Ten rules for secure and productive BYOD

A Steria Report
Are European companies equipped to fight off cyber security attacks?
In collaboration with PAC
www.steria.com
Contents

FOREWORD 03
OBJECTIVES AND METHODOLOGY 04
EXECUTIVE SUMMARY 06
PART 1: CHANGES IN THE THREAT ECOSYSTEM 11
  European companies are predominantly concerned about internal attacks 12
  European companies are still relatively unconcerned about organised crime and state-sponsored attacks 13
  Data theft remains a major concern and will continue to be so 15
PART 2: SECURITY STRATEGIES ARE BECOMING GLOBAL 16
  Security strategies are defined and have far-reaching ambitions 17
  The high degree of importance accorded to security favours ambitious strategies 19
PART 3: INCREASING RESOURCES AVAILABLE FOR SECURITY 20
  Budgets are still weighted in favour of security 21
  Companies remain optimistic about their ability to attract talent 22
PART 4: SIGNIFICANT GROWTH IN THE IMPLEMENTATION OF SECURITY SOLUTIONS 24
PART 5: STILL ROOM FOR IMPROVEMENT IN PERFORMANCE MEASUREMENT 27
PART 6: OUTSOURCING IS BECOMING A GENUINE ALTERNATIVE 29
  Although no single model dominates as yet, outsourcing is gaining support 30
  Future prospects 31
  A call for security experts to review their approach in the light of the sensitive nature of their business 33
PART 7: QUESTIONS OF SECURITY: ARE COMPANIES BETTER PROTECTED THAN BEFORE? 34
  Despite the growing cyber security threat, confidence remains high 35
  Companies do not have extensive cyber security risk insurance cover 36
CONCLUSIONS AND RECOMMENDATIONS 37
GLOSSARY OF TERMS 40

Foreword

Digital has opened up new ways of working and interacting socially. It has created open, collaborative and connected virtual environments on top of our physical environments. It has enabled electronic document exchange, mobility, cloud computing and social networks. But at the same time, it has opened up new prospects for malevolent acts. To be able to make the most of all the business opportunities in our multi-faceted digital world, the key is to be properly armed for cyberwarfare, without making things too complex or cumbersome.

Cyber-related risks are greater than ever. It has been estimated that in 2012 the world saw a staggering 42% increase in targeted attacks compared to 2011, $110 billion worth of financial losses due to cyber attacks and more than $200 billion lost due to online fraud. Attacks are becoming more diverse, complex and professional on a daily basis, with increasingly serious effects on business and finance, as well as on firms' competitiveness and reputations.

Given this alarming state of affairs, we must ask whether companies have fully grasped the scope of the attacks with which they are increasingly being faced. Are they properly equipped to deal with major crises? Even if complete protection is not possible, have they put in place the resources, solutions and governance needed to provide the best possible prevention, detection and protection? Do they have access to appropriate resources and offerings from security experts?

Steria has surveyed 270 public and private sector organisations across Europe, lifting the veil on how Europe's firms are positioned today in terms of cyber security. We have also assessed what short- and medium-term trends these organisations foresee.

Patricia Langrand, Executive Vice President, Group Business Development & Marketing, Steria
Florent Skrabacz, Head of Security Business, Steria
Objectives and methodology
Steria, a European leader in IT and business services, has worked with Pierre Audoin Consultants (PAC) to publish this independent report on cyber security. The report is based on a survey of 270 security decision-makers in France, the United Kingdom, Germany and Norway. They represent small and medium companies, as well as large organisations working in all areas of activity. In this context, "companies" refers to both private and public-sector organisations. "Large companies" are defined as those with more than 5000 employees.

Except where otherwise stated, all figures used in this report have been taken from this survey. The survey comprises a quantitative phase and a qualitative phase. The quantitative phase draws on 250 telephone interviews conducted as follows: 70 interviews in France, 70 in the UK, 17 in Germany and 40 in Norway.

For the qualitative phase, PAC also conducted 20 in-depth face-to-face interviews. Based on the same questionnaire as the quantitative interviews, these were an opportunity for security decision-makers from large companies and specialised government bodies to discuss their cyber security strategy and how it is implemented.
Figure 2: Distribution by size and country (n = 270). Countries: France, UK, Germany, Norway; size bands: between 500 and 1,000 employees, between 1,000 and 5,000 employees, more than 5,000 employees.
This report provides an outlook on cyber security strategies and models for the next three years. Its purpose is to reveal how current and future threats are actually perceived by companies in Europe and the appropriateness or otherwise of the resources brought to bear.
Figure 1: Size of organisations surveyed (n = 270). Size bands: between 500 and 1,000 employees, between 1,000 and 5,000 employees, more than 5,000 employees.

Figure 3: Distribution by business sector (n = 270). Sectors: Banking, Insurance, Manufacturing, Public sector, Retail, Services, Telecom, Transport, Utilities.
Executive summary

As concerns about the impact of cyber security rise in tandem with the uptake of digital technologies, this report sets out to examine where European companies currently stand in their defence of corporate assets and reputations. What measures do they have in place and how great an understanding is there of the scope and scale of cyber-related risks?

The 270 security decision-makers who took part in our survey across both public and private sector organisations revealed a number of challenges and opportunities in the corporate fight against cyber crime.

