2016 scalar security study roadshow
TRANSCRIPT
TorontoFebruary 25, 2016
2016 Security Roadshow
The 2016 Scalar Security Study
© 2016 Scalar Decisions Inc. Not for distribution outside of intended audience. 3
Purpose of the Study
§ How prepared are Canadian organizations to deal with cyber attacks?
§ How have cyber attacks changed over the past year?
§ What is the cost of cyber attacks to Canadian organizations?
§ What are the most effective ways to reduce cyber security risk?
© 2016 Scalar Decisions Inc. Not for distribution outside of intended audience. 4
Study Scope
§ 100% Canadian§ 654 qualified responses§ Security-savvy respondents§ Medium-to-large organization focused
(25% > $1B revenue)§ 18 industries§ Global presence
© 2016 Scalar Decisions Inc. Not for distribution outside of intended audience. 5
Why Canadian Data Matters
§ US studies reveal individual breach costs in the millions
§ Regulatory landscape§ Different cyber attack profile in Canada§ Canadian companies differ
§ Size§ Culture
§ Budgets
§ Access to resources
© 2016 Scalar Decisions Inc. Not for distribution outside of intended audience. 6
Only 37%of organizations believe they are winning the cyber security war
§ Attacker sophistication on the rise§ More attacks reported§ Greater losses of data§ Traditional defenses ineffective§ Lack of advanced technology§ Skill gap persists
Overall – Lower Confidence
© 2016 Scalar Decisions Inc. Not for distribution outside of intended audience. 7
$7 MillionOver the last 12 months, cyber security compromises cost organizations roughly
§ Average 40 incidents per year§ 51% reported lost sensitive data§ Increased concern of cyber crime§ Inside threats specifically concerning§ Targeted attacks on the rise
§ Severity§ Sophistication
§ Frequency
Attacks on the Rise
© 2016 Scalar Decisions Inc. Not for distribution outside of intended audience.
Most Losses Are Indirect
Breakdown of Losses 2015 2014
Cleanup or remediation $766,667 $676,023
Lost user productivity $950,625 $987,191
Disruption to normal operations $1,061,818 $1,101,379
Damage or theft of IT assets and infrastructure $1,638,663 $1,533,989
Damage to reputation $2,647,560 $2,586,941
Total $7,065,332 $6,885,523
§ Within each category 15%-20% of respondents could not estimate the cost
© 2016 Scalar Decisions Inc. Not for distribution outside of intended audience.
Intellectual Property Losses and Competitive Advantage
36%33%
31%32%30%
38%
0%
5%
10%
15%
20%
25%
30%
35%
40%
Yes, I believe it has caused a loss of
competitive advantage
No, it hasn't caused a loss of competitive
advantage
Unsure
2015
2014
§ 33% reported a loss of IP in the past 24 months
§ Criminals were ranked as “most likely” to launch an attack
§ Insider threats ranked very important
© 2016 Scalar Decisions Inc. Not for distribution outside of intended audience.
Intellectual Property Losses
59%
43%
33%
30%
19%
7%
65%
46%
30%
33%
15%
8%
0% 10% 20% 30% 40% 50% 60% 70%
Gut feeling
Appearance of copied products or activities
Emergence of new competition
Soured deals or business ventures
Compromised negotiations
Other
2014
2015
§ Average between $5M and $6M annual losses
§ Losses are supported by evidence of damage
§ Criminal activity affecting business deals
© 2016 Scalar Decisions Inc. Not for distribution outside of intended audience.
Interesting Data on Advanced Threats
70%
26%
4%
77%
20%
3%0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
Yes No Unsure
2015
2014
§ 70% of threats evaded IDS or AV systems
§ 82% of respondents reported threats that evaded AV systems
§ Confidence in “No” response?
© 2016 Scalar Decisions Inc. Not for distribution outside of intended audience.
Interesting Data on Advanced Threats
80%
65%
49%
48%
46%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90%
Web-borne malware attacks
Rootkits
Advanced persistent threats (APTs)/targeted attacks
Spear phishing
Clickjacking§ Most threats are
considered ”advanced”
§ Targeted attacks to gain access to data (loss of IP)
§ Users as targets§ High number
exploits > 3 months old
© 2016 Scalar Decisions Inc. Not for distribution outside of intended audience.
Interesting Data on Advanced Threats
38%
54%
8%
0%
10%
20%
30%
40%
50%
60%
Yes No Unsure
62%Cannot confirm that they are able to detect nor stop advanced threats
46%Unsure how to identify APTs as cause of incidents
© 2016 Scalar Decisions Inc. Not for distribution outside of intended audience.
Interesting Data on Advanced Threats
60%
55%
44%
41%
29%
56%
49%
42%
38%
36%
0% 10% 20% 30% 40% 50% 60% 70%
IT downtime
Business interruption
Theft of personal information
Exfiltration of classified or sensitive information
Nothing happened
2014
2015
§ Overwhelming data that supports losses of data and business interruption
§ YET… 29% believe “nothing happened” as a result of APTs
© 2016 Scalar Decisions Inc. Not for distribution outside of intended audience.
Beyond Technology
3.54
3.13
2.18
2.00
1.75
3.94
2.89
1.90
1.67
2.05
0.00 0.50 1.00 1.50 2.00 2.50 3.00 3.50 4.00 4.50
Insufficient budget (money)
Lack of clear leadership
Lack of collaboration with other functions
Lack of in-house expertise
Insufficient personnel
2014
2015
§ No mention of technology (except lack of budget)
§ 93%-95% rank experience as qualifier for experts
§ Collaboration important outside of IT function
© 2016 Scalar Decisions Inc. Not for distribution outside of intended audience.
Beyond Technology
25%
33%
37%
23%
31%
40%
0%
5%
10%
15%
20%
25%
30%
35%
40%
45%
Yes, fully aligned Yes, partially aligned No, not aligned
2015
2014
37%Of Security Strategies NOT aligned with the business
© 2016 Scalar Decisions Inc. Not for distribution outside of intended audience. 17
§ Less reliance on traditional tools§ Leverage technology to achieve
visibility, understanding and control§ More awareness of severity and
frequency of attacks§ Align security strategy with business
objectives
Attributes of High Performers
© 2016 Scalar Decisions Inc. Not for distribution outside of intended audience. 18
§ High performing organizations:§ More aware of threats
§ Spend more on security§ Measure ROI on investment
§ Report more attacks§ Suffer fewer losses§ Beyond the numbers
Driving Successful Outcomes
© 2016 Scalar Decisions Inc. Not for distribution outside of intended audience. 19
Study Conclusions
§ Conduct risk and vulnerability assessments to understand probable attack vectors
§ Align security strategy with business objectives, and secure sufficient funding in people, process and technology
§ Invest in technologies that provide visibility understanding and control to detect anomalies in your environment
§ Invest in expert skills and specialized training for in-house teams;; or consider leveraging an external 3rd party security services firm
Thank You