2016 Scalar Security Study Roadshow

Toronto
February 25, 2016
2016 Security Roadshow

The 2016 Scalar Security Study

© 2016 Scalar Decisions Inc. Not for distribution outside of intended audience. 3
Purpose of the Study
§ How prepared are Canadian
organizations to deal with cyber attacks?
§ How have cyber attacks changed over
the past year?
§ What is the cost of cyber attacks to
Canadian organizations?
§ What are the most effective ways to
reduce cyber security risk?

Study Scope
§ 100% Canadian
§ 654 qualified responses
§ Security-savvy respondents
§ Medium-to-large organization focused
(25% > $1B revenue)
§ 18 industries
§ Global presence

Why Canadian Data Matters
§ US studies reveal individual breach
costs in the millions
§ Regulatory landscape
§ Different cyber attack profile in Canada
§ Canadian companies differ
§ Size
§ Culture
§ Budgets
§ Access to resources

Only 37%
of organizations believe they are winning
the cyber security war
§ Attacker sophistication on the rise
§ More attacks reported
§ Greater losses of data
§ Traditional defenses ineffective
§ Lack of advanced technology
§ Skill gap persists
Overall – Lower Confidence

$7 Million
Over the last 12 months, cyber security
compromises cost organizations roughly
§ Average 40 incidents per year
§ 51% reported lost sensitive data
§ Increased concern of cyber crime
§ Inside threats specifically concerning
§ Targeted attacks on the rise
§ Severity
§ Sophistication
§ Frequency
Attacks on the Rise

© 2016 Scalar Decisions Inc. Not for distribution outside of intended audience.
Most Losses Are Indirect
Breakdown of Losses 2015 2014
Cleanup or remediation $766,667 $676,023
Lost user productivity $950,625 $987,191
Disruption to normal operations $1,061,818 $1,101,379
Damage or theft of IT assets and infrastructure $1,638,663 $1,533,989
Damage to reputation $2,647,560 $2,586,941
Total $7,065,332 $6,885,523
§ Within each category 15%-20% of
respondents could not estimate the cost

Intellectual Property Losses and Competitive Advantage
36%
33%
31%32%
30%
38%
0%
5%
10%
15%
20%
25%
30%
35%
40%
Yes, I believe it has
caused a loss of
competitive advantage
No, it hasn't caused a
loss of competitive
advantage
Unsure
2015
2014
§ 33% reported a
loss of IP in the
past 24 months
§ Criminals were
ranked as “most
likely” to launch
an attack
§ Insider threats
ranked very
important

Intellectual Property Losses
59%
43%
33%
30%
19%
7%
65%
46%
30%
33%
15%
8%
0% 10% 20% 30% 40% 50% 60% 70%
Gut feeling
Appearance of copied products or
activities
Emergence of new competition
Soured deals or business ventures
Compromised negotiations
Other
2014
2015
§ Average between
$5M and $6M
annual losses
§ Losses are
supported by
evidence of
damage
§ Criminal activity
affecting business
deals

Interesting Data on Advanced Threats
70%
26%
4%
77%
20%
3%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
Yes No Unsure
2015
2014
§ 70% of threats
evaded IDS or
AV systems
§ 82% of
respondents
reported threats
that evaded AV
systems
§ Confidence in
“No” response?

80%
65%
49%
48%
46%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90%
Web-borne malware attacks
Rootkits
Advanced persistent threats
(APTs)/targeted attacks
Spear phishing
Clickjacking
§ Most threats are
considered
”advanced”
§ Targeted attacks
to gain access to
data (loss of IP)
§ Users as targets
§ High number
exploits > 3
months old

38%
54%
8%
0%
10%
20%
30%
40%
50%
60%
Yes No Unsure
62%
Cannot confirm that they
are able to detect nor stop
advanced threats
46%
Unsure how to identify
APTs as cause of incidents

60%
55%
44%
41%
29%
56%
49%
42%
38%
36%
0% 10% 20% 30% 40% 50% 60% 70%
IT downtime
Business interruption
Theft of personal information
Exfiltration of classified or sensitive
information
Nothing happened
2014
2015
§ Overwhelming
data that
supports losses
of data and
business
interruption
§ YET… 29%
believe “nothing
happened” as a
result of APTs

Beyond Technology
3.54
3.13
2.18
2.00
1.75
3.94
2.89
1.90
1.67
2.05
0.00 0.50 1.00 1.50 2.00 2.50 3.00 3.50 4.00 4.50
Insufficient budget (money)
Lack of clear leadership
Lack of collaboration with other
functions
Lack of in-house expertise
Insufficient personnel
2014
2015
§ No mention of
technology (except
lack of budget)
§ 93%-95% rank
experience as
qualifier for experts
§ Collaboration
important outside
of IT function

Beyond Technology
25%
33%
37%
23%
31%
40%
0%
5%
10%
15%
20%
25%
30%
35%
40%
45%
Yes, fully aligned Yes, partially aligned No, not aligned
2015
2014
37%
Of Security Strategies NOT
aligned with the business

§ Less reliance on traditional tools
§ Leverage technology to achieve
visibility, understanding and control
§ More awareness of severity and
frequency of attacks
§ Align security strategy with business
objectives
Attributes of High Performers

§ High performing organizations:
§ More aware of threats
§ Spend more on security
§ Measure ROI on investment
§ Report more attacks
§ Suffer fewer losses
§ Beyond the numbers
Driving Successful Outcomes

Study Conclusions
§ Conduct risk and vulnerability assessments to understand probable attack vectors
§ Align security strategy with business objectives, and secure sufficient funding in
people, process and technology
§ Invest in technologies that provide visibility understanding and control to detect
anomalies in your environment
§ Invest in expert skills and specialized training for in-house teams;; or consider
leveraging an external 3rd party security services firm

2016 Scalar Security Study Roadshow

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to 2016 Scalar Security Study Roadshow (20)

More from Scalar Decisions (18)

Recently uploaded (20)

2016 Scalar Security Study Roadshow