Presentation is loading. Please wait.

Presentation is loading. Please wait.

Business Unit Security & Authentication - An industry perspective CCA Strictly Private and Confidential October 2014.

Similar presentations


Presentation on theme: "Business Unit Security & Authentication - An industry perspective CCA Strictly Private and Confidential October 2014."— Presentation transcript:

1 Business Unit Security & Authentication - An industry perspective CCA Strictly Private and Confidential October 2014

2 PwC October 2014 Endangering the present Cyber security threats today have become increasingly sophisticated and complex. As organisations embrace new technologies without fully comprehending the implications these have on the entire enterprise, they are rendering themselves susceptible to an array of cyber-security threats. An efficient and executable strategy, which encompasses the key levers of people, processes and technology is needed to confront the changing threat landscape, as a few risk issues are as all- encompassing as cyber-security. 2 Security & Authentication - An industry perspective CCA Cyber security attacks in the news Stuxnet worm infects critical infrastructure facilities in Gujarat and Haryana, ONGC off- shore oil rig also affected US Department of Justice (DOJ) sentences five Chinese military hackers for cyber economic espionage against American companies in the nuclear power, metals and solar energy sectors Instances of state–sponsored espionage against major European bank uncovered by Symantec The Heartbleed defect, impacts over two- thirds of web servers in the world, including those of popular and social networking sites

3 PwC October 2014 Are budgets keeping up with the rising costs? With the increase in the average cost per security incident from $194 to $414 (113%) and a 20% increase in the average losses as a consequence of security breaches, an increase in the information security budget would be anticipated. However, the average information security budgets actually declined by almost 17%. It seems counter-intuitive that, even though threats have become more frequent and damaging, organisations have not increased their security spending. 3 Security & Authentication - An industry perspective CCA What drives information security expenditure? $4.8 million $4 million Drop in total average information security budgets in India Key drivers for information security spending in India

4 PwC October 2014 The constantly evolving cyber-threat landscape is driving the increase in security incidents The marked increase in the number of detected incidents, in our view, is likely driven by the changing cyber-threat landscape. As the digital channel in financial services continues to evolve, cybersecurity has become a business risk, rather than simply a technical risk. 4 Security & Authentication - An industry perspective CCA Nation-states Cyber criminals Hacktivists Cyber terrorists/ individual hackers Global competition National security Fraud Illicit profit Fraud Identify theft Ideological Political Disenfranchised Malicious havoc Political cause rather than personal gain Ideological Motivators Targeted, long-term cyber campaigns with strategic focus Insider Third-party service providers Individual identity theft Data breaches and intellectual property theft Insider Third-party service providers Opportunistic vulnerabilities Insider Third-party service providers Targeted organizations that stand in the way of their cause Insider Third-party service providers Threat vectors Loss of intellectual property Disruption to critical infrastructure Monetary loss Regulatory Loss of identity Monetary loss Intellectual property loss Privacy Regulatory Destabilize, disrupt and destroy cyber assets of financial institutions Regulatory Disruption of operations Destabilization Embarrassment Public relations Regulatory Impact Lines between the threats are blurring

5 PwC October 2014 Insiders are the most likely perpetrators Current and former employees have been cited by respondents as the most common causes of incidents. This, however, does not imply that most users exhibit malicious behaviour, a lack of awareness of common dos and don’ts may lead to instances in which users compromise data through the loss of mobile devices or through targeted phishing attacks. Loss of data through associations with customers and vendors also contribute to a reasonable chunk of incidents caused by insiders. The lack of effective mechanisms to manage risks to data stemming from 3 rd parties, is largely responsible. 4 Security & Authentication - An industry perspective CCA Insider threat Estimated likely sources of incidents (insiders)

6 PwC October 2014 External sources garner most attention Cyber incidents that garner the most attention are compromises caused by nation states and organised crime and are among the least frequent. However, the fact that there has been a two-fold increase in information security incidents caused by foreign nation-states is alarming. As nation-states can carry out sophisticated attacks without detection, we believe that the volume of compromises is, in all probability, are under-reported. Indian organisations also reported twice as many attacks from competitors when compared with the global average. 5 Security & Authentication - An industry perspective CCA Outsiders Estimated likely sources of incidents

