Cybersecurity Preparedness Benchmark Study_Webex 27 Ocober 2016

Cybersecurity Preparedness Benchmark Study

2Berkeley Research Group - Cybersecurity Preparedness Benchmarking Study

National Cybersecurity Awareness Month (NCSAM)

• This October is the 13th annual National Cyber Security Awareness Month

• As the month comes to a close we hope you will continue to promote a safer, more secure and more trusted internet all year long

• BRG is a proud NCSAM Champion and we encourage everyone to support the 6th anniversary of STOP. THINK. CONNECT.™ NCSAM initiative

• More information can be found @ https://staysafeonline.org/

BRG Overview

Over 1,000 professionals in 37 offices

Study Background

Why the need for cybersecurity benchmarking?

• Financial and non-financial consequences of a successful cyber attack

• Governance and Technology

• Gain understanding how other peers implement Information Security

• Study results from two different points of view:

– overall results across all participants to provide a thorough and balanced view of the current state of Cybersecurity

– an individual assessment for each participant where individual answers are discussed and compared against other study respondents

Study Background

Target group: Executive Management and Board of Directors from different sectors

Survey: 103 Questions, approximately 60 minutes.Online questionnaire; select phone interviews

Timeline: Q1 and Q2 2016

Results: Q3 2016

Participants received: Anonymized evaluation of participant data including indication of their individual answers

Berkeley Research Group - Cybersecurity Preparedness Benchmarking Study

Objectives

Country of Origin

Study Participants

Primary Industry of Organization Title or Level in Organization

Total Employees with Average FTE IT Employees

Strategic Insights

Who does the CISO/CSO report to?

Growing Importance of CISO

of organizations report an

Information Security Officer is in place

How would you rate your organization’s information security culture?

Security Culture

of organizations have a formal

cybersecurity training and awareness program

Rate the effectiveness of your organization’s cyber security program

Cybersecurity Effectiveness

of organizations report that senior managers approach information

security as an enterprise risk-management issue

How would you rate your organization’s cyber security incident response capabilities?

Incident Response Capability

of organizations inform governments and

regulators of cybersecurity breaches

What strategic initiatives has your organization adopted in its security program?

Strategic Initiatives

of organizations do not have a cybersecurity

strategy for the Internet of Things

Board and Executive Leadership

Areas in which the Board of Directors actively participate:

Board Engagement

of organizations report that the Board of Directors actively participate in overall

cybersecurity strategy

Areas board participation has helped improve your organization’s information security program:

Board Influence

How does the board oversee cyber security-related issues?

Board Oversight

How would you rate the organizational leadership support for cybersecurity?

Rate senior management focus on information security

Leadership Support & Focus

How do you measure the effectiveness of the organization’s cyber security program?

Feedback Mechanisms

of organizations rely on auditors, both

internal and external as a measure of their

cybersecurity effectiveness

Managing Security Risk

Has your organization performed a cyber risk appetite assessment?

Has your organization performed a cyber threat assessment?

Cybersecurity Risk Assessments

47%of organizations do

not believe that leadership has a

functional understanding of their

network security

Are there formal security and operational procedures documented?

Documented Procedures

91%of organizations document their cybersecurity policies and procedures

Areas for improvement and awareness programs?

Improvement & Awareness

How often does executive management receive periodical briefings on the state of your organization’s network security system?

Executive Briefings30%of executive

management receive a briefing once every

six months or less

Systems and Controls

Which information security standard and best practice does your organization follow?

Security Standards

of organizations used ISO27001,

with financial services at 43%

Security controls and business continuity plans are tested on a regular basis?

Controls Testing

How often are the security controls of the enterprise systems and interconnected systems reviewed?

29Berkeley Research Group - Cybersecurity Preparedness Benchmark Study

System Reviews24%

of organizations do not routinely test security controls

and business continuity plans on

a regular basis

How often are self-assessments conducted?

Self-assessments30%

of organizations do not routinely undertake self-assessments

How often are external security assessments conducted?

External Assessments

What steps has your organization taken in order to obtain assurances from external service providers and vendors that their security meets standards?

32Berkeley Research Group - Cybersecurity Preparedness Benchmark Study

External Service Providers & Vendors

of organizations have ensured external

service providers and vendor contracts

include provisions for security

Governance and Reporting

Rate your organization’s cyber security risk management program

Risk Management Effectiveness

of organizations somewhat agree that cybersecurity risks

are being considered in business decision

making

of organizations strongly agree that cybersecurity risks

are being considered in business decision

making

Rate your organization’s cyber security Information Governance capabilities

Information Governance Capabilities 56%

of organizations rate their Information

Governance capabilities as

‘slightly’ or ‘somewhat effective’

Rate your company’s information security governance maturity level

IS Governance Maturity

Rate your company’s IT risk management maturity level

IT Risk Management Maturity

CISOCISO

Rate your company’s cloud computing maturity level

Cloud Computing Maturity

of organizations do not allow use of

public cloud services

Does the organization incident response plan outline regulatory and governmental

notification protocols for breaches?

Regulatory & Government Reporting

of organizations are required by

regulatory and government

agencies to disclose system breaches

Breaches and Incidents

What type of breaches did your organization experience?

Type of Cybersecurity Breaches

of organizations do not believe they are well equipped to handle a

breach

of organizations report having experienced a

cybersecurity breach

of organizations report current

employees as the most likely source of cybersecurity breach

incidents

What was the estimated source of data breach incidents?

Sources of Breaches

Type of staff-related incidents the organization experienced?

