1. Main report
2. Industrial products
3. Financial Services
4. Power & utilities
5. Healthcare payers and providers
6. Retail and consumer
www.pwc.com/gsiss2015
30 September 2014
Table of contents
Continued year-over-year rise is no surprise
High growth in high-profile crimes
Domestic intelligence: A new source of concern
Declines in fundamental security practices
While we found declines in some security practices, we also saw gains in important areas
Methodology
Endnotes & sources
Contacts by region
01 Cyber risks: A severe and present danger
Cybersecurity is now a persistent business risk
It is no longer an issue that concerns only information technology and security professionals; the impact has extended to the C-suite and boardroom.
Awareness and concern about security incidents and threats have also become top of mind among consumers. In short, few risk issues are as all-encompassing as cybersecurity.
Media reports of security incidents have become as commonplace as the weather forecast, and over the past 12 months virtually every industry sector across the globe has been hit by some type of cyber threat.
Financial services companies continued to be major targets
Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security Survey 2015
Executives of multinational organizations are keeping an eye on the European Union Data Protection Regulation, which is on track to be finalized in 2015. The regulation is expected to add new requirements for breach notification to individuals, require organizations that handle personal data to conduct risk assessments and audits, and increase fines for compromised businesses.[16]
The EU General Data Protection Regulation's breach notification requirements may increase disclosure of security incidents in Europe, according to John W. Woods, Jr., co-leader of the global cybersecurity practice for the law firm Baker & McKenzie LLP. "In the US, state data-breach notification statutes have resulted in the disclosure of a significant number of security breaches which in turn has raised the consciousness around cybersecurity issues," Woods says. "It will be interesting to see if the proposed EU data-breach notification has a similar impact. If it parallels the experience in the US, I think we very well may see a proliferation of incidents reported in Europe."
Cybersecurity services market is expanding
In the wake of increased incidents and heightened regulations, corporations and government agencies are scrambling to safeguard their data and networks, a push that is catalyzing growth in the market for cybersecurity solutions and technologies.
[Figure 1: chart not recoverable from the extracted text; one series is labelled "Global GDP (OECD)".]
[Infographic fragments referring to cybersecurity firms, a cybersecurity-focused fund, and Sourcefire; the dollar amounts cannot be matched to their labels in the extracted text.]
02 Incidents and financial impacts continue to soar
Continued year-over-year rise is no surprise
Given the nature and number of very prominent security breaches over the past year, it comes as no surprise that incidents reported by respondents to The Global State of Information Security Survey 2015 continued a year-over-year rise.
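[Figure 2: chart by year, 2009 to 2014, with values in millions; the values cannot be reliably matched to years in the extracted text.]
[Figure 3: chart comparing 2013 and 2014 for small, medium and large organizations; the values cannot be matched to their labels in the extracted text.]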
When it comes to discovering incidents, one thing is very clear: Large companies have the edge over smaller firms.
Among our global survey sample, large organizations (those with gross annual revenues of $1 billion or more) detected 44% more incidents compared with last year. The fact that big companies detect more incidents is not surprising.
[Figure 4: chart comparing 2013 and 2014 for small, medium and large organizations, with values in millions; the values cannot be matched to their labels in the extracted text.]
Financial losses increase apace
As security incidents grow in frequency, the costs of managing and mitigating breaches also are rising.
Globally, the annual estimated reported average financial loss attributed to cybersecurity incidents was $2.7 million, a jump of 34% over 2013.
Not surprisingly, in light of last year's prominent breaches, big losses are more common: Organizations reporting financial hits of $20 million or more increased 92% over 2013.
[Figure 5: chart comparing 2013 and 2014 for small, medium and large organizations, with values in $ millions; the values cannot be matched to their labels in the extracted text.]
03 Employees are the most-cited culprits of incidents
Nation-states, hackers, and organized crime groups are the cybersecurity villains that everybody loves to hate
[Figure 6: chart of incident sources, grouped as insiders and outsiders. Categories: current employees, former employees, suppliers/business partners, customers, terrorists, organized crime, activists/activist organizations/hacktivists, information brokers, competitors, foreign nation-states, hackers, do not know. The percentages cannot be matched to categories in the extracted text.]
High growth in high-profile crimes
Compromises by organized crime also are on the rise.
Organized crime groups are typically motivated by financial gain. A successful cyber attack can net millions of payment card records that can be quickly monetized.
In addition to credit and debit card data, these criminals increasingly target patient health care data or other personally identified information that has considerable value in the underworld of information resellers.
In the US alone, financial losses due to personal identity theft, which includes misuse of payment cards, bank accounts, and personal information, totaled $24.7 billion in 2012, according to the Bureau of Justice Statistics.[35] The recent theft of more than a billion user credentials by organized criminals illustrates that these attacks are growing in scope.
In response, law-enforcement agencies across the world are beginning to band together to fight organized criminals, according to cybersecurity attorney Woods. "There has been an increased cross-border recognition of the need for more coordinated law-enforcement efforts to identify incidents caused by organized crime," he says. "I think this will accelerate in the coming years through organizations like Interpol."
Domestic intelligence: A new source of concern
Edward J. Snowden's disclosures of government surveillance have added a new adversary to the threat environment: domestic intelligence services.
As a result of the Snowden leaks, nations, businesses, and society in general have become increasingly skeptical of domestic surveillance and are concerned about potential impact on data privacy and security.
The headline-making nature of the Snowden revelations has resulted in considerable awareness and concern among business executives. Not only are they raising questions about government surveillance, but also regarding the telecommunications and technology companies that may have provided government access to data.
04 As incidents rise, security spending falls
Organizations are undoubtedly worried about the rising tide of cybercrime
PwC's Global Economic Crime Survey 2014 found that almost half (48%) of global respondents said their perception of cybercrime risk increased, up from 39% in 2011.[37]
Looking at security investment by company size also sheds some light on the anemic funding.
This year, companies with revenues less than $100 million say they reduced security investments by 20% over 2013, while medium and large companies report a 5% increase in security spending.
That represents a significant level of spending, according to T-Mobile's Boni. "One variable is a reluctance to increase spending during the recent economic recovery," says Boni. "I think a 5% increase is a pretty substantial level of attention since companies are starving other corporate areas and want to keep costs tightly under control."
[Figure 7: chart by year, 2010 to 2014, with values in millions and percentages; the values cannot be matched to years in the extracted text.]
Looking at security investments by industry shows that spending is down in most sectors, with a few notable exceptions.
While the revenues and spending among airline manufacturers are up, for instance, defense spending is dropping among developing nations. This is particularly true in the United States after its pullout from Afghanistan and Iraq and subsequent defense budget cuts.
And while the decline in the retail and consumer industry spending may seem puzzling given widely reported breaches, consider that 2014 security budgets may have been in place for the year before the incidents were reported.
Information security budgets are declining steeply among organizations in the aerospace and defense (-25%), technology (-21%), automotive (-16%), and retail and consumer products (-15%) industries. In some sectors, overall business trends account for these drops.
[Figure 8: percentages by security practice, grouped under Prevent, Protect, Detect and Respond. Practices named: account provisioning/deprovisioning; employee security awareness training program; role-based access controls; behavioral profiling and monitoring; encryption of smartphones; privileged user access; tools to discover unauthorized access; data loss prevention tools; patch management tools; malicious code detection tools; security information and event management (SIEM) technologies; mobile malware detection; vulnerability scanning tools; active monitoring/analysis of information security intelligence; unauthorized use or access monitoring tools; threat assessments; incident management response process; security event correlation tools. The percentages and groupings cannot be matched to practices in the extracted text.]
05 Declines in fundamental security practices
Security practices must keep pace with constantly evolving threats and security requirements
Doing so will demand investments in the right processes and technologies to prevent, protect, detect, and respond to security risks. Overall, many organizations are failing to do so.
[Figure 9: percentages by security practice, grouped under Prevent, Protect, Detect and Respond. Practices named: secure access control measures; privileged user access; employee security awareness training program; require third parties to comply with our privacy policies; encryption of e-mail messages; intrusion prevention tools; intrusion detection tools; malicious code detection tools; security event correlation tools; business continuity/disaster recovery plans; unauthorized use or access monitoring tools; patch management tools; conduct personnel background checks; protection/detection solution for advanced persistent threats (APTs); active monitoring/analysis of information security intelligence; vulnerability scanning tools. The percentages and groupings cannot be matched to practices in the extracted text.]
[Figure 10: percentages for security budget, security policies and security technologies; the values cannot be matched to their labels in the extracted text.]
06 Gains in select security initiatives
While we found declines in some security practices, we also saw gains in important areas
Cyber risks, technologies, and vulnerabilities evolve at lightning speed, and sharing information among public and private entities regarding cyber threats and responses is central to a strong cybersecurity program.
Another area of improvement can be seen in the adoption of cyber insurance as a tool to help manage the risks of cybercrime.
In the US, as noted, the SEC OCIE guidance has suggested that financial services organizations purchase cyber insurance as part of an effective cyber-risk management strategy. Given today's elevated threat environment and escalating costs of cybercrime, we believe that protecting against financial losses from cyber risks should rank as high as other insurable risks.
07 Evolving from security to cyber risk management
As incidents continue to proliferate across the globe, it's becoming clear that cyber risks will never be completely eliminated
Today's interconnected business ecosystem requires a shift from security that focuses on prevention and controls to a risk-based approach that prioritizes an organization's most valuable assets and its most relevant threats.
It also will be critical to focus on rapid detection of security intrusions and an effective, timely response.
To get there, businesses should reposition their security strategy by
Methodology
The Global State of Information Security Survey 2015 is a worldwide study by PwC, CIO, and CSO
The 2015 survey was conducted online from March 27, 2014 to May 25, 2014; readers of CIO, CSO, and clients of PwC from around the globe were invited via e-mail to take the survey.
All figures and graphics in this report, unless noted otherwise, are sourced from The Global State of Information Security Survey 2015 results. The margin of error is less than 1%.
[Chart by region: North America, Europe, Asia Pacific and South America; the percentages cannot be matched to regions in the extracted text.]
Contacts by region
Australia
Andrew Gordon, Partner, andrew.n.gordon@au.pwc.com
Steve Ingram, Partner, steve.ingram@au.pwc.com
Belgium
Floris Ampe, Partner, floris.ampe@be.pwc.com
Brazil
Edgar D'Andrea, Partner, edgar.dandrea@br.pwc.com
Canada
Salim Hasham, Partner, s.hasham@ca.pwc.com
China
Ramesh Moosa, Partner, ramesh.moosa@cn.pwc.com
Kenneth Wong, Partner, kenneth.ks.wong@hk.pwc.com
Denmark
Christian Kjaer, Director, christian.x.kjaer@dk.pwc.com
France
Philippe Trouchaud, Partner, philippe.trouchaud@fr.pwc.com
Germany
Derk Fischer, Partner, derk.fischer@de.pwc.com
Wilfried Meyer, Partner, wilfried.meyer@de.pwc.com
India
Sivarama Krishnan, Partner, sivarama.krishnan@in.pwc.com
Israel
Yaron Blachman, Partner, yaron.blachman@il.pwc.com
Italy
Fabio Merello, Partner, fabio.merello@it.pwc.com
Japan
Maki Matsuzaki, Partner, maki.matsuzaki@jp.pwc.com
Naoki Yamamoto, Director, naoki.n.yamamoto@jp.pwc.com
Luxembourg
Vincent Villers, Partner, vincent.villers@lu.pwc.com
Middle East
Taha Khedro, Partner, taha.khedro@ae.pwc.com
Waddah Salah, Partner, waddah.salah@sa.pwc.com
Netherlands
Erwin de Horde, Partner, erwin.de.horde@nl.pwc.com
Gerwin Naber, Partner, gerwin.naber@nl.pwc.com
Otto Vermeulen, Partner, otto.vermeulen@nl.pwc.com
New Zealand
[No contact recoverable from the extracted text.]
Norway
Tom Remberg, Director, tom.remberg@no.pwc.com
Poland
Rafal Jaczynski, Director, rafal.jaczynski@pl.pwc.com
Piotr Urban, Partner, piotr.urban@pl.pwc.com
Russia
Christopher Gould, Partner, chirstopher.gould@ru.pwc.com
Singapore
Vincent Loy, Partner, vincent.j.loy@sg.pwc.com
Kok Weng Sam, Partner, kok.weng.sam@sg.pwc.com
South Africa
Pierre Dalton, Partner, pierre.dalton@za.pwc.com
Mark Telfer, Partner, mark.telfer@za.pwc.com
Sidriaan de Villiers, Partner, sidriann.de.villiers@za.pwc.com
South Korea
Sung-Bae Cho, Director, sung-bae.cho@kr.pwc.com
Jae Hyeong Joo, Partner, jae-hyeong.joo@kr.pwc.com
Spain
Elena Maestre, Partner, elena.maestre@es.pwc.com
Javier Urtiaga Baonza, Partner, javier.urtiaga@es.pwc.com
Sweden
Emil Gullers, Partner, emil.gullers@se.pwc.com
Jacob Henricson, Partner, jacob.henricson@se.pwc.com
Switzerland
Thomas Koch, Director, thomas.koch@ch.pwc.com
Jan Schreuder, Partner, jan.schreuder@ch.pwc.com
Turkey
Burak Sadic, Senior Manager, burak.sadic@tr.pwc.com
United Kingdom
Richard Horne, Partner, richard.horne@uk.pwc.com
Grant Waterfall, Partner, grant.waterfall@uk.pwc.com
United States
David Burg, Principal, david.b.burg@us.pwc.com
Sean Joyce, Principal, sean.joyce@us.pwc.com
Mark Lobel, Principal, mark.a.lobel@us.pwc.com
www.pwc.com/gsiss2015
www.pwc.com/cybersecurity
PwC helps organisations and individuals create the value they're looking for. We're a network of firms in 157 countries with more than 184,000
people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by
visiting us at www.pwc.com.
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should
not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express
or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PwC
does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act,
in reliance on the information contained in this publication or for any decision based on it.
© 2014 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity.
Please see www.pwc.com/structure for further details.
The Global State of Information Security is a registered trademark of International Data Group, Inc.
Addressing security risks in an interconnected world // Key findings from The Global State of Information Security Survey 2015
Industrial products
Introduction
Cybersecurity has become top of mind for most industrial products executives.
In the past year, the US Department of Justice charged five Chinese military hackers with conducting economic cyberespionage against six American organizations that included major manufacturers.[1] And the seemingly relentless assaults on major retailers, banks, and entertainment companies have heightened the awareness of cybersecurity risks across sectors and across the world.
Current and former employees remain the most-cited sources of security incidents.
In 2014, we noted a considerable jump in incidents attributed to competitors, which more than doubled over 2013. Increasingly, industrial products executives believe that sophisticated international competitors are infiltrating their networks to pilfer trade secrets and manufacturing processes.
[Chart panel "Incidents": 2013 vs 2014; the values cannot be matched to years in the extracted text.]
[Chart panel "Sources of incidents": current employees, former employees, competitors and hackers, 2013 vs 2014; the percentages cannot be matched to categories in the extracted text.]
[Chart panel "Security spending": 2013 vs 2014; the values cannot be matched to years in the extracted text.]
Attacks spur security spending
As the frequency and costs of cyber incidents mount, companies are boosting their security budgets.
This boost follows an even larger 97% jump in security investments in 2013, which very well may account for a portion of the upsurge in detected incidents in 2014.
It's also noteworthy that respondents' security investments grew even as their overall IT budgets declined 25% over 2013. In fact, information security spending represents 6.9% of manufacturing respondents' entire IT budget, up from 3.9% last year and the highest of any sector in our survey.
Advances in key security initiatives
Increased security spending has resulted in some notable improvements in processes, technologies, and personnel training.
[Chart comparing 2013 and 2014 percentages; the only label recoverable from the extracted text is "Business continuity/disaster recovery plans".]
Toward a more strategic approach
Organizations are revising their security programs to emphasize risk and top-down commitment.
[Chart comparing 2013 and 2014 percentages for intrusion-prevention tools, vulnerability assessments, intrusion-detection tools and patch-management tools; the percentages cannot be matched to labels in the extracted text.]
An effective security program also will require top-down commitment and communication.
Almost three-quarters (73%) of industrial products respondents have a senior executive (a Chief Operating Officer, Chief Financial Officer, or Chief Executive Officer, for example) who communicates the importance of information security to the entire enterprise, a healthy improvement over last year. This suggests that executive teams are starting to take ownership of cyber risks.
Business partners under scrutiny
Due diligence is increasingly critical as organizations share more data with third parties.
Contacts
Industrial products, United States
Robert McCutcheon
Partner
412 355 2935
robert.w.mccutcheon@us.pwc.com
Quentin Orr
Principal
267 330 2699
e.quentin.orr@us.pwc.com
Bob Pethick
Principal
313 394 3016
bob.pethick@us.pwc.com
www.pwc.com/gsiss2015 // www.pwc.com/cybersecurity
© 2015 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
PwC helps organisations and individuals create the value they're looking for. We're a network of firms in 157 countries with more than 195,000 people who are committed to delivering quality in assurance,
tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.
PricewaterhouseCoopers has exercised reasonable care in the collecting, processing, and reporting of this information but has not independently verified, validated, or audited the data to verify the
accuracy or completeness of the information. PricewaterhouseCoopers gives no express or implied warranties, including but not limited to any warranties of merchantability or fitness for a particular
purpose or use and shall not be liable to any entity or person using this document, or have any liability with respect to this document.
Security deficits in an interconnected world // Key findings from The Global State of Information Security Survey 2015
Financial services
Introduction
It will come as no surprise to most financial services executives that information security incidents are continuing to rise, as are the costs of these intrusions.
In the past two years, sophisticated cyber adversaries around the world have launched powerful distributed denial of service (DDoS) attacks against banks, siphoned off billions of dollars from deposit accounts, stolen millions of payment card records, and infiltrated many national stock exchanges.
Despite these attacks, many global financial services companies have not implemented the right processes and technologies to prevent, detect, and respond to security risks. In particular, many do not adequately address threats from third parties and insiders like employees and partners with trusted access.
Incidents and costs mount
Yet security spending has not kept pace, particularly among smaller businesses.
[Chart panel "Incidents": 2013 vs 2014; the values cannot be matched to years in the extracted text.]
[Chart panel "Sources of incidents": current employees, former employees, hackers and competitors, 2013 vs 2014; the percentages cannot be matched to categories in the extracted text.]
[Chart panel "Security spending": 2013 vs 2014 for large organizations (revenues more than $1B), medium organizations (revenues $100M to $1B) and small organizations (revenues less than $100M); the values cannot be matched to labels in the extracted text.]
New regulatory requirements
Third-party risks
Insider incidents
Over-reliance on technology
[Chart comparing 2013 and 2014 percentages for: intrusion-detection tools; incident response-process to report and handle breaches to third parties that handle data; security audits; employee awareness and training program; vulnerability assessments; penetration testing; threat assessments; secure access-control measures. The percentages cannot be matched to labels in the extracted text.]
Support from the top
Cybersecurity is no longer simply an IT concern. Today, it is a critical business issue that demands the attention, and the active stewardship, of the Chief Executive Officer and the Board of Directors.
Security budget: 44%
Security policies: 37%
Review of security and privacy risks: 33%
Security technologies: 26%
Review roles and responsibilities of security organization: 23%
Review of security and privacy testing: 20%
Regulators tighten rules
Recent actions by industry regulators in the US and Europe have signaled they may require
proof that financial services firms have implemented a robust security program.
[Chart of percentages for: incident-management response process; business continuity/disaster recovery plans; secure access-control measures; threat assessments; privileged user access; patch-management tools; employee security awareness training program; encryption of smartphones; security-event correlation tools; have cyber insurance. The percentages cannot be reliably matched to labels in the extracted text.]
Rising third-party risks
Financial institutions are increasingly worried about their ability to combat threats that can arise from
sharing networks and data with business partners, service providers, contractors, and suppliers.
[Chart of percentages for: established security baselines/standards for external partners/customers/suppliers/vendors; incident response-process to report and handle breaches to third parties that handle data; risk assessments on third-party vendors. The percentages cannot be matched to labels in the extracted text.]
"Banks have sustained large losses, both in dollars and in public confidence, as a result of successful attacks on interrelated third parties, such as major retailers," said Thomas J. Curry, US Comptroller of the Currency, at a recent Risk Management Association (RMA) conference. "I've been heavily focused on this particular type of operational risk because of the pace at which it is increasing and because of its potential to undermine confidence in our institutions."[3]
Inside jobs increase
[Chart of percentages for: conduct personnel background checks; user-activity monitoring tools; employee security awareness training program; audit/monitor user compliance with security policy; security technologies supporting Web 2.0 exchanges such as social networks, blogs. The percentages cannot be matched to labels in the extracted text.]
Technology is not enough
Many financial services firms view technology solutions as the best bet to
protect their networks and data.
[Figure: bar chart, percentage of respondents. Categories: Incident management response process; Classification of business value of data; Incident response-process to report & handle breaches to third parties; Procedures dedicated to protecting intellectual property; Security audits]
In an era in which cyber compromise is virtually certain, a coordinated approach to incident response is critical to
the bottom line, as well as reputation and compliance. So it's a bit surprising to find that 29% of survey respondents
have no incident response process. It's also worrisome that one-third say they have no business continuity/disaster
recovery plans to ensure operations are quickly returned to normal with minimum disruption.
As incidents continue to proliferate, it's becoming clear that cyber risks can
never be completely eliminated.
Do we have capabilities to quickly respond to a cyber attack?
Do we know where to invest to reduce cyber risks?
Financial services
United States
Shawn Connors
Principal
646 471 7278
shawn.connors@us.pwc.com
Christopher Morris
Principal
617 530 7938
christopher.morris@us.pwc.com
Joe Nocera
Principal
312 298 2745
joseph.nocera@us.pwc.com
Stephen Russell
Managing Director
203 539 3079
stephen.j.russell@us.pwc.com
Andrew Toner
Principal
646 471 8327
andrew.toner@us.pwc.com
Prakash Venkata
Managing Director
617 530 7622
prakash.venkata@us.pwc.com
Contacts
www.pwc.com/gsiss2015 // www.pwc.com/cybersecurity
PwC helps organisations and individuals create the value they're looking for. We're a network of firms in 157 countries with more than 184,000 people who are committed to delivering quality in assurance,
tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication
without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the
extent permitted by law, PwC does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information
contained in this publication or for any decision based on it.
© 2014 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
The Global State of Information Security is a registered trademark of International Data Group, Inc.
At risk and unready in an interconnected world // Key findings from The Global State of Information Security Survey 2015
Power and utilities
Over the past year, sophisticated cyber adversaries have
infected the industrial control systems of hundreds of energy
companies in the US and Europe; others successfully infiltrated
a public utility via the Internet and compromised its control
system network.
The volume of incidents increased dramatically in the past
year. Power and utilities respondents to The Global State of
Information Security Survey (GSISS) 2015 report the average
number of detected incidents skyrocketed to 7,391, a six-fold
increase over the year before. (We define a security incident
as any adverse incident that threatens some aspect of
computer security.)
[Figure: Incidents, 2013 vs. 2014. Average number of detected incidents: 1,179 (2013), 7,391 (2014). Average financial losses: 2.4M (2013), 1.2M (2014).]
[Figure: Sources of incidents, 2013 vs. 2014. Categories: Current employees; Former employees; Hackers]
[Figure: Security spending, 2013 vs. 2014. Average annual IS budget]
Introduction
Skilled threat actors
Financial losses decline
A more strategic approach
is needed
Guidelines for advancing
security
Gearing up for convergence
Contacts
[Figure: bar chart. Categories: Foreign nation-states; Information brokers; Activists/activist organizations/hacktivists; Organized crime]
While the number of detected incidents increased dramatically, organizations say the financial
impact of these security compromises lessened.
Power and utilities respondents say total financial losses
resulting from security incidents declined to an average
of $1.2 million, a 51% drop over 2013.
This finding seems counter-intuitive, given the huge
upsurge in detected compromises.
As risks to IT, operational, and connected-field assets continue to rise, some power and utilities companies
may need to take a more strategic approach to information security.
At the core of this initiative should be a risk-based cybersecurity program that enhances
the ability to identify, manage, and respond
to privacy and security threats.
It all starts with an information security strategy, or at least
it should. However, we found the number of organizations
that have an overall information security strategy dropped
to 70% this year, down from 79% in 2013. Moreover, those
that have a security strategy that is aligned with the specific
needs of the business declined to 45%, from 65% last year.
An effective security strategy will allocate spending to the assets
that are most valuable to the business. Power and utilities
respondents show a more solid, if incomplete, commitment
in this area: 62% say their security investments are allocated
to the organization's most profitable lines of business.
[Figure: security safeguards, 2013 vs. 2014, percentage of respondents. Labels recovered: Patch-management tools; Intrusion-detection tools]
This year's survey indicates that power and utilities organizations are falling behind in key practices.
Contacts
Brad Bauch
Principal
713 356 4536
brad.bauch@us.pwc.com
Darren Highfill
Director
678 419 1323
darren.highfill@us.pwc.com
Healthcare cybersecurity challenges in an interconnected world // Key findings from The Global State of Information Security Survey 2015
Healthcare: payers
and providers
With change comes challenge, however. More than ever, healthcare payers and providers face a raft of
issues that could impact the security of patient health data, sensitive corporate information,
and regulatory compliance mandates. Most are boosting their investments in information security to
address these evolutions, according to The Global State of Information Security Survey (GSISS) 2015.
Introduction
Security incidents
skyrocket
Consumers and
partnerships drive change
Rising risks of mobility
and Big Data
Prepping for the Internet
of Things
Security starts
at the top
Contacts
[Figure: Incidents, 2013 vs. 2014]
[Figure: Sources of incidents, 2013 vs. 2014. Categories: Current employees; Former employees; Hackers; Foreign nation-states]
[Figure: Security spending, 2013 vs. 2014. Average annual IS budget]
The increased volume and value of healthcare data comes at a time when governments have warned
healthcare providers that their security lacks the maturity of industries like financial services and retail.
[Figure: bar chart. Categories: Activists/activist organizations/hacktivists; Organized crime; Information brokers; Competitors; Foreign nation-states]
[Figure: bar chart, 2013 vs. 2014. Label recovered: Implementation of electronic health records (EHRs)/public health records (PHRs)]
2 PwC, Managing cyber risks in an interconnected world: Key findings from The
Global State of Information Security Survey 2015, September 30, 2014
Companies are forming new business relationships to meet heightened consumer expectations.
[Figure: bar chart, percentage of respondents. Labels recovered: Cloud computing; Encryption in storage and in transit; Regulatory requirements]
5% of annual worldwide turnover. As a result, multimillion-euro penalties for non-compliance could become
commonplace in the EU.
The use of smartphones and tablets, both by employees and customers, to access protected
healthcare data is likely to further elevate risks of compromise.
[Figure: bar chart, 2013 vs. 2014. Categories: Big Data; Cloud computing; Social media; The Internet of Things]
The convergence of information, operational, and consumer technologies will bring great
benefits and new risks.
It's also an area in which there is great room
for improvement:
We found that just 62% of respondents have a program
to identify sensitive assets, and fewer (60%) have an
inventory of all third parties that handle personal data.
Cybersecurity and privacy should be embedded in the organization's DNA, with a top-down commitment to security and ongoing employee training programs.
[Figure: bar chart, percentage of respondents. Categories: Overall security strategy; Security budget; Security policies; Review of security and privacy risks; Security technologies; Review of security and privacy testing]
Security in the
new health
economy
A sweeping transformation
of the health economy is
well under way.
Connected technologies, Big Data
analytics, and electronic health records
are combining to redefine consumer
demands and business models. At the
same time, sophisticated threat actors
are devising new ways to compromise
and steal digitized medical data.
Taken together, this inexorable shift will
demand a rethink of information security.
At the heart of this initiative should be
a risk-based cybersecurity program to
identify, manage, and respond to privacy
and security threats.
United States
Jay Cline
Principal, Risk Assurance
612 596 6403
jay.cline@us.pwc.com
Mick Coady
Principal, Health Industries
713 356 4366
mick.coady@us.pwc.com
Joe Greene
Principal, Health Industries
612 596 6024
joe.greene@us.pwc.com
Peter Harries
Principal, Health Industries
602 750 3404
peter.harries@us.pwc.com
Contacts
www.pwc.com/gsiss2015 // www.pwc.com/cybersecurity
PwC helps organisations and individuals create the value they're looking for. We're a network of firms in 157 countries with more than 195,000 people who are committed to delivering quality in assurance,
tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.
Cybersecurity challenges in an interconnected world // Key findings from The Global State of Information Security Survey 2015
Retail and consumer
Labeling 2013 as the year of the retailer breach, Verizon counted 467 retailer compromises around the
world in its annual Data Breach Investigations Report, noting that payment card data was the primary target
in 95% of incidents within the retail industry.3
2 Networkworld, Tor-enabled malware stole credit card data from PoS systems at
dozens of retailers, January 30, 2014
[Figure: Incidents, 2013 vs. 2014]
[Figure: Sources of incidents, 2013 vs. 2014. Categories: Current employees; Former employees; Service providers/contractors/suppliers/partners; Hackers]
[Figure: Security spending, 2013 vs. 2014]
The number of detected incidents may be rising because many organizations have deployed network
monitoring and logging technologies in recent years.
Introduction
Incidents rise while
budgets fall
Data governance is lacking
Increasing third-party
threats
New technologies and
their risks
Contacts
[Figure: bar chart. Categories: Information brokers; Organized crime; Activists/hacktivists; Foreign nation-states]
[Figure: bar chart, 2013 vs. 2014, percentage of respondents. Labels recovered: Have an accurate inventory of where personal data for customers and employees are collected, transmitted, and stored; Limit collection, retention, and access of personal information to the minimum necessary to accomplish purpose; Have a written security policy for off-premises storage, access, and transport of personal data]
A sound data governance program also will limit the data that
is stored to only what is needed. It's a practice that many do
not follow: Only 54% say they limit the collection, retention,
and access of personal information to the minimum necessary
to accomplish a legitimate business purpose.
Only 47% of respondents say they have identity-management tools in place, and just 57% say they have
secure access control measures. Because adversaries often
target employees with extensive access to systems and
data, privileged user access technologies are key.
Data breaches often start with the compromise of suppliers, contractors, and vendors.
Retail and consumer goods companies are embracing new technologies to connect with customers,
build operational efficiencies, and enable collaboration.
Our survey results show that many retail and consumer companies need to take a more strategic
approach to help identify, manage, and respond to privacy and security threats.
As incidents continue to proliferate, it's becoming clear that cyber risks can never
be completely eliminated.
Contacts
G. Christopher Hall
Principal
412 355 6183
g.christopher.hall@us.pwc.com
Ron Kinghorn
Principal
617 530 5938
ron.kinghorn@us.pwc.com
Gary Loveland
Principal
949 437 5380
gary.loveland@us.pwc.com
Bryan Oberlander
Principal
617 530 4125
bryan.s.oberlander@us.pwc.com
Paul Ritters
Director
612 596 6356
paul.j.ritters@us.pwc.com
PricewaterhouseCoopers has exercised reasonable care in the collecting, processing, and reporting of this information but has not independently verified, validated, or audited the data to verify the
accuracy or completeness of the information. PricewaterhouseCoopers gives no express or implied warranties, including but not limited to any warranties of merchantability or fitness for a particular
purpose or use and shall not be liable to any entity or person using this document, or have any liability with respect to this document.
© 2015 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
The Global State of Information Security is a registered trademark of International Data Group, Inc.
Improving cyber readiness in an interconnected world // Key findings from The Global State of Information Security Survey 2015
Technology
Introduction
Security incidents and
budgets decline
Sources and impact of
compromise
Insider threat programs
are lacking
Identity management
and the cloud
Gearing up for the Internet
of Things
The security safeguards
that matter
Contacts
Technology organizations tend to
have comparatively robust and mature
cybersecurity programs. It makes sense,
given that many have been in the vanguard
of developing the systems and tools that
have forever altered how businesses
operate, market products, and interact
with customers.
[Figure: Incidents, 2013 vs. 2014]
[Figure: Sources of incidents, 2013 vs. 2014. Categories: Current employees; Former employees; Hackers; Competitors]
[Figure: Security spending, 2013 vs. 2014]
Technology companies are detecting fewer incidents, despite evidence that attacks are rising
across industries.
[Figure: 2013 vs. 2014 by company size. Data labels: 12.5 million, 11.3 million, 3.6 million, 3.5 million, 1.4 million, 893 thousand. Small: revenues less than $100 million. Medium: revenues $100 million to $1 billion. Large: revenues more than $1 billion.]
Many technology companies have not deployed basic identity and access technologies.
[Figure: 2013 vs. 2014 percentages. Data labels: 66%, 60%, 56%, 58%, 54%, 45%, 44%, 46%.]
[Figure: percentages by company size. Data labels: 55%, 74%, 77%. Categories: Small (revenues less than $100 million), Medium (revenues $100 million to $1 billion), Large (revenues more than $1 billion).]
A closer look at the data reveals that many companies lack security strategies for mobile, social,
and cloud technologies.
[Figure. Data labels: 54%, 52%, 52%, 52%, 52%.]
[Figure: NIST Cybersecurity Framework functions: Identify, Protect, Detect, Respond, Recover.]
41% of respondents say they have adopted the risk-based NIST Cybersecurity Framework.
Contacts
Technology
United States
Shafeeq Banthanavasi
Managing Director
408 534 2487
shafeeq.banthanavasi@us.pwc.com
Mark Lobel
Principal
646 471 5731
mark.a.lobel@us.pwc.com
www.pwc.com/gsiss2015 // www.pwc.com/cybersecurity
PwC helps organisations and individuals create the value they're looking for. We're a network of firms in 157 countries with more than 195,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.
This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
© 2015 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
The Global State of Information Security is a registered trademark of International Data Group, Inc.