1. European companies are confident about their future security in terms of available resources, funding, and their ability to withstand major risks

European companies appear extremely unruffled about the prospect of a major security crisis; 90% of them believe they are capable of dealing with one.

2. European companies have not yet fully grasped the scope of the attacks to which they will be increasingly exposed

Despite the growing number of external attacks, European companies are still more concerned about internal attacks. More than 50% of companies still see external attacks as accounting for less than 20% of the threat.

Despite the fact that organised crime and state-sponsored attacks are becoming an increasing and genuine threat, these types of attack are still of relatively little concern to European companies in the short and medium term. Overall, less than 15% of companies believe that, either currently or in the next three years, they will have to deal with organised crime; less than 6% believe they will have to deal with state-sponsored attacks. Only the largest organisations are starting to become concerned about this type of attack: 19% of them believe they will be faced with attacks from organised crime within the next three years, and 18% believe they will be faced with state-sponsored attacks.

Data theft is a major concern and is likely to remain so. 60% of the companies surveyed say that data theft is one of the three most significant risks keeping them awake at night, and is set to remain so over the next three years. The impact of Prism, Bullrun, and Mandiant is clearly evident.

Advanced Persistent Threats (APTs), a three-letter threat that should have heads of security quaking in their boots, have not yet been identified as one of the major risks. Only 12% of the companies identified APTs as one of the three chief threats. However, 35% of the largest companies are concerned about APTs.

One in five of the larger companies identifies a lack of experienced security resources as one of their main risks, but 85% of respondents believe that within the next three years they will have good access to the necessary skills.

Security budgets have not been cut and are likely to remain protected: less than one third of the companies surveyed anticipate cuts. 85% of the respondents are of the opinion that they will have an appropriate security budget over the next three years. Maintaining these budgets is, however, accompanied by cost control, with cost KPIs in place in over half of the companies surveyed.
3. It is unclear whether this show of confidence is backed up by reality. Many companies have not taken the most basic ad hoc measures to deal with crises

24/7 security is not yet standard: only one quarter of the companies surveyed have implemented it. Fewer than half of the largest companies benefit from this level of protection.

As yet, companies have little insurance cover for cyber security risks and have not taken out this type of policy; two thirds of them do not plan to take out specific insurance in the future. Cyber risk insurance has not yet found its market: policies are seen as being too complex, with too many exclusions.

Changes in cyber security strategy are not predominantly driven by changing cyber risks or the need to protect against cyber threats. Strategic priorities are directed more at risks arising from the use of new information and communication technologies, particularly with mobility and Bring Your Own Device (BYOD) policies.
4. Companies mostly adopt a self-reliant approach when dealing with risks

European companies identify a number of structural barriers to outsourcing (security criticality, giving priority to internal resources, etc.). Only one in five of the largest companies would have no problem in outsourcing.

There is a perceived lack of maturity in industry offerings: 20% of companies (and one in four large companies) have not yet found the right outsourcing offering for their requirements.

Looking forward, however, companies believe they will be more willing to envisage outsourcing; almost three-quarters of them believe that they will outsource part of their security operations in the future.

The most compelling argument in favour of outsourcing is cost reduction. For companies with over 5000 employees, however, improvements in attack detection rank second.
5. The relationship between companies and their security partners will need to change in coming years

Within the next five years, more than one enterprise in four (and more than one large enterprise in three) believes that security is likely to be dealt with mainly by external providers.

Over the same period, co-operation between companies in the same business sectors is predicted to become a reality: 15% of companies think they will end up pooling security resources with other players in their sector.

"Security as a service" has not yet achieved market maturity. Less than 10% of companies have bought security as a service or plan to do so in 2014. However, companies of all sizes are open to this possibility in the future: over 40% of all companies have already done so, or plan to do so ultimately.

PART 1
Changes in the threat ecosystem
European companies are predominantly concerned about internal attacks

54% of European companies believe that 80% of the threat originates internally.
The rule of thumb stating that 80% of the threat is internal is still largely true, despite the development of external attacks. Indeed, more than 50% of companies (and 62% of smaller ones) believe that external attacks account for less than 20% of their overall threats.

"Threats to IT systems" ("Menaces sur le système informatique"), published on September 12, 2006 by France's General Secretariat for National Defence, states that "between 70 and 80% of cases involving known threatening elements [...] are internal in nature." Another survey conducted in 2012 (PwC's Global State of Information Security 2012) indicated that 31% of security incidents originating internally were attributed to employees, 27% to former employees and 16% to companies' providers.

Almost all companies are more concerned about internal attacks. Indeed, internal threats in one form or another are a concern for all companies, which monitor and control employees to counter them. Only in highly exposed large companies is the threat of external attacks deemed to be significant: 17% of companies with more than 5000 employees see external attacks as accounting for more than 50% of the total threat.

Today, despite external attacks growing in number and becoming increasingly diverse and complex, internal attacks are still perceived as the predominant security threat by companies, especially smaller ones.
European companies are still relatively unconcerned about organised crime and state-sponsored attacks
Even though the threat of organised crime and state-sponsored attacks has been shown to be increasingly real, European companies are still relatively unconcerned about these in the short and medium term, particularly smaller companies.

