Are European companies equipped to fight off cyber security attacks?

è www.steria.com

In collaboration with PAC

Are European companies equipped to fight off cyber security attacks?

A Steria Report

Executive summary

è www.steria.com Are European companies equipped to fight off cyber security attacks? | 3

Digital has opened up new ways of working and interacting socially. It has created open, collaborative and connected virtual environments on top of our physical environments. It has enabled electronic document exchange, mobility, cloud com-puting and social networks. But at the same time, it has opened up new prospects for malevolent acts.

Cyber-related risks are greater than ever. It has been estimated that in 2012 the world saw a staggering 42% increase in targeted attacks compared to 2011, $110 billion worth of financial losses due to cyber attacks and more than $200 billion lost due to online fraud. Attacks are becoming more diverse, complex and professional on a daily basis, with increasingly serious effects on business and finance, as well as on firms’ competitiveness and reputations.

Given this alarming state of affairs, we must ask whether companies have fully grasped the scope of the attacks with which they are increasingly being faced. Are they properly equipped to deal with major crises?

Even if complete protection is not possible, have they put in place the resources, solutions and governance needed to provide the best possible prevention, detection and protection? Do they have access to appropriate resources and offerings from security experts?

Steria has surveyed 270 public and private sector organisations across Europe, lifting the veil on how Europe’s firms are positioned today in terms of cyber security. We have also assessed what short- and medium-term trends these organisations foresee.

To be able to make the most of all the business opportunities in our multi-faceted digital world, the key is to be properly armed for cyberwarfare, without making things too complex or cumbersome.

Patricia Langrand

Executive Vice President Group Business Development

& Marketing, Steria

Florent SkrabaczHead of Security Business, Steria

FOREWORD

4 | Are European companies equipped to fight off cyber security attacks? è www.steria.com

OBJECTIVES AND METHODOLOGY

Steria, a European leader in IT and business services, has worked with Pierre Audoin Consultants (PAC) to publish this independent report on cyber security. The report is based on a survey of 270 security decision-makers in France, the United Kingdom, Germany and Norway. They represent small and medium companies, as well as large organisations working in all areas of activity. In this context, “companies” refers to both private and public-sector organisations. “Large companies” are defined as those with more than 5000 employees.

Except where otherwise stated, all figures used in this report have been taken from this survey. The survey comprises a quantitative phase and a qualitative phase. The quantitative phase draws on 250 telephone interviews conducted as follows: 70 interviews in France, 70 in the UK, 17 in Germany and 40 in Norway.

PAC also conducted 20 in-depth face-to-face interviews. Based on the same questionnaire as the quantitative interviews, these were an opportunity for security decision-makers from large companies and specialised government bodies to discuss their cyber security strategy and how it is implemented.

This report provides an outlook on cyber security strategies and models for the next three years. Its purpose is to reveal how current and future threats are actually perceived by companies in Europe and the appropriateness or otherwise of the resources brought to bear.

Are European companies equipped to fight off cyber security attacks?

Between 500 and 1,000 employees Between 1,000 and 5,000 employees More than 5,000 employees

10%

27%

63%

Figure 1 : Size of organisations surveyed (n = 270)


Banking Insurance Manufacturing

Public sector Retail Services

Telecom Transport Utilities

12%

6%11%

12%

6%

Figure 3 : Distribution by business sector (n = 270)

Norway France UK Germany

Between 500 and 1,000 employees Between 1,000 and 5,000 employees More than 5,000 employees

62%

36%

2%

78%67% 60%

Figure 2 : Distribution by size and country (n = 270)

22%33%40%

6%

6%

20%

21%


EXECUTIVE SUMMARYAs concerns about the impact of cyber security rise in tandem with the uptake of digital technologies, this report sets out to examine where European companies currently stand in their defence of corporate assets and reputations. What measures do they have in place and how great an understanding is there of the scope and scale of cyber-related risks?

The 270 security decision makers who took part in our survey across both public and private sector organisations revealed a number of challenges and opportunities in the corporate fight against cyber crime.

Despite the growing number of external attacks, European companies are still more concerned about internal attacks.

More than 50% of companies still see external attacks as accounting for less than 20% of the threat.

Despite the fact that organised crime and state-sponsored attacks are becoming an increasing and genuine threat, these types of attack are still of relatively little concern to European companies in the short and medium term.

Overall, less than 15% of companies believe that, either currently or in the next three years, they will have to deal with organised crime; less than 6% believe they will have to deal with state-sponsored attacks.

