Strong Cyber Security drives growth & innovation - Cyber Security: The Innovation Accelerator report - Vodafone NZ
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Strong Cyber Security drives growth & innovation Cyber Security: The Innovation Accelerator report Global research into the links between strong cyber security and business decision-making, growth and innovation The future is exciting. Ready?
Cyber Security in 2017
86 %
of high-growth companies
believe that having strong cyber
security enables new business
opportunities
89 %
of businesses said that
improving their cyber security
would enhance customer
loyalty and trust
41 %
of businesses are unsure
who can help with cyber
security challenges
87 %
of businesses expect
that their security
budget will increase
over the next three
yearsForeword When digital is everywhere, cyber security is everywhere. This is the dawning realisation that governments, businesses and individuals are starting to accept. This simple message is fundamentally changing how nations defend themselves, how data privacy is regulated and how enterprises are re-inventing themselves as digital businesses. It is also changing how global cyber crime cartels are operating, targeting data and disrupting operations for financial gain. While we have been conducting this ground-breaking research, organisations have been hit by massive ransomware attacks, digital currency thefts have reached unprecedented levels and data disclosures have strained international relations. The UN and Europol estimate that in 2016 the global cyber crime industry overtook the global illicit drug trade to be worth $445bn. Organised crime has changed its behaviour to take advantage of the shift to a data-driven economy, but how are enterprises of all sizes responding to the cyber challenges of this new reality? This is the fundamental question we are hoping to answer in this report – Cyber Security: The Innovation Accelerator – which details the findings of our global research. We are excited to share some stunning insights and highlight not only the risks facing us, but also how winning organisations are harnessing cyber security to drive growth and provide competitive differentiation. Thank you for reading our report. We look forward to working together to create a safe and secure digital world for all. Andrzej Kawalec Group Head of Enterprise Cyber Security Strategy & Innovation
Contents Executive summary 05 Methodology 07 Contributors 08 About the findings 09 Successful businesses believe that having strong cyber security will drive their future success 10 Increasing threats are driving cyber security as customer expectations rise 13 Cyber security is supporting growth and innovation projects 16 Businesses that use cloud computing and the Internet of Things approach security differently 18 Businesses are concerned about security threats but are struggling to find the solutions 20 The next generation of security decision-makers is digitally savvy and customer focused 25 Our view of the future 28 Recommendations 31 About Vodafone 33 Expert contributors 34 Vodafone contributors 37
Cyber Security: The Innovation Accelerator Executive summary 5
Executive summary
Strong cyber security is becoming increasingly essential for all
businesses, with 78% believing it is of high strategic importance.
The objective of this research was to understand the link between
business decision-making and cyber security – to what extent are
a business’s success and its ability to innovate affected by cyber
issues today? Here are six key findings.
Successful businesses believe A reputation for effective cyber security
that having strong cyber security is having a profoundly positive impact on
customers – building loyalty and trust,
will drive their future success attracting more business and protecting
Businesses that are growing in revenue company reputations. Strong cyber security
have a refreshingly different approach to is giving businesses confidence that they
cyber security. They believe it’s an enabler are ready for the future.
of growth, innovation, new business
opportunities, and digital transformation.
The management teams of growth businesses 89%
understand that investment in strong cyber of businesses said that
security creates confidence to undertake improving their cyber
business initiatives that drive growth, security would enhance
innovation and differentiation. They also customer loyalty and trust
see that cyber security can enable many
customer benefits, such as the acquisition
of new customers from competitors who
Cyber security is supporting
may not prioritise cyber security. growth and innovation projects
Businesses are embarking on a wide range
of transformation and innovation initiatives,
86% including digitalisation and flexible working.
Security is often considered when making
of high-growth companies
believe that having strong decisions – almost always for individual
cyber security enables new projects – but it’s being seriously neglected
business opportunities for important projects by some organisations,
placing them at risk.
Increasing threats are driving
cyber security as customer 99%
expectations rise of businesses that are
Strong cyber security is increasingly planning expansion
important and businesses want it intrinsically activities consider security
embedded into systems and networks from
the start. The worsening threat landscape
is the biggest driver for investment, as
organisations plan to increase their security
budget to combat it.Cyber Security: The Innovation Accelerator Executive summary 6
Businesses that use innovation The next generation of security
technologies such as cloud decision-makers is digitally savvy
computing and the Internet of Things and customer focused
(IoT) approach security differently The next generation of security decision-
More than anyone else, the growing number makers is digitally savvy and customer
of cloud and IoT adopters see security as an focused, with high expectations for cyber
enabler of new opportunities, not a barrier to security. These under 35 year old security
progress, and a source of financial benefits. decision-makers are more likely to work for
Businesses embracing innovative technologies digital businesses, are threat aware, believe
are also more likely to consider that they have in automation and understand that cyber
state-of-the-art security. security enables them to innovate and
drive growth transformation and customer
benefits. But there is also some evidence
7% of complacency among the next generation.
more financial benefits
from having strong cyber
security for adopters of 91%
the cloud of under 35-year old
decision-makers expect
24% cyber security budgets
will need to rise over
more financial benefits the next three years to
for IoT adopters meet the toughening
challenges
Businesses are struggling
to find solutions to the security
threats they face Strong cyber security
Businesses are concerned by the is becoming increasingly
essential for all businesses with
consequences of something going wrong and
78 %
many believe their cyber security is not yet
strong enough. Losing critical data, network
breaches and reputational damage are the top
three fears. Regulation and compliance issues believing that it is of high
– punishable with imprisonment or fines for strategic importance
large offences – are also top of mind, but the
responses of many businesses are slow.
