
Cybersecurity regained: preparing to face cyber attacks 20th Global Information Security Survey 2017-18


Transcription of Cybersecurity regained: preparing to face cyber …

Contents

Welcome
Section 1: Confront your cyber threats
Section 2: Understanding the threat landscape
Section 3: Fighting back against the threat
Section 4: Emergency service: responding to an attack
Section 5: Conclusion
Section 5: Survey methodology

Welcome

Paul van Kessel, EY Global Advisory Cybersecurity Leader

Welcome to the 20th EY Global Information Security Survey (GISS) exploring the most important cybersecurity issues facing organizations decades after EY first began publishing annual surveys detailing organizations' concerns about cybersecurity and their efforts to confront these concerns, the imperative for a collaborative and coherent response to the changed threats could hardly be more pressing.

In our conversations with organizations of all shapes and sizes, it is clear cybersecurity is a priority issue from board level down. But in a complex and evolving landscape, it can be difficult to see the wood for the trees: the cybersecurity threat is often well-camouflaged, hidden in plain year, we are delighted that nearly 1,200 organizations were able to participate in the survey. We have analyzed the responses of the CIOs, CISOs and other executives of these organizations, identifying strengths and weaknesses with the aim of generating insight from which we can all benefit. The GISS-report also draws on our own extensive experience of working with clients globally to improve their cybersecurity your organization is feeling anxious about cybersecurity, it may be some comfort to know that you are not alone: most organizations feel they are more at risk today than 12 months ago.

No wonder: not only are cyber attackers becoming more sophisticated, but also, organizations themselves are increasingly hyper-connected with wave upon wave of new technology creating opportunities and risks across the value chain. This explosion of connectivity fueled by the growth of the Internet of Things (IoT) and the ever-larger digital footprint of many organizations have all introduced new vulnerabilities for attackers to exploit. It's why businesses need to explore digital from every angle to help them grow and protect their organizations today, tomorrow and far into the , despite the risks, there is good news too. Organizations that confront the cybersecurity challenge will regain a sense of order: it is not possible to repel every threat, but resilient organizations know how to protect themselves, how to detect a problem when it occurs, and how to react quickly and effectively when trouble , we now have a good understanding of the most common attack methods and an appreciation of the ingredients of good cybersecurity hygiene, with which most such attacks can be defeated.

Active defense strategies and advanced threat intelligence provide a basis for withstanding more advanced attack methods, and while new attack methods are emerging all the time, good cybersecurity governance and concepts such as security-by-design give organizations a fighting together, we can regain cybersecurity. With that in mind, we would like to thank clients for taking the time to complete the survey: let us continue to share our knowledge in order to build a safer world for us

Section 1: Confront your cyber threats

Nowadays, all organizations are digital by default. Not every organization delivers its products and services primarily through digital channels, but all operate with the cultures, technology and processes of the internet era. Moreover, in the connected and convergent world delivered by the Internet of Things (IoT), the digital landscape is vast, with every asset owned or used by the organization representing another node in the wonder the World Economic Forum now rates a large-scale breach of cybersecurity as one of the five most serious risks facing the world The scale of the threat is expanding drastically: by 2021, the global cost of cybersecurity breaches will reach US$6 trillion by some estimates, double the total for cyber attackers can be either indiscriminate or highly targeted, attacking large and small organizations in both the public and private sector.

They are well camouflaged: exposing the attackers requires cybersecurity defenses that identify the threat, even when it adopts the colors of its immediate environment. Organizations do not always manage year alone, in the UK the ransomware attack WannaCry affected a significant part of the National Health Service (NHS);[3] in France, a breach of the Presidential campaign of Emmanuel Macron threatened to throw the election into chaos;[4] in the US, Yahoo disclosed that a breach saw 3 billion user accounts compromised,[5] while in India an attack paralyzed the biggest container port in At the same time, it has never been more difficult for organizations to map the digital environment in which they operate, or their interactions with it. Every organization's technology infrastructure is both bespoke and complex, spanning networks consisting of tools and technologies that may be on-premises or in the cloud.

