The 2007 Global State Of Information Security Survey conducted by CIO, CSO and PricewaterhouseCoopers is the largest security survey to include New Zealand companies. The survey reached out to nearly 10,000 organisations from 119 different countries. As such, it represents a comprehensive view of security issues, practices, budgets and concerns around the globe and gives us an in-depth context in which to view our domestic results.
One of the most striking findings in the 2007 survey is the large number of organisations unable to report how many security incidents they have suffered in the past 12 months. Nearly 40 per cent of respondents reported they didn’t know how many security incidents they’d suffered. This is a frank reflection by IT leaders of the levels of sophistication attackers are attaining. However, even though local CIOs have considerably smaller budgets for information security and fewer staff allocated to it, you are no more likely to have suffered a security incident than your regional or global peers.
Security policies are largely in place in New Zealand organisations, though not everyone is compliant: 15 per cent of local respondents believe less than half of their users are in compliance with security policies. So whilst organisations might be making headway and implementing policies, processes and technologies, there is still a gap to be bridged in terms of adherence and implementation. Businesses are increasingly aware of the importance of information security, but a significant number of users are creating holes in the security through their non-compliance. And this is not the only area in which those within your organisation may prove to be your biggest security headache. In nearly half of all reported security incidents globally, respondents believed the most likely source of the incident was an employee — the greatest single reported source.
Although many may feel the hard work has been done and policies and technologies have been put in place (only 6 per cent have no written information security policy in place), there is one final reminder thrown up from the survey — the need to keep information security current. Threats are constantly evolving, yet only 34 per cent of New Zealand organisations surveyed have measured and reviewed their security policies in the past 12 months.
Who took part in the survey?
Global respondents in this year’s survey came from almost every industry and every size of organisation imaginable. Domestic respondents to the survey came from across a range of industries (see Graph A), but describing them as predominantly medium and large is a subjective judgement — a large company in New Zealand may not necessarily be thought of as such in North America.
The size of companies from New Zealand was clearly different from the global average and was deliberately skewed towards the enterprise space in this country while still including some 31 per cent of organisations with fewer than 50 employees, thus giving us a valuable cross-section of local organisations.
The major points of difference were at the top and bottom ends of the scale. The 31 per cent with fewer than 50 staff compared with a global total of 13 per cent, while at the other end, 27 per cent of global respondents came from organisations with more than 10,000 staff compared to just 7 per cent domestically in the same bracket. You might think that smaller organisations with lower budgets and fewer staff would be disadvantaged by comparison to larger, richer, better-resourced global corporations, though, as the survey results show, the Kiwi reputation for resourcefulness is well deserved.
Finally by way of background to the survey we should mention those who took part in terms of their function within their own organisations. CIOs might expect their colleagues from elsewhere in the business to have differing views on information security or that those in security-specific roles (prevalent overseas but not so much so locally), may have differing views or experiences.
In NZ 13 per cent of respondents were at CEO/MD level, which was more than double the Asian (5 per cent) or global (6 per cent) numbers and the skew was similar for those in the CIO role too. In NZ, 16 per cent of respondents held the CIO position compared with just 8 per cent in Asia and a global figure of 7 per cent. And in NZ 15 per cent of respondents were network managers but only 8 per cent globally held the same title. And with 10 per cent of respondents globally, compared to just 1 per cent locally, holding a job title including “security”, it would seem that in NZ, responsibility for security is perhaps more diverse than elsewhere.
However, in the place of specialists, NZ has experience: 50 per cent of those surveyed had been in their role for more than five years, compared with just 25 per cent for Asia and 39 per cent globally.
Information security resources: People
The demographics of respondents showed clearly that, by comparison, domestic respondents were from organisations with fewer staff and considerably lower turnovers than the global averages. Unsurprisingly this difference was reflected when we examined the resources allocated to information security. Firstly, we asked respondents how many full-time employees (FTEs) they had within the security department. (At this point many readers may well be asking “What security department?”). The results below present few, if any, surprises but do clearly illustrate the point. What is interesting to note, however, is the regional context for this finding, as the averages across Asia were notably higher than the averages globally. So our neighbours are some of the best-resourced of all.
To give a full picture of staff allocation to IS, the survey also asked respondents about staff dedicated to information security that were not in the security department and again the results followed the same pattern as above. NZ organisations were far more likely to have zero or one person allocated whilst Asian organisations generally were again the best resourced, significantly above the global average. So across Asia where company size of respondent was in line with the global averages, the human resources allocated to security are significantly above average: It is not just lip service being paid to IS.