Hacktivism (where a computer system is hacked for a political or socially-motivated purpose) is by far the greatest external source of concern for companies now and for the next three years. 64% of large companies expect to have to deal with this within the next three years, compared to 51% of all respondents. The contrast is even sharper when considering two specific types of threat: those that require resources capable of being brought to bear only by groups supported by nation states, and those represented by organised crime. Indeed, despite the scope of the threat, just 18% of large companies believe that they will be faced with state-sponsored attacks within the next three years; 19% of them believe that they will have to deal with attacks conducted by groups with links to organised crime; for the sample as a whole, the figures are 6% and 14% respectively.
Against a background of harsh economic conflict, large companies are confronted with increasingly offensive action. This is indicated by the head of security for a French energy group when detailing the external threats to which he believes his organisation will be exposed over the next three years: "Since we are in competition for contracts worth billions worldwide, I would list attacks supported by nation states, organised crime and, increasingly, attacks by competitors, with the boundaries between these different players becoming increasingly blurred."

It is worth pointing out that all companies perceive attacks by competitors as a significant threat (22% believe they are exposed to such threats).

Figure 4: Large companies' estimate of the percentage of external attacks as a total of all the IT security threats they face. Less than 20%: 50%; between 20 and 50%: 32%; between 50 and 80%: 15%; more than 80%: 3%.

Data theft is the primary concern and is set to remain so for 60% of the companies surveyed.
The Prism affair, in which US security agencies had reportedly been 'spying' on other countries' electronic data, also brought to light a new form of cyber attack driven by intelligence operations. It has raised the issue of the confidentiality of private and professional data online and, even more so, the control of storage and access to this data.

In the wake of such cases, the increase of cyber threats is a trend that is being taken extremely seriously by the highest international bodies. The 2013 "Global Risks" report published by the World Economic Forum (WEF) identifies cyber threats as the foremost worldwide technological risk, with cyber attacks and massive data theft leading the pack.
Data theft remains a major concern and will continue to be so

Figure 5: Breakdown of origins of external attacks faced by organisations today and predicted in three years' time, by company size (between 500 and 1,000 employees; between 1,000 and 5,000 employees; more than 5,000 employees). Categories: Hacktivism, Competitors, Criminal individuals, Organised crime, State-sponsored attacks, Other, None of them.

In the wake of the Prism, Bullrun and Mandiant affairs, data theft remains a major concern and is likely to remain so. 60% of companies see data theft as the risk most likely to 'keep them awake at night'. Large companies are less worried than the others, but this is still the case for 45% of them. The results of the survey indicate a uniform perception of major security risks by all companies.

The impact of Prism, Bullrun and Mandiant is clearly evident.

The risk of data theft is followed by damage to reputation (30%) and IT espionage (26%) as top concerns. These findings show that Europe's companies are concerned mainly about protecting their assets, whether in terms of information, image or know-how. Risks that can be defined as technical (i.e. not directly linked to business processes) are perceived as being less significant. For instance, the lack of qualified security resources (14%), Advanced Persistent Threats (APTs) (12%) and dependence on third-party security providers (8%) are the least cited risks.

APTs, which are highly sophisticated and precisely-targeted cyber threats, ought to have heads of security quaking in their boots. Conducted by exceptionally well-organised criminals, they enable covert access to even the best-protected networks to extract highly sensitive information or carry out massive destruction of data. Even though they are the most dangerous, APTs have not yet emerged as one of the major risks identified by companies. Only 12% of them rank APTs in the top three threats. This is not the case, however, for large companies, for which APTs are identified as the second-largest risk (35% of them place APTs in the top three).

APTs may have one of two goals: they may be designed to destroy vital interests or to give a competitive advantage to a third party. For large companies, the line between vital interests and business interests is very hard to draw, and any attack on these interests is clearly perceived as one of the major risks by these stakeholders: they are generally major national champions, sometimes with state backing. This is evidenced by the concept of Operator of Vital Importance introduced in France: "The main risks for us are attacks plotted by states, APTs and targeted attacks on our production and distribution systems," says the Head of Information Security Services of a major French transport company.

This Steria security survey also reveals a high level of disparity between countries for two types of attack:
– IT espionage is perceived as the lowest risk in the UK (15%) and as the highest in France (37%).
– The risk of an impact on Information System (IS) availability is perceived as highly significant in Norway and the UK, with a score of 28% and 26% respectively, whereas in France only 9% of respondents think this will keep them awake at night.

Figure 6: Origins of external attacks faced by organisations today and predicted in three years' time (% of respondents)

                         Today  In 3 years
Hacktivism                  48          51
Competitors                 22          24
Criminal individuals        22          24
None of them                15          30
Organised crime             12          14
State-sponsored attacks      5           6
Other                        2           1

Figure 7: The key risks keeping companies awake at night: breakdown by country (multiple choices). Risks: Theft of data, Reputation damage, Specific business risks, IT espionage, Internal fraud, Unavailability of information systems, Lack of skilled resources, Advanced Persistent Threats, Depending on third parties for security services, Other. Countries: France, UK, Germany, Norway.
PART 2
Security strategies are becoming global

In a globalised environment driven by the digital revolution in mobile technology, security strategies are no longer the sole preserve of IT. Instead, they also address business and strategic issues, positioned in the uppermost levels of organisations.