Only the largest organisations are starting to become concerned about this type of attack: 19% of them believe they will be faced with

attacks from organised crime within the next three years, and 18% believe they will be faced with state-sponsored attacks.

Data theft is a major concern and is likely to remain so.

60% of the companies surveyed say that data theft is one of the three most significant risks keeping them awake at night, and is set to remain so over the next three years. The impact of Prism, Bullrun, and Mandiant is clearly evident.

Advanced Persistent Threats (APTs), a three-letter threat that should have heads of security quaking in their boots, has not yet been identified as one of the major risks.

Only 12% of the companies identified APTs as one of the three chief threats. However, 35% of the largest companies are concerned about APTs.

1. European companies have not yet fully grasped the scope of the attacks to which they will be increasingly exposed


European companies are confident about their future security in terms of available resources, funding, and their ability to withstand major risks2.European companies appear extremely unruffled about the prospect of a major security crisis; 90% of them believe they are capable of dealing with one.

One in five of the larger companies identifies a lack of experienced security resources as one of their main risks, but 85% of respondents believe that within the next three years they will have good access to the necessary skills.

Security budgets have not been cut and are likely to remain protected: less than one third of the companies surveyed anticipate cuts. 85% of the respondents are of the opinion that they will have an appropriate security budget over the next three years.

Maintaining these budgets is, however, accompanied by cost control, with cost KPIs in place in over half of the companies surveyed.


It is unclear whether this show of confidence is backed up by reality. Many companies have not taken the most basic ad hoc measures to deal with crises3.24/7 security is not yet standard: only one quarter of the companies surveyed have implemented it. Fewer than half of the largest companies benefit from this level of protection.

As yet, companies have little insurance cover for cyber security risks and have not taken out this type of policy; two thirds of them do not plan to take out specific insurance in the future. Cyber risk insurance has not yet

found its market: policies are seen as being too complex, with too many exclusions.

Changes in cyber security strategy are not predominantly driven by changing cyber risks or the need to protect against cyber threats. Strategic priorities are directed more at risks arising from the use of new information and communication technologies, particularly with mobility and Bring Your Own Device (BYOD) policies.


Companies mostly adopt a self-reliant approach when dealing with risks4.European companies identify a number of structural barriers to outsourcing (security criticality, giving priority to internal resources, etc). Only one in five of the largest companies would have no problem in outsourcing.

There is a perceived lack of maturity in industry offerings: 20% of companies (and one in four large companies) have not yet found the right outsourcing offering for their requirements.

Looking forward, however, companies believe they will be more willing to envisage outsourcing; almost three-quarters of them believe that they will outsource part of their security operations in the future.

The most compelling argument in favour of outsourcing is cost reduction. For companies with over 5000 employees, however, improvements in attack detection rank second.


The relationship between companies and their security partners will need to change in coming years5.Within the next five years, more than one enterprise in four (and more than one large enterprise in three) believe that security is likely to be dealt with mainly by external providers.

Over the same period, co-operation between companies in the same business sectors is predicted to become a reality: 15% of companies think they will end up pooling security resources

with other players in their sector.

“Security as a service” has not yet achieved market maturity. Less than 10% of companies have bought security as a service or plan to do so in 2014. However, companies of all sizes are open to this possibility in the future. Over 40% of all companies have already done so, or plan to do so ultimately.

è www.steria.com

CONCLUSIONS AND RECOMMENDATIONS



Being properly equipped to deal with cyber risks is vital to enable organisations small, medium and large to make the most of all the business opportunities available in a multi-faceted digital world.

There is no such thing as zero risk, but European companies must put in place prevention, detection, protection and response resources commensurate with the actual threat levels.

In view of the growing sophistication of attacks, European companies are still too focused on internal threats, and not concerned enough about new forms of external attack; they have not yet implemented even the most basic resources, for example in order to deal with major crises 24/7.

However, there are some more positive observations.

Firstly, budget decisions still favour security, with budgets in this field remaining intact and likely to do so in the future.

Secondly, the fact that security is currently managed at high levels within companies favours the implementation of ambitious strategies that address business issues.

While security experts clearly still have some way to go in tailoring their outsourcing offerings to client needs and making their solutions better known, improving attack detection is already cited as the second most important reason for outsourcing by major companies, just behind cost reduction.

