BT Cyber Security Research

BT Assure Security that matters www.bt.com/btassure/securitythatmatters

description

Our research has shown that organizations still have a long way to go in terms of shared cyber security responsibilities, and the importance of cyber security is underestimated.

Transcript of BT Cyber Security Research

Page 1: BT Cyber Security Research

BT Assure. Security that matters

www.bt.com/btassure/securitythatmatters

Page 2: BT Cyber Security Research

BT Assure. Security that matters

BT Cyber Security Research Summary

February 2014

Page 3: BT Cyber Security Research

© British Telecommunications plc

Research methodology

• Commissioned by BT to examine current priorities in IT security:

  • Explore key themes of shared responsibility between IT and corporate

  • Examine the changing cyber security threats

• 550 online questionnaires carried out by Vanson Bourne in September / October 2013

• Enterprise-sized organisations (>500 employees) across five sectors:

  • Finance

  • Pharmaceuticals

  • Retail

  • Government

  • Other

• Audience type - IT decision-maker

• 7 countries: UK, France, Germany, USA, Brazil, Hong Kong and Singapore

Page 4: BT Cyber Security Research


Key themes:

a) Shared responsibility of cyber security across organisations

b) Attitudes towards cyber security threats

c) Responses to cyber security threats


Page 5: BT Cyber Security Research


Organisations have some way to go in terms of shared cyber security responsibility...


Page 6: BT Cyber Security Research


The importance of cyber security is underestimated

The majority of IT decision-makers (ITDMs) believe that CEOs and board members are underestimating the significance that cyber security plays in their organisation

Respondents that believe their CEO’s attitude towards cyber security is “protection against cyber-attack is an absolute priority” (BASE: all respondents):

• Europe: 20%

• Americas: 44%

• APAC: 28%

“Do you think the board in your company underestimates the importance of cyber security?” (BASE: all respondents):

• Yes: 58%

• No: 42%

Page 7: BT Cyber Security Research


ITDMs view those outside of IT as not taking full responsibility for security

Less than a quarter (23%) of those outside the IT department are viewed as taking IT security very seriously, and even fewer (18%) always assess projects with cyber security in mind

This confirms that responsibility for IT security is not shared equally across all facets of the organisation

Respondents that believe that those outside of IT take cyber security very seriously, and that projects are always assessed with security in mind (BASE: all respondents):

• Take cyber security very seriously: 23%

• Always assess projects with security in mind: 18%

Page 8: BT Cyber Security Research


Cyber security responsibility falls mainly to the IT department

The CIO / IT director takes ultimate responsibility in the majority of organisations, and is expected to assume different roles in the event of a cyber security breach. Again, this highlights how IT security responsibility is not shared equally across all departments of an organisation

“Who has ultimate responsibility for IT security within your organisation?” (BASE: all respondents):

• CIO/IT Director: 75%

• Individual directors or department heads: 15%

• CEO: 9%

• Other: 1%

Respondents that expect IT to assume the above roles in the event of a major security incident (BASE: all respondents): 57%, 58%, 53%, 50%

Page 9: BT Cyber Security Research


Many organisations are looking to change this attitude through education

• Yes – they are currently receiving training: 58%

• No – but type of training is in the pipeline: 31%

• No – we have no plans for this type of training: 11%

The majority (58%) of organisations are currently training senior decision-makers in IT security, and an additional 31% are planning to do so in the future

This shows that education in cyber security is becoming the norm for those outside of the IT department, and implies a renewed shared responsibility across organisations

“Are directors and other senior decision-makers in your organisation given training in IT security?” (BASE: all respondents)

Page 10: BT Cyber Security Research


IT see cyber security as extremely important…


Page 11: BT Cyber Security Research


The majority of those in IT see cyber security as a concern to some degree

Most organisations (76%) see cyber security as a major concern, though only 43% are actively strengthening their protection. This varies by region; organisations in the Americas are far more likely to be actively strengthening their protection than other markets

Those that believe that “cyber security is a major concern” cut by region (BASE: all respondents):

• Europe: 28%

• Americas: 59%

• APAC: 48%

“Which of these statements best describes your current view of cyber security?” (BASE: all respondents):

• 43%: Cyber security is a major concern. We are actively strengthening our protection, making significant investments in technology and resources to ensure we minimise the risk of disruption to our business

• 33%: Cyber security is a major concern and the risks are increasing. We're working as hard as we can to stay ahead, but new threats emerge all the time and it's impossible for us to achieve 100% protection regardless of how much we invest

• 19%: Cyber security is a concern, but we're constantly reviewing the risks. With a sound strategy, appropriate resources and good support from our technology suppliers, we're doing everything we can

Page 12: BT Cyber Security Research


There are a multitude of concerns and security threats…


Page 13: BT Cyber Security Research


Organisations face many challenges

The majority of organisations see IT security challenges in various areas across the business

This concern highlights just how ingrained the issue of cyber security is within organisations - it is affecting many areas, and is causing issues with each of these areas

Areas of potential IT security threat that are considered challenging (BASE: all respondents):

• Preventing data leaked accidentally or intentionally by employees: 66%

• Securing information and data stored on mobile devices: 65%

• Increasing use of personally-owned devices and social media sites: 62%

• Protecting data stored in the cloud: 62%

• Cyber security (including cyber terrorism and cyber crime): 60%

• Preventing or fixing weaknesses within our business systems: 58%

• Industrial or state-sponsored espionage: 56%

• Security in our supply chain systems: 55%

Page 14: BT Cyber Security Research


The majority recognise numerous cyber security threats to their organisation

While the majority see many cyber security threats to their organisation currently, both insider threats (malicious and non-malicious) and hacktivism are predicted by the majority to pose more of a risk in the coming 12 months

This highlights how cyber security is a continuing challenge for organisations

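Cyber security threats posing risk now and posing more risk over the coming year (BASE: all respondents):

• Non-malicious insider threat (e.g. accidental loss of data): 65% posing risk now; 51% posing more risk over the next 12 months

• Hacktivism: 63% posing risk now; 54% posing more risk over the next 12 months

• Malicious insider threat (e.g. intentional leaks): 63% posing risk now; 53% posing more risk over the next 12 months

• Organised crime: 53% posing risk now; 47% posing more risk over the next 12 months

• Nation state: 45% posing risk now; 39% posing more risk over the next 12 months

• Terrorism: 39% posing risk now; 38% posing more risk over the next 12 months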

Page 15: BT Cyber Security Research


How are cyber security threats being dealt with?


Page 16: BT Cyber Security Research


Overhauling and training are the answers

The vast majority (75%) see an overhaul of their IT infrastructure as a way to protect themselves against security threats, followed closely by cyber security best practice training for all staff (74%)

Both methods require a re-education of the business and its practices, though a complete overhaul is a more severe and expensive reaction. Training is less disruptive and more feasible, which explains its popularity

This being said, both methods highlight how organisations need to change in order to deal with numerous cyber security threats

“In an ideal world, what would you do to protect your organisation from cyber threats?” - answers ranked first, second and third (BASE: all respondents):

• Overhaul our infrastructure and design them with security features from the ground up: 75%

• Training all staff in cyber security best practice: 74%

• Engaging an external vendor to monitor the system and prevent attacks: 54%

• Improve whitelisting policies: 49%

• Increase the use of virtualised environments: 47%

• Other: 1%

Page 17: BT Cyber Security Research


In summary:

• 58% of IT decision-makers believe that the board underestimates the importance of cyber security

• Only a minority (23%) of those outside the IT department are viewed as taking IT security very seriously

• The CIO / IT director takes ultimate cyber security responsibility in three quarters (75%) of organisations

• Though education is in effect, the majority (58%) of businesses are currently training senior non-IT decision-makers in cyber security, and 31% of organisations are planning to do so

• A significant proportion of organisations (43%) see cyber security as a major concern and are actively strengthening their protection

• Non-malicious insider threats are the most commonly cited concern (65%)

• The vast majority see an overhaul of their IT infrastructure (75%) and cyber security best practice training (74%) as ways to protect themselves against IT security threats

Page 18: BT Cyber Security Research

BT Assure. Security that matters

www.bt.com/btassure/securitythatmatters