Security strategies are defined and have far-reaching ambitions

Almost 80% of decision-makers have implemented a security strategy and solutions to minimise information leakage and similar risks.
Almost all companies have established a security strategy (80% have already done so and this is underway for a further 11%). This is the case in both medium and large companies.

Security strategies have been designed chiefly to address the issues arising from mobility and Bring Your Own Device (BYOD).

Somewhat counterintuitively, security strategies have not predominantly been geared to addressing threats from cyber risks and their development. They have been designed to address security issues specific to the line of business (35%) and above all to address changes in the use of new information and communication technologies, such as mobility and BYOD (57%). This is true for all companies, irrespective of their size, sector and country. Astonishingly, this is even more the case in the public sector, where mobility is cited by 59% of respondents, and line-of-business issues by 37%. Security policies should enable better protection of mobile infrastructures. They address the issue of maintaining quality of service against a background of cost-cutting and staff cuts in public-sector organisations. This is illustrated by the head of security for a major UK police department. He emphasised, above all, the issue of public confidence relating to the confidentiality of information as being the main aim of public-sector security strategy: "Damage to reputation may be the most important issue by far, because it could adversely affect relations with our community. The public will not go to the police if they do not trust us to preserve their confidentiality, and this would become a long-term problem," he said.

Business-specific issues are the second major influence on security strategies, scoring 35%, ahead of cyber threats (27%). Business-specific issues are ranked very differently in different countries: only 15% in Norway, as opposed to 49% in France.

Cloud computing is ranked in fourth place among issues determining strategy, scoring 26%, although here again there is considerable discrepancy between countries: in the UK, which has largely adopted cloud computing, it scores 44%. In larger organisations, however, the cloud is ranked second, just ahead of business-specific security issues. Data confidentiality is still one of the major reasons for some companies being reluctant to adopt cloud-based computing. Companies are increasingly seeking to give employees access to their business applications via the cloud when they are mobile. However, this creates much broader access, with all the accompanying risks of breaches. Security systems must adapt to cater for this shift.

Cost, meanwhile, is a relatively weak influence on security strategies: only 21% of companies rank cost pressures as being among the three most important factors influencing their security strategy, and only 10% of companies employing more than 5000 people. Cost has the least influence in France (8%), and the most in Norway (33%).
Figure 8: Companies that have established an IT security strategy. Yes: 80%; Ongoing: 11%; No: 9%.

Figure 9: The major aspects influencing companies' IT security strategy (multiple choices), by company size and by country (Germany, Norway, France, UK). Aspects: Mobility / BYOD, Business-specific security issues, Cyber threats, Cloud computing, Cost pressure, Purchasing policies, Social networks, Availability of skilled competencies, Legislation and compliance, Other.

The high degree of importance accorded to security favours ambitious strategies

For most respondents, security is generally overseen by an IT department (54%), but in companies employing more than 5000 people, senior management is principally responsible for security (40%).

In companies employing more than 5000 people, security is overseen by senior management (40%), ahead of IT functions (38%).

This development is also supported by security managers themselves, such as this respondent from a large German energy company: "I am surprised that most people say they are overseen by the IT department; I think the responsibility should ultimately lie with the executive committee. Of course, the IT department defines the controls to be put in place and so on." To achieve the ambitious aims set out in their security strategies, managers are preserving and in some cases even increasing resources and investments in this field.

The fact that senior management is taking on more direct responsibility for the issue of cyber security may also be due to the strategic impact of cyber crime in terms of its implications for legal affairs and image (notoriety and reputation), as well as business and financial issues. According to a 2012 survey, financial losses due to security incidents amounted to $110 billion. It thus comes as little surprise that the protection of private and public-sector assets is becoming an absolute priority at the highest levels of government and enterprise.

Figure 10: Principal oversight for IT security by company size (between 500 and 1,000; between 1,000 and 5,000; more than 5,000 employees). Categories: IT department, Executive management (board level), Information Systems Security Manager (ISSM), Security managers within the IT department, Lines of business, Other.
PART 3
Increasing resources available for security

Security has become a priority for companies; security budgets have remained untouched and should continue to stay that way. While most corporate activities have to contend with budget restrictions, security has been unaffected.

Budgets are still weighted in favour of security
68% of all respondents and 74% of those from large companies believe that their budget will increase moderately or considerably. Less than one third anticipate any reduction (one quarter for large companies).

87% of the respondents believe that they will have an appropriate security budget for the next three years. The French are the most optimistic in this respect (90%) and the Norwegians the most pessimistic (80%). One explanation for these results may be the legal measures enacted in France to increase the levels of protection for companies and administrations. However, these encouraging figures should be seen against the backdrop of a significant increase in the number of cyber attacks. Security is no longer simply an option, but a real priority that is nonetheless difficult to get to grips with.

The Head of Information Security Services of one of the UK's large industrial groups sums up the dichotomy of his job in terms of budgets: "The strange thing about budgets is that if we have a large number of incidents, we get more money, whereas if performance is state-of-the-art and there are no incidents, our budgets can be cut. Whereupon things become more complicated, the number of incidents increases – and money becomes available once again."

