BT Cyber Security Research
Post on 15-Jan-2015
BT Assure. Security that matters
www.bt.com/btassure/securitythatmatters
BT Cyber Security Research Summary
February 2014
© British Telecommunications plc
Research methodology
• Commissioned by BT to examine current priorities in IT security:
  • Explore key themes of shared responsibility between IT and corporate
  • Examine the changing cyber security threats
• 550 online questionnaires carried out by Vanson Bourne in September / October 2013
• Enterprise-sized organisations (>500 employees) across five sectors:
  • Finance
  • Pharmaceuticals
  • Retail
  • Government
  • Other
• Audience type - IT decision-maker
• 7 countries: UK, France, Germany, USA, Brazil, Hong Kong and Singapore
Key themes:
a) Shared responsibility of cyber security across organisations
b) Attitudes towards cyber security threats
c) Responses to cyber security threats
Organisations have some way to go in terms of shared cyber security responsibility...
The importance of cyber security is underestimated
The majority of IT decision-makers (ITDMs) believe that CEOs and board members are underestimating the significance that cyber security plays in their organisation
Respondents that believe their CEO’s attitude towards cyber security is “protection against cyber-attack is an absolute priority” (BASE: all respondents)
• Europe: 20%
• Americas: 44%
• APAC: 28%
“Do you think the board in your company underestimates the importance of cyber security?” (BASE: all respondents)
• Yes: 58%
• No: 42%
ITDMs view those outside of IT as not taking full responsibility for security
Less than a quarter (23%) of those outside the IT department are viewed as taking IT security very seriously, and even fewer (18%) always assess projects with cyber security in mind
This confirms that responsibility for IT security is not shared equally across all facets of the organisation
Respondents that believe that those outside of IT take cyber security very seriously, and that projects are always assessed with security in mind (BASE: all respondents)
• Take cyber security very seriously: 23%
• Always assess projects with security in mind: 18%
Cyber security responsibility falls mainly to the IT department
The CIO / IT director takes ultimate responsibility in the majority of organisations, and is expected to assume different roles in the event of a cyber security breach. Again, this highlights how IT security responsibility is not shared equally across all departments of an organisation
“Who has ultimate responsibility for IT security within your organisation?” (BASE: all respondents)
• CIO/IT Director: 75%
• Individual directors or department heads: 15%
• CEO: 9%
• Other: 1%
Respondents that expect IT to assume the above roles in the event of a major security incident (BASE: all respondents): 57%, 58%, 53%, 50%
Many organisations are looking to change this attitude through education
The majority (58%) of organisations are currently training senior decision-makers in IT security, and an additional 31% are planning to do so in the future
This shows that education in cyber security is becoming the norm for those outside of the IT department, and implies a renewed shared responsibility across organisations
“Are directors and other senior decision-makers in your organisation given training in IT security?” (BASE: all respondents)
• Yes – they are currently receiving training: 58%
• No – but this type of training is in the pipeline: 31%
• No – we have no plans for this type of training: 11%
IT see cyber security as extremely important…
The majority of those in IT see cyber security as a concern to some degree
Most organisations (76%) see cyber security as a major concern, though only 43% are actively strengthening their protection. This varies by region; organisations in the Americas are far more likely to be actively strengthening their protection than other markets
Those that believe that “cyber security is a major concern” cut by region (BASE: all respondents)
• Europe: 28%
• Americas: 59%
• APAC: 48%
“Which of these statements best describes your current view of cyber security?” (BASE: all respondents)
• 43%: Cyber security is a major concern. We are actively strengthening our protection, making significant investments in technology and resources to ensure we minimise the risk of disruption to our business
• 33%: Cyber security is a major concern and the risks are increasing. We're working as hard as we can to stay ahead, but new threats emerge all the time and it's impossible for us to achieve 100% protection regardless of how much we invest
• 19%: Cyber security is a concern, but we're constantly reviewing the risks. With a sound strategy, appropriate resources and good support from our technology suppliers, we're doing everything we can
There are a multitude of concerns and security threats…
Organisations face many challenges
The majority of organisations see IT security challenges in various areas across the business
This concern highlights just how ingrained the issue of cyber security is within organisations - it is affecting many areas, and is causing issues with each of these areas
Areas of potential IT security threat that are considered challenging (BASE: all respondents)
• Preventing data leaked accidentally or intentionally by employees: 66%
• Securing information and data stored on mobile devices: 65%
• Increasing use of personally-owned devices and social media sites: 62%
• Protecting data stored in the cloud: 62%
• Cyber security (including cyber terrorism and cyber crime): 60%
• Preventing or fixing weaknesses within our business systems: 58%
• Industrial or state-sponsored espionage: 56%
• Security in our supply chain systems: 55%
The majority recognise numerous cyber security threats to their organisation
While the majority see many cyber security threats to their organisation currently, both insider threats (malicious and non-malicious) and hacktivism are predicted by the majority to pose more of a risk in the coming 12 months
This highlights how cyber security is a continuing challenge for organisations
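Cyber security threats posing risk now and posing more risk over the coming year (BASE: all respondents)
• Non-malicious insider threat (e.g. accidental loss of data): 65% posing risk now; 51% posing more risk over the next 12 months
• Hacktivism: 63% posing risk now; 54% posing more risk over the next 12 months
• Malicious insider threat (e.g. intentional leaks): 63% posing risk now; 53% posing more risk over the next 12 months
• Organised crime: 53% posing risk now; 47% posing more risk over the next 12 months
• Nation state: 45% posing risk now; 39% posing more risk over the next 12 months
• Terrorism: 39% posing risk now; 38% posing more risk over the next 12 months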
How are cyber security threats being dealt with?
Overhauling and training are the answers
The vast majority (75%) see an overhaul of their IT infrastructure as a way to protect themselves against security threats, followed closely by cyber security best practice training for all staff (74%)
Both methods require a re-education of the business and its practices, though a complete overhaul is a more severe and expensive reaction. Training is less disruptive and more feasible, which explains its popularity
This being said, both methods highlight how organisations need to change in order to deal with numerous cyber security threats
“In an ideal world, what would you do to protect your organisation from cyber threats?” - answers ranked first, second and third (BASE: all respondents)
• Overhaul our infrastructure and design them with security features from the ground up: 75%
• Training all staff in cyber security best practice: 74%
• Engaging an external vendor to monitor the system and prevent attacks: 54%
• Improve whitelisting policies: 49%
• Increase the use of virtualised environments: 47%
• Other: 1%
In summary:
• 58% of IT decision-makers believe that the board underestimates the importance of cyber security
• Only a minority (23%) of those outside the IT department are viewed as taking IT security very seriously
• The CIO / IT director takes ultimate cyber security responsibility in three quarters (75%) of organisations
• Though education is in effect, the majority (58%) of businesses are currently training senior non-IT decision-makers in cyber security, and 31% of organisations are planning to do so
• A significant proportion of organisations (43%) see cyber security as a major concern and are actively strengthening their protection
• Non-malicious insider threats are the most commonly cited concern (65%)
• The vast majority see an overhaul of their IT infrastructure (75%) and cyber security best practice training (74%) as ways to protect themselves against IT security threats