More than
Security decision-makers are having difficulty other businesses,
finding solutions and often don’t know who the growing number
of cloud and IoT
can help. These problems can be more acute adopters see security
for smaller businesses, which have fewer as an enabler of new
in-house cyber security skills. opportunities
41%
said they were unsure who
could help with information
security challengesMethodology
In the second quarter of 2017, Vodafone directors and business owners where those
devised and commissioned a brand new individuals made or influenced their business’s
global security study. It explores the influence cyber security decisions.
of cyber security on business decision-
making, the actions companies are taking to 94% of the interviews were carried out
improve security and what impact that action in the following sectors: technology and
(or lack of) is having on their organisations’ media, manufacturing, financial and business
success and plans for the future. services, construction and engineering,
public sector, education, retail, healthcare
1,434 cyber security decision-makers and pharmaceutical, with a range of industry
and influencers were interviewed, including sectors accounting for the remaining 6%.
small, medium sized, and large companies
operating in single and multiple countries. A further ten in-depth interviews were
61% of interviews were carried out with carried out by telephone to uncover
businesses of fewer than 250 employees, additional detailed insight into
and 39% of interviewees with businesses businesses’ cyber security decision-
of 250 employees or more. making. A range of comments from these
businesses are included in the report. As the
The research, using an online quantitative subject matter is often sensitive, we have
methodology, covered North America, provided appropriate levels of anonymity
Europe and Asia through interviews in eight for the respondents.
countries (USA, UK, Ireland, Germany,
Spain, Italy, India and Singapore). This report describes the findings from the
research, supplemented by Vodafone’s
These decision-makers often worked perspective and commentary from a panel
specifically in security and/or IT teams, and of cyber security industry experts.
in smaller businesses they also includedCyber Security: The Innovation Accelerator Contributors 8
Contributors
We have worked closely with a team of industry experts from a range of countries
and functions to provide their valued additional perspective on the research findings
in this report. We thank them for their contributions and insight and have included
their biographies later in the report. They are:
Mike Sapien Chief analyst, Ovum Andrzej Kawalec Group Head of Enterprise
Cyber Security Strategy & Innovation, Vodafone
Steve Durbin Managing Director of the
Information Security Forum (ISF) Maureen Kaplan Group Head of Enterprise
Cyber Security Sales, Vodafone
Colin Robbins Innovation Director, Nexor
Jonathan Hughes Group Head of Enterprise
Piers Wilson Head of Product Management, Cyber Security Operations, Vodafone
Huntsman Security, and Director, Institute
of Information Security Professionals (IISP)
Martyn Boston Managing Director of Genesis
IA and Director, Institute of Information
Security Professionals (IISP)
The Institute of Information Security
Professionals, (the IISP) is an independent,
non-profit body with the principal objective
of advancing the professionalism of
information security practitionersCyber Security: The Innovation Accelerator About the findings 9
About the findings
This report reveals the key findings of Vodafone’s global research into cyber
security. We asked a broad range of questions to 1,434 security decision-
makers from businesses of all sizes across the globe. Our goal was to better
understand the link between business decision-making and cyber security –
to what extent are cyber issues affecting and influencing businesses?
In the following chapters, we examine the results from the research
and also offer our view of the future:
The link between The benefits and The role cyber security
having strong cyber business drivers has to play in business
security and of having strong innovation, growth
business success cyber security and transformation
How adopters of cloud Challenges, Learnings from the
computing and IoT threats and risks next generation
see cyber security of cyber security
differently decision-makersCyber Security: The Innovation Accelerator Cyber security and business success 10
Successful businesses
believe that having strong
cyber security will drive
their future success
Growth businesses understand “Security enables business by building
that cyber security is an enabler trust, reinforcing reputation, allowing
of new business opportunities remote working and cloud adoption,
Around the world, the clear majority of enabling automation and defined
businesses are seeing cyber security as processes that are less reliant on humans
an enabler of business opportunities and and more consistent and auditable,”
innovation: 73% of companies believe that comments Piers Wilson, a director of the
information security is an enabler of new IISP and head of product management
business opportunities, rather than a barrier. for Huntsman Security. “Security should
inform and support business decision-
There is however a clear difference in making to balance risk and reward: there
attitude between companies whose revenue is a risk in not doing something at all, just
is shrinking and those whose revenue is as there is in doing something insecurely.”
growing, with a positive correlation between
viewing cyber security as an enabler and Companies in the technology and media
business growth. sector (78%), businesses in India (84%)
Among businesses whose revenue shrank and C-level IT leaders (81%) are even more
over the last 12 months, just 57% believe likely to view cyber security as an enabler
having strong cyber security enables new of new business opportunities.
business opportunities. This compares with
77% of companies whose revenue grew over The management teams of
the last 12 months, and a massive 86% of growth businesses are more
high-growth companies (that is, those whose
revenue increased by more than 10% over
likely to have bought into the
the last 12 months). need for strong cyber security
Businesses that are growing are more
Percentage of businesses that say likely to have management that supports
strong cyber security enables new the development of strong cyber security.
business opportunities Among companies whose revenue is
shrinking, 57% say they have senior
management that ‘actively supports
and encourages better cyber security
measures’. However, this figure increases
57% 77% 86% sharply to 81% for growth companies
and 84% for high-growth companies.
