The Global State of Information Security Survey 2015 (www.pwc.com/gsiss2015)
– conducted by PwC, CIO, and CSO, and involving more than 9,700
director- and C-level IT and information security officials, across 154+
countries – has identified key global trends in information security.
The key findings revolve around: the increasing presence of information
security risk; the evolving nature of cybersecurity threats, incidents,
and impacts; the types of investment made by organisations to protect
against cybersecurity risk, and; recent trends in how organisations
protect (or should protect) their information assets from the
materialisation of cybersecurity risk.
A key finding is that employees are the most-cited culprits of incidents. Indeed, 65 per cent of respondents have identified current and former employees as key sources of security incidents, respectively, an increase from 58 per cent in 2013. Conversely, respondents identifying hackers as key sources of security incidents declined from 24 to 18 per cent.
Increases were also notable in respondents identifying culprits as:
current or former service providers/consultants/contractors;
suppliers/business partners, and; customers. Yet the report also
indicates that many companies do not have insider threat programmes in
place, and are thus not prepared to prevent, detect, or respond to such
threats. It seems that the countermeasures are not keeping up with the
evolution in the types of threat.
Another key point made in the survey report is that today’s interconnected business ecosystem requires a shift, from security that focuses on prevention and controls (with a focus on technology) to a risk-based approach that prioritises an organisation’s most valuable assets and its most relevant threats (with a focus on technology, people, and processes). Such a shift can help to address the challenges arising from increasing complexities in modern business practices, as well as directing the modern organisation’s efforts and expenditures where they matter most.
In spite of headline incidents of large-scale data theft in 2013 and 2014, the report also indicates that only 54 per cent of the participants have a programme to identify sensitive assets, and just 56 per cent have taken the effort to inventory the collection, transmission, and storage of sensitive data for employees and customers.
Although frameworks underpinning information-security-management standards, like ISO/IEC 27001:2013, do encompass all three components (technology, people, and processes), the report refers to NIST’s cybersecurity framework as currently leading in supporting the abovementioned shift.
A key finding is that employees are the most-cited culprits of incidents. Indeed, 65 per cent of respondents have identified current and former employees as key sources of security incidents, respectively, an increase from 58 per cent in 2013. Conversely, respondents identifying hackers as key sources of security incidents declined from 24 to 18 per cent.
Many companies do not have insider threat programmes in place
Another key point made in the survey report is that today’s interconnected business ecosystem requires a shift, from security that focuses on prevention and controls (with a focus on technology) to a risk-based approach that prioritises an organisation’s most valuable assets and its most relevant threats (with a focus on technology, people, and processes). Such a shift can help to address the challenges arising from increasing complexities in modern business practices, as well as directing the modern organisation’s efforts and expenditures where they matter most.
In spite of headline incidents of large-scale data theft in 2013 and 2014, the report also indicates that only 54 per cent of the participants have a programme to identify sensitive assets, and just 56 per cent have taken the effort to inventory the collection, transmission, and storage of sensitive data for employees and customers.
Although frameworks underpinning information-security-management standards, like ISO/IEC 27001:2013, do encompass all three components (technology, people, and processes), the report refers to NIST’s cybersecurity framework as currently leading in supporting the abovementioned shift.
No comments:
Post a Comment