7 PwC October 2014 How do attacks impact organisations? The breach of employee (45%) and customer records (42%) remained the most cited impacts of cyber attacks. Compromise of customer records may interrupt smooth running of business, leave the organization exposed to legal action, result in loss of customers and may also damage the reputation of the organization. 6 Security & Authentication - An industry perspective CCA Employee and Customer records continue to be the top targets of cyber attacks Impact of cyber attacks on business

8 PwC October 2014 The ‘human parameter’ Employee training and awareness is a fundamental component of every programme, as the weakest link in the security chain is often the human resource. However, compared to last year’s 61%, fewer respondents (56%) require their employees to complete training on privacy policy and practices. 7 Security & Authentication - An industry perspective CCA How respondents are addressing the ‘human parameter’

9 PwC October 2014 Data privacy safeguards Many organisations have implemented the following data privacy safeguards, however, to prepare themselves better to the changing threat landscape, all organisations should consider implementing these data privacy safeguards. 8 Security & Authentication - An industry perspective CCA Data privacy safeguards currently in place People Require our employees to complete training on privacy policy and practices56.2% Impose disciplinary measures for privacy program violations54.7% Conduct personnel background checks58.1% Processes Have an information security strategy that is aligned to the specific needs of the business60.9% Conduct compliance audits of third parties that handle personal data of customers and employees to ensure they have the capacity to protect such information 52.9% Inventory of all third parties that handle personal data of employees and customers50.2% Technology Privileged user access62.6% Malware or virus-protection software67.9% Security information and event management (SIEM) technologies61.2% Security-event-correlation tools56.2%

10 PwC October 2014 Dynamic security practices – Need of the hour Even with the increase in the average cost per incident and the overall financial losses as a consequence of security incidents, organisations are still reluctant in adopting technologies and processes that can help safeguard the organisation against these incidents. 9 Security & Authentication - An industry perspective CCA Respondents who answered security safeguards are not currently in place

11 PwC October 2014 Are organisations taking identity management seriously? 10 Security & Authentication - An industry perspective CCA A large number of organisations have identified access controls and identity management as one of the top security challenges Over 25% of organisations describe Biometrics for authentication as a top priority in the next 12 months 35% 50% Of organisations have solutions for automated provisioning & de-provisioning of user accounts already in place 50% Of organisations have identity management solutions already in place Current and former employees continue to be cited as the main causes of security breaches, with over 65% of incidents being attributed to the group. In the light of these findings, the need for identity and access management solutions now is greater than ever.

12 PwC October 2014 Are organisations moving towards newer authentication methods? 11 Security & Authentication - An industry perspective CCA Of organisations plan to adopt tokenisation as an emerging technology for data protection 41% Newer techniques such as risk based authentication and behavioural profiling are quickly gaining popularity. Behavioural profiling is used to accurately predict and profile the characteristics of users that may cause breaches. Over 47% of organisations have employed behavioural profiling tools to strengthen their information security programme Of organisations already use multi-factor authentication to strengthen information security 53%

13 PwC October 2014 How prevalent is the use of smart cards and tokens for authentication? 12 Security & Authentication - An industry perspective CCA Security tokens are physical devices that are provided to users to introduce an additional level of security in authentication. There are three factors to authentication : -Something the user knows -Something the user has -Something the user is/ does Traditional methods use the first factor for authentication, smart cards and tokens are used to introduce the second factor (something the user has) to enhance security. 49% Of organisations use disposable passwords or smart cards or tokens for authentication

14 PwC October 2014 Are organisations adopting user activity monitoring tools? 13 Security & Authentication - An industry perspective CCA To ensure strong control over the activity of users, organisations are moving towards user activity monitoring tools. The use of these tools is more prevalent in the commercial & consumer banking, insurance, aerospace & defence, pharmaceutical and consumer packaged goods sector. Adoption of user activity monitoring (sector wise)

15 PwC October 2014 Organisations are increasingly adopting risk based authentication 14 Security & Authentication - An industry perspective CCA Risk based authentication solutions enhance traditional authentication methods by assigning a risk value to the user trying to gain access. Such solutions use additional parameters such as behaviour profiling, geo-locations etc. to evaluate the user’s risk profile Adoption of risk based authentication (sector wise)