Declining Increasing High revenue
revenue revenue growth*
Change in revenue in the last 12 months
* over 10%Growth businesses expect a Businesses based in the USA have the highest
greater range of financial benefits financial expectations from cyber security: with
an average of 6.7 significant financial benefits.
from improving cyber security Companies that are expecting to see the
Growth businesses have a markedly more largest number of benefits from cyber security
positive view of what strong cyber security are putting their money where their mouth is:
can do for them. High-growth businesses say companies planning to increase their cyber
they expect to see an average of 6.7 significant security budget by at least one-half over the
financial benefits from improving their cyber next three years are expecting an average
security, with growth businesses expecting an of 5.8 financial benefits.
average of 5.3 significant financial benefits.
Financial benefits include enhanced customer Growth businesses are
loyalty, attracting new customers, the ability committing to cyber security
to launch new products and services and
Growth businesses are investing in and
greater agility (see the full list of the expected
making cyber security an integral part of their
financial benefits on page 14).
ICT budget. This is likely to explain why these
In contrast, businesses that are losing revenue businesses are witnessing such a broad range
expect to get just 3.9 significant financial of financial benefits.
benefits out of improving their cyber security,
which suggests that they should apply greater Spending more than 10% of their IT
focus to how cyber security could enable and mobile communications budget
their business to turn around. A UK security
on cyber security
decision-maker said:
“I spoke to a customer today who had the
option of a low cost – which is like £1,000
– or the high cost option – which was 53% 78% 86%
£70,000 – and he had to go back to his
finance guys to justify £69,000.
Declining Increasing High revenue
If anything goes wrong with that £1,000 revenue revenue growth
solution, he could well lose millions. If it
works, everything is great and if it doesn’t
work then they have to consider that risk.”Cyber Security: The Innovation Accelerator Cyber security and business success 12
Benefits that businesses said they expect Growth businesses are
from having strong cyber security: implementing appropriate
policies
For the business: Growth businesses are also benefitting from
the application of cyber security policies
• Being able to apply for more to protect their business. High-growth
new contracts that require high businesses have an average of 4.7 security
security standards policies in place that are updated and tested
• Ability to launch new services regularly, compared with 4.0 for growth
and products businesses and 3.0 for shrinking businesses.
• Lower business risk Such cyber security policies could cover
• Greater business agility necessities and new ways of working like
flexible working, or they could govern bring-
• Greater business efficiency your-own device, business continuity and
breach action plans.
From greater productivity: Not only does the implementation, testing
and updating of these policies protect the
• Confidence to allow remote and flexible business concerned but strong policies are
working by staff also likely to help increase the financial
• Improved staff productivity benefits stated above.
• Reduced costs of downtime/clean-up Piers Wilson (Head of Product Management,
Huntsman Security, and Director, IISP), warns
of the dangers of employees bringing their
From increased customer confidence: own devices and tools into the workplace
without adequate policies in place.
• Enhanced customer loyalty and trust
• Better reputation “Yes of course it brings risk. For one
• Attracting new customers from thing, these devices aren’t managed
competitors that have had security by the corporate IT/IT security team.
problems Secondly, at best, it means a huge
• Being able to charge a higher price for increase in the diversity of devices,
our products/services due to increased types and applications or places where
confidence in doing business with us data is stored. Thirdly, the more types of
technology and apps you use the more
likely it is that one of them will have a
breach. If, across a large business, your
users use all ten of the top ten cloud file
High-growth storage providers (Live, iCloud, Dropbox,
businesses say they Sync, etc) then whichever of the large
expect to see an average of
cloud storage providers get hacked you
6.7
significant financial
are going to be exposed.
Also it means users have more accounts
benefits from on more systems, often with the same
improving their passwords, so the more that are in use the
cyber security
more opportunities there are for those
credentials to become compromised.”Increasing threats are
driving cyber security as
customer expectations rise
Cyber security carries strategic Martyn Boston, managing director of Genesis
importance and should be IA and a director of the Institute of Information
Security Professionals says:
designed in from the start
Strong cyber security is becoming increasingly
“Designing security into solutions from
important for all businesses. 78% said that
the start is a given and those of us
it is of high strategic importance, which
working as IA (information assurance)
demonstrates the relevance of cyber security
professionals have been fighting this for
to all managers and employees. This figure
years. But it still goes on with project
increases to 83% for the technology and
managers trying to avoid talking to
media sector and 80% for financial services.
security in case it adds complexity, cost
Respondents also believe that security should and new risks. We all know that such
be intrinsic to the systems it supports. things are misguided as it’s far cheaper
to design in security from the onset
of businesses said it was vital of any project/delivery.”
84% to consider the security of digital
networks, as well as their speed
78%
of the public sector said it was
90% vital to consider the security
of digital networks, as well as
of businesses said that
their speed strong cyber security
is of high strategic
importanceThe worsening threat landscape The technology and media sector were
is the biggest driver particularly cognisant of the worsening threat
landscape (a figure which may be buoyed
A massive 87% of businesses expect that their by their in-house technology expertise)
security budget will increase over the next while public sector organisations were most
three years, with nearly three-quarters (71%) concerned about reputational risk (perhaps
expecting an increase of over 10%. mindful of the need to be seen setting best
We asked all businesses that plan to increase practice and meeting compliance criteria).
their spending about their motivations for Indeed, reputational risk should be a board-
doing so. When asked to rank drivers for level issue that is addressed by organisations
increased security investment, the biggest in all sectors because the consequences
was the worsening threat landscape, with of a security breach can be catastrophic
‘increasing security threats’ rated as the to a company’s brand.
top driver (named by 64% of respondents).
Managing risk accounted for the third and For many businesses, there is a balance
fifth most common reasons listed (by 46% to be struck between mitigating risk from
and 41% of respondents) while greater use external threats and successfully project
of cloud and mobile devices were a driver managing the implementation of innovative
for 48% and 42% respectively, making new technologies and ways of working in
these the second and fourth biggest drivers. sometimes complex environments.