Awareness of outsourcing is growing – as is the willingness to pool resources. Two thirds of the companies interviewed plan to make use of outsourcing in the future; over one quarter of them believe that five years from now, security will be handled mostly by external partners.

Motives are still largely centred on cost control – the chief criterion for evaluating security performance to date.

It is now up to security experts to demonstrate the effectiveness of their capabilities in terms of attack prevention and detection (as well as response) if they are to persuade Europe’s security decision-makers of the benefits of pooling protection resources.


aa

aa

aaa

Recommendations for optimum cyber security

The above conclusion means that a number of recommendations can be made when it comes to defending the best interests of companies in cyberspace. The following recommendations in particular may be made:

- greater co-operation is needed in Europe between security experts and all other stakeholders in order to create global, joint capabilities and to increase the firepower of European providers

- performance measurement for security should be improved by focusing first and foremost on security itself (number of attacks detected and dealt with, response times, etc). Today, although security budgets have been maintained, the leading KPI is cost control, whereas greater expenditure may actually indicate better protection

- 24/7 operational security management should be provided more systematically

- there is a need to develop professional service offers that are better geared to addressing the twofold challenge of economic performance and security effectiveness, in line with companies’ expectations.

Some industry professionals have already invested heavily to develop top-ranking cyber security capabilities, and are inviting companies to benefit from these. Cooperation between Europe’s security experts and companies is dependent on three factors:

- better support by the experts to help companies understand security issues, diagnostics and the definition of the right governance and resources, in terms of criteria based on efficiency and return on investment

- greater maturity of security implementation models in order to drive a much broader uptake whilst improving practices

- developing innovative technological partnerships within Europe to provide better protection from the most sophisticated attacks (such as APTs) and to respond as quickly as possible.

These recommendations will enable European companies to take hold of the many opportunities offered by every aspect of the digital world, whilst keeping cyber risks under control.

As a result, companies will be able to express cautious confidence in their digital activities and cyber security controls – and, just as importantly, be justified in doing so.


About PAC

Pierre Audoin Consultants (PAC) is a privately held and management-owned research & consulting firm, specialized on the software and ICT services (SITS) industry.

PAC combines detailed knowledge of the local ICT markets in 30+ countries around the globe, with a strong European heritage. At present, PAC is the most reliable source of European IT market intelligence.

With a growing network of 120 industry analysts and consultants around the globe, PAC and its partners ensure local presence in the major IT markets.

For more information, visit: https://www.pac-online.com/



(*): including “SET Trust” and “XEBT Trust” (4.15% of capital)

About Steria

Steria delivers IT enabled business services and is the Trusted Transformation Partner for private and public sector organisations across the globe. By combining in depth understanding of our clients’ businesses with expertise in IT and business process outsourcing, we take on our clients’ challenges and develop innovative solutions to address them efficiently and profitably. Through our highly collaborative consulting style, we work with our clients to transform their business, enabling them to focus on what they do best. Our 20,000 people, working across 16 countries, support the systems, services and processes that make today’s world turn, touching the lives of millions around the globe each day. For more than 20 years, Steria has been the trusted partner of both private businesses and public organisations seeking a security services provider to protect their infrastructures, applications and data. With more than 700 experts throughout Europe, Steria manages every stage of the security lifecycle, from agreeing on a security strategy through to running day-to-day routine tasks. Steria’s deep consulting skills allow the company to recommend the most efficient security policies – and improve clients’ return on investment. Steria’s Advanced Security Operations Centre (SOC) ensures early detection and prevention of the most complex threats, including APTs (Advanced Persistent Threats), as well as an appropriate, proactive response. Steria also delivers digital trust solutions tailored to clients’ specific requirements and business processes: identity and access management and authentication, data protection, cloud security, mobile security and more.

Founded in 1969, Steria has offices in Europe, India, North Africa and SE Asia and a 2012 revenue of €1.83 billion. Over 20%(*) of Steria’s capital is owned by its employees. Headquartered in Paris, Steria is listed on the Euronext Paris market.


Groupe Steria SCA 43-45 Quai du Président Roosevelt 92130 Issy-les-Moulineaux France © Steria

Steria is committed to supporting a sustainable world and is Certified Carbon Neutral for Flight and Fleet Travel

www.steria.comwww.steria.com @Steria_cybersec

Are European companies equipped to fight off cyber security attacks?

Technology

cyber security

european companies

cyber security

faceted digital

cyber security

properly equipped

european companies

external attacks