Although budgets are being maintained, cost controls are in place too: more than half of all respondents said that KPIs for cost control had been implemented in their enterprise.
Figure 11: Security budgets by country (France, UK, Germany, Norway): 2013-2012 evolution. Categories: sharp increase, moderate increase, moderate decrease, sharp decrease.
Companies remain optimistic about their ability to attract talent
The issue of security skills is not a top priority for European companies: they believe they are capable of bringing to bear the required resources to protect themselves.

In current market conditions, issues of competencies and recruitment are nonetheless important for many of those involved in security. 29% of those interviewed in large companies rank access to experienced resources among the top three factors influencing their security strategy. For them, access to good resources is a priority. For one in five respondents in larger enterprises, the lack of experienced resources is one of the three most important risks keeping them awake at night. This shows that the issue of competency is central, but not seen as an absolute priority.

This is an important point to bear in mind, especially given that many of those involved in security in institutions and industry highlight the issue of a skills shortage. A representative of a European security agency believes that the lack of appropriate competencies should be the number one factor affecting security strategies: "the lack of skills is the key challenge for us and our companies."

It may also be noted that the perceived risk of a skills shortage is much lower in small companies (in which fewer than one in ten respondents ranked it among the three most significant risks).

Furthermore, the companies surveyed remain optimistic about their growing ability to mobilise experts capable of protecting them. For the vast majority of them (88%), there is every reason to be optimistic about recruiting appropriate skills to deal with security issues, or finding them outside the enterprise.
Figure 12: Companies' confidence levels by country for the next three years (% of respondents)

                                                                    France   UK   Germany   Norway
Access to required skills                                               88   93        82       88
Having the right security budget                                        90   81        93       80
Ability to manage with complex attacks                                  88   84        81       70
Ability to demonstrate a return on investment in security projects      81   81        68       75
Providers' capacity to meet our needs                                   63   71        74       60
Users' awareness                                                        69   63        68       58
Career development of my position within the organisation               50   46        57       43
Alignment of C-level executives and lines-of-business managers          51   47        46       28

Almost 20% of large companies see a skills shortage as a major risk.
PART 4
Significant growth in the implementation of security solutions

To date, companies have concentrated on identity and access management (87% of them), management of mobile devices (72%) and encryption (53%). Data theft is a central concern and is likely to remain so, but companies are not well-prepared for what they fear the most:
- Only 42% of them have implemented Data Loss Prevention (DLP) solutions
- Only 18% of them say that they will be implementing this type of solution over the next three years, and this is true irrespective of the size of the enterprise.
However, companies are implementing
solutions that indirectly have a positive
impact on data theft. Indeed, combating
data theft involves a number of building
blocks that are at the heart of current
strategies. For instance, identity and access
management is the only way of establishing
a link between legitimate users and data.
Similarly, data scattering cannot be avoided
without stringent management of mobile
device fleets. The same is true with regard
to encryption techniques, particularly in
view of threats such as passive listening
and interception of data in transit or
stored in third-party data centres.
What is more, the decision-makers interviewed know that there is no such thing as zero risk, especially since attacks are becoming increasingly aggressive.
Large companies are also concentrating on
the operational and real-time dimensions
of protection solutions. For instance, 32%
of large companies have set up a Security
Operations Centre (SOC). A critical mass
is needed for dedicated resources of this
kind to be cost-effective. When it comes
to organisations with fewer than 5000
employees, only 14% have a facility of
this type. In Norway, which has very few
companies with more than 5000 employees,
the number of respondents who reported
having implemented a SOC is only half that
in the UK (7.5% and 15% respectively).
Indeed, the UK has a great number of
large firms and a strong emphasis on the
operational aspects of security. In terms
of outlook, France has the highest levels
of growth in SOC projects: 14% of French
respondents said that they would have a
SOC project within the next three years, well
ahead of Germany (5.6%), the UK (4.1%)
and Norway (2.5%). One explanation for
this trend is that France is doing its best
to catch up with its European neighbours
in this respect, particularly the UK.
32% of large companies have set up a SOC
Figure 13: Existing security solutions (Identity and Access Management (IAM), Mobile Device Management (MDM), Encryption, Intrusion Detection and Prevention System, Data Loss Prevention (DLP), Security Information and Event Management (SIEM), Governance, risk and compliance, SOC (Security Operations Centre), Security procured “as a service”, Other, None)

Figure 14: Establishment of SOCs per country (France, UK, Germany, Norway; a SOC has already been implemented; the implementation of a SOC is considered within the next 3 years)

PART 5
Still room for improvement in performance measurement
Surprisingly, security performance measurement is not focused primarily on security.

Initial observations are encouraging: the use of key performance indicators (KPIs), adopted by 94% of companies for their security, indicates an increasingly professional approach to the issue. However, security is no stranger to the prevailing tendency to rationalise expenditure and optimise investments. Indeed, the KPIs measured by companies to ensure that resources allocated to security are used appropriately reflect this overall trend: controlling security costs is the most frequently used KPI, reported by 53% of respondents.

