BreachExchange mailing list archives

The dirty war on information security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 24 Sep 2013 00:10:05 -0600

http://www.voxy.co.nz/business/dirty-war-information-security/5/168289

Organisations are raising the bar to protect themselves from information
security risks, but losing the battle against adversaries who are doing
even more, according to The Global State of Information Security Survey
2014, released today by PwC.

In conjunction with CIO and CSO magazines, the global survey asked more
than 9,600 business, security and IT executives to describe the information
security threats their organisations face and how they are defending
themselves.

PwC Security and Technology Partner Colin Slater says, "Businesses are
being outpaced and outsmarted by determined attackers who are deploying the
latest technologies to cause harm.

"Encouragingly, organisations are spending more and recognise the
importance of information security, yet need to stop fighting security
battles of today with the tools and strategies of yesterday to increase
their effectiveness."

This year’s survey found the number of security incidents detected in the
past 12 months has increased by 25% over last year, while the average
financial costs of incidents are up 18%.

"New Zealand businesses should pay heed to these global findings. We may be
geographically isolated, but in this online and digitally connected world
we’re just as vulnerable to threats as businesses in the US, UK, Australia
or China.

"We can’t afford to be naive to the risks we face as the costs and
complexities of responding to attacks continue to rise. Looking at the
recent public sector focus, The Government CIO has been instrumental in
establishing a stronger understanding of the relative issues. We can look
at this approach as something to elevate the thinking and help us get at
least onto the curve of understanding these risks," adds Mr Slater.

Alarmingly, it was found that financial losses are accelerating sharply among
those that report a high-dollar value impact: respondents who reported
losses of US$10 million-plus have increased by more than 50% since 2011.

"New models of information security strategies and practices are needed to
be better prepared. This also means coming to the realisation that
safeguarding everything to the same threat level is no longer possible.
Businesses need to identify and prioritise what’s most important to them
and focus their resources on protecting that," says Mr Slater.

In today’s elevated threat landscape, PwC recommends organisations rethink
their security strategy so that it is integrated with business needs and
prioritised by business leaders.

"Eighty percent of respondents told us their information security spend is
aligned to business objectives. It suggests business leaders are beginning
to understand how IT security impacts their bottom line. But business
leaders need to go a step further and create a culture of security
awareness throughout their organisations to increase knowledge and
vigilance. Collaboration, with those inside and even outside your business,
is becoming a key weapon in fighting back."

Another key security risk is the adoption of mobile technology tools, such
as smart phones, tablets and the proliferation of cloud computing services.
Efforts to implement mobile security programs continue to trail the
increasing use of mobile devices, while of the 47% of respondents who use
cloud computing only 18% say they have policies for governing its use.

"Technology and how we use it is constantly evolving. We need to find the
optimal point between being afraid to adopt new technologies that will
increase our competitive positions, and seriously addressing security
implications," says Mr Slater.

Respondents say the top three obstacles to improving security are:
insufficient capital funding, a lack of vision on how future business needs
will impact security, and a lack of leadership from the CEO or Board.

"Surprisingly, CEOs were most likely to name themselves as the greatest
obstacle to improving their organisation's information security practices,
with the majority of CFOs in agreement," concludes Mr Slater.

Most respondents cite insiders, particularly current or former employees,
as a source of security incidents. And while many believe nation-states
cause the most threats, only 4% of respondents cited them, whereas 32%
pinpoint hackers as a source of outsider security incidents.

To explore the survey findings by industry and region, visit
www.pwc.co.nz/gsiss2014.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/