BT Assure. Security that matters
BT Assure: ‘Rethink the Risk’ Research Summary
Ray Stanton, Vice President, BT Advise (The Professional Services Unit of BT Global Services)
7th June 2012, Amsterdam
Oct 31, 2014
Agenda & Objective of session
• Insight into key research findings
• BYOD phenomenon
• Key Themes
• Key Findings
• Take-a-ways & BT opinion
• Objective
• Bring new research to the table
• Table independent views
• Put forward BT Opinion
• Stimulate more informed discussion.
© BT plc 2012
Objective of Research: Examine current priorities in corporate IT security on the key topics of ‘bring-your-own-device’, cyber-security and on-demand services.
Key outtakes:
a) Pressure to take advantage of new technologies for productivity and competitive advantage; BYOD has shown the most significant development;
b) Excitement over the possibilities and benefits, but limited awareness of the security implications;
c) IT departments see the risks, but struggle to manage them within established corporate security frameworks.
Research methodology
• 2,000+ online questionnaires carried out by Vanson Bourne in March / April 2012 commissioned by BT
• Contrast views and expectations of employees with plans and priorities of IT decision-makers in enterprises across public and key private sectors.
• Enterprise-size organisations (>1,000 employees) across five sectors: FMCG, Finance, Logistics, Pharmaceuticals and Government.
• Four audience types: Office workers (1,000), IT decision makers (860), Finance decision makers (150) and HR decision makers (150).
• Eleven countries: UK, France, Germany, Spain, Italy, Benelux, USA, Brazil, China, India and Singapore.
The risk landscape continues changing, fast...
Emerging threats already rank alongside established cyber-security challenges
Chart: Number of respondents rating each of these threat areas as “challenging” or “very challenging” (BASE: IT respondents). Threat areas shown: Industrial or state-sponsored espionage; Security in our supply chain systems; Preventing or fixing weaknesses within our business systems; Increasing use of personally-owned devices and social media sites; Preventing data leaked by employees; Cybersecurity. Values shown on the chart: 53%, 57%, 57%, 61%, 68%, 68% (the value-to-bar pairing is not preserved in the extracted text).
• Employees leaking data, BYOD and a mobile workforce are in the same threat league as cyber-security
Focussing on why BYOD presents unprecedented challenges
Priority concerns before introducing BYOD
Chart: Question asked: Which of these factors/concerns did you have to deal with before being able to allow employees to use their personally-owned devices for work purposes? (BASE: IT respondents). Bars, in the order extracted: Security issues (malware, viruses etc); The complexity/cost of the set-up for multiple devices; The potential threat to our IP; Increased data usage/mobile expenditure. Values, in the order extracted: 74%, 50%, 42%, 30%.
• IT decision-makers need to tackle a range of issues before they feel able to introduce a BYOD policy.
Employees recognise the rewards but not the risks
• 42% of employees using their own device for work believe they are more efficient and productive, but…
Chart: How big a risk to company security do you perceive using your personal device in a work context to be? (BASE: Employees): No risk 32%; Neutral 43%; A significant risk 25%.
• 1 in 3 employees see “no risk” in using their own device in a work context.
Chart: Do employees generally recognise the risk to company security that using a personal device in a work context could represent? (BASE: IT respondents): No, not at all 9%; Not all of them 80%; Yes, all of them do 11%.
• Only 1 in 10 IT decision-makers think all BYOD users recognise the risks.
Global perspectives on BYOD
Research without insight is useless, so context…
Source: Gartner Reimagining IT - The 2011 CIO Agenda
The BYOD ‘genie’ is out of the bottle
• 60% of employees say their companies allow them to connect personally-owned devices for work purposes.
• In the UK, however, this drops to 37%; it rises to 80% in India and 92% in China.
• 46% of the remainder would like to be able to use their personal devices for work.
• More importantly:
• The level of use stated by employees is higher than IT decision-makers acknowledge in company-sanctioned BYOD adoption.
• Interestingly, organisations in China (53%), Brazil (51%) and the USA (50%) are the most likely to have formal BYOD policies in place,
• while the countries least likely to already have a policy are Italy (25%), the UK (31%) and Germany (34%).
Understanding the BYOD challenge further
• Providing focussed security infrastructure to support BYOD has had the greatest impact in the USA, with every aspect scoring between 62% and 89%;
• 15% say the cost of BYOD is unclear; this more than doubles in the UK and Benelux to 38%.
• 31% of the total surveyed reported a net cost; in China and India this reaches 53% and 50% respectively, so while they may appear to be top of the game, it is costing them.
• 47% globally think BYOD may threaten auditing and compliance obligations; this reaches 60% in the UK and 65% in India.
• 73% of IT decision-makers in India (almost double the average of 39%) admit they have had a security breach due to an unauthorised device. This is also high in Singapore (58%) and Brazil (49%).
Varying levels of oversight
• Only 43% are actively monitoring for people using their own device on the network.
• A third (33%) can tell immediately if an authorised user misuses their device.
• IT decision-makers in China have the greatest vigilance on their corporate network: 79% say they can tell immediately if an unauthorised device is connected to their network, and 71% can tell if an authorised user misuses their device.
Chart: Can you tell if someone is using an unauthorised device on the system? (BASE: IT respondents with a BYO policy). Responses (No / Yes – but not immediately / Yes – immediately) shown per country: UK, France, Germany, Spain, Italy, Benelux, USA, Brazil, China, India, Singapore.
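The survey asks whether IT can tell when an unauthorised device joins the network. As an added example (not part of the BT deck), the following script shows one concrete form that "actively monitoring" can take: DHCP lease records are parsed and each device is checked against a corporate asset inventory and a register of sanctioned BYOD devices, so that anything on neither list is flagged. The log format, MAC addresses, hostnames, inventory and BYOD register are all constructed sample data.

```python
"""Added example (not from the BT deck): flag devices on the network that are
neither corporate-inventory machines nor registered BYOD devices, from
DHCP-style lease log lines.

All data here is constructed: the log format, timestamps, MAC addresses,
hostnames, the inventory and the BYOD register are hypothetical sample values.
"""
import re
from dataclasses import dataclass

# Constructed sample log in a dhcpd-like "DHCPACK" format.
SAMPLE_LOG = """\
2012-06-07T09:01:12 dhcpd: DHCPACK on 10.0.5.21 to 00:1a:2b:3c:4d:01 (LAPTOP-FIN-017) via eth0
2012-06-07T09:03:40 dhcpd: DHCPACK on 10.0.5.22 to 00:1a:2b:3c:4d:02 (LAPTOP-HR-004) via eth0
2012-06-07T09:05:02 dhcpd: DHCPACK on 10.0.5.23 to 3c:5a:b4:aa:bb:cc (iPhone-de-Jan) via eth0
2012-06-07T09:07:55 dhcpd: DHCPACK on 10.0.5.24 to 00:1a:2b:3c:4d:03 (LAPTOP-IT-031) via eth0
2012-06-07T09:09:10 dhcpd: DHCPACK on 10.0.5.25 to d8:3c:69:11:22:33 (android-9f2e) via eth0
2012-06-07T09:11:37 dhcpd: DHCPNAK on 10.0.5.26 to 00:1a:2b:3c:4d:99 via eth0
"""

# Constructed corporate asset inventory: MAC -> owning team.
INVENTORY = {
    "00:1a:2b:3c:4d:01": "finance-team",
    "00:1a:2b:3c:4d:02": "hr-team",
    "00:1a:2b:3c:4d:03": "it-team",
}

# Constructed register of personal devices sanctioned under the BYOD policy.
BYOD_REGISTERED = {"3c:5a:b4:aa:bb:cc": "jan.devries"}

LEASE_RE = re.compile(
    r"^(?P<ts>\S+) dhcpd: DHCPACK on (?P<ip>\d+(?:\.\d+){3}) "
    r"to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) \((?P<host>[^)]*)\)"
)


@dataclass(frozen=True)
class Lease:
    ts: str
    ip: str
    mac: str
    host: str


def parse_leases(text):
    """Parse DHCPACK lines; other record types (e.g. DHCPNAK) are ignored."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if m:
            # Normalise MAC case so lookups do not depend on how the server logs it.
            leases.append(Lease(m["ts"], m["ip"], m["mac"].lower(), m["host"]))
    return leases


def classify(lease, inventory=INVENTORY, byod=BYOD_REGISTERED):
    """'corporate', 'byod-registered', or 'unknown' (sanctioned by neither list)."""
    if lease.mac in inventory:
        return "corporate"
    if lease.mac in byod:
        return "byod-registered"
    return "unknown"


def find_unauthorised(text, inventory=INVENTORY, byod=BYOD_REGISTERED):
    """Leases that should raise an alert: devices on neither sanctioned list."""
    return [l for l in parse_leases(text) if classify(l, inventory, byod) == "unknown"]


def summarise(text, inventory=INVENTORY, byod=BYOD_REGISTERED):
    """Count of leases per category, for a daily oversight report."""
    counts = {"corporate": 0, "byod-registered": 0, "unknown": 0}
    for lease in parse_leases(text):
        counts[classify(lease, inventory, byod)] += 1
    return counts


if __name__ == "__main__":
    for lease in find_unauthorised(SAMPLE_LOG):
        print(f"ALERT unknown device {lease.mac} ({lease.host}) got {lease.ip} at {lease.ts}")
    print(summarise(SAMPLE_LOG))
```

Run against the sample log, the only alert is the Android handset that is on neither list. A MAC-based inventory check is a cheap first signal, not a control: MAC addresses can be changed by the device owner, so in practice this kind of report sits alongside 802.1X/NAC and device certificates rather than replacing them.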
It’s not just our own network anymore…
• Connectivity and ubiquitous access have changed the landscape of business and therefore security perimeters, dramatically;
• What was once not permitted and unthinkable is now routine;
• The adoption of innovative new tools is being pulled through from our most senior executives, rather than pushed by IT;
• The risk of abuse and attack has multiplied along with this massive expansion.
Our response has to be adaptive, flexible, agile and responsible. Saying no is no longer an option. We must rethink the risk.
Source:http://www.intel.com/content/dam/www/public/us/en/documents/best-practices/intel-it-annualperformance-report-2011-12.pdf
Source: KPMG Data Loss Barometer
Some simple, real tips in our opinion
• Carry out real surveys on your business needs with regards to BYOD, do not ignore the obvious;
• Adopt interim policies for usage, and engage the user community in developing these;
• Provide focussed security infrastructure to support;
• Drive awareness campaigns which engage the user community, not the ‘thou shall not do’ approach;
• Adapt, improvise, overcome.
In summary, an opinion and take-a-ways
Our opinion
• Information risk frontier management is even more essential to controlling business risk, including the risks related to ensuring agility;
• Compliance management will focus more on compliance with established security programme expectations as external forces are incorporated into the fabric of corporate security services;
• Capability maturity management of security operations will be necessary to ensure full realisation of business investments.
Take-aways / food for thought:
• The impact of a lack of engagement from business lines is clearly an issue we all need to address;
• Without proactive relationship and stakeholder management, and the ability to engage business stakeholders, CISOs will have a passive role and voice in business/organisational direction;
• Exploiting change to drive security will require new thinking, new approaches, and trust in strategic providers.
But before I go… just in case you’re worried…
Hot off the press… you can read:
• http://www.kryogenix.org/days/2012/06/06/how-i-checked-whether-my-linkedin-password-was-leaked
• And you can (could!) download the file (note: 115 MB): http://205.196.122.52/qq8a90aq89rg/n307hutksjstow3/SHA1.txt_1.rar
• The common view at this moment is that you can try to check whether your password was one of those leaked (it’s a bit of a fiddle, as the file contains hashes and needs some reverse engineering, but it can be done);
• Good practice says change the password, and change it anywhere else you have used, or think you have used, it!
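The "fiddle" referred to above is that the leaked file holds SHA-1 digests rather than passwords, so checking your own password means hashing it the same way and looking the digest up. The script below is an added example, not from the deck or the linked blog post: it builds a small constructed "dump" from a few well-known weak passwords (the real file is not used), indexes it, and reports whether a candidate password appears, without the plaintext ever being written anywhere. The handling of entries whose first five hex characters have been masked to 00000 is an assumption about the dump format made for this example.

```python
"""Added example (not from the deck or the linked blog post): check whether a
password appears in a leaked list of unsalted SHA-1 hashes, without writing
the plaintext anywhere.

The "leak" below is constructed from a few well-known weak passwords so the
example is self-contained; the real file is not used. Handling of entries
whose first five hex characters are masked to 00000 is an assumption about
the dump format made for this example.
"""
import hashlib

MASK = "00000"
HEX = set("0123456789abcdef")


def sha1_hex(password):
    """Unsalted SHA-1 hex digest, which is what such dumps typically contain."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample dump: two full hashes and one with its prefix masked.
_FULL_PLAINTEXTS = ["password", "123456"]
_MASKED_PLAINTEXT = "qwerty"
SAMPLE_LEAK = "\n".join(
    [sha1_hex(p) for p in _FULL_PLAINTEXTS]
    + [MASK + sha1_hex(_MASKED_PLAINTEXT)[len(MASK):]]
) + "\n"


def load_leak(text):
    """Index the dump: full digests in one set, masked entries (35-char suffix) in another."""
    full, masked = set(), set()
    for line in text.splitlines():
        h = line.strip().lower()
        if len(h) != 40 or any(c not in HEX for c in h):
            continue  # skip blank or malformed lines
        if h.startswith(MASK):
            masked.add(h[len(MASK):])
        else:
            full.add(h)
    return full, masked


def password_leaked(password, full, masked):
    """Return 'exact', 'masked' (matched on the unmasked 35 characters) or None."""
    h = sha1_hex(password)
    if h in full:
        return "exact"
    if h[len(MASK):] in masked:
        return "masked"
    return None


def check_from_prompt(full, masked):
    """Interactive use: read the password without echo and report the outcome."""
    import getpass
    result = password_leaked(getpass.getpass("Password to check: "), full, masked)
    return result or "not found"


if __name__ == "__main__":
    full, masked = load_leak(SAMPLE_LEAK)
    print(check_from_prompt(full, masked))
```

The check is a plain set lookup precisely because the hashes are unsalted: one SHA-1 per candidate is all it takes to match a digest, for the account owner and for anyone else holding the file alike, which is why the advice on the slide (change the password, and change it everywhere you reused it) is the part that matters.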
BT Assure. Security that matters
www.bt.com/btassure/securitythatmatters