While overall budget trends are good news as far as security is concerned, there is nonetheless an aspect of cost control, with related KPIs, for over half of the companies interviewed. The effectiveness of procedures needs to be demonstrated, particularly in terms of cost control. The message is clear: “invest and protect, but don’t waste money”.

The frequent use of two other KPIs lends support to this argument:
- 39% of companies use a KPI relating to response times in the event of a security crisis
- 33% monitor the time taken to implement security fixes.
However, these are not yet used widely enough to constitute a really appropriate performance measurement. There is definitely room for improvement in this area.

However, as one head of IS security for a UK energy firm points out, cost control may not be a good performance indicator when it comes to security: “We don’t view costs as a KPI. Indeed, I don’t really see cost as a performance indicator at all. Spending more may mean that you are better protected, but it could also show that you are not managing your security expenditure properly, and vice versa. Of course, costs must be controlled. But as far as we’re concerned, KPIs should relate to the number of incidents identified and dealt with; response time is key too, of course.”
Figure 15: Existing security performance indicators

Control of security cost                               53%
Response time in the event of a major crisis           39%
Deadline for correction of critical vulnerabilities    33%
Internal customer satisfaction                         27%
Information security levels within projects            16%
Other                                                   2%
PART 6
Outsourcing is becoming a genuine alternative

Although no single model dominates as yet, outsourcing is gaining support

European companies see many reasons not to outsource (the critical aspect of security, giving priority to internal resources, the lack of appropriate offerings, and so on). Only one in five large companies sees no reason not to outsource. But at the end of the day, European companies are willing to outsource, at least partially, for reasons of cost control and to improve the way attacks are dealt with: more than two thirds of companies believe that they will outsource part of their security activities in the future.

Those decision-makers interviewed remained highly focused on cost reductions as the main benefit of outsourcing: 49% of companies ranked cost reduction as one of their top three reasons for outsourcing. This is especially the case in France (62%), where outsourcing is very definitely seen in this light, as opposed to Norway (33%).

Other reasons include improving attack detection (ranked second in large companies (33%) and third in all companies as a whole (30%)), and streamlining organisation, ranked second overall for all sizes of enterprise (33%). There is quite a significant range between the most sensitive country (Norway, with 40%) and the least sensitive (Germany, 26%).

The availability of tried and tested resources is the third reason given by large companies; as seen above, they are more concerned by the issue of a shortage of competent resources.

Improvements in quality of service are ranked fourth, cited by 29% of respondents, or as few as 19% in France.

However, this forecast is offset by a prevailing precautionary principle. The most frequently mentioned “non-core” activities include the following: audits and intrusion testing (“The only thing that we could never do in-house is intrusion testing, which is highly specialised,” explains an energy firm’s head of IS security) along with risk management.

More than 2/3 of companies plan to make use of outsourcing within the next three years

Figure 16: Arguments in favour of outsourcing by country

                                              France    UK   Germany   Norway
Costs are more advantageous                      62%   48%       47%      33%
Streamline our organisation                      36%   33%       26%      40%
Better capacity to detect cyber attacks          24%   26%       38%      33%
Quality of service is better                     19%   34%       31%      35%
We don’t have enough internal skills             22%   18%       26%      18%
We don’t have enough investment resources         5%    7%       14%       5%
Other                                             3%    4%        4%       3%
None                                             13%   11%        8%

Future prospects

The aim of outsourcing should be to control or even bring down costs whilst improving quality of service, using appropriate resources. Is the security ecosystem ready?

In terms of SOCs, more than 20% of firms surveyed (rising to almost 50% for organisations with a workforce in excess of 5000) already have a SOC or plan to acquire one. Almost one third of these has or intends to have one on their premises, and just over 5% would be willing to share it with other companies. One in four large companies already has or will have an outsourced SOC.

On average, 42% of respondents have already chosen or will choose a ‘regional’ partner to assist them in outsourcing their security. As for large companies, they tend to choose a ‘global’ provider for security outsourcing – 47% of them in all. One possible reason for this difference is the global nature of these providers themselves, their maturity when it comes to outsourcing and the international dimension of their other outsourcing partners. As to public-sector organisations, almost half (47%) are being assisted or plan to be assisted by regional stakeholders, as is the case for the Head of IT at a Norwegian administration: “Partners must be based in Scandinavia; offshore and nearshore are ruled out. This means that, for the moment, we are working solely with regional, Scandinavian stakeholders.”

As might be expected, SMEs with fewer than 1000 employees turn mostly to local providers (46%), as the spokesperson for a European cyber security agency explains: “SMEs look for a partner that they can easily approach and whose helpdesks speak their own language. They are also more inclined to work with a local provider rather than commit to a large, impersonal structure, with which they can find it very difficult to make a connection.”

Figure 17: Preferred types of security provider by company size (national, regional or global provider; between 500 and 1,000 employees, between 1,000 and 5,000 employees, more than 5,000 employees)

‘Security as a service’ has not yet achieved market maturity. Less than 10% of companies already purchase security as a service or intend to do so in 2014. However, companies of all sizes are open to this possibility in the future. More than 40% of all companies have already done so, or plan to do so, ultimately. This overall trend is illustrated by the comments of the Head of IT for a Norwegian administration: “For the time being, we are not operating on a ‘security as a service’ basis, but we could consider it for some areas, particularly the less critical ones, where it might be useful – for instance, to overcome skills shortages when these become apparent. My most pressing need is for better control and more robust assurance.”