But when we included outsourced FTEs, it became immediately apparent that domestic organisations too are allocating people to this area and that outsourced employees are playing a significant role in IS in this country.
In NZ the staffing function and the technology is more likely to be outsourced. The outsourcing of security functions was divided into a number of component areas in a similar way to the technology safeguards: Firewalls, data, detection, web/internet and assessments being the various categories. Across all these areas, the results showed NZ organisations are considerably more likely to outsource functions than the global average, a trend that we can tie closely back into the findings regarding allocation of resource, budget and relative size.
To complete the information picture on security staffing we asked about the security safeguards companies had in place relating specifically to people. The key findings were:
- Thirty-two per cent of global companies have a chief information security officer (CISO) — in NZ just 8 per cent do.
- Globally, 28 per cent reported having a chief security officer as did 18 per cent in NZ.
- Twenty-two per cent have a chief privacy officer. NZ figures are higher — 26 per cent.
- Half of all organisations employ security guards or other physical security methods for their information infrastructure, though only 25 per cent of NZ organisations do so.
When we look at the process safeguards organisations have in place to ensure information security, NZ organisations score on the whole as well as, or better than, their global counterparts (see Graph B). From a comprehensive list of 29 different options covering authentication, processes, compliance, assessments and audits, just 13 per cent of NZ organisations had none of the listed options in place, compared with 25 per cent in Asia and 26 per cent globally.
In terms of having secure processes in place around strategy and standards, NZ organisations demonstrate their relative lack of dedicated resources is no hindrance to implementation. Again we see our ICT professionals wearing more hats than perhaps is true elsewhere. Operationally too, the results show that local organisations keep pace with their global peers.
Again, when we examine the assessment and compliance safeguards, NZ organisations come out in line with or ahead of their regional and global counterparts, being more likely to carry out tests, assessments and audits of their security processes. One might expect to find overseas organisations, particularly with the spread of respondents in heavily-regulated North America and Europe, to have more assessment and compliance processes in place, but NZ companies come in significantly ahead of the global and regional averages.
So the data tells us you are being at least as secure as anywhere else, but you are doing it by including it as part of existing workloads. Perhaps not having one single person responsible actually means that more people have to take some responsibility and so security is permeating deeper into the ICT department.
Use of firewalls was evenly spread throughout the regions and showed a very clear preference within organisations primarily to employ network firewalls.
User technology safeguards
For NZ CIOs, it is interesting to note the uptake of biometric user security being employed overseas, particularly in Asia (see Graph C). There, 25 per cent of organisations reported they are currently using it, as opposed to just 9 per cent in NZ. Single sign-on software is also less prevalent in this country, as is the use of smart cards or tokens for authentication. However, user-activity monitoring tools are more prevalent in NZ than elsewhere.
Backup and replication were looked at separately with local and global results in line with each other. With 89 per cent of NZ organisations using backup and 48 per cent using replication/synchronisation solutions, these are relatively well-established practices in the local market.
Intriguingly, encryption is far less widespread in its use as a security solution in NZ than the global or regional averages. In Asia it is particularly widely-adopted, notably above the global average, though local organisations have largely chosen not to employ it. Almost the entire range of forms of encryption surveyed is employed less in NZ than elsewhere. As well, just 17 per cent of domestic respondents said encryption was on their priority list for information security in the coming year.
Domestic and global trends are closely aligned in this area. It is interesting to note that the use of monitoring tools appears to be more prevalent in NZ. Spyware and adware are now on the corporate agenda with a significant majority of organisations across the board reporting these are being monitored.
Scores in this area were lower for all geographies than might perhaps be expected. Sixty-one per cent of organisations in NZ and 55 per cent globally reported using intrusion prevention tools. One of the more basic elements in prevention (locks, keys or other physical security for computer hardware) was reported as being used in just half the organisations surveyed. Yet physical theft remains a major reason for loss of corporate data. Again, in monitoring, NZ organisations scored higher than average with 58 per cent using content filters compared with 47 per cent in the Asian region.
In other areas, VoIP security stands out as an area in which organisations may find there are further steps to be taken. Despite the widespread adoption of VoIP, only 25 per cent of organisations surveyed globally reported using VoIP-specific security.
Are we spending enough?
The survey examined both overall IT budgets and specific information security budgets. The findings included:
- 223 global organisations had IT budgets in excess of US$1 billion. By way of comparison, 31 organisations in this year’s MIS100 had total annual turnovers in excess of $NZ1 billion.
