2016 Scalar Security Study Roadshow
3. © 2016 Scalar Decisions Inc. Not for distribution outside of intended audience.
Purpose of the Study
- How prepared are Canadian organizations to deal with cyber attacks?
- How have cyber attacks changed over the past year?
- What is the cost of cyber attacks to Canadian organizations?
- What are the most effective ways to reduce cyber security risk?
4. Study Scope
- 100% Canadian
- 654 qualified responses
- Security-savvy respondents
- Medium-to-large organization focused (25% > $1B revenue)
- 18 industries
- Global presence
5. Why Canadian Data Matters
- US studies reveal individual breach costs in the millions
- Regulatory landscape
- Different cyber attack profile in Canada
- Canadian companies differ
  - Size
  - Culture
  - Budgets
  - Access to resources
6. Overall – Lower Confidence
Only 37% of organizations believe they are winning the cyber security war
- Attacker sophistication on the rise
- More attacks reported
- Greater losses of data
- Traditional defenses ineffective
- Lack of advanced technology
- Skill gap persists
7. Attacks on the Rise
Over the last 12 months, cyber security compromises cost organizations roughly $7 Million
- Average 40 incidents per year
- 51% reported lost sensitive data
- Increased concern of cyber crime
- Inside threats specifically concerning
- Targeted attacks on the rise
  - Severity
  - Sophistication
  - Frequency
8. Most Losses Are Indirect
Breakdown of Losses | 2015 | 2014
Cleanup or remediation | $766,667 | $676,023
Lost user productivity | $950,625 | $987,191
Disruption to normal operations | $1,061,818 | $1,101,379
Damage or theft of IT assets and infrastructure | $1,638,663 | $1,533,989
Damage to reputation | $2,647,560 | $2,586,941
Total | $7,065,332 | $6,885,523
- Within each category, 15%-20% of respondents could not estimate the cost
9. Intellectual Property Losses and Competitive Advantage
[Chart: 2015 and 2014 responses in three categories: "Yes, I believe it has caused a loss of competitive advantage"; "No, it hasn't caused a loss of competitive advantage"; "Unsure". Axis: 0% to 40%.]
- 33% reported a loss of IP in the past 24 months
- Criminals were ranked as “most likely” to launch an attack
- Insider threats ranked very important
10. Intellectual Property Losses
[Chart: 2014 and 2015 responses in six categories: Gut feeling; Appearance of copied products or activities; Emergence of new competition; Soured deals or business ventures; Compromised negotiations; Other. Axis: 0% to 70%.]
- Average between $5M and $6M annual losses
- Losses are supported by evidence of damage
- Criminal activity affecting business deals
11. Interesting Data on Advanced Threats
[Chart: Yes / No / Unsure responses, 2015 and 2014. Axis: 0% to 90%.]
- 70% of threats evaded IDS or AV systems
- 82% of respondents reported threats that evaded AV systems
- Confidence in “No” response?
12. Interesting Data on Advanced Threats
[Chart: Web-borne malware attacks 80%; Rootkits 65%; Advanced persistent threats (APTs)/targeted attacks 49%; Spear phishing 48%; Clickjacking 46%.]
- Most threats are considered “advanced”
- Targeted attacks to gain access to data (loss of IP)
- Users as targets
- High number of exploits > 3 months old
13. Interesting Data on Advanced Threats
[Chart: Yes 38%; No 54%; Unsure 8%.]
62%: Cannot confirm that they are able to detect or stop advanced threats
46%: Unsure how to identify APTs as cause of incidents
14. Interesting Data on Advanced Threats
[Chart: 2014 and 2015 responses in five categories: IT downtime; Business interruption; Theft of personal information; Exfiltration of classified or sensitive information; Nothing happened. Axis: 0% to 70%.]
- Overwhelming data that supports losses of data and business interruption
- YET… 29% believe “nothing happened” as a result of APTs
15. Beyond Technology
[Chart: 2014 and 2015 scores for five categories: Insufficient budget (money); Lack of clear leadership; Lack of collaboration with other functions; Lack of in-house expertise; Insufficient personnel. Axis: 0.00 to 4.50.]
- No mention of technology (except lack of budget)
- 93%-95% rank experience as qualifier for experts
- Collaboration important outside of IT function
16. Beyond Technology
[Chart: 2015 and 2014 responses in three categories: Yes, fully aligned; Yes, partially aligned; No, not aligned. Axis: 0% to 45%.]
37% of security strategies NOT aligned with the business
17. Attributes of High Performers
- Less reliance on traditional tools
- Leverage technology to achieve visibility, understanding and control
- More awareness of severity and frequency of attacks
- Align security strategy with business objectives
18. Driving Successful Outcomes
- High performing organizations:
  - More aware of threats
  - Spend more on security
  - Measure ROI on investment
  - Report more attacks
  - Suffer fewer losses
- Beyond the numbers
19. Study Conclusions
- Conduct risk and vulnerability assessments to understand probable attack vectors
- Align security strategy with business objectives, and secure sufficient funding in people, process and technology
- Invest in technologies that provide visibility, understanding and control to detect anomalies in your environment
- Invest in expert skills and specialized training for in-house teams; or consider leveraging an external 3rd party security services firm