Buying security ‘as a service’ has not yet become established as a credible alternative, but is being envisaged for the future

Europe’s companies are likely to call on external providers more in the future. More than one in four companies (one in three large companies) say that within five years, security will mostly be dealt with by external providers, while 15% think that they will be sharing it with other companies in their sector. However, more than 60% of companies think that security will mainly be dealt with internally for at least the next five years.

33% of large companies intend to rely mainly on external providers, and 14% think their security activities will be carried out in closer liaison with other organisations in their sector. However, 53% of them still think that, for the next five years, they will continue to manage most of their security in-house.

A call for security experts to review their approach in light of the sensitive nature of their business

By far and away the greatest barrier to working with an outsourced security provider is the critical nature of security: 46% of all companies rank this consideration among the top three barriers to outsourcing, more especially large companies (64%). This figure is especially high in France (60%) and low in Norway (20%) and Germany (28%). The second reason cited is a desire to give priority to internal resources: irrespective of their size, one enterprise in four ranks this as one of the three most important reasons; this proportion rises to one in three in Norway.

Too many companies have still not found the right outsourcing offerings for their needs. On average, one in five of the companies interviewed (and one in four large companies) listed the unavailability of appropriate solutions as one of the three most important reasons for not outsourcing. This reason ranks second in Norway (28%).

Figure 18: Barriers to outsourcing by country (France, UK, Germany, Norway; security is too critical to be outsourced; we have all the necessary internal resources; we favour the use of internal resources; we did not find any appropriate offers; we don’t think that protection will be better; we don’t know what the market offers; we have not been able to demonstrate a return on investment; other; none)
PART 7
Questions of security: Are companies better protected than before?

Despite the growing cyber security threat, confidence remains high
European companies are particularly
confident about their ability to
withstand a major security crisis,
despite the fact that they have not
taken the most basic ad hoc measures
to deal with such incidents.
91% of companies say that they are
capable of coping with a major security
crisis. However, only one in four companies
have operational capacity 24/7, and less
than 14% have an SOC. Yet, the fact is
that SOCs and related security activities,
such as control, crisis management,
monitoring and so on, are indispensable
when dealing with a major crisis.
90% of companies say they are capable of facing a major security crisis
The survey highlights noteworthy disparities
with regard to 24/7 security. Germany
scores the best, with 35% of companies
already protected 24/7 (compared to
an average of 27% across all countries);
Norway brings up the rear with just
20% of companies protected 24/7.
Given the nature of the very real,
operational risks that are of concern
to companies, the lack of permanent
security capabilities appears evident.
25% have 24/7 operational capacities
14% are equipped with a SOC

Companies do not have extensive cyber security risk insurance cover
Two thirds of the respondents are not
considering cyber insurance policies
Only 15% of companies think their insurance
covers their cyber risks (30% of large
companies) and 63% of companies are not
considering taking such a policy out within
the next two years (50% of large companies).
Two thirds of respondents do not
envisage any such solution. Since the
market does not yet appear to be
mature, it will probably be several years
before this type of offer emerges. This
also indicates a need to structure and
smooth services and improve security
performance. The cyber risk insurance
market has not yet come into being.
There has not been any massive uptake
of cyber risk insurance, echoing the
previous indication of companies being
over-confident when it comes to the
potential crises they could experience.
Figure 19: Companies with an insurance policy covering cyber risks