16 PwC October 2014 How is authentication on mobile devices being managed? 15 Security & Authentication - An industry perspective CCA One area that organisations are increasingly focusing on is enterprise mobility, which enables employees, partners and customers to access and work on the organisation’s technology platforms through any secure enabler (laptops, tablets or smartphones). How are organisations ensuring security mobile devices? Initiatives organisations have taken to address mobile security risks

17 PwC October 2014 Challenges to security Even with the growing impact that cyber security incidents can have on the entire enterprise, boards of organizations in the country remain oblivious and continue to treat cyber security as an IT problem. The lack of leadership to set a clear direction for the overall information security strategy along with insufficient capital and operating expenditures represent the biggest obstacles in improving the overall strategic effectiveness of information security. 16 Security & Authentication - An industry perspective CCA Challenges from within Obstacles in improving overall strategic effectiveness

18 PwC October 2014 Challenges to security Given today’s interconnected business ecosystem, where the amount of data generated and shared with business partners and suppliers is exponentially greater, due diligence of third parties has become a concern. It is worrisome that the focus on third-party security weakened in the past year in some very key areas; even as the number of incidents attributed to ‘insiders’ increased. 17 Security & Authentication - An industry perspective CCA Increased dependence on 3 rd parties How respondents are safeguarding relationships with 3 rd parties

19 PwC October 2014 Security initiatives The applications of SMAC (social, mobile, analytics and cloud) technologies have been debated for long, but it is about time that Indian companies started leveraging them. 18 Security & Authentication - An industry perspective CCA Emerging technologies Social Media The ambiguity in calculating the return on social media investments, coupled with the difficulty in understanding the applications of social media in business and leveraging them to generate a profit stream has led to a slow adoption Respondents that audit or monitor employee postings to external blogs or social networking sites Mobile Organisations are now widely adopting enterprise mobility, while taking initiatives to address risks from its adoption as well, over 65% respondents already have a mobile security strategy in place Mobile security initiatives taken by organisations

20 PwC October 2014 Security initiatives 19 Security & Authentication - An industry perspective CCA Analytics As organisations adopt social media and mobile platforms and the digital footprint of its customers increases, the shear amount of data that is available for organisations to analyse and use increases exponentially. More and more organisations are using big data analytics for data driven insights Impact of big data analytics on information security Over 69% respondents employ big data analytics to model for and identify information security threats. Almost one-third respondents use big data analytics as a cloud service. How organizations employ big data analytics

21 PwC October 2014 Security initiatives Almost 68% respondents already use cloud services in some form (SaaS or PaaS or Iaas), although the use of cloud services for file storage and sharing remains the most popular. 20 Security & Authentication - An industry perspective CCA How are organisations using cloud services? India vs Global average Cloud Migrating to cloud based services marks a fundamental shift in the way business is done, with a variety of deployment & service models available, organisations need to develop a sound strategy to manage cloud services

22 PwC October 2014 Cyber risk management Organisations in India have been focused on perimeter security. It is only now that there are visible signs of organisations moving from the asset and technology centered paradigm for information security to comprehensive cyber-risk management. The first step for all organisations will be to align security spending with the organisation’s strategic assets 21 Security & Authentication - An industry perspective CCA Safeguards that are a top priority for respondents in the next 12 months Procedures dedicated to protecting intellectual property (IP)19.2% Program to identify sensitive assets23.0% Centralized security information-management processes22.6% Classification of business value of data16.3% Risk assessments (on internal systems)19.2% Risk assessments (on third-party vendors)26.8% Active monitoring/analysis of information security intelligence (e.g., vulnerability reports, log files)20.5% Governance, risk, and compliance (GRC) tools26.0% Enterprise content-management tools22.9% Protection/detection management solution for advanced persistent threats (APTs)28.3% Security information and event management (SIEM) technologies24.2%

23 PwC October 2014 Demographics Around 30% of our respondents had annual gross revenues of over 1 billion USD, and another 30% (approx.) had revenues between 100 million USD and 1 billion USD. Almost a third of our respondents were small enterprises with annual gross revenues of less than 100 million USD, making it an inclusive survey with a distributed respondent base. 22 Security & Authentication - An industry perspective CCA Respondents by annual gross revenuesRespondents by industry sector

24 This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers Private Limited, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. © 2014 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. Thank you.


Download ppt "Business Unit Security & Authentication - An industry perspective CCA Strictly Private and Confidential October 2014."

Similar presentations


Ads by Google