Supporting business growth and innovation
rate highly too:
of businesses said new growth
87 %
39% or transformation initiatives were
driving spending
of businesses expect
of financial and business services their security budget
46% said new growth or transformation will increase over the
next three years
initiatives were driving spending
of businesses noted new
34% business models as the driverCyber Security: The Innovation Accelerator Increasing threats are driving cyber security 15
Percentage increase in cyber security budget expected over the next 3 years
1% 10% 16% 32% 16% 13% 10%
Up to 10% No Up to 10% 10-29% 30-49% 50-99% At least
decrease change increase increase increase increase 100%
2% Don’t know
increase
Cyber security is delivering Motivations for businesses to
customer benefits increase their security spending
What does this investment in information
security mean in business terms? Increasing security threats
The most profound impact was the positive
effect on customers. 89% of businesses said Greater use of cloud computing
that improving their cyber security would
enhance customer loyalty and trust. 90% said
it would give them a better reputation in the To minimise risks to
market, potentially attracting new customers. organisational reputation
89% said they felt better information security
was a competitor differentiator that would
help them win customers from competitors More mobile devices to secure
that could not offer the same assurances.
Businesses in India rated these customer Industry- or company-specific risks
factors even higher at 95%, 93% and 97%
respectively. US businesses also rated these
customer factors very highly, with 94%, 96% Being ready for the future
and 92% respectively. Martyn Boston adds:
Improving information security is about more
than the present: businesses said clearly that
“Those companies who demonstrate information security is preparing them for
that they can manage a client’s data both the future.
securely and in accordance with any
regulatory or legislative requirements 83% said that being confident in their security
will obviously attract more business helps their organisation be ready for the future.
than those who do not.” Financial and business services, and businesses
in India, believe in this even more, with 86%
and 88% in agreement, respectively.
Furthermore, high-growth businesses believe
that information security is a fundamental
building block for the future, with 88% agreeing.Cyber Security: The Innovation Accelerator The role of security in business initiatives 16
Cyber security is supporting
growth and innovation projects
Businesses are embarking on a Singapore is more lax, with a figure of just:
wide range of innovative growth
and transformation initiatives considering security for almost
34%
all decisions
Businesses are focusing on a wide range
of growth and innovation initiatives, including
digitalisation, developing online sales However, there is some comfort to be had
channels, developing an as-a-service culture, in Singapore:
the IoT and remote or flexible working (see
full list on page 19). On average, businesses consider security for the most
52%
are planning or executing, or have completed, significant decisions
4.1 of these initiatives.
The response of the UK is between those
Half of companies nearly always two extremes. One senior UK-based security
decision-maker said:
think about security
Security is often – but not always – considered “(There is) a perception that it won’t
for these initiatives: 50% of companies report happen to us: ‘We’ve never had a cyber
that security is considered for almost all attack; we’ve never had denial of service
decisions regarding these projects. A further or any other things that you read about,
35% report that security is considered for the so why should we bother?’ They’ll then
most significant decisions regarding these turn round and say ‘look, it’s too late’.
projects, while 14% report that security is So information security has to be in
occasionally considered and just 1% report that place because this is the ultimate case
security is not considered at all. This means that of shutting the door after the horse has
over one in seven businesses – the latter two escaped.”
groups – are putting themselves at significant
risk of unforeseen and unpredictable disruption.
A Singapore-based security decision-maker
Healthcare and pharmaceutical companies, working for a regional crane and warehouse
perhaps mindful of the large quantity of equipment manufacturer was markedly more
personal data that they handle, are taking confident regarding cyber security threats due
a tougher approach: to the implementation of a new technology
solution. He said:
of healthcare and pharmaceutical
58% companies consider security for “We don’t have many security risks.
almost all decisions I have to travel all over the region and
until now we’ve had no problem with the
Companies in the United States are taking cloud service. We had too many security
a tough approach too: problems before we implemented cloud.”
of US companies consider
66%
security for almost all decisionsSecurity is top of mind for Businesses are focusing on a wide range
digitalisation of growth and transformation initiatives
On an individual project level, security
implications were considered by nearly all Implementing digital technologies
businesses. For the implementation of digital
technologies, 93% considered security, while
Business expansion
99% of businesses that are planning expansion
activities considered security. Of those
companies implementing as-a-service ways of Increased use of process automation
working (like cloud computing) 91% considered
security, while 90% of companies that allowed Sensors and smart devices
their employees to bring their own devices into
work considered security in relation to this.
Outsourcing
“As we increase our dependence on
the cloud, remote and mobile working, Online sales and support
so too must we apply greater protection
to business assets upon which our brand Big data
reputation may depend,” says Steve
Durbin, managing director of the
Information Security Forum. “Mission- As-a-service ways of working,
critical information assets demand and e.g. cloud computing
justify additional investment to ensure
these assets are adequately protected – Digital collaboration between
wherever they may be located.” our employees
Remote and flexible working
Allowing employees to use their own
devices at work
Collaboration with business partnersCyber Security: The Innovation Accelerator Cloud computing, the Internet of Things and security 18
Businesses that use cloud
computing and IoT approach
security differently
Most innovative businesses are now using Because they help businesses realise new,
cloud computing or IoT. This could involve, innovative outcomes and enable the shift to
for example, a colocation agreement, a the much talked about as-a-service culture,
multinational infrastructure-as-a-service cloud and IoT are vital tools for businesses
project or any of a broad range of applications now and in the future.