Yes                                                15%
No, but it is planned within the next two years    22%
No, and there is nothing planned                   63%
CONCLUSIONS AND
RECOMMENDATIONS
Being properly equipped to deal with
cyber risks is vital to enable organisations
small, medium and large to make the
most of all the business opportunities
available in a multi-faceted digital world.
There is no such thing as zero risk, but
European companies must put in place
prevention, detection, protection and
response resources commensurate
with the actual threat levels.
In view of the growing sophistication
of attacks, European companies are
still too focused on internal threats,
and not concerned enough about new
forms of external attack; they have
not yet implemented even the most
basic resources, for example in order
to deal with major crises 24/7.
However, there are some more
positive observations.
Firstly, budget decisions still favour security,
with budgets in this field remaining
intact and likely to do so in the future.
Secondly, the fact that security is currently
managed at high levels within companies
favours the implementation of ambitious
strategies that address business issues.
While security experts clearly still have some
way to go in tailoring their outsourcing
offerings to client needs and making their
solutions better known, improving attack
detection is already cited as the second most
important reason for outsourcing by major
companies, just behind cost reduction.
Awareness of outsourcing is growing –
as is the willingness to pool resources.
Two thirds of the companies interviewed
plan to make use of outsourcing in the
future; over one quarter of them believe
that five years from now, security will be
handled mostly by external partners.
Motives are still largely centred on cost
control – the chief criterion for evaluating
security performance to date.
It is now up to security experts to
demonstrate the effectiveness of their
capabilities in terms of attack prevention
and detection (as well as response) if
they are to persuade Europe’s security
decision-makers of the benefits of
pooling protection resources.
Recommendations for
optimum cyber security
The above conclusion means that a number
of recommendations can be made when
it comes to defending the best interests of
companies in cyberspace. The following
recommendations in particular may be made:
- greater co-operation is needed in
Europe between security experts and
all other stakeholders in order to create
global, joint capabilities and to increase
the firepower of European providers
- performance measurement for security
should be improved by focusing first and
foremost on security itself (number of
attacks detected and dealt with, response
times, etc). Today, although security budgets
have been maintained, the leading KPI is
cost control, whereas greater expenditure
may actually indicate better protection
- 24/7 operational security management
should be provided more systematically
- there is a need to develop professional
service offers that are better geared to
addressing the twofold challenge of economic
performance and security effectiveness,
in line with companies’ expectations.
Some industry professionals have already
invested heavily to develop top-ranking
cyber security capabilities, and are inviting
companies to benefit from these. Cooperation
between Europe’s security experts and
companies is dependent on three factors:
- better support by the experts to help
companies understand security issues,
diagnostics and the definition of the right
governance and resources, in terms of criteria
based on efficiency and return on investment
- greater maturity of security implementation
models in order to drive a much broader
uptake whilst improving practices
- developing innovative technological
partnerships within Europe to provide
better protection from the most
sophisticated attacks (such as APTs) and
to respond as quickly as possible.
These recommendations will enable
European companies to take hold of
the many opportunities offered by
every aspect of the digital world, whilst
keeping cyber risks under control.
As a result, companies will be able to
express cautious confidence in their digital
activities and cyber security controls – and,
just as importantly, be justified in doing so.
Glossary of terms
APT (Advanced Persistent Threat)
An advanced persistent threat (APT) is a network attack in which an unauthorized person gains
access to a network and stays there undetected for a long period of time.
Mandiant
The Mandiant® Intelligence Center™ released an unprecedented report in 2013 exposing the
multi-year, enterprise-scale computer espionage campaign of a unit referred to as APT1.
Bullrun
Bullrun is a clandestine, highly classified decryption program run by the United States National
Security Agency (NSA).
Prism
PRISM is a clandestine program used by the US National Security Agency (NSA) to collect
the private electronic data of users of major internet services like Google, Facebook, Outlook,
Skype, and others.
Business specific issues
Business specific issues are the highest-priority problems affecting a business. In the field
of security, a business specific issue would be the protection of a company’s key competitive
advantages, such as IP (Intellectual Property) or customer databases.
SOC: Security Operations Centre
The Security Operations Centre monitors activity and events in client environments to ensure
that anomalous behaviour is detected, identified, classified and acted upon where appropriate.
Cyber attacks
A cyber attack is a deliberate exploitation of computer systems, technology-dependent
enterprises and networks. It results in disruptive consequences such as data theft, denial of
service or website defacement.
Internal attacks
An internal attack occurs when an individual or a group within an organization seeks to disrupt
operations or exploit organisational assets.
Scattered data
In the context of Big Data, scattered data are geographically dispersed data.
About PAC
Pierre Audoin Consultants (PAC) is a privately held and management-owned research & consulting firm,
specialized on the software and ICT services (SITS) industry.
PAC combines detailed knowledge of the local ICT markets in 30+ countries around the globe, with a strong
European heritage. At present, PAC is the most reliable source of European IT market intelligence.
With a growing network of 120 industry analysts and consultants around the globe, PAC and its partners
ensure local presence in the major IT markets.
For more information, visit: https://www.pac-online.com/
About Steria
Steria delivers IT enabled business services and is the Trusted Transformation Partner
for private and public sector organisations across the globe. By combining in depth
understanding of our clients’ businesses with expertise in IT and business process
outsourcing, we take on our clients’ challenges and develop innovative solutions to
address them efficiently and profitably. Through our highly collaborative consulting style,
we work with our clients to transform their business, enabling them to focus on what they
do best. Our 20,000 people, working across 16 countries, support the systems, services
and processes that make today’s world turn, touching the lives of millions around the
globe each day. For more than 20 years, Steria has been the trusted partner of both private
businesses and public organisations seeking a security services provider to protect their
infrastructures, applications and data. With more than 700 experts throughout Europe,
Steria manages every stage of the security lifecycle, from agreeing on a security strategy
through to running day-to-day routine tasks. Steria’s deep consulting skills allow the
company to recommend the most efficient security policies – and improve clients’ return
on investment. Steria’s Advanced Security Operations Centre (SOC) ensures early detection
and prevention of the most complex threats, including APTs (Advanced Persistent Threats),
as well as an appropriate, proactive response. Steria also delivers digital trust solutions
tailored to clients’ specific requirements and business processes: identity and access
management and authentication, data protection, cloud security, mobile security and more.
Founded in 1969, Steria has offices in Europe, India, North Africa and SE Asia and
a 2012 revenue of €1.83 billion. Over 20%(*) of Steria’s capital is owned by its
employees. Headquartered in Paris, Steria is listed on the Euronext Paris market.
(*): including “SET Trust” and “XEBT Trust” (4.15% of capital)
www.steria.com
Groupe Steria SCA
43-45 Quai du Président Roosevelt
92130 Issy-les-Moulineaux
France
Steria is committed to supporting a sustainable world and is
Certified Carbon Neutral for Flight and Fleet Travel
© Steria