Security & Authentication - An industry perspective

Presentation transcript:

Security & Authentication - An industry perspective
CCA
Strictly Private and Confidential
Draft, October 2014

Endangering the present

Cyber security threats today have become increasingly sophisticated and complex. As organisations embrace new technologies without fully comprehending the implications these have for the entire enterprise, they render themselves susceptible to an array of cyber-security threats. An efficient and executable strategy, encompassing the key levers of people, processes and technology, is needed to confront the changing threat landscape, as few risk issues are as all-encompassing as cyber-security.

Cyber security attacks in the news:
- Stuxnet worm infects critical infrastructure facilities in Gujarat and Haryana; an ONGC offshore oil rig is also affected
- US Department of Justice (DOJ) sentences five Chinese military hackers for cyber economic espionage against American companies in the nuclear power, metals and solar energy sectors
- Instances of state-sponsored espionage against a major European bank uncovered by Symantec
- The Heartbleed defect impacts over two-thirds of web servers in the world, including those of popular e-mail and social networking sites

Are budgets keeping up with the rising costs?

With the increase in the average cost per security incident from $194 to $414 (113%) and a 20% increase in the average losses as a consequence of security breaches, an increase in information security budgets would be anticipated. However, average information security budgets actually declined by almost 17%. It seems counter-intuitive that, even though threats have become more frequent and damaging, organisations have not increased their security spending.

Drop in total average information security budgets in India:
2013: $4.8 million
2014: $4 million

Chart: What drives information security expenditure? Key drivers for information security spending in India.

Lines between the threats are blurring

The constantly evolving cyber-threat landscape is driving the increase in security incidents. The marked increase in the number of detected incidents, in our view, is likely driven by the changing cyber-threat landscape. As the digital channel in financial services continues to evolve, cybersecurity has become a business risk, rather than simply a technical risk.

Threat actors compared (nation-states; cyber criminals; hacktivists; cyber terrorists/individual hackers):

Motivators
- Nation-states: global competition; national security
- Cyber criminals: fraud; illicit profit; identity theft
- Hacktivists: ideological; political; disenfranchised
- Cyber terrorists/individual hackers: malicious havoc; political cause rather than personal gain

Threat vectors
- Nation-states: targeted, long-term cyber campaigns with strategic focus
- Cyber criminals: insiders; third-party service providers; individual identity theft; data breaches and intellectual property theft
- Hacktivists and cyber terrorists: opportunistic vulnerabilities; targeted organisations that stand in the way of their cause

Impact
- Nation-states: loss of intellectual property; disruption to critical infrastructure
- Cyber criminals: monetary loss; regulatory; loss of identity; intellectual property loss; privacy
- Hacktivists: destabilise, disrupt and destroy cyber assets of financial institutions; disruption of operations
- Cyber terrorists/individual hackers: destabilisation; embarrassment; public relations

Insiders are the most likely perpetrators

Insider threat: current and former employees have been cited by respondents as the most common causes of incidents. This, however, does not imply that most users exhibit malicious behaviour; a lack of awareness of common dos and don'ts may lead to instances in which users compromise data through the loss of mobile devices or through targeted phishing attacks. Loss of data through associations with customers and vendors also contributes a reasonable chunk of the incidents caused by insiders. The lack of effective mechanisms to manage risks to data stemming from third parties is largely responsible.

Chart: Estimated likely sources of incidents (insiders)

External sources garner most attention

Outsiders: the cyber incidents that garner the most attention are compromises caused by nation-states and organised crime, and these are among the least frequent. However, the fact that there has been a two-fold increase in information security incidents caused by foreign nation-states is alarming. As nation-states can carry out sophisticated attacks without detection, we believe that the volume of compromises is, in all probability, under-reported. Indian organisations also reported twice as many attacks from competitors when compared with the global average.

Chart: Estimated likely sources of incidents

How do attacks impact organisations?

Employee and customer records continue to be the top targets of cyber attacks. The breach of employee (45%) and customer records (42%) remained the most cited impacts of cyber attacks. Compromise of customer records may interrupt the smooth running of business, leave the organisation exposed to legal action, result in loss of customers and may also damage the reputation of the organisation.

Chart: Impact of cyber attacks on business

How respondents are addressing the 'human parameter'

Employee training and awareness is a fundamental component of every programme, as the weakest link in the security chain is often the human resource. However, compared to last year's 61%, fewer respondents (56%) require their employees to complete training on privacy policy and practices.

Chart: How respondents are addressing the 'human parameter'

Data privacy safeguards

Many organisations have implemented the following data privacy safeguards; however, to prepare better for the changing threat landscape, all organisations should consider implementing them.

Data privacy safeguards currently in place:

People
- Require our employees to complete training on privacy policy and practices: 56.2%
- Impose disciplinary measures for privacy programme violations: 54.7%
- Conduct personnel background checks: 58.1%

Processes
- Have an information security strategy that is aligned to the specific needs of the business: 60.9%
- Conduct compliance audits of third parties that handle personal data of customers and employees to ensure they have the capacity to protect such information: 52.9%
- Inventory of all third parties that handle personal data of employees and customers: 50.2%

Technology
- Privileged user access: 62.6%
- Malware or virus-protection software: 67.9%
- Security information and event management (SIEM) technologies: 61.2%
- Security-event-correlation tools

Dynamic security practices - need of the hour

Even with the increase in the average cost per incident and the overall financial losses as a consequence of security incidents, organisations are still reluctant to adopt technologies and processes that can help safeguard the organisation against these incidents.

Chart: Respondents who answered that security safeguards are not currently in place

Are organisations taking identity management seriously?

Current and former employees continue to be cited as the main causes of security breaches, with over 65% of incidents being attributed to this group. In the light of these findings, the need for identity and access management solutions is now greater than ever.

- A large number of organisations have identified access controls and identity management as one of the top security challenges
- Over 25% of organisations describe biometrics for authentication as a top priority in the next 12 months
- 35%
- 50% of organisations have identity management solutions already in place
- 50% of organisations have solutions for automated provisioning and de-provisioning of user accounts already in place

Are organisations moving towards newer authentication methods?

Newer techniques such as risk-based authentication and behavioural profiling are quickly gaining popularity. Behavioural profiling is used to accurately predict and profile the characteristics of users that may cause breaches.

- Over 47% of organisations have employed behavioural profiling tools to strengthen their information security programme
- 41% of organisations plan to adopt tokenisation as an emerging technology for data protection
- 53% of organisations already use multi-factor authentication to strengthen information security

How prevalent is the use of smart cards and tokens for authentication?

Security tokens are physical devices that are provided to users to introduce an additional level of security in authentication. There are three factors of authentication:
- Something the user knows
- Something the user has
- Something the user is/does

Traditional methods use the first factor for authentication; smart cards and tokens introduce the second factor (something the user has) to enhance security.

49% of organisations use disposable passwords, smart cards or tokens for authentication

Are organisations adopting user activity monitoring tools?

To ensure strong control over the activity of users, organisations are moving towards user activity monitoring tools. The use of these tools is more prevalent in the commercial & consumer banking, insurance, aerospace & defence, pharmaceutical and consumer packaged goods sectors.

Chart: Adoption of user activity monitoring (sector-wise)

Organisations are increasingly adopting risk-based authentication

Risk-based authentication solutions enhance traditional authentication methods by assigning a risk value to the user trying to gain access. Such solutions use additional parameters such as behaviour profiling, geo-location etc. to evaluate the user's risk profile.

Chart: Adoption of risk-based authentication (sector-wise)
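The risk-based authentication described on this slide, together with the step-up to a second factor (something the user has) from the smart cards and tokens slide, as an added example that is not part of the PwC deck: a toy scoring policy in Python. The signals (unrecognised device, impossible travel between logins, off-hours access, recent failed attempts), the weights and the thresholds are assumptions chosen for illustration, not figures from the survey; the user profile and login attempts are constructed sample data.

```python
"""Toy risk-based authentication policy (added example, not from the PwC deck).

Each login attempt is scored on a few assumed signals: an unrecognised
device, impossible travel since the previous login (geo-velocity), access
outside the user's usual hours, and recent failed attempts. A low score
passes on the password alone, a medium score steps up to a second factor
(something the user has, e.g. a token or smart card), and a high score is
denied. Weights and thresholds are illustrative assumptions.
"""
from dataclasses import dataclass, field
import math

# Assumed weights and thresholds (not survey figures).
W_UNKNOWN_DEVICE = 30
W_IMPOSSIBLE_TRAVEL = 50
W_OFF_HOURS = 15
W_PER_FAILURE = 10            # capped at MAX_FAILURE_WEIGHT
MAX_FAILURE_WEIGHT = 30
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly airliner speed
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 70


@dataclass
class UserProfile:
    """What the system already knows about the user (behavioural baseline)."""
    known_devices: set = field(default_factory=set)
    last_lat: float = 0.0
    last_lon: float = 0.0
    usual_hours: range = range(6, 20)   # UTC hours the user normally works


@dataclass
class LoginAttempt:
    """Context captured at the moment the password is presented."""
    user: str
    device_id: str
    lat: float
    lon: float
    hour_utc: int
    minutes_since_last_login: float
    failed_attempts_last_hour: int = 0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points."""
    r = 6371.0
    dlat = math.radians(lat2 - lat1)
    dlon = math.radians(lon2 - lon1)
    a = (math.sin(dlat / 2) ** 2
         + math.cos(math.radians(lat1)) * math.cos(math.radians(lat2))
         * math.sin(dlon / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))


def risk_score(attempt, profile):
    """Combine the signals into one integer risk value (higher is riskier)."""
    score = 0
    reasons = []
    if attempt.device_id not in profile.known_devices:
        score += W_UNKNOWN_DEVICE
        reasons.append("unknown device")
    distance = haversine_km(profile.last_lat, profile.last_lon,
                            attempt.lat, attempt.lon)
    if attempt.minutes_since_last_login > 0:
        speed = distance / (attempt.minutes_since_last_login / 60.0)
    else:
        # Same instant from a different place is impossible travel too.
        speed = math.inf if distance > 1.0 else 0.0
    if speed > MAX_PLAUSIBLE_SPEED_KMH:
        score += W_IMPOSSIBLE_TRAVEL
        reasons.append(f"impossible travel ({distance:.0f} km)")
    if attempt.hour_utc not in profile.usual_hours:
        score += W_OFF_HOURS
        reasons.append("off-hours access")
    failure_weight = min(attempt.failed_attempts_last_hour * W_PER_FAILURE,
                         MAX_FAILURE_WEIGHT)
    if failure_weight:
        score += failure_weight
        reasons.append(f"{attempt.failed_attempts_last_hour} recent failures")
    return score, reasons


def decide(attempt, profile):
    """Map the risk score to an action: allow, step_up (second factor) or deny."""
    score, reasons = risk_score(attempt, profile)
    if score >= DENY_THRESHOLD:
        return "deny", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, reasons
    return "allow", score, reasons


if __name__ == "__main__":
    # Constructed sample data: Alice normally logs in from London on laptop-01.
    alice = UserProfile(known_devices={"laptop-01"},
                        last_lat=51.5074, last_lon=-0.1278)
    attempts = [
        LoginAttempt("alice", "laptop-01", 51.5074, -0.1278, 10, 120),
        LoginAttempt("alice", "phone-new", 51.5074, -0.1278, 10, 120),
        LoginAttempt("alice", "phone-new", 40.7128, -74.0060, 3, 60, 2),
    ]
    for a in attempts:
        print(a.device_id, decide(a, alice))
```

The design point is that the password check never changes; the score only decides whether the first factor is enough. A real deployment would tune the weights from the organisation's own login telemetry and log the reasons list alongside each decision so that the step-up and deny events can be reviewed.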

How is authentication on mobile devices being managed?

One area that organisations are increasingly focusing on is enterprise mobility, which enables employees, partners and customers to access and work on the organisation's technology platforms through any secure enabler (laptops, tablets or smartphones).

Chart: How are organisations securing mobile devices? Initiatives organisations have taken to address mobile security risks

Challenges to security

Challenges from within: even with the growing impact that cyber security incidents can have on the entire enterprise, boards of organisations in the country remain oblivious and continue to treat cyber security as an IT problem. The lack of leadership to set a clear direction for the overall information security strategy, along with insufficient capital and operating expenditure, represents the biggest obstacle to improving the overall strategic effectiveness of information security.

Chart: Obstacles in improving overall strategic effectiveness

Challenges to security

Increased dependence on third parties: given today's interconnected business ecosystem, where the amount of data generated and shared with business partners and suppliers is exponentially greater, due diligence of third parties has become a concern. It is worrisome that the focus on third-party security weakened in the past year in some very key areas, even as the number of incidents attributed to 'insiders' increased.

Chart: How respondents are safeguarding relationships with third parties

Security initiatives: emerging technologies

The applications of SMAC (social, mobile, analytics and cloud) technologies have long been debated, but it is about time that Indian companies started leveraging them.

Social media: the ambiguity in calculating the return on social media investments, coupled with the difficulty in understanding the applications of social media in business and leveraging them to generate a profit stream, has led to slow adoption.

Mobile: organisations are now widely adopting enterprise mobility while also taking initiatives to address the risks of its adoption; over 65% of respondents already have a mobile security strategy in place.

Charts: Respondents that audit or monitor employee postings to external blogs or social networking sites; Mobile security initiatives taken by organisations

Security initiatives: analytics

As organisations adopt social media and mobile platforms and the digital footprint of their customers increases, the sheer amount of data that is available for organisations to analyse and use increases exponentially. More and more organisations are using big data analytics for data-driven insights. Over 69% of respondents employ big data analytics to model for and identify information security threats. Almost one-third of respondents use big data analytics as a cloud service.

Charts: Impact of big data analytics on information security; How organisations employ big data analytics

Security initiatives: cloud

Migrating to cloud-based services marks a fundamental shift in the way business is done. With a variety of deployment and service models available, organisations need to develop a sound strategy to manage cloud services. Almost 68% of respondents already use cloud services in some form (SaaS, PaaS or IaaS), although the use of cloud services for file storage and sharing remains the most popular.

Chart: How are organisations using cloud services? India vs global average

Cyber risk management

Organisations in India have been focused on perimeter security. It is only now that there are visible signs of organisations moving from the asset- and technology-centred paradigm for information security to comprehensive cyber-risk management. The first step for all organisations will be to align security spending with the organisation's strategic assets.

Safeguards that are a top priority for respondents in the next 12 months:
- Procedures dedicated to protecting intellectual property (IP): 19.2%
- Programme to identify sensitive assets: 23.0%
- Centralised security information-management processes: 22.6%
- Classification of business value of data: 16.3%
- Risk assessments (on internal systems)
- Risk assessments (on third-party vendors): 26.8%
- Active monitoring/analysis of information security intelligence (e.g., vulnerability reports, log files): 20.5%
- Governance, risk, and compliance (GRC) tools: 26.0%
- Enterprise content-management tools: 22.9%
- Protection/detection management solution for advanced persistent threats (APTs): 28.3%
- Security information and event management (SIEM) technologies: 24.2%

Demographics

Around 30% of our respondents had annual gross revenues of over 1 billion USD, and another 30% (approx.) had revenues between 100 million USD and 1 billion USD. Almost a third of our respondents were small enterprises with annual gross revenues of less than 100 million USD, making it an inclusive survey with a distributed respondent base.

Charts: Respondents by annual gross revenues; Respondents by industry sector

Thank you.

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers Private Limited, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2014 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers Private Limited, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.