- 56 per cent of NZ organisations had budgets under US$1 million — 42 per cent globally fell into the same category.
- Exactly a quarter of global respondents enjoyed IT budgets over US$5 million annually as did a full 16 per cent of domestic respondents.
- NZ organisations are more likely to know their budget than is the global average. Locally 10 per cent reported not knowing their IT budget, compared with a total figure of 18 per cent.
However, looking at the overall ICT budgets and the dollar totals allocated to security is not a particularly helpful exercise for NZ organisations wishing to benchmark themselves in a global or regional context. As the results have already indicated, there is a significant disparity in organisational size between NZ and the global average, and the same difference of scale is of course repeated in ICT budgets. A far more valid comparison is to examine information security budget as a percentage of the total IT budget (see Graph D).
The real differences highlighted here are that a relatively small number of NZ organisations allocate 25 per cent to 49 per cent of budget and that more NZ organisations are unsure of the proportion of budget allocated to information security.
Most telling, however, is a look at the mean averages.
Globally 15 per cent of IT budget is allocated to information security and the Asian figure is slightly higher still at 18 per cent. For NZ organisations however, the mean figure is substantially lower at 9 per cent. This begs the question: “Are we spending enough on information security?”
As information security continues its way up the corporate agenda, in the future we would expect to see a decrease of the number of companies not knowing their information security budget.
Now we examine the drivers, alignment, and expectations of these budgets (see Graph E).
In a country as geologically challenging as NZ it is unsurprising to see business continuity and disaster recovery rate so highly, being cited by nearly 80 per cent of all respondents. Given recent environmental disasters across the Asian region, however, it is perhaps something of a surprise to see NZ above the regional average, and in a post-September 11th world we might expect the significant number of responses from Europe and North America to raise the global average.
Is information security spending aligned with business objectives?
Only 13 per cent of NZ organisations who took part believe that this is the case, and this suggests we may be in danger of seeing a disconnect between organisational priorities and the resources allocated to achieving them. And this is not down to respondents choosing a neutral view: Thirty per cent of NZ respondents believe information security spending is aligned either poorly or not at all with business objectives. So although 59 per cent said that internal regulatory compliance was driving spending, only 13 per cent see that same spending as being in line with business objectives.
Where to from here?
The expectations of those surveyed for next year’s security spending shows a significant difference between local and global respondents. Significantly, more organisations in NZ expect spending to stay static than to increase, whilst the reverse is true regionally and globally. In NZ, 43 per cent believe that spending will remain static whilst that number is just 23 per cent across the Asian region, and 27 per cent when aggregated globally. Although 34 per cent of NZ organisations expect to see an increase of any magnitude this is relatively pessimistic when compared with nearly half (48 per cent) of respondents across Asia and 44 per cent globally.
The real story
The survey provides a clear picture of the security incidents being experienced by end users in all industries across the globe, rather than the incident reporting we might perhaps see from security vendors. Also, we need to question how complete a picture of incidents the respondents painted — would perhaps an independent audit have revealed more incidents? And at what point did respondents define something as an “incident” — the attempted attack, the successful attack detected later, or the suspected attack? (see Graph F)
The data provides us with a number of interesting points. With a global, regional and local figure of 22 per cent of organisations claiming to have had no security incidents in the previous 12 months, the criteria for defining an incident appears to be reasonably subjective depending on the respondent. Given the increasing sophistication of attacks, the growing malware industry and the well-documented move of organised crime into the online space, there may well be 22 per cent of respondents who believe that they have not suffered any security incidents, but the real figure is most likely quite different. On the other side of this coin we do see a large number of respondents admitting that they simply don’t know how many security incidents have occurred. Globally, 40 per cent of companies admitted not knowing how many incidents had occurred and although the number was substantially lower in NZ at 28 per cent, this result suggests that organisations are well aware of the limitations of their detection processes and technology.
Next we look at the type of incidents being reported or caught. The spread of incident types is even, with only fairly minor variance compared to other results in the survey, except in the case of human exploits. This evenness is perhaps indicative of attackers who are distributed globally and, judging by these results, attack systems regardless of location.
The methods used for attacks show a little more variance than the type of incidents and this raises the question: Are attackers really using different methods to carry out the same attacks? Once again though, the number of respondents admitting to not knowing was high — as much as 40 per cent in NZ and 33 per cent globally. So as we look more closely, the picture is one of many organisations simply not knowing how many attacks are occurring, what type of incidents they are or indeed how they’re being perpetrated.