Staff-related Incidents

Key Observations

Despite a strong focus on cybersecurity culture, many organizations do not believe their cybersecurity programs are fully effective45% of respondents reported that they needed to improve security awareness and training

Current employees are the likely cause behind most cybersecurity breachesRespondents reported that current employees were the likely source of 45% of data breach incidents, followed by 22% of incidents caused by hackers and 13% by former employees

Viruses and malicious software are the most common breaches.Respondents reported that infections from viruses or malicious software accounted for 39% of all data breaches, followed by system failures or data corruption accounting for 35% of breaches

Key Observations

Most organizations do not have strategies for the emerging fields of the Internet of Things or Big Data90% of respondents do not have a cybersecurity strategy for the Internet of Things, and 86% do not have a strategy for Big Data

Organizations lack confidence in their cybersecurity incident response capability65% of respondents reported having a formal cyber incident response plan, and 60% incorporated regulatory and government notification protocols for breaches. However, when asked if their organization was well equipped to handle a cyber breach, 51% of respondents were neutral or disagreed

Organizations anticipate an increase in information security budgets54% of respondents reported that they expected an increase in their 2016 cybersecurity budget. However, 48% of respondents reported they were neutral or disagreed when asked if leadership allocated adequate budget for cybersecurity efforts

Recommendations

• Review and approve the cyber risk appetite and tolerance at board level; • Ensure the board has sufficient cybersecurity expertise and/or access to such

expertise; • Build cybersecurity in to all activities and develop enterprise-wide cyber risk

management strategies and procedures; • Incorporate cybersecurity within business strategy and risk management

frameworks; • Develop procedures to identify and manage cyber risks associated with

outside vendors, suppliers, customers, utilities, and other external organizations and service providers;

• Undertake testing to include the potential for multiple attacks and the impact of interruptions on critical infrastructure;

• Ensure there is a robust cyber resilience and incident response program; • Pro-actively undertake cyber threat intelligence gathering and ongoing

security analytics;• Invest in your people to ensure there is high awareness and ownership for

cybersecurity across the organisation.

The full study is available at:http://www.thinkbrg.com/media/publication/828_CSPBS_Report.pdf

Tony Moroney | Managing Director | International Financial Services

Berkeley Research Group, LLC6 New Street Square, 15th Floor | London, EC4A 3BFD +44 (0) 20 3597 5167 | M +353 87 2556947 | F +44 (0)20 3808 2784tmoroney@thinkbrg.com | thinkbrg.com

Faisal Amin | Director | Benchmarking & Strategic Research

Cybersecurity Preparedness Benchmark Study_Webex 27 Ocober 2016

Documents

CBAO · Web view2018/10/10 · Cybersecurity Preparedness Resource (10. 19. 2018) As part of the FDIC's Community Banking Initiative, the agency is adding to its cybersecurity awareness

State of Cybersecurity in the Banking Sector in …State of Cybersecurity in the Banking Sector in Latin America and the Caribbean 7•In relation to digital security preparedness

Healthcare Cybersecurity Preparedness & Response · cyber resilient, clinical configurations that enable continued clinical operation in the face of cyber-physical hazards, in support

AIMA SASOS OCOBER

ISAO Federal Opportunity Announcement (FOA)...Preparedness and Response (ASPR) on priority issues related to cybersecurity for critical public health infrastructure” (Commitment

The University of Texas at Dallas ( UT Dallas) CyberSecurity and Emergency Preparedness Institute – Erik Jonsson School SARA TITLE III TIER II REPORT ONLINE

THE CONTINUOUS DIAGNOSTIC & MITIGATION PROGRAM FIELD … › wp-content › uploads › 2014 › 06 › The-Co… · combat cyberthreats and improve cybersecurity preparedness. The

Cybersecurity Preparedness and Supply Chain Risk

CYBERSECURITY: AN ANALYSIS OF THE LEGAL LANDSCAPE AND BEST … · of preparedness and ... develop principles and best practices to constructively resolve issues surrounding data security

Volume 33, Issue 19 Ocober 20 The RMP

LEGAL ADVISOR - PilieroMazza · Cybersecurity awareness and preparedness are critical for federal contractors, not just as a matter of compliance, ... for federal contractors designed

about your cybersecurity posture so that you have an ......When it comes to cybersecurity preparedness, most organizations have room for improvement. Each of these questions represents

Committee on Information Technology · Risk Management and Disaster Preparedness City has adopted NIST Cybersecurity Framework (Federal and Industry Standard) •Updated Cybersecurity

50+ - syb.com€¦ · Incident Response Preparedness Checklist Items Written by: Buzz Hillestad, Senior Information Security Consultant at SBS CyberSecurity, LLC and Blake Coe, Vice

EMERGING TECHNOLOGIES IN CYBERSECURITY · EMERGING TECHNOLOGIES IN CYBERSECURITY | Randall Lewis 1 EMERGING TECHNOLOGIES IN CYBERSECURITY ... Cybersecurity and Cybersecurity Technologies

ELECTION INFRASTRUCTURE SECURITY RESOURCE GUIDE...The Cyber Infrastructure Survey (Survey) evaluates the effectiveness of organizational security controls, cybersecurity preparedness,

Cybersecurity: Learn Critical Strategies to Protecting ...€¦ · • LinkedIn, Last.fm and eHarmony breaches called into question those businesses’ cybersecurity preparedness

Cyber Risk Management Services - Alston & Bird · • Conducted a cybersecurity preparedness legal review for a large state bank, assessing its cybersecurity program against guidance

Translating Cybersecurity Preparedness

FDIC Advisory Committee on Community Banking€¦ · best practices to assess their cybersecurity preparedness. These tools include the FFIEC Cybersecurity Assessment Tool, the National