covered by the Internet of Things. IoT
connects objects, turning them into Companies that use IoT and cloud
‘intelligent’ assets that can communicate
with people, applications and each other.
computing are more likely to see
It enables things like cars, buildings and security as an enabler of new
machines to communicate about their status opportunities and innovation
and environment – creating many new In a previous section, we noted that 73% of
opportunities for businesses. businesses saw cyber security as an enabler
According to Vodafone’s Cloud Barometer of new opportunities, rather than a barrier.
research, 70% of enterprises use or would This figure was higher for businesses that
consider using the cloud for mission-critical use IoT (82%) and those that use the cloud
enterprise applications. 63% of businesses are (76%). Their management teams also better
already using IoT, or plan to within 12 months, understand the importance of security,
according to Vodafone’s IoT Barometer with 79% (companies using cloud) and 83%
research. (companies using IoT) compared with 77%
for all businesses.
Percentage who see security as an Percentage of businesses whose
Percentage of businesses
enabler of new that
opportunities Percentage
senior of management
management that the
understands
saw cyber security as an enabler saw cyber security as an enabler
importance of cyber security
of new opportunities of new opportunities
73% 82% 76% 77% 83% 79%
All Businesses Businesses All Businesses Businesses
businesses using IoT using cloud businesses using IoT using cloudCyber Security: The Innovation Accelerator Cloud computing, the Internet of Things and security 19
Companies that use IoT and cloud Companies that use IoT and
computing are more likely to cloud computing see greater
have ‘state-of-the-art’ security financial returns from having
Companies that use cloud and IoT are also stronger security
more likely to consider that they have ‘state- Because companies that use cloud and IoT
of-the-art’ cyber security measures in place. are more likely to see security as an enabler
74% of companies using cloud believe their of new opportunities, allowing them to be
measures are state-of-the-art, while the figure more innovative and try new ways of working,
is 82% for companies using IoT – compared their management teams better understand
with 69% for all companies. the importance of security and their measures
are more state-of-the-art. It is not surprising
“Cloud is a fast-moving, business that they also see greater financial benefits
transformative technology,” says Colin from having stronger security.
Robbins, innovation director at Nexor. The average business expects to see 5.0
“In 2017, major UK government financial benefits from security, but this rises
departments have adopted cloud to 5.3 financial benefits for companies using
technology – not least the National cloud and 6.2 financial benefits for companies
Cyber Security Centre. This demonstrates using the Internet of Things. Examples of the
that when approached in a systematic increased financial benefits for cloud and IoT
way, adopting good risk management adopters are shown in the three bar charts
practice, cloud solutions can be built at the foot of this page.
with appropriate security controls.”
Percentage of businesses that have
state-of-the-art security measures in place
74%
of companies using
cloud believe their
69% 82% 74% security measures are
state-of-the-art
All Businesses Businesses
businesses using IoT using cloud
Percentage of businesses expecting the following significant financial benefits
from improved cyber security
46% 55% 49% 36% 46% 39% 43% 50% 46%
All businesses Businesses Businesses All businesses Businesses Businesses All businesses Businesses Businesses
using IoT using cloud using IoT using cloud using IoT using cloud
Enhanced customer Greater confidence to Ability to launch new
loyalty allow remote/flexible products and services
working by staffCyber Security: The Innovation Accelerator Challenges, threats and risks 20
Businesses are concerned
about security threats but are
struggling to find the solutions
Businesses are concerned about “We had an incident not too long ago,
their cyber security not being where the competition had stolen some
strong enough research data. They sent us a Trojan and
Despite many businesses securing through this managed to install spyware.”
management buy-in, businesses remain
concerned about their cyber security not Smaller businesses (those with between
being strong enough, with 64% worrying 10 and 99 employees) fear permanent loss
about it affecting their organisation (just 14% of their data or lost revenue more than
are not worrying). This is unsurprising given their peers in larger businesses.
the increase in the volume and sophistication
of cyber security threats. Businesses in Regulation and compliance issues are top
Singapore and the United States show of mind, with 44% of businesses saying they
heightened levels of concern, with 73% each. consider security issues because of legal
obligations (rising to 60% for the public
But what worries them? Loss of data, network sector) and 33% because of the potential
breaches or reputational damage are the top risk of fines.
three fears, though there were 13 individual
consequences feared by at least one-quarter A senior respondent based in Ireland and
of businesses, ranging from downtime to working in the international governance and
ransomware, showing the broad variety risk team for a global insurance company said,
of security issues facing businesses.
“We have to ensure that we effectively
“The main risk is that someone from the respond and adhere to not just insurance
outside world would get access to our sort of requirements and regulations,
data. Spyware is particularly an issue in but that we also – although we’re not a
our sector because of the research data,” bank – adhere to as many banking rules
says the Chief Executive Officer of a and regulations, as well, in terms of the
manufacturer working in the medical investment piece. We have a lot of those
sector in Germany. (regulations) because we are global and
we have to ensure they are picked up for
each country.”
