Monday, 17 November 2014

Managing cyber risks in an interconnected world

The Global State of Information Security Survey 2015 – conducted by PwC, CIO, and CSO, and involving more than 9,700 director- and C-level IT and information security officials across 154+ countries – has identified key global trends in information security. The key findings revolve around: the increasing presence of information security risk; the evolving nature of cybersecurity threats, incidents, and impacts; the types of investment made by organisations to protect against cybersecurity risk; and recent trends in how organisations protect (or should protect) their information assets from the materialisation of cybersecurity risk.
A key finding is that employees are the most-cited culprits of incidents. Indeed, 65 per cent of respondents identified current or former employees as a key source of security incidents, an increase from 58 per cent in 2013. Conversely, the proportion of respondents identifying hackers as a key source of security incidents declined from 24 to 18 per cent.
Many companies do not have insider threat programmes in place
Increases were also notable in the proportion of respondents identifying the following as culprits: current or former service providers, consultants, and contractors; suppliers and business partners; and customers. Yet the report also indicates that many companies do not have insider threat programmes in place, and are thus not prepared to prevent, detect, or respond to such threats. It seems that the countermeasures are not keeping up with the evolution in the types of threat.
Another key point made in the survey report is that today’s interconnected business ecosystem requires a shift, from security that focuses on prevention and controls (and hence on technology) to a risk-based approach that prioritises an organisation’s most valuable assets and its most relevant threats (and hence addresses technology, people, and processes together). Such a shift can help to address the challenges arising from the increasing complexity of modern business practices, and it directs the modern organisation’s efforts and expenditure to where they matter most.
In spite of headline incidents of large-scale data theft in 2013 and 2014, the report also indicates that only 54 per cent of the participants have a programme to identify sensitive assets, and just 56 per cent have inventoried how sensitive employee and customer data are collected, transmitted, and stored.
Although the frameworks underpinning information security management standards, such as ISO/IEC 27001:2013, do encompass all three components (technology, people, and processes), the report points to NIST’s Cybersecurity Framework (whose core functions are Identify, Protect, Detect, Respond, and Recover) as the framework currently leading in support of the shift described above.