In addition, it is becoming more difficult to define an organization. This is due to the proliferation of devices belonging to employees, customers and suppliers (including laptops, tablets, mobile phones and more) with access to the organization's systems that blur the security perimeter. Organizations must think of themselves as having long and trailing tentacles in every

[1] Global Risks Report 2017, World Economic Forum, 11 January
[2] Cybercrime Report 2017 Edition, Cybersecurity Ventures, 19 October
[3] Investigation: WannaCry cyber attack and the NHS, National Audit Office, 27 October
[4] Hackers hit Macron campaign with massive attack, Financial Times, 6 May
[5] All 3 billion Yahoo Accounts Were Affected by 2013 Attack, The New York Times, 3 October
[6] Petya cyber attack: India is worst affected in Asia, Ukraine on top globally, The Indian Express, 29 June

Connected devices add to the complexity.

The IoT is not a collection of passive items; rather it is a network of connected and inter-connected devices that actively and constantly interact. The convergence of these networks with what were once separate and self-contained and therefore more manageable systems represents fundamental stakes could hardly be higher. Organizations that fall prey to a cyber attack are at risk of substantial reputational loss as well as the direct costs of a breach, estimated to average US$ by the Ponemon There is also the potential for damaging confrontations with authorities and regulators. The European Union's General Data Protection Regulation (GDPR), due to come into force in 2018, gives regulators powers to fine organizations up to 2% of their global annual turnover for failures relating to a breach, and 4% if an organization significantly mismanages a is it only data and privacy that are vulnerable.

The IoT exposes organizations' operational technologies to attackers, offering them an opportunity to shut down or subvert industrial control systems, for example. The threat may even be to life: imagine the attacker with the ability to turn off life support systems in hospitals or take control of connected cars on the threat levels require a more robust response and this year's GISS reveals that many organizations continue to increase their spending on cybersecurity. Seventy percent say they require up to 25% more funding, and the rest require even more than this. However, only 12% expect to receive an increase of more than 25%.

[7] 2017 Cost of Data Breach Study, The Ponemon Institute, June
[8] GDPR Portal: Site Overview, European Union, October

[Infographic: shares of respondents who say their budgets increased over the last 12 months, who say they need up to 50% more, and who expect an increase of more than 25% in their cybersecurity budget.]

For many organizations, the worst may have to happen for these calls to be met.

Asked what kind of event would result in cybersecurity budgets being increased, 76% of survey respondents said the discovery of a breach that caused damage would be likely to see greater resources contrast, 64% said an attack that did not appear to have caused any harm would be unlikely to prompt an increase in the organization's cybersecurity budget. This is higher than the figure reported last year, which is concerning given the reality that harm is generally being done by an attack even if it is not immediately obvious. The breach may be a test attack that exposes vulnerability or a diversion designed to take attention away from another more damaging threat; alternatively, the attacker may simply be biding their time before capitalizing on the breach. Organizations should assume all attacks are harmful and conclude that where harm has not been identified, this is only because it has not yet been , organizations that fail to devote the resources necessary for adequate cybersecurity will find it very difficult to manage the risks they face.

Our survey suggests organizations increasingly recognize this: 56% of respondents say either that they have made changes to their strategies and plans to take account of the risks posed by cyber threats, or that they are about to review strategy in this context. However, only 4% of organizations are confident they have fully considered the information security implications of their current strategy and incorporated all relevant risks and

organizations are confident that they have fully considered the information security implications of their current strategy, and that their risk landscape incorporates and monitors relevant cyber threats, vulnerabilities and

Section 2: Understanding the threat landscape

The first step for organizations seeking to enhance their cybersecurity ability is to develop a better understanding of the nature of the threat to them.