Percentage of businesses that worry about cyber security affecting their organisation
52% 68% 55% 61% 73% 72% 63% 73%
Germany India Italy Ireland Singapore Spain England USACyber Security: The Innovation Accelerator Challenges, threats and risks 21
The frequency of incidents Many businesses have a
appears to be under reported simplistic view of cyber threats
within businesses and externally The research indicates that businesses have
taken a simplistic view of cyber security
of businesses acknowledge being threats, with the largest major perceived
22% affected by a security incident threats being viruses/malware, hacking and
in the last 12 months being targeted by cybercriminals (just 34%,
29% and 26% of respondents respectively).
of these businesses say a data
65% For all threats, the severity rating most
breach resulted
commonly awarded by businesses was
moderate, with ‘minor’ being selected by the
It is likely that the actual figures are far higher
greatest number of businesses for attacks by
than this as many businesses do not wish to
insiders and former employees and for being
reveal publicly that they have been affected,
targeted by competitors or foreign states.
due to possible reputational damage, or
the individual involved was not aware of a This indicates that some businesses may not
breach that actually occurred. Among those fully understand the prevalence and variety
whose primary role is in IT, 29% said that their of security threats, which have increased
company had experienced a security incident markedly in the last 12 months.
in the last 12 months, whereas the figure was
only 13% for decision-makers working outside The perceived risk of every threat listed in the
the IT department. This indicates that there research is higher for organisations that have
may be a lack of transparency within witnessed a security incident in the last 12
a business’s leadership team as to the threats months, indicating that actual security events
and incidents faced. Any opaqueness should markedly change businesses’ views on cyber
be addressed urgently so the business’s security risk.
response to a future incident is not impaired. The impact of a security breach is also not
always what businesses expect. We discussed
that loss of data, network breaches and
reputational damage were the top three fears.
22 %
But when security breaches occurred, what
was actually top of the list of impacts were
tangible business criteria – downtime and lost
revenue – as well as loss of data.
said that their company
had experienced a
security incident in the
last 12 months
Organisations that
have witnessed a
security
threat
in the last 12 months have
a higher perception of riskSecurity decision-makers have devices (46%), with failure to follow company
difficulty finding solutions policies stated by 40% and shadow (personal)
IT stated by 39%. Though stories of security
Many security decision-makers themselves incidents regarding insecure public Wi-Fi
admitted to difficulties finding solutions connections have been circulating for over
to cyber security challenges. A hefty 41% a decade, this was still rated as the second
said they were unsure who could help top employee concern (43%) providing further
with cyber security challenges, and this evidence that businesses are struggling to
increased further to 52% for construction keep up with the latest most potent threats.
and engineering companies.
This is likely to be partly due to the supplier “No doubt things could be improved but
landscape containing lots of start-up niche we’re doing everything we can at the
suppliers and partly due to threats rapidly moment,” said a UK-based security
evolving. decision-maker. “We’ve always got it in
the back of our minds that we’re doing
Decision-makers also shared their concerns
99.9% of this and that we’re looking
regarding the skills and knowledge of
out for 0.1% that could come and cause
company employees. The top fear was the
us some damage.”
careless sharing of information on mobile
Percentage of businesses that are unsure of who can help them with cyber security challenges
48% 33% 52% 43% 22% 45% 41% 32%
Tech and Manufacturing Engineering Financial Public Education Retail Healthcare
media and and sector and
construction business pharmaceutical
servicesSmall businesses are at risk from
“It’s not surprising that six out of ten
poor infrastructure and visibility SMEs feel uninformed on security
Many cyber security challenges are more matters, because the nature of an SME is
acute for smaller businesses. While 78% of they tend to be focused on being experts
enterprises (over 250 employees) believe that at what they do, using technology to
their technology is state-of-the-art, this figure innovate and bring efficiency”, says Colin
falls markedly to 58% for small businesses Robbins, Innovation Director at Nexor.
with 10–49 employees.
“Security process and technical expertise
Smaller businesses also say that they suffer is not a usual skill found in the direct
from a lack of visibility on security risks (55% SME employee base, and consulting
compared with 42% of enterprises) and are engagements are deemed expensive.
more likely to not have the security staff A solution being increasingly used by
needed to monitor security (45% for small SMEs, especially start-ups without a
businesses compared with 28% for large legacy to manage, is the adoption of
businesses). cloud technology. By applying due
diligence on the security credentials of
These issues are being compounded by a lack
a cloud provider, a lot of the security risk
of IT budget made available for security, with
mitigation challenges can effectively be
4 percentage points less being made available
outsourced (remembering business risk
for security in small businesses compared
itself cannot be outsourced).”
with enterprises.
55 %
of smaller businesses
say that they suffer from
a lack of visibility on
security risks60% of SMEs feel uninformed According to Mike Sapien, chief analyst at
about security – our experts Ovum, hindrances caused by a lack of scale
analyse the causes and can be a major issue for smaller businesses
when it comes to cyber security.
implications of this
Steve Durbin, Managing Director, Information “Most SMEs tend to have few skilled
Security Forum, notes that privacy and security staff and tools to really identify
compliance concerns may be more acute security issues and the scale to support
for smaller businesses. He says: the required security investment which
begs for both a simple solution and a
“The fact that 60% of SMEs feel qualified managed provider to address
uninformed about security solutions and their security requirements.
who can help is a concerning statistic.
This will become even more important Ovum sees great value in aligning
from a privacy standpoint as we move with strong service partners including
closer to the EU GDPR (General Data traditional telco providers who can
Protection Regulation) coming into provide many network-centric security
effect in May 2018. offers, especially for these SMEs who
need simple solutions with security
With only 22% of the sample in Europe wrapped around their network and
being aware of GDPR and having taken mobile services. Most SMEs need to
action to ensure compliance, many align with a service partner to ensure
companies are potentially leaving that they have a stronger, more secure
themselves exposed to non-compliance environment to keep up with the
and associated sanctions being imposed growing number of security threats.”
by regulators. But more importantly,
they are potentially leaving an open door
for cyber threat actors to gain access to
60 %
valuable information.”
of SMEs feel uninformed
about security solutions
and who can helpCyber Security: The Innovation Accelerator The next generation of security decision-maker 25
The next generation of security
decision-makers is digitally
savvy and customer focused
Five behaviours of younger 2. Younger decision-makers
security decision-makers believe in automation
Digitally savvy and customer focused, with Younger decision-makers also believe in the
high expectations for cyber security: the next benefits of automating security, with 73%
generation of security decision-makers 48%
believing that automating their business’s
is profoundly different. security will help their business become
more secure (compared to 67% of over 35s).
