Cyber Security Today: Current Threats, New Approaches
Are cyber risks merely a technology risk, and is only companies' Information Technology infrastructure at risk?
Target
Millions of customer records stolen via malware on the POS system
CEO had to step down
+ $1 billion – Potential cost to Target
Initial intrusion via a third-party HVAC company
PwC
SONY Pictures
The Global State of Information Security® Survey
The survey includes 10,000 respondents from 127 countries.
37% North America
14% South America
30% Europe
16% Asia Pacific
3% Middle East & Africa
A mix of business and IT security executives are represented.
20% IT & Security (Other)
25% IT & Security (Mgmt.)
9% Compliance, Risk, Privacy
21% CISO, CSO, CIO, CTO
25% CEO, CFO, COO
16 December 2015 Cyber Security
What is the state of the threats?
In 2015, respondents detected 38% more information security incidents.*
Average number of security incidents in past 12 months
2011: 2,562
2012: 2,989
2013: 3,741
2014: 4,948
2015: 6,853
* A security incident is defined as any adverse incident that threatens some aspect of computer security.
Small organizations reported a dramatic increase in incidents, while the number of detected compromises among large companies grew at the slowest pace.
The financial costs of incidents more than doubled for small organizations.
Small companies reported a two-fold increase in total financial losses attributed to security incidents, while large companies said losses dropped 16% in 2015.
Average total financial losses due to security incidents
Small (revenues less than $100 million): $428,471 (2014), $940,429 (2015)
Medium (revenues $100 million to $1 billion): $1.3 million (2014), $1.3 million (2015)
Large (revenues more than $1 billion): $5.9 million (2014), $4.9 million (2015)
Employees remain the most cited source of compromise, but incidents attributed to business partners are up substantially.
Security events ascribed to current and former third-party partners jumped 22% over the year before, while those attributed to employees inched down a notch.
Estimated likely source of incidents (2014 vs. 2015)
Categories: Current employees; Former employees; Current service providers/consultants/contractors; Former service providers/consultants/contractors; Suppliers/business partners
Chart values: 35%, 30%, 18%, 13%, 15%, 34%, 29%, 22%, 19%, 16%
Increasingly, organizations report that employee, customer and internal data are primary targets of cyberattacks.
While compromise of customer records rose 35%, theft of “hard” intellectual property like strategic business plans and financial documents increased more than any other data loss.
Impact of security incidents (2014 vs. 2015)
Categories: Customer records compromised; Employee records compromised; Loss or damage of internal records; Theft of “soft” intellectual property; Theft of “hard” intellectual property
Chart values: 28%, 29%, 20%, 24%, 15%, 38%, 33%, 26%, 25%, 23%
And what about the countermeasures?
Among organizations that have a CISO (54%), the security executive is most likely to report directly to the CEO.
Where the CISO reports (all respondents)
23% Board of Directors
15% CTO
13% CPO
25% CIO
36% CEO
In large businesses, the security function is often organized under the CIO.
Where the CISO reports (by company size)
CISOs of small companies are slightly more likely to report to the Board.
Categories: CEO, Board, CIO
Company sizes: Large, Medium, Small
Chart values: 24%, 25%, 22%, 30%, 18%, 24%, 37%, 39%, 33%
As risks rise, organizations significantly boost investments in information security.*
Reversing last year’s slight drop in security spending, respondents increased their information security budgets by 24% in 2015.
Information security budget for 2015
2011: $2.7 million
2012: $2.8 million
2013: $4.3 million
2014: $4.1 million
2015: $5.1 million
19% of IT budget spent on information security
* Information security budget refers to funds specifically and explicitly dedicated to information security, including money for hardware, software, services, education, and information security staff.
Small companies take a decisive lead in expanding spending for security programs.
Small organizations doubled information security budgets in 2015, while large companies’ spending has remained stable.
Information security budget for 2015 (chart: 2014 and 2015 bars, by company size)
Large (revenues more than $1 billion): $10.1 million, $10.0 million
Medium (revenues $100 million to $1 billion): $3.3 million, $2.8 million
Small (revenues less than $100 million): $1.5 million, $733,052
Adoption of risk-based security frameworks
Have not adopted a security framework: 8%
Have adopted other security framework(s): 18%
Have adopted ISF Standard of Good Practice: 26%
Have adopted SANS Critical Controls: 28%
Have adopted NIST Cybersecurity Framework: 34%
Have adopted ISO 27001: 40%
Most respondents (91%) have implemented one or more risk-based information security frameworks. A majority of organizations also say they collaborate with external industry partners to improve security and reduce risks.
Many organizations have adopted cybersecurity insurance, cloud-based initiatives and Big Data analytics
Adoption of strategic initiatives
Cybersecurity insurance: 59%
Big Data analytics: 59%
Cloud-based cybersecurity: 69%
56% of respondents who use cloud-based cybersecurity also employ real-time monitoring and analytics from cloud providers
Where to Start, What to Do?
CISO
Cyber Security Strategy
Cyber Security Awareness (Staff + Execs)
Thank you...
© 2016 PwC Turkey. All rights reserved. In this document, “PwC” refers to PwC Turkey, a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. “PwC Turkey” refers to and represents the PwC Turkey organization, which consists of the legal entities established in Turkey under the trade names Başaran Nas Bağımsız Denetim ve Serbest Muhasebeci Mali Müşavirlik A.Ş., Başaran Nas Yeminli Mali Müşavirlik A.Ş. and PricewaterhouseCoopers Danışmanlık Hizmetleri Ltd. Şti.
burak.sadic @ tr.pwc.com
@adilburaksadic
tr.linkedin.com/in/buraks/
www.pwc.com.tr/siberguvenlik