2016 Scalar Security Study Roadshow

Toronto February 25, 2016 2016 Security Roadshow

Upload: scalar-decisions

Post on 15-Apr-2017


TRANSCRIPT

Page 1: 2016 Scalar Security Study Roadshow

Toronto, February 25, 2016

2016 Security Roadshow

Page 2: 2016 Scalar Security Study Roadshow

The 2016 Scalar Security Study

Page 3: 2016 Scalar Security Study Roadshow

© 2016 Scalar Decisions Inc. Not for distribution outside of intended audience. 3

Purpose of the Study

§ How prepared are Canadian organizations to deal with cyber attacks?

§ How have cyber attacks changed over the past year?

§ What is the cost of cyber attacks to Canadian organizations?

§ What are the most effective ways to reduce cyber security risk?

Page 4: 2016 Scalar Security Study Roadshow


Study Scope

§ 100% Canadian

§ 654 qualified responses

§ Security-savvy respondents

§ Medium-to-large organization focused (25% > $1B revenue)

§ 18 industries

§ Global presence

Page 5: 2016 Scalar Security Study Roadshow


Why Canadian Data Matters

§ US studies reveal individual breach costs in the millions

§ Regulatory landscape

§ Different cyber attack profile in Canada

§ Canadian companies differ

§ Size

§ Culture

§ Budgets

§ Access to resources

Page 6: 2016 Scalar Security Study Roadshow


Overall – Lower Confidence

Only 37% of organizations believe they are winning the cyber security war

§ Attacker sophistication on the rise

§ More attacks reported

§ Greater losses of data

§ Traditional defenses ineffective

§ Lack of advanced technology

§ Skill gap persists

Page 7: 2016 Scalar Security Study Roadshow


Attacks on the Rise

Over the last 12 months, cyber security compromises cost organizations roughly $7 Million

§ Average 40 incidents per year

§ 51% reported lost sensitive data

§ Increased concern of cyber crime

§ Inside threats specifically concerning

§ Targeted attacks on the rise

§ Severity

§ Sophistication

§ Frequency

Page 8: 2016 Scalar Security Study Roadshow


Most Losses Are Indirect

Breakdown of Losses                                2015          2014
Cleanup or remediation                             $766,667      $676,023
Lost user productivity                             $950,625      $987,191
Disruption to normal operations                    $1,061,818    $1,101,379
Damage or theft of IT assets and infrastructure    $1,638,663    $1,533,989
Damage to reputation                               $2,647,560    $2,586,941
Total                                              $7,065,332    $6,885,523

§ Within each category 15%-20% of respondents could not estimate the cost

Page 9: 2016 Scalar Security Study Roadshow


Intellectual Property Losses and Competitive Advantage

[Chart: 2015 vs. 2014 responses, axis 0% to 40%. Categories: "Yes, I believe it has caused a loss of competitive advantage"; "No, it hasn't caused a loss of competitive advantage"; "Unsure". Data labels as extracted: 36%, 33%, 31%, 32%, 30%, 38%.]

§ 33% reported a loss of IP in the past 24 months

§ Criminals were ranked as “most likely” to launch an attack

§ Insider threats ranked very important

Page 10: 2016 Scalar Security Study Roadshow


Intellectual Property Losses

[Chart: 2014 vs. 2015 responses, axis 0% to 70%. Categories: Gut feeling; Appearance of copied products or activities; Emergence of new competition; Soured deals or business ventures; Compromised negotiations; Other. Data labels as extracted: 59%, 43%, 33%, 30%, 19%, 7%; 65%, 46%, 30%, 33%, 15%, 8%.]

§ Average between $5M and $6M annual losses

§ Losses are supported by evidence of damage

§ Criminal activity affecting business deals

Page 11: 2016 Scalar Security Study Roadshow


Interesting Data on Advanced Threats

[Chart: 2015 vs. 2014 responses, axis 0% to 90%. Categories: Yes; No; Unsure. Data labels as extracted: 70%, 26%, 4%; 77%, 20%, 3%.]

§ 70% of threats evaded IDS or AV systems

§ 82% of respondents reported threats that evaded AV systems

§ Confidence in “No” response?

Page 12: 2016 Scalar Security Study Roadshow


Interesting Data on Advanced Threats

[Chart: axis 0% to 90%. Categories: Web-borne malware attacks; Rootkits; Advanced persistent threats (APTs)/targeted attacks; Spear phishing; Clickjacking. Data labels as extracted: 80%, 65%, 49%, 48%, 46%.]

§ Most threats are considered “advanced”

§ Targeted attacks to gain access to data (loss of IP)

§ Users as targets

§ High number exploits > 3 months old

Page 13: 2016 Scalar Security Study Roadshow


Interesting Data on Advanced Threats

[Chart: axis 0% to 60%. Categories: Yes; No; Unsure. Data labels as extracted: 38%, 54%, 8%.]

62% cannot confirm that they are able to detect or stop advanced threats

46% unsure how to identify APTs as cause of incidents

Page 14: 2016 Scalar Security Study Roadshow


Interesting Data on Advanced Threats

[Chart: 2014 vs. 2015 responses, axis 0% to 70%. Categories: IT downtime; Business interruption; Theft of personal information; Exfiltration of classified or sensitive information; Nothing happened. Data labels as extracted: 60%, 55%, 44%, 41%, 29%; 56%, 49%, 42%, 38%, 36%.]

§ Overwhelming data that supports losses of data and business interruption

§ YET… 29% believe “nothing happened” as a result of APTs

Page 15: 2016 Scalar Security Study Roadshow


Beyond Technology

[Chart: 2014 vs. 2015 scores, axis 0.00 to 4.50. Categories: Insufficient budget (money); Lack of clear leadership; Lack of collaboration with other functions; Lack of in-house expertise; Insufficient personnel. Data labels as extracted: 3.54, 3.13, 2.18, 2.00, 1.75; 3.94, 2.89, 1.90, 1.67, 2.05.]

§ No mention of technology (except lack of budget)

§ 93%-95% rank experience as qualifier for experts

§ Collaboration important outside of IT function

Page 16: 2016 Scalar Security Study Roadshow


Beyond Technology

[Chart: 2015 vs. 2014 responses, axis 0% to 45%. Categories: Yes, fully aligned; Yes, partially aligned; No, not aligned. Data labels as extracted: 25%, 33%, 37%, 23%, 31%, 40%.]

37% of Security Strategies NOT aligned with the business

Page 17: 2016 Scalar Security Study Roadshow


Attributes of High Performers

§ Less reliance on traditional tools

§ Leverage technology to achieve visibility, understanding and control

§ More awareness of severity and frequency of attacks

§ Align security strategy with business objectives

Page 18: 2016 Scalar Security Study Roadshow


Driving Successful Outcomes

§ High performing organizations:

§ More aware of threats

§ Spend more on security

§ Measure ROI on investment

§ Report more attacks

§ Suffer fewer losses

§ Beyond the numbers

Page 19: 2016 Scalar Security Study Roadshow


Study Conclusions

§ Conduct risk and vulnerability assessments to understand probable attack vectors

§ Align security strategy with business objectives, and secure sufficient funding in people, process and technology

§ Invest in technologies that provide visibility, understanding and control to detect anomalies in your environment

§ Invest in expert skills and specialized training for in-house teams; or consider leveraging an external 3rd party security services firm

Page 20: 2016 Scalar Security Study Roadshow

Thank You