The research compared the attitudes and
Automation is likely to become increasingly
expectations of security decision-makers
necessary due to the rapidly increasing
younger than 35 years of age with those over
volume and variety of threats, and information
35 years of age and saw profound differences.
about threats, which already cannot be
handled in sufficient detail by human
1. Younger decision-makers responses alone.
are more likely to work for
digital businesses 3. Younger decision-makers
Younger decision-makers are more likely believe in cyber security enabling
to work for businesses that use digital growth and transformation,
technologies. For example:
and better customer outcomes
Younger decision-makers are also more likely
of under 35-year old security
69% decision-makers work for to believe in strong cyber security being an
enabler of growth and transformation projects
businesses that use cloud
– and they are more focused on security
computing, compared with 61% for
driving customer benefits.
over 35 year old decision-makers
of under 35-year old decision- of under 35-year old decision-
51% makers work for organisations 43% makers believe that supporting
that use IoT, compared to 34% growth or transformation is a
of over 35s driver for increased security spend,
compared to 38% of over 35s
of under 35s work for
52% organisations that use big data of under 35s believe that the
compared to 44% for over 35s 41% requirements of customers and
shareholders will drive security
This may be due to younger decision-makers spend, compared to 33% of over 35s
being more digitally savvy themselves, but
is also likely to be due to them being more of under 35s believe that strong
50% security will bring enhanced
attracted to innovative, digitally progressive
organisations. customer loyalty and trust,
compared with 44% of over 35sCyber Security: The Innovation Accelerator The next generation of security decision-maker 26
4. Younger decision-makers 5. But there is evidence
are more aware and have of complacency
higher expectations However, we’d urge a note of caution over
Younger decision-makers appear more the apparent complacency of some under
aware of cyber security threats and expect 35 year old decision-makers with regards
more in turn from their organisation. Under to data loss.
35s identify a quarter more threats as major This is an area which older decision-makers
compared with their older counterparts take much more seriously. Just 40% of under
(3.46 compared with 2.74). And a massive 35s said they feared losing critical data:
91% expect that cyber security budgets will 11 percentage points lower than over 35s
need to rise over the next three years to meet and a massive 23 percentage points lower
these toughening challenges (compared to than over 55s.
85% of over 35s).
While younger decision-makers’ increased
use of cloud may mean that they are more
likely to have a business continuity, disaster
recovery or back-up strategy in place to help
91
to mitigate any data loss, any complacency
% on protecting an organisation’s data should
raise a red flag for business owners which
should be acted on.
of decision-makers under
35 expect cyber security
to rise over the next
40 %
three years
of under 35s said
they feared losing
critical dataCyber Security: The Innovation Accelerator The next generation of security decision-maker 27
Attitudes and behaviours
of security decision-makers
18-34 year old DMs 35+ year old DMs
Digitally savvy
Use Cloud 69% 61%
Use IoT 51% 34%
Use big data 52% 44%
Automation
Automating our security will help our business
to be more secure
73% 67%
Growth and customer focused
Supporting growth or transformation is a driver
for increased security spend
43% 38%
Expect strong security to bring enhanced
customer loyalty and trust
50% 44%
Believe that requirements from customers and
shareholders will drive increases in security spend
41% 33%
Higher expectations
Number of security issues considered as
a major threat
3.46 2.74
Expect to see information security budget
increase over the next three years
91% 85%
Complacency
Fear permanent loss of critical data 40% 51%Cyber Security: The Innovation Accelerator Our view of the future 28
Our view of the future
This report identified some clear indicators of cyber activity and
resulting business preparation and behaviour – especially the
positive link between strong cyber security and business growth
and innovation. From these insights and Vodafone’s cyber security
experience, we believe that there are six key future disruptors that
will shape how businesses manage digital risk and build resilience.
These disruptors cannot be ignored as they will force direct and
significant change upon businesses, governments and individuals –
how you approach them, and your ability to adapt and innovate, will
be critical to your future business growth.
1. Cyber adversaries will continue 2. New cyber technologies
to out-think, out-innovate and and service models will help
out-invest traditional models to address the scale of the
for cyber defence challenge and the scarcity
The continued rise of global cyber crime of cyber expertise
cartels, the weaponisation of cyber space The ability of businesses to monitor, detect
and sophistication of attacks will further and respond will take a leap forward by
increase the gap in capabilities between leveraging cognitive and behavioural
cyber adversaries and businesses. analytics, contextual cyber intelligence
It is an arms race that is being fuelled by and real-time automated incident response.
an explosion of new technology, ubiquitous These advances allow building new types
connectivity, IoT integration and artificial of enterprise-grade security operations
intelligence-based services. and services that can be deployed at scale,
through consumption adoption models,
extending to encompass the user and their
data – not just the infrastructure.
