive information from some domestic technology and telecom firms.

The "Snowden effect," which helped consumers understand the concept of Big Data analytics, has also raised a red flag among individuals. In fact, the Snowden leaks and the proliferation of Big Data have elevated the issue of personal privacy to a matter of public debate. The White House responded by publishing this year two high-profile papers on the impact of Big Data on the privacy of consumer information. These government studies underscore the importance of integrating a strategy for Big Data security and consumer privacy to protect information and gain competitive advantages.[36]

The issues that most worry executives? The privacy of personal data, potential legal risks, and loss of intellectual property.


04
As incidents rise, security spending falls

Organizations are undoubtedly worried about the rising tide of cybercrime

PwC's Global Economic Crime Survey 2014 found that almost half (48%) of global respondents said their perception of cybercrime risk increased, up from 39% in 2011.[37]

At the same time, PwC's 2014 Annual CEO Survey reported that 48% of global CEOs are concerned about cyber threats to their organization, including a lack of data security.[38] Despite elevated concerns, our survey found that global IS budgets actually decreased 4% compared with 2013. In fact, security spending as a percentage of IT budget has remained stalled at 4% or less for the past five years.

"Information security is a risk issue, not an IT issue," Sotto says. "Information security should be a distinct function, with a separate governance structure and a separate budget so that appropriate resources are given to information security. Having CISOs report to the head of IT is a vestige."

No matter where the security function reports, it seems counter-intuitive that, as threats become more frequent and costly, organizations have not stepped up investment in security initiatives. This finding is also puzzling in light of Gartner's forecast for a 7.9% increase in security spending for 2014.[39]

We found one explanation for the spending slow-down by looking at investment levels reported in last year's survey. In 2013, organizations reported very significant increases in spending over 2012, expanding IT investments by 40% and security spending by an even more substantial 51%. It could be that this year's respondents were hard-pressed to continue investments at that accelerated pace.


Looking at security investment by company size also sheds some light on the anemic funding.

This year, companies with revenues less than $100 million say they reduced security investments by 20% over 2013, while medium and large companies report a 5% increase in security spending. That represents a significant level of spending, according to T-Mobile's Boni. "One variable is a reluctance to increase spending during the recent economic recovery," says Boni. "I think a 5% increase is a pretty substantial level of attention since companies are starving other corporate areas and want to keep costs tightly under control."

Figure 7: Overall, average security budgets decrease slightly, reversing a three-year trend
The average information security budget dipped to $4.1 million, down 4% over last year. Security spending remains stalled at only 3.8% of the overall IT budget.
[Chart: Information security budget for 2014, and % of IT budget spent on information security, 2010 to 2014]

Another explanation could be that more targeted security practices have enabled organizations to strategically optimize spending. "I think we are heading toward a paradigm shift in the way we spend on information security," says Fernando Camarotti, chief information security officer of Vale, a global metals and mining company based in Rio de Janeiro. "In the past, the big spending projects tended to lock down all the data, but that's no longer seen as effective. In addition to traditional information security controls for the entire company, we worked to find where we had confidential information that needed to be protected. When you do that, the security investment can be more effective and much smarter."

This diminished spending among small organizations raises the question: Are they simply giving up on cybersecurity? We can't be sure, but we certainly hope not. As noted, smaller businesses often believe they are too insignificant to draw the attention of serious hackers and organized crime. It also may be that rising risks, combined with an overabundance of security solutions, have resulted in analysis paralysis, leaving smaller firms unable to make decisions and take action.

"It could also be fatigue," says cybersecurity attorney Sotto. "The entire issue of cybersecurity is so daunting, particularly for small companies that don't have the appropriately skilled people, or credentialed people at the helm of the IS function," Sotto says.


It's also possible that, due to the ongoing shortage of experienced security professionals, the most skilled candidates are hired by bigger organizations with hefty budgets. Among larger companies, an explanation for limited growth of security spending might be that, as the global economy continues to recover, more corporations are hoarding more cash and investing less in IT and security. It's obvious, however, that businesses are spending in some areas, most notably research and development.

Annual expenditures among the world's 1,000 biggest R&D spenders hit a record $638 billion in 2013, a 6% increase over the year before.[40]

We also believe many organizations struggle to understand how much to spend on security and how to determine the return on investments of their security outlay. In part, that's because there is no definitive data on current security risks to help inform a security spending strategy.

It also seems likely that, since only 40% of respondents say their Board is involved in security budget decisions, many may have trouble achieving robust funding in security. And, we also hear that many senior executives and Boards often find it difficult to understand how security technology works and identify the related tactical risks.

Looking at security investments by industry shows that spending is down in most sectors, with a few notable exceptions.

While the revenues and spending among airline manufacturers are up, for instance, defense spending is dropping among developing nations. This is particularly true in the United States after its pullout from Afghanistan and Iraq and subsequent defense budget cuts. And while the decline in the retail and consumer industry spending may seem puzzling given widely reported breaches, consider that 2014 security budgets may have been in place for the year before the incidents were reported.

Information security budgets are declining steeply among organizations in the aerospace and defense (-25%), technology (-21%), automotive (-16%), and retail and consumer products (-15%) industries. In some sectors, overall business trends account for these drops.

"The typical CIO or CFO will spend money when there is documented proof a problem may result in real hurt," says Boni of T-Mobile. "When that is lacking, it's very difficult to accurately quantify the business impact of new technologies and unknown threats. Organizations must be very judicious about every nickel they spend on information security."


Industries reporting the most significant increases in security spending include healthcare providers and payers (66%), oil and gas (15%), and utilities (9%). The increase in spending among healthcare providers and payers is particularly striking but certainly justifiable given current risks and trends. This year, healthcare providers and payers report a 60% increase in detected incidents, with financial losses skyrocketing 282% over 2013.

The explanation for this snowballing volume of incidents and financial losses may be that threat actors are targeting healthcare providers and payers for their increasingly valuable patient health data. A health record often comprises a full complement of information (financial, medical, family, and personal) that can be used to construct a complete identity. A complete identity-theft kit containing comprehensive health insurance credentials can be worth hundreds of dollars or even $1,000 each on the black market, and health insurance credentials alone can fetch $20 each; stolen payment cards, by comparison, typically are sold for $1 each.[41]

These black markets for stolen data are growing in size and complexity.

While the number of websites on which data is sold is not known, the number of criminals who participate in these dark bazaars is likely to increase because it is becoming easier to get involved, according to the RAND Corp.[42] In part, that's because today's black market comprises increasingly more websites, forums, and chat channels in which goods can be bought and sold.

Healthcare providers and payers also may be boosting security investments to prepare for connected health-monitoring devices and the explosion of data that the Internet of Things will bring. Indeed, for healthcare providers and payers, the Internet of Things is not futuristic, nor are the risks theoretical.

Consider that almost half (47%) of healthcare provider and payer respondents say they have integrated consumer technologies such as wearable health-monitoring devices or operational technologies like automated pharmacy-dispensing systems with their IT ecosystem. Yet they have not been as quick to ensure the security of these connected devices.

Just more than one-third (34%) have contacted device manufacturers to understand the equipment's security capabilities and risks, and 58% have performed a risk assessment of the devices or technologies. Only 53% have implemented security controls for these connected devices.


Figure 8: Top spending priorities over the next 12 months
Prevent, protect, detect, respond
[Chart: share of respondents naming each priority, grouped as Prevent, Protect, Detect and Respond: account provisioning/deprovisioning, employee security awareness training program, role-based access controls, behavioral profiling and monitoring, encryption of smartphones, privileged user access, tools to discover unauthorized access, data loss prevention tools, patch management tools, malicious code detection tools, security information and event management (SIEM) technologies, mobile malware detection, vulnerability scanning tools, active monitoring/analysis of information security intelligence, unauthorized use or access monitoring tools, threat assessments, incident management response process, and security event correlation tools.]


05
Declines in fundamental security practices

Security practices must keep pace with constantly evolving threats and security requirements

Doing so will demand investments in the right processes and technologies to prevent, protect, detect, and respond to security risks. Overall, many organizations are failing to do so.

Given today's interconnected business ecosystem, in which exponentially more data is generated and shared with business partners and suppliers, an area of specific concern is the lack of policies and due diligence regarding third parties. It is worrisome that the focus on third-party security actually weakened in the past year in some very key areas, even as the number of incidents attributed to these insiders increased.

"We are seeing third-party vendors as a very significant source of cyber risk," says attorney Sotto. "You could have a moat around a heavily fortified castle but if the bridge is down to your vendors, then your fortifications become worthless." Sotto says organizations should anchor their third-party due diligence on three key practices:

Perform appropriate vetting of vendors to ensure that they have the ability to safeguard the information, put robust contractual protections in place, and conduct ongoing monitoring to ensure the third party is protecting the data.

Based on these criteria, many respondents are behind the curve. For instance, only 50% say they perform risk assessments on third-party vendors (down from 53% in 2013), and just 50% say they have conducted an inventory of all third parties that handle personal data of employees and customers. Just over half (54%) of respondents say they have a formal policy requiring third parties to comply with their privacy policies, down from 58% in 2013.

Figure 9: Failing to keep up with security threats
Prevent, protect, detect, respond
[Chart: share of respondents with each safeguard in place, grouped as Prevent, Protect, Detect and Respond: secure access control measures, privileged user access, employee security awareness training program, require third parties to comply with our privacy policies, encryption of e-mail messages, intrusion prevention tools, intrusion detection tools, malicious code detection tools, security event correlation tools, business continuity/disaster recovery plans, data loss prevention (DLP) tools, unauthorized use or access monitoring tools, incident response process to report and handle breaches to third parties that handle data, patch management tools, conduct personnel background checks, protection/detection solution for advanced persistent threats (APTs), active monitoring/analysis of information security intelligence, and vulnerability scanning tools.]


Employee training and awareness is a fundamental component of every program because the weakest link in the security chain is often human. Frequently, the disconnect comes down to how organizations engage their employees and generate awareness through their communications programs.

This year, 51% of respondents said they have a security awareness and training program, down from 60% last year. A slightly higher number, 57%, say they require employees to complete training on privacy policies.

Consider that 84% of CEOs believe their strategic priorities will deliver on goals, but only 41% say their employees understand the strategy well enough to inform decision-making.[43]

Large organizations are more likely to recognize and act upon the importance of employee training. We found that 58% of big companies do so, compared with 47% of small firms.

Security training is most prevalent in North America and Asia Pacific, and is most likely to be embraced by organizations in the healthcare, industrial products, and financial services sectors.

Effective security awareness will also demand top-down commitment and communication, a tactic that is often lacking. Only 49% of respondents say their organization has a cross-organizational team that regularly convenes to discuss, coordinate, and communicate information security issues. It also will require that the C-suite and Board be directly involved.

"Effective security awareness will require adequate funding, but perhaps more importantly it also will demand a commitment to maturity," says Gary Hayes, chief information officer of CenterPoint Energy, an electric and natural gas utility based in Houston. "Accelerating investments is not enough," he says. "You have to mature your organization, your people, and your technologies, and that can be a more restraining factor than the availability of capital."


It is incumbent upon the executive team to take ownership of cyber risk and ensure that the Board understands how the organization will defend against and respond to cyber risks. The barrage of incidents over the past year has resulted in a lot of discussion about Board involvement in security. Yet for all the chatter, organizations clearly have not elevated security to a Board-level discussion.

We know because we asked: Only 42% of respondents say their Board actively participates in the overall security strategy and 36% say the board is involved in security policies. Just 25% say Boards are involved in review of current security and privacy threats, a crucial component of effective information security.

As does he. "I report to the broader Board twice a year, and I also report to the audit committee on a quarterly basis," Hayes says. "The Board definitely requests information about what's going on and how we are responding because cyber risks have been identified as among our top three enterprise risk-management issues."

That may be starting to change, however. Hayes of CenterPoint Energy notes that he attends regular meetings with CIOs of 22 large utility companies, and virtually all deliver security reports to the Board.

Figure 10: At most organizations, the Board of Directors does not participate in key information security activities.
Despite the high-profile security breaches in the past year, the Board of Directors is often not involved in critical initiatives such as security strategy, budget, and review of risks.
[Chart: share of respondents whose Board participates in each activity: overall security strategy (42%), security budget (40%), security policies (36%), review of current security and privacy risks (25%), security technologies, and review of roles and responsibilities of the security organization]


06
Gains in select security initiatives

While we found declines in some security practices, we also saw gains in important areas

Cyber risks, technologies, and vulnerabilities evolve at lightning speed, and sharing information among public and private entities regarding cyber threats and responses is central to a strong cybersecurity program.

Increasingly, organizations are embracing external collaboration to improve security and threat intelligence. Hayes of CenterPoint says his company actively collaborates with several Information Sharing and Analysis Centers (ISACs) and industry associations, as well as government agencies, an initiative that has proven to be invaluable.

"If you are not connected to the conversations, you are going to be lost," he says. "In today's threat environment, there is no reason for not collaborating."

Survey respondents are starting to see the value of working with others.

This year, 55% of respondents say they collaborate with others to improve security, an increase of 12% over 2013. The larger the company, the more likely it is to collaborate with others: 66% of large organizations do so, compared with 49% of small firms. Collaboration is more common in regions in which growth in the development of IT infrastructure has been rapid over the past decade. Respondents from South America and Asia Pacific, for instance, are more likely to work with others to advance security intelligence.

As smartphones and tablets become ubiquitous, organizations have historically lagged in implementing security safeguards to counter mobile threats. This year we saw some notable advances. At the most basic level, 54% of respondents say they have implemented a mobile security strategy. Given the risks of mobility, that is still low but it represents an improvement over the 42% that had a mobile security strategy in 2013.

Similarly, mobile device management (MDM) and mobile application management (MAM) solutions are essential to securing a fleet of devices, whether owned by the enterprise or the individual. This year, 47% of respondents say they employ MDM/MAM solutions, an improvement from last year's 39% who did so. Nonetheless, there remains much opportunity for improvement.

Another area of improvement can be seen in the adoption of cyber insurance as a tool to help manage the risks of cybercrime.

In the US, as noted, the SEC OCIE guidance has suggested that financial services organizations purchase cyber insurance as part of an effective cyber-risk management strategy. Given today's elevated threat environment and escalating costs of cybercrime, we believe that protecting against financial losses from cyber risks should rank as high as other insurable risks.

It's an approach that many organizations seem to understand. More than half (51%) of respondents say they have purchased cybersecurity insurance, up from 45% last year. Perhaps more significant is the finding that some companies are leveraging cyber insurance as a way to improve their security program. More than a third (36%) say they have taken steps to enhance their security posture in order to lower their insurance premium. Aerospace and defense, automotive, entertainment and media, and financial services companies are most likely to purchase cyber insurance.

Not surprisingly, advances in mobile security are more prominent among larger organizations, which tend to have more mature overall security programs in place. Financial services, telecommunications, and industrial products organizations have made the most progress in advancing their mobile security practices.

South America leads in adoption of cyber insurance, with 58% of respondents saying they have purchased policies. The US, at 44%, is the region least likely to have invested in cyber insurance.


07
Evolving from security to cyber risk management

As incidents continue to proliferate across the globe, it's becoming clear that cyber risks will never be completely eliminated

Today's interconnected business ecosystem requires a shift from security that focuses on prevention and controls to a risk-based approach that prioritizes an organization's most valuable assets and its most relevant threats. It also will be critical to focus on rapid detection of security intrusions and an effective, timely response. To get there, businesses should reposition their security strategy by more closely linking technologies, processes, and people skills with the organization's broader risk-management activities. This remains a challenge for many businesses, according to Boni of T-Mobile.

"It's rare that organizations have the practitioners, tools, and executive leadership required to understand and respond to security challenges," Boni says. "Too many people still see information security as a principally technical problem and believe that simply buying the right software will cause the problem to go away. Information security involves people, processes, and technologies; getting all three in the right measure is the real art of a successful security program."

"It also can help guide spending on information security. There is a lot of uncertainty in return on investment for security. Companies often do not know if they are doing a good job," says Boni. "There is no generally accepted accounting procedure equivalent for baseline cybersecurity. Over time, the NIST standard should help create a common language and framework to help companies understand if they're doing a good job with their information security investments and programs."

Organizations seeking to implement the correct mix of people, processes, and technologies should consider the NIST Cybersecurity Framework. Even though the Framework targets US critical infrastructure providers, it offers an effective model for risk-based security for organizations across industries and across the globe.


We believe it is well worth adopting solely for its stated goal of improving security. "The NIST Framework is a great example of the public and private sector collaboration that provides an excellent agnostic framework to cybersecurity," says PwC's Joyce, who helped develop the executive order that mandated creation of the Framework.


Adoption of the Framework also can deliver ancillary benefits that include enhanced collaboration and communication of security posture among executives and industry organizations, as well as potential future improvements in legal exposure and even assistance with regulatory compliance.[44]

US organizations are already beginning to embrace the NIST Framework. We found that 29% of American respondents say they have adopted the Framework, and an additional 25% say adoption is a future priority.


Organizations that participated in the development of the NIST Framework are typically early adopters of the guidelines. Hayes says CenterPoint personnel attended NIST workshops and developed a cyber incident response plan in tandem with creation of the Framework. With this head start, the company quickly adopted and enhanced its approach by leveraging the NIST Framework. "The process enabled us to enhance aspects of cybersecurity that we feel are applicable to our space," Hayes says. "We've used it to understand what we need to do, and to act on that."

Among the first steps NIST suggests is that organizations identify and classify their most valuable information assets, as well as determine where high-value data are located across the ecosystem and who has access to them. For mining company Vale, this initial process created a solid foundation for its information security program. "One of the first things we did was to identify our confidential information and determine where it is stored," says Camarotti. "That gave us huge insights into the business side of information security, as well as an understanding of how our employees use confidential data. It also enabled us to determine specific levels of protection, and to understand areas in which we can be more lenient and areas in which we should be more strict."

Many of our survey respondents have not yet taken these steps, however: Only 54% have a program to identify sensitive assets, and just 56% have made the effort to inventory the collection, transmission, and storage of sensitive data for employees and customers.

Another fundamental step is aligning security spending with the organization's strategic assets. Yet 34% of respondents do not allocate security spending to their most profitable lines of business. This type of strategic approach to spending is most common among aerospace and defense, technology, telecommunications, and financial services organizations. Regionally, respondents from South America and Asia Pacific are more likely to allocate security spending to their most valuable data.

It is also essential that organizations align their security strategy with specific business needs, a step that 40% of respondents forgo. Industries most likely to link security and business strategies include industrial products, healthcare providers and payers, and financial services. Regionally, respondents from Asia Pacific and North America lead in this approach.


Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security Survey 2015

Strategic security spending also will demand that businesses identify and invest in cybersecurity practices that are most relevant to today's advanced attacks. It is essential to fund processes that fully integrate predictive, preventive, detective, and incident-response capabilities to minimize the impact. Also critical is adequate investment in the people and process capabilities that allow businesses to rapidly respond to and mitigate incidents. Cybersecurity attorney Sotto says many of her clients are taking steps to improve response and mitigation. It will also be necessary to ensure adequate funding for comprehensive, ongoing employee training and awareness programs. The US State of Cybercrime Survey clearly demonstrated the merit of security awareness programs.

Businesses that have security awareness report significantly lower average financial losses from cybersecurity incidents.

And the savings can be significant: We found companies that do not have security training for new hires reported annual financial losses that are four times greater than those that do have training.45

Effective security also will require a certain amount of knowledge about existing and potential adversaries, including their motives, resources, and methods of attack. This will not happen without a budget for threat analysis and monitoring, as well as a commitment of time and resources for collaborating with government agencies, peers, law enforcement, and other third parties to gain understanding of leading cybersecurity practices. In the current environment of proliferating threats, risk-based security practices should be a primary component of an organization's overall enterprise risk-management framework.

"We have been approached many times since December to help companies develop together proactive programs to minimize the impact of a cyber attack should it happen," says Lisa Sotto, cybersecurity attorney. "Previously, that kind of proactive preparation was much more sparse."

While a well-designed cyber-risk management program will not totally eliminate risk, it can enable organizations to manage threats through an informed decision-making process, increase efficiencies in security practices, and create a more resilient security practice.

In the coming years, we believe that advances in computer science will help organizations better manage the risks and repercussions of cyber threats. Technology breakthroughs will likely help organizations reduce the complexity of cybersecurity, more quickly detect and remediate incidents, and improve their abilities to monitor and analyze digital activity. Until then, it is imperative that organizations, large and small, commit to understanding and managing the cybersecurity risks that have become top of mind for executive leaders, boards, and consumers across the globe.


Methodology

The Global State of Information Security Survey 2015 is a worldwide study by PwC, CIO, and CSO.

The 2015 survey was conducted online from March 27, 2014 to May 25, 2014; readers of CIO, CSO, and clients of PwC from around the globe were invited via e-mail to take the survey. All figures and graphics in this report, unless noted otherwise, are sourced from The Global State of Information Security Survey 2015 results. The margin of error is less than 1%.


The results discussed in this report are based on the responses of more than 9,700 CEOs, CFOs, CIOs, CISOs, CSOs, VPs, and directors of IT and security practices across more than 154 countries.

Respondents by region: North America 35%, Europe 34%, Asia Pacific 14%, South America 13%, Africa and Middle East 4%.

Endnotes & sources

01 Cyber risks: A severe and present danger
1 PwC, "The FBI says you've been breached by a nation-state. Now what?", April 24, 2014
2 US Department of Justice, "U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage," May 19, 2014
3 BBC, "Wm Morrison supermarket suffers payroll data theft," March 14, 2014
4 Symantec Corp., Internet Security Threat Report 2014, April 2014
5 TechWeek Europe, "Germany Investigating Data Breach Affecting 18 million," April 7, 2014
6 Symantec Corp., "Turla: Spying tool targets governments and diplomats," August 7, 2014
7 Cnet.com, "U.S. charges 8 in $45M global cybercrime scheme," May 9, 2013
8 IOSCO and the World Federation of Exchanges Office, Cyber-crime, securities markets and systemic risk, July 2013
9 Department of Homeland Security, ICS-CERT Monitor, January–April 2014, May 2014
10 Financial Times, "Energy companies hit by cyber attack from Russia-linked group," June 30, 2014
11 Ars Technica, "Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style," April 8, 2014
12 TrustedSec, "CHS Hacked via Heartbleed Vulnerability," August 19, 2014
13 HP Fortify on Demand, Internet of Things State of the Union Study, July 2014
14 IOActive, Adventures in Automotive Networks and Control Units, August 2013
15 Securities and Exchange Commission, National Exam Program Risk Alert, April 15, 2014
16 Vormetric Data Security, "Security measures to go under spotlight as new Data Protection Directive approaches," July 8, 2014
17 Singapore Personal Data Protection Commission, Personal Data Protection Act Overview, accessed August 23, 2014
18 Google Online Security Blog, "Announcing Project Zero," July 15, 2014
19 The Wall Street Journal, "Global Security Spending to Grow 7.9% in 2014, Gartner Says," August 22, 2014
20 The Wall Street Journal, "The Daily Startup: Venture Funding Soars for Cybersecurity Startups," August 6, 2014
21 Quotes from wsj.com as of August 8, 2014
22 The Financial Times, "Europe's first cyber security-focused fund to launch," June 18, 2014
23 TechCrunch, "Index Ventures Raises New $550M Early-Stage Fund For Europe, The US And Israel," June 10, 2014
24 The Financial Times, "Investors flock to cyber security start-ups," March 12, 2014

02 Incidents and financial impact continue to soar
25 Trustwave Holdings, 2014 Trustwave Global Security Report, May 2014
26 Center for Strategic and International Studies, Net Losses: Estimating the Global Cost of Cybercrime, June 2014
27 Create.org and PwC, Economic Impact of Trade Secret Theft, February 2014
28 World Bank, World Development Indicators Database, July 2014; PwC calculations
29 World Economic Forum, Global Risks 2014, Ninth Edition, December 2013
30 PwC, Economic Crime: A threat to business globally, February 2014
31 2014 US State of Cybercrime Survey, co-sponsored by CSO magazine, CERT Division of the Software Engineering Institute at Carnegie Mellon University, PwC, and the US Secret Service, March–April 2014

03 Employees are the most-cited culprits of incidents
32 2014 US State of Cybercrime Survey, co-sponsored by CSO magazine, CERT Division of the Software Engineering Institute at Carnegie Mellon University, PwC, and the US Secret Service, March–April 2014
33 Verizon, 2014 Data Breach Investigations Report, April 2014
34 The Financial Times, "Home Depot attack bigger than Target's," September 19, 2014
35 Bureau of Justice Statistics, Victims of Identity Theft, 2012, December 2013
36 PwC, Big Data: Big benefits and imperiled privacy, June 2014

04 As incidents rise, security spending falls
37 PwC, Economic Crime: A threat to business globally, February 2014
38 PwC, Fit for the future: Capitalizing on global trends, April 2014
39 The Wall Street Journal, "Global Security Spending to Grow 7.9% in 2014, Gartner Says," August 22, 2014
40 Booz & Co., Highlights from the 2013 Global Innovation 1000 Study, October 2013
41 Dell SecureWorks, "Hackers Sell Health Insurance Credentials, Bank Accounts, SSNs and Counterfeit Documents, for over $1,000 Per Dossier," July 15, 2013
42 RAND Corp., Markets for Cybercrime Tools and Stolen Data, 2014

05 Declines in fundamental security practices
43 PwC, 16th Annual Global CEO Survey, January 2013

07 Evolving from security to cyber risk management
44 PwC, Why you should adopt the NIST Cybersecurity Framework, May 2014
45 2014 US State of Cybercrime Survey, co-sponsored by CSO magazine, CERT Division of the Software Engineering Institute at Carnegie Mellon University, PwC, and the US Secret Service, March–April 2014

Contacts by region

Australia
Andrew Gordon, Partner, andrew.n.gordon@au.pwc.com
Steve Ingram, Partner, steve.ingram@au.pwc.com

Belgium
Floris Ampe, Partner, floris.ampe@be.pwc.com

Brazil
Edgar D'Andrea, Partner, edgar.dandrea@br.pwc.com

Canada
Salim Hasham, Partner, s.hasham@ca.pwc.com

China
Ramesh Moosa, Partner, ramesh.moosa@cn.pwc.com
Kenneth Wong, Partner, kenneth.ks.wong@hk.pwc.com

Denmark
Christian Kjaer, Director, christian.x.kjaer@dk.pwc.com
Mads Nørgaard Madsen, Principal, mads.norgaard.madsen@dk.pwc.com

France
Philippe Trouchaud, Partner, philippe.trouchaud@fr.pwc.com

Germany
Derk Fischer, Partner, derk.fischer@de.pwc.com
Wilfried Meyer, Partner, wilfried.meyer@de.pwc.com

India
Sivarama Krishnan, Partner, sivarama.krishnan@in.pwc.com

Israel
Yaron Blachman, Partner, yaron.blachman@il.pwc.com

Italy
Fabio Merello, Partner, fabio.merello@it.pwc.com

Japan
Maki Matsuzaki, Partner, maki.matsuzaki@jp.pwc.com
Naoki Yamamoto, Director, naoki.n.yamamoto@jp.pwc.com

Luxembourg
Vincent Villers, Partner, vincent.villers@lu.pwc.com

Middle East
Taha Khedro, Partner, taha.khedro@ae.pwc.com
Waddah Salah, Partner, waddah.salah@sa.pwc.com

Netherlands
Erwin de Horde, Partner, erwin.de.horde@nl.pwc.com
Gerwin Naber, Partner, gerwin.naber@nl.pwc.com
Otto Vermeulen, Partner, otto.vermeulen@nl.pwc.com

New Zealand
Adrian Van Hest, Partner, adrian.p.van.hest@nz.pwc.com

Norway
Tom Remberg, Director, tom.remberg@no.pwc.com

Poland
Rafal Jaczynski, Director, rafal.jaczynski@pl.pwc.com
Piotr Urban, Partner, piotr.urban@pl.pwc.com

Russia
Christopher Gould, Partner, chirstopher.gould@ru.pwc.com

Singapore
Vincent Loy, Partner, vincent.j.loy@sg.pwc.com
Kok Weng Sam, Partner, kok.weng.sam@sg.pwc.com

South Africa
Pierre Dalton, Partner, pierre.dalton@za.pwc.com
Mark Telfer, Partner, mark.telfer@za.pwc.com
Sidriaan de Villiers, Partner, sidriann.de.villiers@za.pwc.com

South Korea
Sung-Bae Cho, Director, sung-bae.cho@kr.pwc.com
Jae Hyeong Joo, Partner, jae-hyeong.joo@kr.pwc.com

Spain
Elena Maestre, Partner, elena.maestre@es.pwc.com
Javier Urtiaga Baonza, Partner, javier.urtiaga@es.pwc.com

Sweden
Emil Gullers, Partner, emil.gullers@se.pwc.com
Jacob Henricson, Partner, jacob.henricson@se.pwc.com

Switzerland
Thomas Koch, Director, thomas.koch@ch.pwc.com
Jan Schreuder, Partner, jan.schreuder@ch.pwc.com

Turkey
Burak Sadic, Senior Manager, burak.sadic@tr.pwc.com

United Kingdom
Richard Horne, Partner, richard.horne@uk.pwc.com
Grant Waterfall, Partner, grant.waterfall@uk.pwc.com

United States
David Burg, Principal, david.b.burg@us.pwc.com
Sean Joyce, Principal, sean.joyce@us.pwc.com
Mark Lobel, Principal, mark.a.lobel@us.pwc.com

www.pwc.com/gsiss2015
www.pwc.com/cybersecurity
PwC helps organisations and individuals create the value they're looking for. We're a network of firms in 157 countries with more than 184,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PwC does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2014 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

The Global State of Information Security is a registered trademark of International Data Group, Inc.

Addressing security risks in an interconnected world: Key findings from The Global State of Information Security Survey 2015
Industrial products

Contents
Introduction
Attacks spur security spending
Advances in key security initiatives
Toward a more strategic approach
Business partners under scrutiny
Contacts
Industrial products

Cybersecurity has become top of mind for most industrial products executives.

In the past year, the US Department of Justice charged five Chinese military hackers with conducting economic cyber espionage against six American organizations that included major manufacturers.1 And the seemingly relentless assaults on major retailers, banks, and entertainment companies have heightened the awareness of cybersecurity risks across sectors and across the world.

"Most industrial products companies don't have sensitive consumer information to protect, but adversaries are interested in their intellectual property," says Quentin Orr, an Advisory principal focused on cybersecurity and privacy. "We're seeing IP sector clients wake up to this threat and take action."

Current and former employees remain the most-cited sources of security incidents.

In 2014, we noted a considerable jump in incidents attributed to competitors, which more than doubled over 2013. Increasingly, industrial products executives believe that sophisticated international competitors are infiltrating their networks to pilfer trade secrets and manufacturing processes.

While employees are the most-cited culprits of security incidents, compromises attributed to competitors more than doubled this year.

Among industrial products respondents, the average number of detected security incidents climbed 17% over 2013, according to The Global State of Information Security Survey (GSISS) 2015. This increase in security incidents comes at great cost: Our study of 557 industrial products executives found that total financial losses attributed to security compromises jumped 38% over the year before.

1 US Department of Justice, "U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage," May 19, 2014


While incidents caused by employees often fly under the media radar, those committed by organized crime groups, activists, and nation-states typically do not. Attacks by these adversaries remain among the least frequent, but they are also among the fastest growing.

Cyber incidents attributed to nation-states, such as the Chinese hackers indicted by the US government, continue to garner the lion's share of attention. Nation-states are keenly interested in manufacturing processes and they often attempt to steal intellectual property and trade secrets as a means to advance their own political and economic advantage. In 2014, compromises by foreign nation-states and foreign organizations increased 65% over 2013. Given the ability of nation-state adversaries to carry out attacks without detection, we believe the volume of incidents is very likely under-reported.

GSISS 2015: Industrial products results at a glance (Incidents). Average number of detected incidents: 1,756 in 2013, 2,051 in 2014. Estimated total financial losses: $2.0M in 2013, $2.8M in 2014.

In 2014, 13% of respondents attributed security incidents to activists and hacktivists, a 61% jump over 2013. Similarly, the number of respondents who cited organized criminals as the source of attacks soared 54% over last year.


GSISS 2015: Industrial products results at a glance (Sources of incidents). Percentage of respondents attributing incidents to current employees, former employees, competitors, and hackers, 2013 versus 2014.

GSISS 2015: Industrial products results at a glance (Security spending). Average annual information security budget: $4.0M in 2013, $5.2M in 2014. Information security spend as a percentage of IT budget: 3.9% in 2013, 6.9% in 2014.

Attacks spur security spending

As the frequency and costs of cyber incidents mount, companies are boosting their security budgets.

Among industrial products organizations, information security budgets increased 31% in 2014 over the year before, hitting an average of $5.2 million.

This boost follows an even larger 97% jump in security investments in 2013, which very well may account for a portion of the upsurge in detected incidents in 2014. After all, our research shows that organizations that spend more on security typically discover more compromises.

Security budgets have increased by more than 150% over two years.

It's also noteworthy that respondents' security investments grew even as their overall IT budgets declined 25% over 2013. In fact, information security spending represents 6.9% of manufacturing respondents' entire IT budget, up from 3.9% last year and the highest of any sector in our survey.

This indicates that, while industrial products companies have traditionally been a bit behind the curve in implementing up-to-date information security practices, they now understand the risks and are investing accordingly. The increases in security spending also suggest that those who deferred spending on security initiatives during the recession are now willing to spend as the economic recovery gains momentum. Finally, the media spotlight on cybersecurity has intensified over the past year, and reports of high-profile retailer breaches, domestic surveillance snooping, and the government action against nation-state hackers have illuminated the potential for risks. As a result, many Boards of Directors are asking serious questions about information security preparedness.

Advances in key security initiatives

Increased security spending has resulted in some notable improvements in processes, technologies, and personnel training.

The upsurge in spending over the past two years seems to have resulted in notable improvements in many key information security processes, technologies, and personnel measures. For instance, respondents are more likely to have implemented initiatives such as a business-focused security strategy, risk assessments of third-party partners, and detection technologies like security information and event-management (SIEM) tools.

These advances may be the result of a change in mind-set. Organizations are beginning to understand that it is no longer possible to deter all adversaries all of the time; today's threat actors are sophisticated and persistent, and one may inevitably infiltrate the network and data. Consequently, the primary objectives are shifting from protection to early detection and rapid response to minimize the damage of an incident.

Nonetheless, there remains considerable room for improvement in security practices. Survey responses indicate that some critical initiatives have stalled or shown little advance over the past year. These include employee awareness and training programs, intrusion and vulnerability technologies, patch-management tools, and monitoring and analysis of security intelligence.

And even among the gains highlighted in the figure "Gains in security initiatives" on the following page, industrial products companies still lag in many areas. Consider, for instance, that businesses across industries are embracing external collaboration to improve security and threat intelligence, yet 45% of industrial products respondents have not begun to work with others. Also, the increasing risks of compromise by third-party vectors warrant a more firm commitment to due diligence of partners and supply chains.

It's also worth pointing out that, while 61% of respondents now use some form of cloud computing, only 53% have a security strategy for the cloud.

Gains in security initiatives (percentage of industrial products respondents, 2013 versus 2014)
Have an overall information security strategy: 77% in 2013, 81% in 2014
Information security strategy is aligned to specific business needs: 68% in 2013, 73% in 2014
Employ a Chief Information Security Officer (CISO) in charge of the security program: 65% in 2013, 74% in 2014
A senior executive communicates the importance of security across the enterprise: 59% in 2013, 73% in 2014
Business continuity/disaster recovery plans: 54% in 2013, 72% in 2014
Also charted: risk assessments on third-party vendors; established security baselines/standards for external partners, customers, suppliers and vendors; program to identify sensitive assets; use of a mobile device management (MDM) solution; collaborate with others to improve security; conduct penetration tests; conduct threat assessments; have cyber insurance; security information and event management (SIEM) technologies.

Toward a more strategic approach

Organizations are revising their security programs to emphasize risk and top-down commitment.
Survey results indicate that many industrial product companies are beginning to rethink their approach to information security. At the core of this initiative should be a risk-based cybersecurity program that enhances their ability to identify, manage, and respond to privacy and security threats.

More organizations are protecting information assets based on their value to the business.

It all starts with an information security strategy. The number of organizations that have an overall information security strategy increased to 81%, up from 77% in 2013. Fewer (73%) say their security strategy is aligned to the specific needs of the business.

A basic tenet of an effective information security strategy is that it should be anchored on the knowledge of what data is most important to the business. Because it is no longer possible to protect all information assets at the highest level, companies should precisely identify the information assets that are key to their profit and success, such as trade secrets, manufacturing processes, and product designs, and then prioritize protection of these assets. "Every company has some trade secrets that allow it to make a profit, and the organization must identify and protect this information, because that's what cyber adversaries will target," says Orr of PwC. "You have to protect your future revenue streams."

It's an approach that companies are beginning to embrace. In 2014, 61% of survey respondents say they have a program to identify sensitive assets, up from 49% last year. To help prioritize security protection, companies should classify the business value of data, a process that 69% of respondents currently have in place.

Next, organizations should strategically allocate security spending to the assets that are most valuable to the business. Industrial products respondents show an increasing commitment in this area: 66% say their security investments are allocated to the organization's most profitable lines of business.

Room for improvement in security practices (percentage of industrial products respondents, 2013 versus 2014). Practices charted: security strategy for cloud computing; intrusion-prevention tools; vulnerability scanning tools; vulnerability assessments; unauthorized use or access-monitoring tools; privileged user access; security strategy for employee use of personal devices on the enterprise; active monitoring/analysis of information security intelligence; conduct personnel background checks; intrusion-detection tools; patch-management tools.

Cybersecurity and privacy should be embedded into an organization's core, with a top-down commitment to security and ongoing employee training programs.

It was disappointing to find that the number of organizations that have employee security-awareness training programs (60%) remained static over last year. Considering that companies cite employees as the leading source of security incidents, we believe that training should be universal and that accountability should cascade from the C-suite to every employee and third-party vendor and supplier.

An effective security program also will require top-down commitment and communication. Almost three-quarters (73%) of industrial products respondents have a senior executive (a Chief Operating Officer, Chief Financial Officer, or Chief Executive Officer, for example) who communicates the importance of information security to the entire enterprise, a healthy improvement over last year. This suggests that executive teams are starting to take ownership of cyber risks.

To do so, senior executives should proactively ensure that the Board of Directors understands how the organization will detect, defend against, and respond to cyber threats. Despite all the media attention following high-profile retailer and banking breaches, many companies have not yet elevated security to a Board-level discussion. Consider, for instance, that 53% of respondents say their Board of Directors participates in the overall security strategy and slightly fewer (48%) report the Board participates in the security budget. Only 33% say their Board is involved in reviews of current security and privacy risks, a crucial component of any effective security program.

Business partners under scrutiny

Due diligence is increasingly critical as organizations share more data with third parties.

As industrial manufacturing companies increasingly share data with a widening constellation of interconnected business partners, supply chains, and contractors, it is essential that they carefully assess the security capabilities of these third parties. The logic is simple: as more data is shared through connected business ecosystems, more data is at risk of compromise.

In the past year, industrial products companies have stepped up due diligence of third-party and supply-chain partners. For instance, 64% say they have implemented security standards for external partners, suppliers, and vendors, up from 58% in 2013. And 58% of respondents say they perform risk assessments on third-party vendors, up from 50% last year. These are solid improvements, to be sure, but it's worrisome that approximately one-third of organizations have not addressed these issues.

Given that industrial products companies increasingly grow their businesses through mergers and acquisitions, comprehensive cyber due diligence of target firms is increasingly important. Today, sophisticated cyber adversaries often infiltrate smaller, less-mature companies and lie in wait for them to be acquired by larger firms. When the companies' information systems are integrated, threat actors may gain a foothold on the networks of the acquiring firms and attempt to exfiltrate trade secrets and other valuable information.

"When doing an acquisition, organizations should understand exactly what they are inheriting when they connect their networks with the company they acquire," says PwC's Orr. "This is a mature capability that very few manufacturing companies have developed."

Evolving from security to cyber risk management

As security incidents continue to proliferate, industrial products companies are beginning to understand that cyber risks can never be completely eliminated. Protective measures remain important, of course, but processes and tools to detect, analyze, and respond to incidents are key to cyber resiliency and to the ongoing success of any industrial products manufacturing business.

To make this adjustment, industrial products companies should reposition their security strategy by integrating technologies, processes, and tools with the company's broader risk-management activities. Doing so will result in a cyber-resilient program that can effectively manage threats based on the business's tolerance for risk.

When acquiring a business, a rigorous assessment of the target company's security practices is a critical, and often lacking, capability.

Contacts

To have a deeper conversation about cybersecurity, please contact:

Industrial products, United States

Robert McCutcheon
Partner
412 355 2935
robert.w.mccutcheon@us.pwc.com

Quentin Orr
Principal
267 330 2699
e.quentin.orr@us.pwc.com

Bob Pethick
Principal
313 394 3016
bob.pethick@us.pwc.com

www.pwc.com/gsiss2015 // www.pwc.com/cybersecurity
© 2015 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
PwC helps organisations and individuals create the value they're looking for. We're a network of firms in 157 countries with more than 195,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.
PricewaterhouseCoopers has exercised reasonable care in the collecting, processing, and reporting of this information but has not independently verified, validated, or audited the data to verify the accuracy or completeness of the information. PricewaterhouseCoopers gives no express or implied warranties, including but not limited to any warranties of merchantability or fitness for a particular purpose or use and shall not be liable to any entity or person using this document, or have any liability with respect to this document.
The Global State of Information Security is a registered trademark of International Data Group, Inc.

Security deficits in an interconnected world
Key findings from The Global State of Information Security Survey 2015

Financial services
It will come as no surprise to most financial services executives that information security incidents are continuing to rise, as are the costs of these intrusions. In the past two years, sophisticated cyber adversaries around the world have launched powerful distributed denial of service (DDoS) attacks against banks, siphoned off billions of dollars from deposit accounts, stolen millions of payment card records, and infiltrated many national stock exchanges.

Despite these attacks, many global financial services companies have not implemented the right processes and technologies to prevent, detect, and respond to security risks. In particular, many do not adequately address threats from third parties and insiders like employees and partners with trusted access. Others disregard essential governance, operational processes, and people capabilities that enable rapid detection and response to compromises.

As regulators around the world move to tighten compliance requirements for financial services organizations, improvements in these security practices will become increasingly essential to safeguard data as well as ensure compliance with global regulatory bodies.

"International financial services firms are at greater risk than ever, and by all estimates those threats will only increase," says Joe Nocera, a Principal in PwC's Cybersecurity Practice. "That's why global organizations should prioritize their investments based upon risk, focusing on the most critical business assets. Then they can strategically invest in the right combination of security processes, technologies, and awareness and training programs. In today's world, it's not a matter of if an incident will happen but rather when, and firms must be prepared to respond."

In other words, it's no longer possible to protect all data, networks, and applications at the highest level, but a proactive cybersecurity program will enable financial services firms to prioritize protection and more quickly react to incidents that are all but inevitable.

Incidents and costs mount

Yet security spending has not kept pace, particularly among smaller businesses.

Detected incidents have maintained a steady upward momentum. The Global State of Information Security Survey 2015 (GSISS) shows that, among 758 global financial services respondents, the number of detected incidents (we define a security incident as any adverse incident that threatens some aspect of computer security) increased 8% this year over 2013.

[Figure: GSISS 2015: Financial services results at a glance, Incidents panel. Average number of detected incidents: 4,628 (2013), 4,978 (2014). Estimated total financial losses: $2.7M (2013), $3.4M (2014).]

The costs of security incidents jumped 24%, with big losses leading the way. The number of financial firms reporting losses of $10 million to $19.9 million increased by a head-turning 141% over last year.
[Figure: GSISS 2015: Financial services results at a glance, Sources of incidents panel. Percentage of respondents attributing incidents to Current employees, Former employees, Hackers, and Competitors, 2013 vs. 2014. Only the 2014 values for current employees (44%) and former employees (28%) can be matched to categories from the report text; the remaining values are not recoverable from the extracted text.]

[Figure: GSISS 2015: Financial services results at a glance, Security spending panel. Average annual IS budget and IS spend as percentage of IT budget, 2013 vs. 2014, for Small organizations (revenues less than $100M), Medium organizations (revenues $100M to $1B), and Large organizations (revenues more than $1B). Dollar values shown in the extracted text: $11.3M and $10.7M, $2.2M and $2.6M, $1.0M and $0.6M; percentage values shown: 15.4% and 14.7%, 3.6% and 3.3%, 3.3% and 3.7%. Their assignment to size categories and years is not recoverable from the extracted text.]

While security events and costs continue to escalate, security spending has not kept pace, particularly among smaller businesses. Globally, investments in information security inched up 3% over the year before. And while financial firms invested more heavily in recent years, security spending has been stalled at less than 4% of the total IT budget for the past seven years.

Security breaches not only impact a financial institution's bottom line, but also its reputation, brand, and intellectual property.

In analyzing this year's GSISS responses, we identified five critical areas that financial services firms should consider.

"Executive teams and boards can no longer afford to view cyber security as merely a technology problem," says Stephen Russell, Managing Director at PwC. "The cost of defending against cyber threats has risen sharply and regulators are focusing on how well financial institutions are defending themselves against these threats."

Due to a lack of investment, many financial firms are falling behind in implementing up-to-date processes and tools to detect and respond to today's evolving security threats. Year-over-year, we saw a lack of progress (and in many cases, significant attrition) in the use of secure access controls, risk and vulnerability assessments, threat monitoring and analysis, third-party security safeguards, and employee awareness and training programs, to name a few.

Addressing these issues can help financial firms better detect and defend against threats and increase their cyber resiliency.

The five critical areas:
1. Executive and Board support for security
2. New regulatory requirements
3. Third-party risks
4. Insider incidents
5. Over-reliance on technology

Falling behind in security safeguards

[Figure: Percentage of financial services respondents with each safeguard in place, 2013 vs. 2014. Safeguards shown: Risk assessments on internal systems; Intrusion-detection tools; Incident response-process to report and handle breaches to third parties that handle data; Security audits; Employee awareness and training program; Vulnerability assessments; Require third parties to comply with our privacy policies; Penetration testing; Active monitoring/analysis of information security intelligence; Threat assessments; Secure access-control measures; Risk assessments on third-party vendors. Values for both years are shown per safeguard, but their pairing is not recoverable from the extracted text.]

Support from the top

Cybersecurity is no longer simply an IT concern. Today, it is a critical business issue that demands the attention, and the active stewardship, of the Chief Executive Officer and the Board of Directors.

To be effective, cybersecurity should be integrated into the firm's overall enterprise risk-management framework, and the CEO and Board should own the responsibility for managing cyber resiliency.

"We consider institutions to be cyber-resilient when they have a comprehensive, well-crafted, cyber-risk management program in place, with management held accountable for the program's performance and results," says Stephen Russell, Managing Director at PwC.

Senior executives should establish a strong culture of security and cyber resilience by setting an affirmative tone at the top. Doing so will demand that executives proactively communicate the importance of security across the enterprise, a practice that 71% of financial services respondents say they have implemented. Beyond that, executive leaders should engage the Board in the discussion and management of cybersecurity risks. Most firms have not done so. We know because we asked survey respondents to detail how their Boards participate in cybersecurity initiatives.

Board participation is essential to reaching an appropriate decision on the level of cyber risk an organization will accept and to building responses around those parameters. It also can be a key factor in ensuring that security practices are adequately funded, an approach that most financial firms do not pursue. Only 44% of respondents say their Boards are involved in setting security budgets.

Beyond the Board, risk-based cybersecurity will require cross-functional cooperation between leaders from IT, security, legal counsel, risk management, finance, and human resources. This team should meet regularly to coordinate and communicate information security issues, a practice that 56% of financial services respondents say they have implemented.

How Boards participate in security (percentage of financial services respondents)

50% Overall security strategy
44% Security budget
37% Security policies
33% Review of security and privacy risks
26% Security technologies
23% Review roles and responsibilities of security organization
20% Review of security and privacy testing

The responses are telling: only one-third (33%) of respondents say their Board is involved in the review of security and privacy risks, a number that is particularly low given the criticality of enterprise-wide cyber-risk awareness.

Regulators tighten rules

Recent actions by industry regulators in the US and Europe have signaled they may require proof that financial services firms have implemented a robust security program.

These types of regulatory guidance and requirements will very likely intensify in the future. Consider, for instance, the European Union General Data Protection Regulation, which is on track to be finalized in 2015. The regulation is expected to add new requirements for breach notification to individuals, require organizations that handle personal data to conduct risk assessments and audits, and increase fines for compromised businesses.1 Other regulatory bodies have announced intentions to assess financial institutions for risk vulnerability and risk-mitigation policies and procedures.2

1 Vormetric Data Security, "Security measures to go under spotlight as new Data Protection Directive approaches," July 8, 2014

What it may take to pass a security exam

[Figure: Percentage of financial services respondents with each capability in place. Capabilities shown: Incident-management response process; Business continuity/disaster recovery plans; Secure access-control measures; Threat assessments; Privileged user access; Patch-management tools; Employee security awareness training program; Encryption of smartphones; Security-event correlation tools; Have cyber insurance. Values range from 71% down to 51%; the pairing of values to capabilities is not recoverable from the extracted text.]

2 PwC, "Understanding and preparing for OCIE cybersecurity exams," May 2014

Regulators tighten rules // 8

Security deficits in an interconnected world // Key findings from The Global State of Information Security Survey 2015
Financial services

Introduction
Incidents and costs mount
Support from the top
Regulators tighten rules
Rising third-party risks
Inside jobs increase
Technology is not enough
Linking security and risk
Contacts

Guidance from the US Securities and Exchange Commission (SEC) suggests that US financial services firms should seriously consider investing in cyber insurance. In fact, the Commission included cyber insurance on its list of possible factors that may be used in examinations. What's more, the SEC goes so far as to indicate that financial services firms should be prepared to undergo examinations to actually prove their preparedness. In other words, traditional check-the-box regulatory compliance is no longer sufficient.

Firms must become more strategic because, in the near future, regulators may dictate a robust framework for cybersecurity. Using leading industry frameworks such as ISO 27001 or the NIST Cybersecurity Framework as a guide, many survey respondents do not appear capable of passing security examinations. Doing so will require that financial firms build a thorough risk-based cybersecurity practice that includes the following capabilities:

A culture of security led by the C-suite and Board
An incident response plan that is regularly tested
Assessment and monitoring of third-party partners for security risks
Advanced threat intelligence and analysis to understand business-specific threats
Assessment of the role of cyber insurance
Basic security fundamentals such as strong organizational governance processes and ongoing employee awareness programs

Regulators may also expect financial services organizations to share threat intelligence and response tactics across the organization as well as with private and public-sector partners. Many financial firms around the world already participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC), a global forum that was formed in 1999. Among survey respondents, 62% say they collaborate with others to improve security, a considerable gain over last year (55%).

Such collaborations have indirectly led to new types of security preparedness, including industry-wide exercises that simulate cyber attacks on financial institutions and enable participants to work together and share response tactics. Reaching beyond enterprise boundaries to share threat intelligence and response insights is an effective way to advance security. It's also an initiative that financial firms may be judged on in future security exams.

Rising third-party risks

Financial institutions are increasingly worried about their ability to combat threats that can arise from sharing networks and data with business partners, service providers, contractors, and suppliers.

As recent high-profile breaches so unequivocally proved, third-party partners with access to networks and data can generate serious negative publicity and reputational harm, not to mention crippling financial losses.

For threat actors, partners and supply chains represent a weak link through which they can gain access to a financial firm's network and data for quick monetary payoff. More far-sighted adversaries may infiltrate an organization's third-party partners as a means to gain a foothold on the financial services firm's ecosystem for long-term exfiltration of business plans, financial documents, and trade secrets.

Key gaps in third-party security

[Figure: Percentage of financial services respondents with each safeguard in place, in the order shown: 62% Established security baselines/standards for external partners/customers/suppliers/vendors; 59% Require third parties (including outsourcing vendors) to comply with our privacy policies; 57% Incident response-process to report and handle breaches to third parties that handle data; 57% Inventory of all third parties that handle personal data of employees and customers; 55% Conduct compliance audits of third parties that handle personal data of customers and employees; 55% Risk assessments on third-party vendors. The first two values are confirmed by the report text; the remaining pairings follow the order of the extracted bars and labels.]
"Banks have sustained large losses, both in dollars and in public confidence, as a result of successful attacks on interrelated third parties, such as major retailers," said Thomas J. Curry, US Comptroller of the Currency, at a recent Risk Management Association (RMA) conference. "I've been heavily focused on this particular type of operational risk because of the pace at which it is increasing and because of its potential to undermine confidence in our institutions."3

Monitoring and detecting unauthorized activity by third parties and supply chains can be difficult because their employees often have trusted access to a financial firm's facilities, systems, and data. The situation becomes particularly hazardous when the security capabilities of third parties do not meet the stringent requirements of the financial services firm.

Only 34% of financial services respondents say they have assessed the security of third-party outsourcers over the past 12 months. Roughly the same number (33%) report that they began monitoring fourth-party relationships over the past year.

It's a risk that is familiar to many financial firms participating in our survey. This year, 41% of respondents say they detected security incidents perpetrated by current and former service providers, contractors, consultants, and suppliers. While many financial services companies have detected third-party compromises, most have done very little to protect themselves. Consider, for instance, that fewer than two-thirds (62%) of respondents have established security baselines and standards for external partners, suppliers, and vendors. Just 59% require business partners to comply with their privacy policies. In essence, these firms have not taken even the most basic steps to ensure third-party security.

If the security practices of third-party partners are lacking, those even farther down the chain may represent an even more dangerous unknown. We believe that increased investment in third-party security is critical to closing this security gap. Yet when we asked respondents to name their top security spending priorities for the coming year, only 43% said they would boost budgets for monitoring and testing of business partners and vendors. While this suggests that financial firms are starting to understand the importance of third-party security, it's also worth noting that it represented the least-cited spending priority.

3 Office of the Comptroller of the Currency, remarks by Thomas J. Curry, Comptroller of the Currency, May 8, 2014

Inside jobs increase

The number of incidents attributed to insiders (current and former employees, in particular) increased substantially this year, even as the readiness of financial firms to manage these risks diminished.

The increase in insider incidents portends potentially serious implications.

[Figure: 44% of respondents attribute incidents to current employees and 28% to former employees, as described in the text that follows.]

Almost half (44%) of respondents attribute security incidents to existing staff, making current employees the most cited source of incidents; the second most frequently mentioned perpetrator is former employees, at 28%.

In the 2014 US State of Cybercrime Survey, we found that almost one-third (32%) of respondents said insider crimes are more costly or damaging than incidents perpetrated by outsiders.4 In part, that's because internal threat actors hold the advantage since they are more likely to know where valuable data is stored and what processes and technologies are in place to protect this information. It's not that financial services employees are overwhelmingly careless or malicious, however. Increasingly, external threat actors leverage social engineering to steal credentials of employees with privileged access to data and networks, then use that information to infiltrate the financial firm's networks. More universal deployment of tools to monitor user access and activity would help organizations detect this type of compromise.

Insider cybercrimes get less attention in the press, and they also appear to be off the radar of financial services companies. Many firms do not have an insider-threat program in place, which leaves them unprepared to prevent, detect, and respond to insider threats. Employees and managers are critical to an insider-threat management program because they are often in a position to notice suspicious behavior or risk indicators. Consequently, employee training forms the spine of an effective security program. So it's a bit alarming that the percentage of respondents who say their organization has an employee training and awareness program dropped to 57%, from 66% the year before. It's good news, however, that almost half of respondents (49%) say they plan to increase their investment in employee awareness in the coming year.

4 2014 US State of Cybercrime Survey, co-sponsored by CSO magazine, CERT division of the Software Engineering Institute at Carnegie Mellon University, PwC, and US Secret Service, March-April 2014

Tools to manage insider threats (percentage of financial services respondents with each in place)

63% Conduct personnel background checks
60% Unauthorized use/access-monitoring tools
60% Security strategy for employee use of personal devices on the enterprise
59% User-activity monitoring tools
57% Employee security awareness training program
57% Audit/monitor user compliance with security policy
56% Data loss prevention (DLP) tools
53% Security technologies supporting Web 2.0 exchanges such as social networks, blogs
53% Security strategy for social media
48% Behavioral profiling and monitoring

Security deficits in an interconnected world // Key findings from The Global State of Information Security Survey 2015
Financial services

Technology is not enough

Many financial services firms view technology solutions as the best bet to protect their networks and data.

Truth is, sophisticated cyber adversaries are often in the vanguard of innovation, and are constantly working to circumvent technologies as solutions vendors develop them.
Essential governance and operational processes (figure; practices shown: incident management response process; classification of business value of data; risk assessments on internal systems; program to identify sensitive assets; incident response process to report and handle breaches to third parties; procedures dedicated to protecting intellectual property; security audits; risk assessments on third-party vendors; governance, risk, and compliance tools)

That's why financial services organizations should ensure that technology solutions are deployed on top of a foundation of sound governance, operational processes, and people skills. Consider, for instance, detection and analysis of cyber threats. Tools to identify and analyze threats are critical, but timely mitigation of incidents will also demand up-to-date response processes and properly trained personnel. Acting upon alerts triggered by technology tools will require that key stakeholders receive immediate reports that enable them to proactively and quickly respond. An effective response will be best accomplished through the development of prepared responses, or playbooks, that provide step-by-step guidelines on roles, responsibilities, and actions. These playbooks should be frequently tested so that security and operational personnel are well-prepared to quickly mitigate incidents.

In an era in which cyber compromise is virtually certain, a coordinated approach to incident response is critical to the bottom line, as well as reputation and compliance. So it's a bit surprising to find that 29% of survey respondents have no incident response process. It's also worrisome that one-third say they have no business continuity/disaster recovery plans to ensure operations are quickly returned to normal with minimum disruption.

Linking security and risk

As incidents continue to proliferate, it's becoming clear that cyber risks can never be completely eliminated.

Protective measures remain important, of course, but processes and tools to detect, analyze, and respond to incidents are key to cyber resiliency and to the ongoing success of any financial services business.

To make this adjustment, financial services firms should reposition their security strategy by more closely linking technologies, processes, and tools with the firm's broader risk-management activities. Doing so will result in a cyber-resilient program that can effectively manage risks based on the business's tolerance for risk.

Five questions you should ask

1. How much revenue would we lose if our business processes were impacted by a cyber event?
2. Do we have capabilities to quickly respond to a cyber attack?
3. Have we identified our most critical business assets and do we understand their value to our adversaries?
4. Do we know where to invest to reduce cyber risks?
5. Is the business resilient enough to survive a cyber attack?

Contacts

To have a deeper conversation about cybersecurity, please contact:
Financial services
United States
Shawn Connors
Principal
646 471 7278
shawn.connors@us.pwc.com

Christopher Morris
Principal
617 530 7938
christopher.morris@us.pwc.com

Joe Nocera
Principal
312 298 2745
joseph.nocera@us.pwc.com

Stephen Russell
Managing Director
203 539 3079
stephen.j.russell@us.pwc.com

Andrew Toner
Principal
646 471 8327
andrew.toner@us.pwc.com

Prakash Venkata
Managing Director
617 530 7622
prakash.venkata@us.pwc.com


www.pwc.com/gsiss2015 // www.pwc.com/cybersecurity

PwC helps organisations and individuals create the value they're looking for. We're a network of firms in 157 countries with more than 184,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PwC does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2014 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
The Global State of Information Security is a registered trademark of International Data Group, Inc.


At risk and unready in an interconnected world // Key findings from The Global State of Information Security Survey 2015
Power and utilities

Cyber attacks against power and utilities organizations have transitioned from theoretical to indisputable.

20+: Detected incidents soared to more than 20 per day, per organization.
Over the past year, sophisticated cyber adversaries have infected the industrial control systems of hundreds of energy companies in the US and Europe; others successfully infiltrated a public utility via the Internet and compromised its control system network.

The volume of incidents increased dramatically in the past year. Power and utilities respondents to The Global State of Information Security Survey (GSISS) 2015 report the average number of detected incidents skyrocketed to 7,391, a six-fold increase over the year before. (We define a security incident as any adverse incident that threatens some aspect of computer security.)

Yet as attempts to compromise supervisory control and data acquisition (SCADA), industrial control, and information technology systems have soared, information security spending has not kept pace. Power and utilities respondents say security spending in 2014 increased by a comparatively modest 9%. In 2013, by contrast, survey respondents reported a significant 25% boost in security investments, which very well may account for a portion of this year's increase in detected incidents. After all, organizations that spend more on security typically discover more incidents.


Even though businesses have invested more heavily in previous years, security spending has been stalled at 4% or less of the total IT budget for the past five years. This lack of investment in security has very likely contributed to attrition of key security capabilities, including fundamental strategies, processes, technologies, and awareness programs. We also found some noteworthy improvements in security practices, but it's worth pointing out that these advances were fewer and comparatively incremental.

GSISS 2015: Power and utilities results at a glance

Average number of detected incidents: 1,179 (2013), 7,391 (2014)
Estimated total financial losses: $2.4M (2013), $1.2M (2014)

All things considered, many power and utilities companies seem to be unready for the increasing risks of today's interconnected world.


Results at a glance: sources of incidents, 2013 vs. 2014 (figure; categories shown: current employees, former employees, hackers, current service providers/consultants/contractors)


Results at a glance: security spending

Average annual IS budget: $3.4M (2013), $3.7M (2014)
IS spend as percentage of IT budget: 4.0% and 3.9% (2013 and 2014)

Skilled threat actors

The primary threat actors (those who perpetrate security incidents) remained relatively constant in the past year. Current and former employees are once again the most-frequent culprits of security incidents, cited by 38% and 30%, respectively, of respondents. While incidents caused by employees often fly under the radar of the media, those committed by organized crime groups, activists, and nation-states typically do not.

This year, 14% of respondents attributed security incidents to activists and hacktivists, a 40% jump over 2013. Attacks by these threat actors remain among the least frequent, but they are also among the fastest-growing incidents.

Incidents attributed to activists/hacktivists: 10% (2013), 14% (2014)

Often these groups employ powerful distributed denial of


service (DDoS) attacks in an attempt to embarrass organizations
for social or political ends, rather than to exfiltrate data or
intellectual property. Similarly, the number of respondents
who cited organized criminals as the source of attacks
increased 31% over last year.

Cyber incidents attributed to nation-states continue to garner the lion's share of attention. They are keenly interested in energy, and they often target critical infrastructure providers and suppliers to steal IP and trade secrets as a means to advance their own political and economic advantage. This year, incidents attributed to nation-states more than doubled over 2013. Given the ability of nation-state adversaries to carry out attacks without detection, we believe the volume of compromises is very likely under-reported.

The fastest-growing sources of security incidents (increase over 2013)

Foreign nation-states: 118%
Information brokers: 48%
Activists/activist organizations/hacktivists: 40%
Organized crime: 31%

Security executives of power and utilities companies have told us that they also see security-incident patterns in which criminals seem to be indiscriminately exploring the network to find any data of any value. Once they find data, they quickly siphon it off and try to sell it.

That, in part, may account for the 43% rise in respondents who report that data was exploited as a result of security incidents, the most cited impact.

Financial losses decline

While the number of detected incidents increased dramatically, organizations say the financial impact of these security compromises lessened. Power and utilities respondents say total financial losses resulting from security incidents declined to an average of $1.2 million, a 51% drop over 2013. This finding seems counter-intuitive, given the huge upsurge in detected compromises.

In part, the discrepancy may be attributed to the 25% rise in security spending in 2013, which may have enabled organizations to more quickly detect and mitigate incidents before they caused real financial harm.

Another explanation may be that, while adversaries have been able to gain access to power and utilities companies' networks, they are typically stopped before they can wreak havoc on operational and SCADA systems. And unlike the retail sector, which has been hit by a barrage of breaches, power and utilities companies hold comparatively few payment card records and therefore are not liable for costly mitigation of card theft and customer data.

We also looked into how power and utilities respondents calculate the financial consequences of security incidents, and found that many do not consider a full range of possible impacts, including costs associated with legal defense fees, court settlements, forensics, and reputational damage.

A more strategic approach is needed


As risks to IT, operational, and connected-field assets continue to rise, some power and utilities companies may need to take a more strategic approach to information security. At the core of this initiative should be a risk-based cybersecurity program that enhances the ability to identify, manage, and respond to privacy and security threats.

It all starts with an information security strategy, or at least it should. However, we found the number of organizations that have an overall information security strategy dropped to 70% this year, down from 79% in 2013. Moreover, those that have a security strategy that is aligned with the specific needs of the business declined to 45%, from 65% last year.

An effective security strategy will allocate spending to the assets that are most valuable to the business. Power and utilities respondents show a more solid, if incomplete, commitment in this area: 62% say their security investments are allocated to the organization's most profitable lines of business.

Power and utilities companies seem to be falling short of the fundamentals: Only 54% say they have a unified security and controls framework and/or enterprise risk-management framework to address cybersecurity risks. Last year that number was 61%.

A basic tenet of an effective information security strategy is that it should be founded on risk management.

Many key security safeguards weaken (figure, 2013 vs. 2014; safeguards shown: have information security strategy (79% in 2013, 70% in 2014); secure access-control measures; patch-management tools; intrusion-detection tools; security-event correlation tools; risk assessments of third-party vendors; employee awareness and training program (47% in 2014); active monitoring/analysis of information security intelligence; vulnerability scanning tools; privileged user access; inventory of all third parties that handle personal data of employees and customers; established security standards for external partners, suppliers, vendors and customers; require employees to complete privacy training (58% in 2013, 43% in 2014))

Before resources can be allocated, however, it will be necessary to first identify the organization's most valuable assets and determine who owns responsibility for them. This is an area in which we found great potential for improvement: Only 54% of respondents have a program to identify sensitive assets, and the same number (54%) have an inventory of all third parties that handle personal data of customers and employees.

Cybersecurity and privacy should be embedded into an organization's core, with a top-down commitment to security and ongoing employee training programs. The number of organizations that have employee security-awareness training programs (47%) actually declined over last year, as did those that require personnel to complete training on privacy practices and policies (43%). Considering that employees are the leading source of security incidents, we believe that training should be universal and that accountability should cascade from the C-suite to every employee and third-party vendor and supplier.

Strategic processes are often lacking (2013 vs. 2014)

Program to identify sensitive assets: 45% (2013), 54% (2014)
Have a unified security and controls framework for cybersecurity risks: 61% (2013), 54% (2014)
Information security strategy is aligned with specific business needs: 65% (2013), 45% (2014)
A senior executive communicates importance of security to entire enterprise: 65% (2013), 46% (2014)
Collaborate with others to improve security: 54% (2013), 36% (2014)
Have cyber insurance: 52% (2013), 33% (2014)

An effective security program will require top-down commitment and communication. Yet fewer than half (46%) of organizations have a senior executive who communicates the importance of information security to the entire enterprise. That's a substantial drop from last year (65%) and demonstrates that the executive team may not be taking adequate ownership of cyber risks.

To do so, senior executives should proactively ensure that the Board of Directors understands how the organization will detect, defend against, and respond to cyber threats. Despite all the discussion following high-profile retailer breaches, many power and utilities companies have not elevated security to a Board-level discussion. Consider, for instance, that only 26% of respondents say their Board of Directors participates in the overall security strategy. Fewer (23%) say their Board is involved in reviews of current security and privacy risks, a crucial component of any effective security program. The area in which Boards are most likely to participate is the security budget (40%).

Finally, cyber threats, technologies, and vulnerabilities are evolving at lightning speed, and sharing information among public and private entities has become central to a strong cybersecurity program. More than half (55%) of overall survey respondents across industries say they collaborate with others to share security intelligence and tactics. Among the power and utilities sector, however, the number of organizations that collaborate sank to 36% this year, a sharp drop over 2013.
Guidelines for advancing security

This year's survey indicates that power and utilities organizations are falling behind in key practices.

For many, it may be necessary to reposition the security strategy by more closely linking technologies, processes, and tools with the organization's broader risk-management activities.

International standards provide a good measure to gauge preparedness and build a strong cybersecurity program. Some of the most widely used include ISO/IEC 27001, COBIT 5, and ISA 62443. A new set of guidelines from the US National Institute of Standards and Technology (NIST) compiles these global standards into one framework, providing an up-to-date model for implementing and improving risk-based security.

The voluntary NIST Cybersecurity Framework, which targets critical infrastructure providers and suppliers, has been adopted by 11% of US power and utilities respondents; an additional 22% say adoption is a future priority.

NIST Cybersecurity Framework among US power and utilities respondents: adopted 11%, future priority 22%

This comparatively low implementation rate is not necessarily discouraging; it's a matter of timing. The Framework was released in February 2014, and our survey was conducted from March 27, 2014 to May 25, 2014, giving organizations little time to embrace the Framework.

Among those that have, most (54%) say they have leveraged the Framework to determine their risk based on Implementation Tiers, which are designed to help companies understand the maturity of their current cybersecurity risk-management capabilities. It seems very likely that organizations with mature security practices may have adopted some of the Framework's controls and standards, while not formally implementing the entire set of guidelines. No matter whether companies have adopted the Framework fully or partially, it seems to be elevating the discussion on cybersecurity. We believe that organizations across industries and even geographies can gain significant benefits by adopting the guidelines at the highest possible risk-tolerance level. As the world's sophisticated organized criminals and nation-states devise new ways to compromise systems and steal intellectual property of power and utilities companies, the Framework provides the right foundation for proactive, risk-based cybersecurity.

Gearing up for convergence


The convergence of information, operational, and consumer technologies will very likely introduce
tremendous benefits for businesses and significant conveniences for their customers.
It also will create a new world of security
risks, a possibility that power and utilities
respondents are beginning to address.
In fact, 25% of respondents say they have already implemented
a security strategy for the convergence of information,
operational, and consumer technologies, most often referred
to as the Internet of Things. An additional 27% say they are
working on a strategy.


When asked to name primary drivers for security spending,


this year 17% of respondents cited modernization of field
assets such as IP-connected process control systems,
compared with 6% last year. This increased focus on
connected field assets suggests that power and utilities
respondents are gearing up for the Internet of Things.

Contacts

To have a deeper conversation about cybersecurity, please contact:

Power and utilities
United States
Brad Bauch
Principal
713 356 4536
brad.bauch@us.pwc.com

Darren Highfill
Director
678 419 1323
darren.highfill@us.pwc.com


Healthcare cybersecurity challenges in an interconnected world // Key findings from The Global State of Information Security Survey 2015
Healthcare: payers and providers

Technology is not the only agent of change.

Innovations in business models and partnerships with a broadening range of care collaborators are generating new services and promoting growth. At the same time, mergers and acquisitions are creating synergies while compacting the industry through consolidation. Both will yield new opportunities and redefine the industry.

Nowhere is the force of change more evident than in the US, where organizations are implementing electronic health records (EHRs) as a means to lower healthcare costs, modernize back-office systems, and speed payments. The real challenge, however, will be integrating disparate systems to seamlessly share EHR information with providers, payers, and patients. Doing so will help providers monitor and improve patient care, predict development of illnesses, boost patient engagement in their care, and enhance workflows among providers, care collaborators, and payers.

With change comes challenge, however. More than ever, healthcare payers and providers face a raft of issues that could impact the security of patient health data, sensitive corporate information, and regulatory compliance mandates. Most are boosting their investments in information security to address these evolutions, according to The Global State of Information Security Survey (GSISS) 2015.


Technology advances like telemedicine, information sharing via mobile devices and social media, and Big Data analytics are transforming how healthcare payers and providers interact with their patients, business partners, and regulators. The confluence of these technologies is also changing how organizations provide care and is helping create a marketplace in which consumers pay for healthcare by value rather than volume.

It will also expose more sensitive patient data to the Internet, which will increase information security risks.

In part, that's because electronic data is inherently more vulnerable to large-scale compromise than paper-based information. Another factor is that troves of patient data contained in EHRs and healthcare information exchanges (HIEs) are increasingly tempting to cyber criminals. A comprehensive identity-theft kit containing a health insurance record can be worth as much as $1,000 on the black market, and even partial health insurance credentials can fetch $20; stolen payment cards, by comparison, typically are sold for $1 each.1

Medical records are more valuable because cybercriminals can use them to create an identity, as well as carry out sophisticated insurance fraud schemes.

GSISS 2015: Healthcare payers and providers results at a glance

Incidents: average number of detected incidents, 2,786 (2013) vs. 4,470 (2014); estimated total financial losses, $0.8M (2013) vs. $2.9M (2014).

1 Dell SecureWorks, Hackers Sell Health Insurance Credentials, Bank Accounts, SSNs and Counterfeit Documents, for over $1,000 Per Dossier, July 15, 2013

Sources of incidents (percentage of respondents, 2013 vs. 2014): current employees, former employees, hackers, foreign nation-states.

Security spending: average annual IS budget, $2.4M (2013) vs. $4.0M (2014); IS spend as percentage of IT budget, between 3.4% and 3.7%.


Security incidents skyrocket


The increased volume and value of healthcare data comes at a time when governments have warned
healthcare providers that their security lacks the maturity of industries like financial services and retail.


Officials have also warned that malicious actors are more actively targeting patient data.

Our security survey results bear that out: Incidents among healthcare payers and providers soared 60% over 2013, an increase that was almost double that reported by all industries. (We define a security incident as any adverse incident that threatens some aspect of computer security.) These compromises come at a great cost: The estimated average financial losses as a result of security incidents skyrocketed to $2.9 million in 2014, a head-turning 282% increase over the year before.

While retailers are grappling with a rash of payment-card heists, healthcare payers and providers report increases in theft of more valuable data. This year, survey respondents say identity theft jumped 32%, and 20% say personally identifiable information (PII) was compromised.

The fastest-growing sources of security incidents (increase over 2013): activists/activist organizations/hacktivists, organized crime, information brokers, competitors, and foreign nation-states (206%).
Recently, a major US hospital chain reported that personal records of several million patients were stolen.2 While the total number of survey respondents who attribute security incidents to foreign nation-states is comparatively low, they are the fastest-growing source, increasing 206% over 2013.

This rise in incidents perpetrated by highly organized threat actors is part of a larger pattern we have seen: Data losses are shifting from accidental compromises (such as the use of an incorrect e-mail address for distribution of sensitive data) to more targeted and broader attacks by nation-states, organized crime, and activists/hacktivists.

It's a troubling trend, but the good news is that many healthcare payers and providers seem to be taking these threats seriously. Investment in information security increased 66% over 2013, and spending on information technology is up 53%. While implementation of electronic records remains the primary driver for security spending, its influence is beginning to wane.

EHRs continue to drive security investment. What trends drive security spending? (percentage of respondents, 2013 vs. 2014): implementation of electronic health records (EHRs)/public health records (PHRs); data sharing via Health Information Exchanges; increased drive for outcome-based research and health analytics; data sharing via medical devices; data sharing via mobile devices; data sharing via social media; data sharing via telemedicine.

2 PwC, Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security Survey 2015, September 30, 2014

Consumers and partnerships drive change


Companies are forming new business relationships to meet heightened consumer expectations.


The need to invest in security will only increase as today's connected consumers expect access to complete medical records via health portals set up by hospitals, individual physicians, and payers. Consumer demand for electronic access to health records and changes in the traditional fee-for-service based payment model will demand that organizations forge new business associations between a range of healthcare payers and providers, as well as invest in identity management technologies.

Just as consumer healthcare behavior is evolving, so too are relationships among health companies. Increasingly, healthcare companies are forming new affiliations with a range of partners to meet changing customer demands.

Consider the following:

Payers are investing in analytics companies, physician group practices, and healthy food programs. These acquisitions are driving consolidation and convergence in the health industries.

Drugstores are providing more care through in-store clinics that offer immunizations, wellness screening, and routine lab work like blood tests.

As the industry focuses on population health management, which seeks to reduce medical interventions through preventive care and targets hospitals' traditional fee-for-service payment system, providers are altering business models to address increasing financial risks.

And as health information exchanges and EHRs go online, even more third parties are involved in the digital flow of healthcare information.


These shifts in relationships may increase compliance risks as new partners take on unfamiliar roles that are subject to increasingly stringent privacy regulations. The Final Health Insurance Portability and Accountability Act (HIPAA) Rule, for instance, expands accountability to subcontractors of business associates, who are now required to comply with the HIPAA Privacy Rule and Security Rule, including the same provisions related to physical, administrative, and technical safeguards applicable to business associates.

This creates additional burdens for business associates, but it also produces new cybersecurity risks by expanding the attack surface through sharing of more data. The risks are compounded when healthcare organizations execute business-associate agreements without adequate due diligence and monitoring of these third parties. Other organizations may more thoroughly evaluate business associates while ignoring other vendors that may also have trusted access to sensitive information. As one high-profile retailer breach last year so conclusively demonstrated, cyber adversaries can, and will, access sensitive data and networks via third-party vendors.

For many healthcare payers and providers, the HIPAA Final Rule may represent a challenge. We found, for instance, that only 54% of respondents conduct risk assessments on third-party vendors, and just 60% conduct compliance audits of third parties that handle personal data of customers and employees to ensure they can protect this information.

Top 5 security challenges in 2014 (percentage of respondents): access control and identity management for end users, 35%; data leakage prevention, 30%; cloud computing, 30%; encryption in storage and in transit, 27%; regulatory requirements, 23%.

Landmark privacy regulation will impact organizations operating in Europe.

The European Union (EU) is on course in the coming months to adopt its biggest privacy-regulation overhaul in a generation. The new reform rules are expected to introduce extensive breach-notification requirements, give regulators the power to perform compulsory audits, and impose fines as high as 5% of annual worldwide turnover. As a result, multimillion-euro penalties for non-compliance could become commonplace in the EU.

What's more, under the new regulation, the EU's classification of personal health information as sensitive could result in heightened obligations and scrutiny for organizations in the healthcare, pharmaceutical, and life sciences industries.

Rising risks of mobility and Big Data


The use of smartphones and tablets, both by employees and customers, to access protected
healthcare data is likely to further elevate risks of compromise.


Already, almost one in five (19%) respondents report compromise of mobile devices in the past year. Among healthcare providers, physicians who bring their own smartphones and tablets to the workplace are a particular concern. These devices may not be integrated with the workplace IT system, and that makes it difficult for the security function to monitor transmission of patient data.

Privacy rules, after all, apply when any protected health data is accessed and transmitted, whether from a centralized customer relationship management system or an individual physician's smartphone.

Security strategies are often lacking

Have a strategy for (percentage of respondents, 2013 vs. 2014): Big Data (2013: N/A), cloud computing, social media, employee use of personal devices on the enterprise, the Internet of Things (2013: N/A).

Given the risks, it seems surprising that 38% of respondents have no security strategy governing employee use of personal devices on the enterprise.

Also consider that healthcare payers and providers, thanks in large part to the implementation of EHRs and sensor-based health-monitoring devices, are swimming in a rapidly rising sea of data. Data analytics is likely to transform healthcare by helping predict and diagnose illness, monitor patient wellness, better understand customer preferences, and increase operational efficiencies.

To protect this trove of data, it's essential that organizations implement the proper security safeguards.

Big Data analytics also can help organizations model for and predict security incidents. Among healthcare payers and providers, 44% say they have Big Data analytics in place, and an additional 15% outsource analytics. The majority (58%) of those who have harnessed data analytics say it has enabled them to detect more incidents.

Yet 47% of respondents do not have a security strategy for Big Data, and others lack important security tools and policies such as data loss prevention (40%) and an inventory of where personal data is collected, stored, and transmitted (36%). Implementation of security controls may be particularly challenging when the analytics is outsourced to a cloud services provider.


Prepping for the Internet of Things


The convergence of information, operational, and consumer technologies will bring great benefits, and new risks.


The Internet of Things will introduce tremendous benefits for healthcare organizations and life-changing conveniences and wellness opportunities for consumers. It also will create a new world of security risks, a fact that many respondents seem to realize.

In fact, 44% of healthcare payers and providers say they have already implemented a security strategy for the convergence of information, operational, and consumer technologies; an additional 24% say they are working on a strategy. Nonetheless, many seem to be implementing these new technologies before they can be secured. Almost half (47%) of respondents say they have integrated consumer technologies such as wearable health-monitoring devices or operational systems like automated pharmacy systems with their IT ecosystem. Yet most have not taken precautions to help ensure the security of these IT-connected devices. Just more than one-third (34%) say they have contacted device manufacturers to understand security capabilities and risks, and 58% have performed a risk assessment of the technologies. Only 53% have implemented security controls.

The security implications are potentially colossal. Exponentially more personal information will be traversing more connected corporate ecosystems and personal networks of consumers, increasing risks to sensitive patient information. An effective security strategy should identify protected data, determine ownership, and define accountability before consumer and operational technologies are connected to the IT system. This is key because, unlike a stolen payment card number, consumers cannot simply request a new identity or health history once the information has been breached.

Health information is also much more personal than a credit card number: Consumers may not be concerned in the long run if payment card data is leaked, but health conditions such as infectious diseases or the use of certain medications can be deeply personal.

To determine what assets are high priority, healthcare payers and providers should identify their most valuable assets and determine who owns responsibility for them. Assigning ownership and accountability will become increasingly challenging as more electronic data is shared among a new constellation of partners.

It's also an area in which there is great room for improvement: We found that just 62% of respondents have a program to identify sensitive assets, and fewer (60%) have an inventory of all third parties that handle personal data.


Security starts at the top


Cybersecurity and privacy should be embedded in the organization's DNA, with a top-down commitment to security and ongoing employee training programs.


This year's survey finds cause for some optimism. The number of healthcare organizations that have employee training programs (62%) and those that require employees to complete training on privacy practices and policies (73%) both increased over last year. Nonetheless, training should be universal, and accountability should cascade from the C-suite to every employee and third-party vendor and supplier.

Top-down commitment and participation is essential. This year, 65% of healthcare payers and providers say a senior executive communicates the importance of information security to the entire organization. That's a healthy gain from last year (58%) and demonstrates that the executive team is taking ownership of cyber risk.

But ownership of risk also demands that senior executives proactively ensure that the Board of Directors understands how the organization will defend against and respond to cyber threats. We have heard much discussion about Board concern after the recent rash of retailer breaches, but our survey demonstrates that organizations clearly have not elevated security to a Board-level discussion. Consider, for instance, that only 25% of respondents say their Board of Directors participates in reviewing current security and privacy risks, a crucial component of any effective security program. Just 24% are involved in security technologies and 32% participate in security policies. Slightly more, 36%, take a role in setting the security budget.

How Boards participate in security (percentage of respondents): overall security strategy, 40%; security budget, 36%; security policies, 32%; review of security and privacy risks, 25%; security technologies, 24%; review roles and responsibilities of security organization, 18%; review of security and privacy testing, 15%.

Security in the new health economy

A sweeping transformation of the health economy is well under way. Connected technologies, Big Data analytics, and electronic health records are combining to redefine consumer demands and business models. At the same time, sophisticated threat actors are devising new ways to compromise and steal digitized medical data. Taken together, this inexorable shift will demand a rethink of information security. At the heart of this initiative should be a risk-based cybersecurity program to identify, manage, and respond to privacy and security threats.


Contacts


To have a deeper conversation about cybersecurity, please contact:

Healthcare payers and providers


United States


Jay Cline
Principal, Risk Assurance
612 596 6403
jay.cline@us.pwc.com

Mick Coady
Principal, Health Industries
713 356 4366
mick.coady@us.pwc.com

Joe Greene
Principal, Health Industries
612 596 6024
joe.greene@us.pwc.com

Peter Harries
Principal, Health Industries
602 750 3404
peter.harries@us.pwc.com


www.pwc.com/gsiss2015 // www.pwc.com/cybersecurity

PwC helps organisations and individuals create the value they're looking for. We're a network of firms in 157 countries with more than 195,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PwC does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2014 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. The Global State of Information Security is a registered trademark of International Data Group, Inc.

Cybersecurity challenges in an interconnected world // Key findings from The Global State of Information Security Survey 2015

Retail and consumer

Over the past year, the phrase "data breach" has become closely associated with the word "retailer" as attacks reached epic levels. The most notable mega-breaches occurred in the US, where cyber compromises resulted in the loss of information for more than 100 million payment cards. The trend is not limited to America, however. In the UK, payroll and bank account numbers of 100,000 employees of a supermarket chain were stolen.1 And hackers employed a new version of the point-of-sale (POS) malware known as ChewBacca to pluck payment card data from numerous retailers in 11 nations, including Russia, Canada, and Australia.2

Labeling 2013 as the year of the retailer breach, Verizon counted 467 retailer compromises around the world in its annual Data Breach Investigations Report, noting that payment card data was the primary target in 95% of incidents within the retail industry.3

Our research shows that retail and consumer goods companies are more likely to report cybercrime incidents than businesses from any other industry except financial services.4 These breaches have resulted in global negative publicity, loss of shareholder value, reduced profits, and millions of dollars in breach-mitigation expenses. They also may have eroded customer trust, which is indispensable to any retailer and brand. Our research shows, for instance, that concerns about the security of personal and payment data are top reasons why some consumers still do not shop online.5 These breaches have very likely increased shopper concerns about in-store security as well.

"Threats to retail and consumer goods companies continue to become more persistent and dynamic, and by all indicators these threats will only increase," says G. Christopher Hall, an Advisory principal focused on cybersecurity and privacy. "Companies must step up their efforts to invest in security personnel, processes, and technologies that address holistic information security strategies and go beyond any industry-specific mandates."

1 Networkworld, Morrisons supermarket suffers major pay-roll data breach after insider attack, March 14, 2014
2 Networkworld, Tor-enabled malware stole credit card data from PoS systems at dozens of retailers, January 30, 2014
3 Verizon, 2014 Data Breach Investigations Report, April 2014
4 PwC, Global Economic Crime Survey 2014, February 2014
5 PwC, Global Total Retail Survey 2014, February 2014

Introduction // 1

Cybersecurity challenges in an interconnected world // Key findings from The Global State of Information Security Survey 2015
Retail and consumer

Introduction
Incidents rise while
budgets fall

If there is an upside, its that the compromises have spurred


stakeholders in the US payment card industry to move from the
existing magnetic-stripe technology to EMV (short for Europay,
MasterCard, and Visa), a more secure microprocessor-based
standard that is less vulnerable to compromise.

Data governance is lacking

GSISS 2015: Retail and consumer


results at a glance
Click or tap each title to view data

Contacts

Sources of
incidents

Security
spending

prev

3,207
3K

New technologies and


their risks

Linking security and risk

Incidents

4K

Increasing third-party
threats

Toward a more strategic


approach

next

The breaches have also increased awareness of cyber


risks across industries and elevated the cybersecurity
discussion to top executives and Boards of Directors.

2,702

3M

1.9M

$
2K

2M

While its no longer possible to protect all data, networks,


and applications at the highest level, a proactive cybersecurity
program will enable retail and consumer goods manufacturers
to prioritize protection and more quickly react to incidents
that are all but inevitable.

1.0M

1M

2013

2014

Average number of detected incidents

2013

2014

Estimated total financial losses

Introduction // 2

Cybersecurity challenges in an interconnected world // Key findings from The Global State of Information Security Survey 2015
Retail and consumer

Introduction
Incidents rise while
budgets fall

If there is an upside, its that the compromises have spurred


stakeholders in the US payment card industry to move from the
existing magnetic-stripe technology to EMV (short for Europay,
MasterCard, and Visa), a more secure microprocessor-based
standard that is less vulnerable to compromise.

GSISS 2015: Retail and consumer


results at a glance
Click or tap each title to view data

next

Incidents

Data governance is lacking

Sources of
incidents

prev

Security
spending

47%
50%

Increasing third-party
threats

37%

Toward a more strategic


approach
Linking security and risk
Contacts

34%

40%

New technologies and


their risks
The breaches have also increased awareness of cyber
risks across industries and elevated the cybersecurity
discussion to top executives and Boards of Directors.

29%

29%

30%

30%

30%

20%

While its no longer possible to protect all data, networks,


and applications at the highest level, a proactive cybersecurity
program will enable retail and consumer goods manufacturers
to prioritize protection and more quickly react to incidents
that are all but inevitable.

2013

2014

Current employees

2013
Former employees

2014

2013

2014

Service providers/contractors/
suppliers/partners

2013

2014

Hackers

Introduction // 3

Cybersecurity challenges in an interconnected world // Key findings from The Global State of Information Security Survey 2015
Retail and consumer

Introduction
Incidents rise while
budgets fall

If there is an upside, its that the compromises have spurred


stakeholders in the US payment card industry to move from the
existing magnetic-stripe technology to EMV (short for Europay,
MasterCard, and Visa), a more secure microprocessor-based
standard that is less vulnerable to compromise.

Figure: GSISS 2015 Retail and consumer results at a glance, 2013 vs 2014: average number of detected incidents; average annual information security budget; information security spend as a percentage of IT budget.

Incidents rise, while budgets fall


The number of detected incidents may be rising because many organizations have deployed network
monitoring and logging technologies in recent years.


The Global State of Information Security Survey (GSISS) shows that, among 836 worldwide retail and consumer goods respondents, the number of detected incidents in 2014 increased 19% over 2013. (We define a security incident as any adverse event that threatens some aspect of computer security.) While this proliferation undoubtedly reflects the increased activity of cyber adversaries, the number of detected incidents may also be rising because many organizations have deployed network monitoring and logging technologies in recent years. Better visibility turns up more incidents, so a count of detected incidents is bounded by how much of the environment an organization can actually see.

It's also worth noting that adversaries appear to be targeting retailers more frequently than consumer products manufacturers. Consumer products companies detected an average of 2,065 incidents, fewer than the 3,447 detected by retailers and a 14% decline from 2013. Current employees (34%) and former employees (30%) account for the most incidents, with a notable increase in retail and consumer goods respondents who point the finger at current employees. We also saw a 27% jump in incidents attributed to third-party service providers, contractors, suppliers, and business partners, which often have trusted access to the company's network and data.

While the number of respondents who link incidents to sophisticated threat actors such as nation-states, hacktivists, and organized crime is comparatively low, these are among the fastest-growing sources. Respondents who cited foreign nation-states as the cause of incidents increased 115% in 2014.

Customer and employee data are the target of most incidents, which is not surprising given that threat actors often set their sights on payment card information. Among consumer goods manufacturers, theft of intellectual property (IP) is a larger concern. That's because manufacturers often produce products for other, smaller businesses and store those clients' IP and research and development information.

This year, one in four consumer goods respondents say they lost soft IP (information such as processes and institutional knowledge), a 27% jump over last year.


Despite the rise in detected incidents, retail and consumer companies report that total financial losses resulting from security incidents declined 46% in 2014. This finding seems counter-intuitive, given the upsurge in detected compromises. In part, the discrepancy may be attributed to a 61% rise in security spending in 2013, which may have enabled organizations to detect and mitigate incidents more quickly. What's more, as businesses implement monitoring and logging technologies they will detect more incidents that are benign, such as viruses that do not result in costly damage.

It is troubling, however, to find that information security budgets are down 15% over 2013. Retailers cut their security investments more sharply than consumer goods companies.


The decline in security spending initially seems puzzling, given the recent high-profile breaches. It's likely that organizations had finalized their 2014 budgets before December 2013, when the first mega-breach was announced. Afterward, some businesses we know revisited their budgets and reallocated more funds for cybersecurity. We expect to see a spike in security spending in the coming year.

Figure: The fastest-growing sources of security incidents (increase over 2013): foreign nation-states, up 115%; also information brokers, organized crime, foreign entities and organizations, and activists/hacktivists.

Data governance is lacking

Many businesses emphasize regulatory compliance at the expense of a framework that governs information.


Figure: Attrition in data governance safeguards, 2013 vs 2014: have centralized user data store (down from 63% to 55%); have secure-access control measures (57% in 2014); have an accurate inventory of where personal data for customers and employees are collected, transmitted, and stored (down from 60% to 54%); limit collection, retention, and access of personal information to the minimum necessary to accomplish purpose (54% in 2014); have privileged user access tools (down from 67% to 53%); have a written security policy for off-premises storage, access, and transport of personal data.

Retailers, in particular, often take a compliance-checklist approach to information security, focusing on Payment Card Industry Data Security Standard (PCI DSS) requirements while neglecting the data governance needed to protect valuable information assets.

Good data governance requires that businesses develop a framework and policies for the creation, use, storage, and deletion of information. It also demands that retail and consumer companies know where their data is stored, manage access to sensitive information, and govern the use and security of valuable data by third-party partners.


A basic foundation of data governance is centralized data storage, which enables organizations to consolidate, manage, and secure their information. This is becoming increasingly essential as smartphones and social media accelerate the creation and sharing of data. Yet organizations seem to be falling short on fundamentals: just 55% of respondents say they have centralized user data storage, down from 63% in 2013.

Furthermore, many companies seem to know very little about the sensitive data they hold or allow third parties to access. Consider, for instance, that the number of respondents who say they have an accurate inventory of where personal data for employees and customers are collected, transmitted, and stored dropped to 54% this year, down from 60% in 2013.
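An inventory of the kind the survey asks about is normally built by scanning storage for the data it is supposed to track, and for retailers the data that matters most is cardholder data. The following Python is an added example, not part of the PwC report: it looks for candidate payment card numbers (13 to 19 digits, optionally separated by spaces or hyphens), keeps only those that pass the Luhn check that real PANs satisfy, and reports each hit by source with the number masked to its first six and last four digits. The file names and record contents are constructed sample data; the card numbers are the publicly known processor test PANs, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid candidate card numbers in text, separators stripped."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):     # drops order numbers, IDs and other digit runs
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inventory(sources: dict[str, str]) -> dict[str, list[str]]:
    """Map each source name to the masked PANs found in it; sources with no hits are omitted."""
    result = {}
    for name, text in sources.items():
        pans = find_pans(text)
        if pans:
            result[name] = [mask(p) for p in pans]
    return result


# Constructed sample data (hypothetical file names; the card numbers are the
# publicly known test PANs used by payment processors, not real accounts).
SAMPLE_SOURCES = {
    "crm_export.csv": "name,card\nA. Buyer,4111 1111 1111 1111\nB. Buyer,5555-5555-5555-4444\n",
    "orders.log": "2014-09-30 order=1234567890123456 status=shipped\n",
    "support_ticket.txt": "Customer reports card 378282246310005 was declined.\n",
}

if __name__ == "__main__":
    for source, pans in inventory(SAMPLE_SOURCES).items():
        print(f"{source}: {', '.join(pans)}")
```

The Luhn filter is what keeps the output usable: the 16-digit order number in the constructed log line matches the pattern but fails the checksum, so only the CRM export and the support ticket are reported. In practice the same scan is run over file shares, databases and ticketing systems on a schedule, and any hit outside the systems the inventory already lists is a governance finding, not just a scan result.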


A sound data governance program also limits the data stored to what is actually needed. It's a practice that many do not follow: only 54% say they limit the collection, retention, and access of personal information to the minimum necessary to accomplish a legitimate business purpose.

Other security basics include safeguards that limit access to data and systems, and monitoring for anomalous network activity.


Only 47% of respondents say they have identity-management tools in place, and just 57% say they have secure access control measures. Because adversaries often target employees with extensive access to systems and data, privileged user access technologies are key.

Yet only 53% of respondents say they have privileged user access tools in place, down from 67% last year.
Increasing third-party threats


Data breaches often start with the compromise of suppliers, contractors, and vendors.


In the past year, several retailers that have been hit by costly, high-impact breaches have had one thing in common: criminals gained access to their networks and POS systems through attacks on third-party suppliers and contractors, resulting in the compromise of millions of payment card accounts.

These breaches resulted in heavy financial and reputational losses, but they also encouraged some retailers to migrate more rapidly to the EMV system.

Today, a very small percentage of payment cards in the US employ EMV technology, which is more resistant to compromise and counterfeiting than magnetic-stripe cards. That's changing, however, as several major card networks have begun migration to the chip-based EMV system and have set an October 1, 2015 deadline for implementation of EMV technologies. (Gas station owners will have until October 1, 2017 to migrate to EMV.) Thereafter, fraud liability will shift to the party that is not EMV-compliant.6 Note that EMV addresses counterfeit cards at the point of sale; it does not by itself protect card-not-present transactions or card data already captured on a compromised system.

While retail and consumer companies are adopting the EMV standard, many have not yet taken more basic precautions to protect themselves from breach via the systems of third parties. Consider, for instance, that only 54% of survey respondents say they have established security standards for external partners, suppliers, and vendors. And just 44% conduct risk assessments on third-party vendors, down from 55% last year.

Furthermore, we asked whether organizations have implemented, or plan to implement, a program that monitors third-party partners and service providers to ensure they comply with security and data-protection policies. The responses are not encouraging: only 29% say they have this type of monitoring program in place, and 37% say they plan to add one. But one in five say they have no plans to implement a program to monitor third parties.

An effective vendor-management program will require more than individual policies and processes, however. What's also needed is a tiered framework that assesses, segments, and manages third-party partners based on the risks they present to the business. This is critical because large organizations may have thousands of vendors with access to their systems and data; a tiered approach helps them focus on the most serious risks. It also enables organizations to hold third parties to different levels of accountability. For instance, businesses that share sensitive customer information with external marketing partners should ensure that those firms adhere to the very highest level of security, while those with access to less sensitive information need not be held to the most rigorous standards.

6 PwC, Securing the card payments infrastructure: Where are we headed?, July 2014

Figure: Key safeguards for third-party security and privacy are lacking, 2013 vs 2014: established security baselines/standards for external partners, customers, suppliers, and vendors (54% in 2014); require third parties to comply with privacy policies; have an inventory of all third parties that handle personal data of employees and customers; have an incident response process to report and handle breaches to third parties that handle data; perform risk assessments on third-party vendors (down from 55% to 44%).

New technologies and their risks


Retail and consumer goods companies are embracing new technologies to connect with customers,
build operational efficiencies, and enable collaboration.


The trouble is, many businesses adopt these technologies before they effectively secure them. Consider cloud computing, perhaps the decade's most transformative technology trend.


More than half of respondents say they use some form of cloud computing for file storage and sharing, and for hosting databases, applications, e-mail, and websites.

Yet only 45% of respondents have a security strategy for cloud computing, an astonishing finding, and just 33% say they are very prepared to protect sensitive data in the cloud. Given that 29% of respondents say they use cloud services for e-commerce, that's certainly disquieting.

Mobility continues to transform how companies and their employees operate. The use of mobile devices also introduces new risks, including data loss, device theft, and accidental leakage. In fact, 23% of respondents say mobile devices were exploited this year. While many retail and consumer companies have made progress in strengthening their mobile security practices, there remains considerable room for improvement. For instance, only 51% say they have a mobile security strategy, and fewer (43%) use mobile device management software to safeguard their fleet of mobile devices.

Another risk lies in the rising employee use of personal devices in the workplace, a trend known as bring your own device, or BYOD. This year, 69% of respondents either plan to allow or already allow the use of employee-owned devices to access the corporate network, yet most organizations are ill-prepared to secure their assets. The number that have a security strategy for BYOD dropped to 49% this year, down considerably from 2013.

Figure: Attrition in safeguards for new technologies, 2013 vs 2014: have secure remote access (VPN), down from 69% to 56%; security strategy for mobile devices (51% in 2014); security strategy for BYOD (49% in 2014); security strategy for cloud computing (45% in 2014); security strategy for social media (45% in 2014).

As workers become increasingly mobile, employees access the network, data, and applications remotely via laptops, smartphones, and tablets. So it was worrisome to find that the number of respondents who have secure remote access software such as virtual private networks is low and shrinking: only 56% have this essential technology, down from 69% in 2013.

Another technological juggernaut is social networking, which enables retail and consumer companies to attract and engage customers, improve the customer experience, and manage brand images. The benefits are many, but so are the risks.

Employees can inadvertently disclose sensitive data via social networking sites, and cyber criminals can mine accounts to obtain information that can be used in targeted phishing attacks. Despite these very real risks, only 45% of respondents have a security strategy for social media, a number that decreased considerably over last year.

Finally, this year's game-changing technology may be mobile payment systems, or digital wallets. The capability to make payments from smartphones is not new, but it is gaining momentum as more devices support payment systems such as Apple Pay, the Merchant Customer Exchange (MCX) CurrentC, and Google Wallet. And given the recent rash of retailer breaches, consumers may prefer to whip out their smartphones and leave their payment cards in their wallets.

It's worth noting, however, that no payment system will be 100% secure. Determined threat actors will very likely find ways to circumvent the technologies that underpin digital payment systems; in fact, compromises have already been reported.

The success of mobile payments will, of course, require a wide constellation of retailers capable of accepting these digital payments, and that's not yet a given. One-quarter (25%) of retail and consumer respondents say they have implemented systems for digital wallets, and an additional 36% say they plan to implement them in the future.

Toward a more strategic approach


Our survey results show that many retail and consumer companies need to take a more strategic approach to help identify, manage, and respond to privacy and security threats.


In many cases, commitment to strategic security safeguards seems to be diminishing.

It all starts with an information security strategy that is aligned with the specific needs of the business. This year, 59% of respondents say they have united their security strategy and business goals. An effective security program also should apportion spending to the data assets that have the highest business value. Respondents show a more solid, if incomplete, commitment in this area: 67% say their security investments are allocated to the organization's most profitable lines of business.

Before resources can be allocated, however, it is necessary first to identify the organization's most valuable assets and determine who owns responsibility for them. This is an area in which we found significant potential for improvement: only 52% of respondents have a program to identify sensitive assets.

Figure: Strategic processes are often lacking, 2013 vs 2014: collaborate with others to improve security (52% in 2014); program to identify sensitive assets (52% in 2014); information security strategy is aligned with specific business needs (59% in 2014); a senior executive communicates importance of security to entire enterprise (61% in 2014); have cyber insurance (up from 40% to 50%); have employee security training and awareness program (down from 59% to 49%).
More than ever, senior executives should proactively ensure that the Board understands how the organization will detect, defend against, and respond to cyber threats.


An effective security program will require top-down commitment and communication of information security fundamentals and priorities. Organizations have made some progress on this measure: 61% of respondents have a senior executive who communicates the importance of information security to the entire enterprise. Information security communications also must cascade upward to the Board of Directors to ensure that members have the information they need to manage risks and protect the company from cyber adversaries. Boards are increasingly concerned about having the right risk intelligence, and they may also be worried that their personal reputations could be tarnished by a high-profile compromise. Earlier this year, several directors of a prominent retailer came under public scrutiny after the company suffered a very public data breach that also resulted in the resignations of several C-suite executives.

Despite the discussion following recent retailer breaches, many companies have not yet elevated security to a Board-level discussion. Consider, for instance, that only 39% of respondents say their Board participates in the overall security strategy, and 35% say the Board participates in the security budget. Fewer (22%) say their Board is involved in reviews of current security and privacy risks, a crucial component of any effective security program.

Finally, sharing information about security, internally and externally, is essential to the success of security programs as cyber threats, technologies, and vulnerabilities evolve at lightning speed. Employee training and awareness is particularly important because the weakest link in the security chain is often human. So it was a bit worrisome to find that the number of respondents who have an employee training program in place dropped to 49%, from 59% in 2013.

Externally, sharing information among public and private entities has enabled businesses to gain better intelligence on threats and response tactics. To this end, US retailers recently formed the Retail Cyber Intelligence Sharing Center (R-CISC) to serve as an Information Sharing and Analysis Center (ISAC) as well as a forum for education, training, and research on future threats. Among our survey respondents, more than half (52%) say they collaborate with others to share security intelligence and tactics, an improvement over last year. Consumer packaged goods companies may not have a dedicated ISAC, but they tend to share information more readily: among consumer products respondents, 65% say they collaborate with others to improve security.

Many organizations are finding that cyber insurance can be an effective way to help manage risks and mitigate the financial losses of cyber attacks. It has been widely reported, in fact, that several retailers breached over the past year recovered tens of millions of dollars in mitigation costs through insurance coverage. This year, 50% of respondents say they have purchased cybersecurity insurance, up from 40% last year. Perhaps more significant is the finding that some companies are leveraging cyber insurance as a way to improve their security program: almost one-third say they have taken steps to enhance their security posture in order to lower insurance premiums.

Linking security and risk

As incidents continue to proliferate, it's becoming clear that cyber risks can never be completely eliminated.


Protective measures remain important, but they may not stop determined and highly skilled adversaries. Case in point: most of the retailers impacted in recent data breaches had been assessed as compliant with the PCI DSS, a point-in-time check that does not by itself guarantee security.

In addition to regulatory compliance, effective cybersecurity will require up-to-date processes, trained personnel, and tools to detect, analyze, and respond to incidents. To make this adjustment, retail and consumer companies should reposition their security strategy by more closely linking technologies, processes, and tools with the firm's broader risk-management activities. Doing so will result in a cyber-resilient program that can effectively manage risks based on the business's individual tolerance for risk.

Contacts


To have a deeper conversation about cybersecurity, please contact:

Retail and consumer


United States
Alexander Coassin
Principal
415 498 5282
alexander.t.coassin@us.pwc.com

G. Christopher Hall
Principal
412 355 6183
g.christopher.hall@us.pwc.com

Ron Kinghorn
Principal
617 530 5938
ron.kinghorn@us.pwc.com

Gary Loveland
Principal
949 437 5380
gary.loveland@us.pwc.com

Bryan Oberlander
Principal
617 530 4125
bryan.s.oberlander@us.pwc.com

Paul Ritters
Director
612 596 6356
paul.j.ritters@us.pwc.com

www.pwc.com/gsiss2015 // www.pwc.com/cybersecurity
PwC helps organisations and individuals create the value they're looking for. We're a network of firms in 157 countries with more than 195,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.
PricewaterhouseCoopers has exercised reasonable care in the collecting, processing, and reporting of this information but has not independently verified, validated, or audited the data to verify the
accuracy or completeness of the information. PricewaterhouseCoopers gives no express or implied warranties, including but not limited to any warranties of merchantability or fitness for a particular
purpose or use and shall not be liable to any entity or person using this document, or have any liability with respect to this document.
2015 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
The Global State of Information Security is a registered trademark of International Data Group, Inc.

Improving cyber readiness in an interconnected world
Key findings from The Global State of Information Security Survey 2015
Technology
Technology organizations tend to have comparatively robust and mature cybersecurity programs. It makes sense, given that many have been in the vanguard of developing the systems and tools that have forever altered how businesses operate, market products, and interact with customers.

In the past year, hackers infiltrated the servers of a global software company and stole not only source code but also the personal information of tens of millions of customers. Computers of prominent multinational Internet companies were compromised as a result of watering-hole attacks. Hackers employed key-logging software to steal the user credentials of more than 2 million social media and e-mail accounts from companies that dominate the Web. A prominent social networking and entertainment website was taken down by a massive distributed denial of service (DDoS) attack. And European Internet service providers were prominent targets of an extremely complex and stealthy espionage tool that has been in use for more than six years.

The bad news? Cyber-threat actors seem to have the advantage. Consider the following:


These are just a few of many attacks against technology companies in the past 12 months. While many breaches resulted in theft of customer information, others were more maleficent in intent. Increasingly, cyber criminals target technology companies to lift intellectual property, sabotage websites and reputations, and modify source code. The result has been worldwide negative publicity, loss of shareholder value, reduced profits, and millions of dollars in breach-mitigation expenses, not to mention an erosion of customer trust.

"Businesses and people are becoming more and more connected and empowered by technology, and technology companies in particular, and the customers they serve and products and services they produce, are becoming increasingly valuable targets," says Mark Lobel, Principal in PwC's Advisory practice focused on cybersecurity and privacy. "At the same time, the complexities of the global business ecosystem and the evolving threat and compliance landscape are forcing technology companies to re-imagine security. To do so, organizations should invest in security personnel, processes, and technologies that address holistic information security strategies and go beyond outdated, ineffective security models."

Clearly, it's no longer possible to protect all data, networks, and applications at the highest level. But a proactive cybersecurity program will enable businesses to prioritize protection and react more quickly to attacks that are all but inevitable, even against the most tech-savvy of businesses.

Figure: GSISS 2015 Technology results at a glance, 2013 vs 2014: average number of detected incidents (4,529 and 3,777); estimated total financial losses ($2.5M and $2.0M).


GSISS 2015: Technology results


at a glance

next

Click or tap each title to view data

Incidents

Sources of
incidents

prev

Security
spending

50%

40%
40%

36%
32%

34%

35%
31%

30%

28%
22%

2013

2014

Current employees

2013
Former employees

2014

2013
Hackers

2014

2013

2014

Competitors

Introduction // 3

Improving cyber readiness in an interconnected world // Key findings from The Global State of Information Security Survey 2015
Technology

Introduction
Security incidents and
budgets decline
Sources and impact of
compromise
Insider threat programs
are lacking
Identity management
and the cloud
Gearing up for the Internet
of Things
The security safeguards
that matter
Contacts


GSISS 2015: Technology results


at a glance
Click or tap each title to view data

next

Incidents

Sources of
incidents

Security
spending

prev

5.2M

5M

4.1M
3.7%

3.7%

4M

3M

3%

2%

1%

2013

2014

Average annual information security budget

2013

2014

Information security spend as percentage of IT budget

Introduction // 4

Improving cyber readiness in an interconnected world // Key findings from The Global State of Information Security Survey 2015
Technology

Introduction
Security incidents and
budgets decline

Security incidents and budgets decline

Technology companies are detecting fewer incidents, despite evidence that attacks are rising
across industries.

next

prev

Sources and impact of


compromise
Insider threat programs
are lacking
Identity management
and the cloud
Gearing up for the Internet
of Things
The security safeguards
that matter
Contacts

The Global State of Information Security Survey (GSISS) 2015 shows that the technology sector leads most industries in implementation of the technologies, processes, and personnel skills that are vital to protecting data and quickly responding to incidents.
But even among these technologically sophisticated companies, there are troubling trends. Our survey of 1,892 technology industry executives reveals that respondents reported 17% fewer security incidents in the past year, despite overwhelming evidence that insider as well as targeted threats continue to multiply. (We define a security incident as any adverse incident that threatens some aspect of computer security.)

Against a global backdrop of escalating cyber attacks, this finding seems counter-intuitive. One explanation might be that technology companies boosted security spending by a hefty 39% in 2013, which may have enabled them to implement solutions and processes to help prevent attacks. What's more, as businesses deploy monitoring and logging technologies they will detect more incidents that are benign and do not result in costly damage. Another interpretation may lie in the increased use of outsourced or cloud services, which is shifting some responsibility and potentially making it more difficult to gain visibility into events.
Taking another view, one might assume that technology companies are simply not detecting many incidents. Today's sophisticated adversaries, particularly foreign nation-states and organized crime, make it their business to carry out sustained attacks without detection. Consequently, the volume of incidents may very well be under-reported.

Information security budgets declined significantly this year, particularly among smaller businesses.

If the decrease in incidents leaves room for interpretation, there is no positive way to spin the steep 21% decrease in information security spending in 2014. Looking at security spending by company size sheds some light on the spending patterns. Small companies (those with revenues of $100 million or less) reduced security spending by 36% in 2014, while large companies (revenues of $1 billion or more) trimmed investments by 9%. Medium-size firms (revenues of $100 million to $1 billion) reported a 3% drop in security budgets.

The decreased commitment to information security among small businesses is downright alarming, and a bit puzzling. One explanation may be that small businesses often consider themselves unworthy of serious cyber adversaries. We could also posit that the over-abundance of security solutions has resulted in an analysis paralysis that has rendered small companies unable to take action. And the current shortage of experienced security professionals may mean that the most skilled candidates go to larger organizations with hefty budgets. Nonetheless, these declining investments in security do not bode well for future cyber readiness.

[Figure: Security budgets by company size, 2013 vs. 2014. Small (revenues less than $100 million): 1.4 million (2013), 893 thousand (2014). Medium (revenues $100 million to $1 billion): 3.6 million (2013), 3.5 million (2014). Large (revenues more than $1 billion): 12.5 million (2013), 11.3 million (2014).]

Sources and impact of compromise

Incidents attributed to sophisticated threat actors are escalating.

Current and former employees are once again the most-frequent culprits of security incidents, cited by 36% and 32% of respondents, respectively. While compromises caused by employees often fly under the media radar, those committed by organized crime groups, activists/hacktivists, and nation-states typically do not. Attacks by these threat actors remain among the least frequent, but they are also the fastest growing.

Many businesses are particularly worried about attacks by nation-states, which often target tech companies to steal IP and trade secrets as a means to advance their own economic advantage. With good reason: Incidents attributed to nation-states soared by 80% over 2013.

The jump in nation-state incidents may also explain the rising theft of intellectual property, including source code of products and services, designs for products like chipsets and networking equipment, and proprietary manufacturing processes. This year, 42% of technology respondents report loss of intellectual property. Many, it seems, are not prepared: Almost half of tech respondents have no procedures in place to protect intellectual property.

Edward J. Snowden's disclosures of government surveillance have added a new adversary to the list of threat actors: domestic intelligence services. This year we included this option as a response to our question regarding the source of incidents, and 8% of technology respondents attributed incidents to domestic surveillance agencies, a rate that is higher than the global sample. In a finding that reflects the mood of the technology industry, almost two-thirds (65%) of respondents say they are somewhat or very concerned about government surveillance.

This type of espionage is prompting some businesses to reconsider their relationships with certain solutions providers. More than one-quarter of respondents (28%) say they are purchasing fewer products and services from technology companies based in certain nations, and 9% say they no longer procure products and services from those in specific countries. Given that this type of surveillance is most closely associated with the US, the implications for American technology companies are potentially serious.

Compromises by foreign nation-states are the fastest growing type of threats.

Insider threat programs are lacking

Many technology companies have not deployed basic identity and access technologies.

When it comes to cybercrime, many top executives know that security breaches by insiders (employees as well as contractors and business partners with trusted access) can be even more damaging than those attributed to external adversaries.
In the 2014 US State of Cybercrime Survey, we found that almost one-third (32%) of respondents said insider crimes are more costly or damaging than incidents perpetrated by outsiders.1 In part, that's because internal threat actors hold the advantage since they are more likely to know where valuable data is stored and what processes and technologies are in place to protect this information and prevent theft.
The increase in insider incidents, particularly among employees, could have critical implications for technology companies. Increasingly, external threat actors employ social engineering techniques such as spear phishing to steal credentials of employees with privileged access to data and networks, then use that information to infiltrate the company's network. Limiting and controlling access to key data assets is increasingly pivotal to information security and privacy.

Nonetheless, many technology companies are still grappling with automated identity and access management, a fundamental tool for preventing and managing insider incidents. Consider, for instance, that just over half (53%) of respondents have implemented identity management tools and only 54% employ multifactor authentication. Other technologies that are central to managing access and monitoring employee behavior are also not adequately deployed.
Employees and managers are vital to insider-threat management because they are often in a position to notice suspicious behavior or risk indicators. Consequently, employee training forms the spine of an effective insider program. So it was worrisome to find that the percentage of organizations that have an employee training and awareness program dropped to 51% this year.
Internal threats represent a people issue, not a technology problem, and an insider-threat program cannot be addressed by the IT function alone. Effective management will require a disciplined, cross-functional approach that includes IT, information security, corporate security, human resources, legal counsel, audit, and privacy, as well as leadership from lines of business. Just half of technology respondents have a cross-functional team that coordinates security issues.

Almost half of respondents have not implemented identity and access management tools.

1 2014 US State of Cybercrime Survey, co-sponsored by CSO magazine, CERT Division of the Software Engineering Institute at Carnegie Mellon University, PwC, and the US Secret Service, March-April 2014

[Figure: Many companies lack tools to manage insider threats, 2013 vs. 2014: have network access control software; user activity monitoring tools; have employee training and awareness program; have behavioral profiling and monitoring.]

Identity management and the cloud

More businesses are adopting cloud-based security services.

It's official: The cloud is now mainstream. This year 64% of technology respondents say they use some form of cloud computing.
Tentative early implementations of cloud services have given way to large-scale deployments of business functions such as customer relationship management, talent management, payroll, and enterprise communications. As organizations are becoming more familiar with the cloud and as cloud providers are maturing, the perception that providers' security practices are incapable of protecting sensitive data and mission-critical workloads is beginning to shift. In fact, our research shows that the majority of organizations that use cloud services report that doing so has improved their information security program.
It was somewhat surprising to find that big enterprises are most likely to employ cloud services. More than three quarters (77%) of large companies employ cloud, as compared with 74% of medium-size businesses and 55% of small firms. Another intriguing finding: One in four technology respondents use cloud-based security services, a solution that is gaining favor as providers offer more sophisticated, secure services.

In particular, we have seen growing interest in cloud-based identity and access management (IAM) solutions. While small and medium-size businesses were among the first to adopt cloud-based security as a means to extend their IAM capabilities, larger organizations are also beginning to embrace the concept, often as a replacement for on-premises solutions. In fact, 28% of respondents who employ cloud-based security are big businesses, while 19% are small.

No matter the size, enterprises that move sensitive data and mission-critical workloads to the cloud should do so following a carefully considered cloud strategy and due diligence. But many do not. In fact, only 52% of respondents have a security strategy for cloud computing, and just 54% perform risk assessments on third-party vendors, including cloud providers.

Large businesses are leading the way to the cloud and to cloud-based security services.

[Figure: Adoption of cloud computing by company size. Small (revenues less than $100 million): 55%. Medium (revenues $100 million to $1 billion): 74%. Large (revenues more than $1 billion): 77%.]

Gearing up for the Internet of Things

Half of respondents say they have a strategy for the convergence of information, operational, and consumer technologies.

The convergence of information, operational, and consumer technologies, typically referred to as the Internet of Things, will introduce tremendous business opportunities for companies that produce technologies. It also will create a new world of security risks.
As more devices are connected, exponentially more data will traverse an expanded constellation of enterprise ecosystems, increasing risks to sensitive corporate data and private consumer information. It's a risk that many technology companies seem to recognize. In fact, half of respondents say they have already implemented a security strategy for the convergence of information, operational, and consumer technologies; an additional 28% say they are developing a strategy.

Yet a closer look at the data reveals that many respondents do not yet have security strategies for technologies that underpin the Internet of Things, and most likely do not have an integrated plan for the convergence of these technologies.

Consider, for instance, that only 52% of respondents have a security strategy for cloud computing, and the same number have a security strategy for mobile devices. We believe technology businesses are beginning to develop a strategy for convergence, but have not yet integrated disparate components into a holistic strategy.

Doing so will demand that companies assess how technology convergence will affect the individual organization, and then establish goals for securing information and operations for future convergence. A disciplined, enterprise-wide assessment of the scope of valuable assets that are potentially at risk will be a key step.

[Figure: Strategies for technologies that underpin the Internet of Things. A closer look at the data reveals that many companies lack security strategies for mobile, social, and cloud technologies. Security strategy for BYOD: 54%. Security strategy for mobile devices: 52%. Security strategy for cloud computing: 52%. Security strategy for social media: 52%. Security strategy for big data: 52%.]
Identifying sensitive assets and determining ownership of data will become increasingly arduous as the Internet of Things expands and more electronic information is shared among new business partners and consumers. For many tech companies, that's already a challenge. Just 57% of respondents have a program to identify sensitive assets and fewer (51%) have an inventory of all third parties that handle personal data.

The Internet of Things will also require that technology companies improve fundamental security processes like user access controls, patch management, and third-party risk assessments. Privacy of consumer data is also critical, and represents an opportunity for improvement considering that only 55% of respondents require third parties to comply with their privacy policies.

The security safeguards that matter

How technology companies are taking a more strategic approach to security.

Technology companies continue to bolster their security programs as cyber risks evolve. But much remains to be done.
As the frequency and severity of cyber attacks grows, it has become clear that every business should have an executive-level officer in charge of the security program. For most technology companies, that person is the Chief Information Security Officer (CISO). Demand for CISOs is at an all-time high: In the past two years, the number of technology companies that employ a security executive has climbed 46%, and today more than three-quarters of organizations have a CISO in charge of information security.
We believe it is imperative that the CISO report up to the CEO, Chief Financial Officer, Chief Privacy Officer, or the Board, rather than to the Chief Information Officer. Information security is, after all, a business risk issue and, as such, it should have a separate governance structure and budget to ensure that sufficient resources are allocated.

Exposing security leaders to the executive level is critical to risk governance. In the wake of recent massive breaches, directors are asking for the risk intelligence necessary to make informed cybersecurity decisions and help protect the organization from cyber attacks. Board participation in security is stronger among technology businesses than in many other sectors, but leadership from the very top is not yet the norm. Only 46% of respondents say their Board is involved in the overall security strategy and fewer (27%) say directors participate in reviews of current security and privacy risks.
While a very large majority of technology companies have a formal strategy for information security, the number that have a security strategy that is specifically aligned with unique business needs slipped this year. That's a key component of a risk-based security strategy.

77% of technology companies have hired a CISO to oversee their security program.


Many businesses are embracing guidelines developed by the US National Institute of Standards and Technology (NIST) to more closely link their technologies, processes, and personnel skills with the organization's broader risk-management activities. The NIST Cybersecurity Framework, which targets critical infrastructure providers and suppliers, has been adopted by 41% of US technology respondents; an additional 28% say the Framework is a future priority.
In addition to improving risk-based cybersecurity, the Framework also aims to create a common language to facilitate collaboration and communications among internal executives and external industry and government organizations. Sharing of threat intelligence and response tactics has become an indispensable tool to advance cybersecurity, one that the tech sector has readily adopted. This year, 62% of technology respondents say they work with others to improve security, compared with 55% of the overall survey sample.
Finally, many organizations are finding that cyber insurance can be effective in helping manage risks and mitigate financial losses of cyber attacks that are all but inevitable. In fact, cyber insurance has received considerable attention over the past year as victims of high-profile breaches reported that they recovered tens of millions of dollars in mitigation costs through insurance coverage. Among technology respondents, 59% say they have purchased cybersecurity coverage. Perhaps more significant is the finding that some companies are leveraging cyber insurance as a way to improve their security program. More than one-third say they have taken steps to enhance their security posture in order to lower insurance premiums.

Linking information security and risk

As security incidents continue to proliferate, it's becoming clear that cyber risks can never be completely eliminated. Protective measures remain important, of course, but they cannot reliably be guaranteed to stop determined and highly skilled adversaries.
Consequently, many technology businesses may need to reposition their security strategy by more closely linking technologies, processes, and tools with broader risk-management activities. Effective cybersecurity will require up-to-date processes, trained personnel, and tools to detect, analyze, and respond to today's incidents.


While a well-designed cybersecurity program will not totally eliminate risk, it can enable businesses to better manage threats through an informed decision-making process, boost efficiencies in security practices, and create a more resilient security practice.

[Figure: NIST Cybersecurity Framework functions: Identify, Protect, Detect, Respond, Recover.]

41% of respondents say they have adopted the risk-based NIST Cybersecurity Framework.

Contacts

To have a deeper conversation about cybersecurity, please contact:

Technology

United States

Shafeeq Banthanavasi
Managing Director
408 534 2487
shafeeq.banthanavasi@us.pwc.com

Mark Lobel
Principal
646 471 5731
mark.a.lobel@us.pwc.com
www.pwc.com/gsiss2015 // www.pwc.com/cybersecurity
PwC helps organisations and individuals create the value they're looking for. We're a network of firms in 157 countries with more than 195,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.
This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
2015 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
The Global State of Information Security is a registered trademark of International Data Group, Inc.
