BAE systems Research results October 2016 Cyber-attacks (US) BAE systems Research results October 2016 BAE systems - cyber-attacks (US)

Demographics 200 IT decision makers in the US were interviewed in October 2016, split in the following ways... …sector …size Figure D1: “Within which sector is your organisation?” asked of all respondents (200 respondents) Figure D2: “How many employees does your organisation have globally?” asked of all respondents (200 respondents) BAE systems - cyber-attacks (US)

Approach to cyber security The majority (87%) of respondents feel that the leadership of their organisation fully understands the impact of a successful cyber- attack (figure 1) If the leadership has a good grasp on the impacts of a successful attack, they can ensure the rest of the organisation is suitably prepared to defend or deal with any such attack Nearly half (46%) of respondents’ organisations are assessing potential cyber threats at least every day, with a further three in ten (29%) conducting weekly assessments (figure 2) With leadership likely to fully understand the impacts of a successful attack (figure 1), it is no surprise that processes have adapted to cope with the fast changing world of cyber-attacks Figure 1: “Do you feel the leadership of your organisation fully understands the impact of a successful cyber-attack?” asked of all respondents (200 respondents) Figure 2: “How often does your organisation assess the cyber threats it faces?” asked of all respondents (200 respondents) BAE systems - cyber-attacks (US)

Assessing cyber threats Figure 3: Analysis showing the average number of cyber threat assessments conducted each month by respondents' organisations, split by organisation sector, asked of all respondents (200 respondents) On average, the organisations of surveyed respondents assess the potential cyber threats facing them 28 times a month, almost once a day Respondents from organisations in the financial services sector assess for cyber threats the most frequently, on average 40 times a month, more frequently than once a day In comparison, organisations in the retail, distribution and transport sectors are checking least frequently – 12 times a month on average, or 3 times a week By conducting almost daily checks into potential cyber threats, organisations are demonstrating they understand the impacts of a successful cyber-attack (figure 1) and are serious about attack mitigation and prevention BAE systems - cyber-attacks (US)

Priority given to security and defence Nearly all (96%) respondents say that business security and defence is a priority for their organisation’s leadership… …and half (50%) of all respondents say that it is the number one priority Security and defence is a priority for all respondents’ organisations in business and professional services (100%), other commercial sectors (100%) and financial services (100%) In fact, respondents working in the financial services sector are more likely (60%) to say security is the number one priority than any other sector Regarding security, the manufacturing sector is behind all other sectors – only around a fifth (21%) say that it is the number one priority for their organisation’s leadership The manufacturing sector in the US has long been considered in decline, do the organisations in this sector have other, more pressing things to worry about? Could the cyber threat originate internally, through the carelessness of poorly trained employees? Figure 4: Analysis showing respondents whose organisation’s leadership gives priority to business security and defence, split by organisation sector, asked of all respondents (200 respondents) BAE systems - cyber-attacks (US)

Internal vulnerabilities Figure 5: “Do you believe your colleagues outside of IT are aware of how much potentially revealing or harmful information they are publishing via social media and other digital channels?” asked of all respondents (200 respondents) Figure 6: Analysis showing respondents who do not think their colleagues outside of IT are aware of how much potentially revealing or harmful information they are publishing via social media and other digital channels, split by organisation sector, asked of all respondents (200 respondents) A third (33%) of IT decision makers surveyed do not think that their colleagues outside of IT are aware of how much potentially revealing or harmful information they are publishing on social media and other digital channels (figure 5) Just one poorly judged post from an employee who is unaware of the risks could undermine an entire organisation’s security effort Nearly half (46%) of manufacturing respondents feel that their colleagues lack awareness regarding business security when posting online, while only around a quarter (26%) of respondents in the IT sector agree With manufacturing leadership less likely to prioritise security (figure 4), this lax attitude could be filtering down to all employees BAE systems - cyber-attacks (US)

Concerns about attack implications Half or more respondents see the compromise of company financial data (63%), customer information (58%), and customer or supplier credentials (50%) as one of their top worries in the event of a cyber-attack (figure 7) In fact, nearly a quarter (24%) cite compromising customer information as their number one worry in this event (figure 8) Fewer than three in ten (28%) see the impact on stock price/brand as one of their top concerns (figure 7), however this can be closely linked to the compromise of customer information – an organisation’s brand reputation will not be enhanced by losing their customer’s sensitive information Organisations have a lot of sensitive data to protect, and they are extremely concerned about losing it Figure 7: “What are you most worried about happening in the event of a cyber- attack?” showing responses ranked first, second and third. Asked of all respondents (200 respondents) Figure 8: “What are you most worried about happening in the event of a cyber- attack?” showing responses ranked first. Asked of all respondents (200 respondents) BAE systems - cyber-attacks (US)

In summary… Cyber security is a serious consideration for respondents and their organisations Respondents say that their organisation is assessing potential cyber threats, on average, 28 times a month – just shy of once every day In fact, slightly more than a fifth (21%) are assessing these cyber threats on an hourly basis This may be driven by company leadership, the majority (87%) of respondents believe that the leadership at their organisation fully understands the impact of a successful cyber-attack Furthermore, nearly all (96%) respondents think that their organisation’s leadership treats security and defence as a priority And half (50%) say that it is the number one priority for leadership Despite this high level of priority given to security by leadership, a third (33%) of respondents do not think that their colleagues outside of IT are aware of how much potentially revealing and harmful information they are publishing on social media Respondents from organisations in the manufacturing sector say that this is more of a problem for them, with nearly half (46%) saying that their colleagues lack this awareness This compares to respondents from other sectors: financial services (33%), business and professional services (30%), and IT (26%) Respondents are worrying about the potential impact to their organisation of a successful cyber-attack Half or more see compromising sensitive company financial data (63%), compromising customer information (58%), and the hijacking of credentials to compromise customers or suppliers (50%) as one of their top three worries And nearly a quarter (24%) see compromising customer information as their number one worry, while more than a fifth (21%) see this as compromising sensitive company financial data BAE systems - cyber-attacks (US)

Cyber-attacks (US extension) BAE systems Research results October 2016 BAE systems - cyber-attacks (US)