$445bn 120 days
is the annual cost of global is the average number
cyber crime, overtaking of days it takes a business
the global drugs trade. to know its data has been
There are 16 cyber crimes compromised. According
committed every second, to a 2016 UK government
with a rise of ransomware report, 25 of the large
attacks such as WannaCry firms who detected a cyber
and Petya1 security breach or attack
in the past year experience
a breach at least once
per month2
Source: 1. A Guide to Cyber Risk: Managing The Impact of Increasing Interconnectivity, Allianz Global Corporate & Specialty
2. The Cyber Security Breaches Survey 2017, Department for Digital, Culture, Media & SportCyber Security: The Innovation Accelerator Our view of the future 29
3. Regulation, legislation and 4. Cyber security awareness
litigation will become powerful at a societal level will change
drivers for cyber investment behaviours and determine
Security and privacy regulation has shaped the value of protection
cyber security spend over the past 20 years. As digital adoption accelerates, businesses
Yet many organisations use these and their employees have never been more
requirements to “admire the problem” in cyber-aware. The implications on society
specific areas of their business rather than of cyber crimes, digital disruption and the
address essential security controls on their blurring of the physical and digital worlds
mission-critical data. are becoming better understood. Schools
We anticipate regulation, legislation and are increasingly teaching cyber security skills,
litigation issues will continue to be significant yet a divide exists between digital natives
drivers of investment. The (re-)definition of and digital immigrants. We will start to move
privacy, as enshrined in the EU’s General Data away from passwords to biometric identity
Protection Regulation (GDPR) highlights the controls and behaviour monitoring, but we
significant gap many organisations have in have a long way to go before cyber risk is
protecting their data. And GDPR affects every understood and managed at a personal
business that does business within the EU, level. Increased visibility and accountability
regardless of what country they are based in. of core levels of security will be inherent
in all products and services, while a price
Nations are pushing cyber capability through premium for additional protection will
regulation, legal frameworks are being become part of the value proposition.
bent and changed to accept digital risk
and negligence, yet there is little common
ground on cyber law enforcement. As a result,
brand damage and personal reputations will
continue to take the hit.
$20m 2,356,000
or 4% of global annual instances of bank account
turnover for the preceding fraud were reported over
financial year, whichever is the 12 months leading
the greater, is the maximum up to June 2016. It is the
financial penalty in place most common form of
for breaches of the cyber crime in the UK4
upcoming GDPR3
Source: 3.The Official Journal of the EU (OJEU)
4. Office for National Statistics5. Cyber capability and 6. The real-world implications
expertise will become the of cyber attacks will change
most scarce resource our view of safety
The constantly shifting sands of technology As IoT rapidly spreads sensors and semi-
adoption and vulnerability, aligned to intelligent devices across the globe, smart
the explosion of digital business models, cities and smart transport systems route
will accentuate an already acute lack of and manage our movements and critical
cyber expertise. Cyber capacity requires infrastructure and services are digitised –
organisations to take advantage of new we will expose ourselves to huge safety risk.
service models as businesses will be unable
to find enough appropriate resources. Attacks on power grids, autonomous cars
and health services will continue and we will
As our report shows, the winners in the finally see cyber bridge the digital and the
digital economy will be those with access physical world.
to cyber expertise. Businesses that partner
with cyber security experts will be best
placed to overcome challenges and meet
their growth objectives.
1m 152,000
was the number of cyber consumer IoT devices were
security job openings used by hackers during
globally in 2016. Demand the September 2016 DDoS
is expected to rise to (Distributed Denial of
6 million by 2019, with Service) attacks on a large
a projected shortfall French hosting provider.
of 1.5 million5 They were able to inundate
the company with 1Tbps
of traffic, causing mayhem
for customers around
the world6
Source: 5. Mitigating the Cybersecurity Skills Shortage, Cisco & statement by Michael Brown, CEO at Symantec
6. The Register – http://www.theregister.co.uk/2016/09/27/152463_hacked_cameras_deliver_990gbps_recordbreaking_dual_ddos/Cyber Security: The Innovation Accelerator Recommendations 31
Recommendations
At Vodafone we believe that cyber security is both a fundamental
business requirement and an enabler for innovation and digital
transformation. We also understand that maintaining cyber resilience
in the face of the six key disruptors is a difficult and resource-intensive
activity. Resilience is critical, maintaining your organisation’s goals
and operations while facing a relentless and dynamic adversary.
In this section, we outline four areas that form the cornerstones
of a cyber-ready organisation.
Understanding Building a cyber- Cyber security Cyber response
cyber risk ready culture operations and recovery
Understanding cyber risk Building a cyber-ready culture
To understand cyber risk, an organisation People are our most valuable resource.
must first identify its critical assets and the They provide the first and most effective line
threats facing them. This starts with key data of defence against cyber attacks, while also
assets, but also includes brand reputation, playing a pivotal role in maintaining cyber
core operational processes and customer resilience during disruption. People are also
information. At Vodafone we advocate the the weak link in the security chain. Cyber
use of a ‘RISK Compass’ to help orientate education and awareness must sit at the heart
to these risk areas (see next page). of any comprehensive cyber security strategy.
This is as relevant at the board level as it is
Organisations must think both in terms of on the shop floor.
current and future risk exposure, as well as
regulatory requirements and industry/societal Our safety is quite literally in our own hands.
benchmarks for risk appetite. Our digitally networked society means that
we each hold sensitive data in trust for many
From the board and exec committee, every others; understanding that responsibility
group within the organisation should be and also the protective measures and policies
able to articulate their key cyber risks and in place can guide our behaviour.
the business impact they present. Executive
leadership requires a view of residual risk –
the delta between people, processes and
technologies in place to protect mission-
critical systems and data and the risks which
remain. Continuous risk reviews and risk
acceptance tracking along with ongoing
risk mitigation approaches are essential
for organisations.You can also read