NZ organisations reported a larger percentage of not knowing what the primary method of attack had been, with this being cited by 40 per cent of respondents. In Asia the figure was 29 per cent, globally it was 33 per cent.
How did you learn of the security events?
NZ organisations reported their intrusion detection system had alerted them to half of all known security incidents. Although that figure dropped to just below 40 per cent regionally and globally, these systems obviously represent a significant addition to the security bow. The next most prevalent way of discovering a security breach came from colleagues within the organisation.
Analysis of server/firewall files and logs accounted for another 40 per cent of responses, further increasing the number of incidents first picked up by internal systems.
However, not all of those incidents picked up were done so internally.
Customers and/or suppliers alerted respondents in 15 per cent of incidents around the world; as many as 10 per cent in NZ (7 per cent globally) were alerted by a government official and, more disturbingly, a further 10 per cent claim to have learned from the media (9 per cent globally). As well, 6 per cent globally claimed to have been alerted to the security incident by the perpetrators themselves.
What impact did these attacks have on your organisation?
A wide range of effects were recorded in this section of the survey, although due to the nature of the question there were slightly fewer responses in this category than in others. As variances between NZ/Asia/global results are therefore statistically slightly less reliable, we will focus instead on the overall trends displayed globally.
Thirty-eight per cent saw reduced speed or unavailability of their networks. Thirty-two per cent reported software applications being altered by the attacker and 23 per cent found that OS programs and files had been altered. Email and application availability was also cited in 23 per cent of cases. So some fairly significant impacts were felt and ones that would have had a direct impact on productivity and availability.
Returning to the theme of data-breach disclosure — one which will continue to be on the agenda in NZ — 18 per cent reported that confidential records had been compromised and 17 per cent cited customer records as having been compromised, an alarming and potentially serious statistic. Identity theft was also cited at 9 per cent. The table below is a breakdown of the impact of the attacks globally:
Given that only 22 per cent of organisations globally reported having no security incidents, it is interesting to note that 30 per cent of those surveyed reported no downtime at all occurring in the previous 12 months as a result of security events. This confirms that increasingly attacks are occurring for criminal reasons, rather than the purely malicious hack. Although downtime comes with an associated dollar cost and as such probably attracts more attention from the Executive, it may well be that it is becoming less relevant as a measure of the impact of security events. Whilst customers both internal and external find downtime an annoyance, it is probably fair to say that breach of the security surrounding their private details would disturb them far more.
The greatest threats
The final piece of the picture to be added was to examine where the attacks were coming from — what did respondents believe was the most likely source of the incidents they reported (see Graph G below). And in this section the results are both revealing and startling. It must be noted that these results represent the estimated likely source of the incidents, and have not been independently verified.
Current employees appear to be a far greater security risk than former employees; in fact twice as great according to global results, and more than three times as great for NZ organisations. It is of particular interest to note that this incidence is in fact higher in global organisations than in NZ, despite the fact that NZ has significantly fewer security-dedicated individuals within its organisations. So the culture of having more people involved with security as part of their jobs, rather than separating the function out, may indeed be reducing the incidence of internal attacks, presumably by virtue of having more stakeholders in the security policy. Hackers were, unsurprisingly, reported as the next most likely source of incident.
Customers, partners and suppliers were cited in a significant number of cases — as high as 22 per cent across the Asian region, although NZ’s individual figure was a little lower at 13 per cent. Combined with service providers, contractors and consultants, the figures rose even further, providing the alarming suggestion that organisations are opening the door to attackers themselves. Overall, we see that the likelihood of an attack coming from someone working for or with your organisation is the greatest threat of all.
More headline-grabbing, although perhaps ultimately of less practical use to IT professionals, was the number of organisations reporting terrorists as the likely source of the security incident.
Globally, “terrorist” was cited by 163 different respondents. This represented 3 per cent of responses in this category, and included the response of one NZ organisation amongst the 49 who cited it across the Asian region.
The last documented attack sanctioned by a foreign government in NZ was back in 1985 and one that all New Zealanders would know well. But in a fairly dramatic revelation, foreign governments were cited as the estimated likely source of the incident by more than one organisation here in New Zealand. And across all respondents to the survey, foreign governments were suspected in more than 150 individual instances.
Next month: Part two of the 2007 Global Information Security Survey results, focusing on global developments and their implications for New Zealand.
Forsyth Thompson is enterprise publisher of CIO and Computerworld New Zealand. He was previously Business Development Manager of Fairfax Business Research in the UK.