Study objectives
Establish a diagnosis of how small and medium Spanish enterprises perceive their preparedness for information security and business continuity in 2012, in terms of:
- Protection and prevention against risks
- Incidents, consequences and responses
- E-trust
- Recommendations and good practices
Study methodology
- Document analysis of national and international studies.
- Survey: 2,250 interviews with IT security managers of enterprises.
- In-depth interviews with 10 IT security managers of enterprises.
- Think tank: a group of 9 experts and professionals from different fields of security and business continuity.
http://observatorio.inteco.es
Main results
Tools, best practices and security policies in the enterprises
- Remarkable level of implementation of basic security measures and habits in small and medium Spanish enterprises: antivirus and firewalls are the most common tools (96.1% and 75.4%, respectively).
- 56% of enterprises have personnel dedicated to information security (21% through internal personnel and 35.3% through outsourcing).
- Security backups and updates of operating systems and software are protection habits that are increasingly used (88.2% and 81.9%, respectively).
- According to the enterprises taking part in the research, information security has developed positively over the last year.
- Enterprises report performing security audits and holding Information Security Management System (ISMS) certificates to a greater extent than official data states.
- 4 out of 10 enterprises know what Business Continuity Plans (BCPs) are. 12.9% claim to have a BCP and 5.3% have a plan covering only the technological component.
- 31.9% of the enterprises with a Business Continuity Plan provide mechanisms to verify its effectiveness, periodic tests being the most common one (42.3%).
Incidents affecting information security and business continuity
- 26.1% of small and medium enterprises perceived that they suffered an incident of this kind in 2011. Malware infection (14.7%) and spam (11.9%) are the most frequent cases.
- The most common mobile security incidents in enterprises are linked to terminal theft or loss (7.1% and 7.2%, respectively).
- During the last year, 1 out of 3 enterprises experienced circumstances or incidents that affected the continuity of their business operations in some way. The most common events are failure of support systems (15.2%), meltdown of computer systems and applications (11.3%) and lack of service or supply from providers (11.2%).
Impact and response against incidents
- The most common consequences after an incident are loss of time and productivity and disruption of operations.
- After an incident, 38.5% of enterprises adopt a proactive attitude and implement security tools and measures. Actions at the organisational or strategic level are a minority of cases.
- In almost half of the cases, the incident is resolved by internal technical personnel. Nonetheless, the proportion relying on external services is noticeable (40.9%).
E-trust
- Electronic banking and online payment methods (69.8%), business website (55.5%) and e-Administration (51.9%) are the most widespread ICT services in small and medium Spanish enterprises.
- Social networks are increasingly important as a communication channel. Facebook is the most prevalent one (88.7%), followed by Twitter (29.6%).
- High level of trust in most of the services, notably in e-Administration (87.0%) and the use of electronic banking and online payment methods (86.1%). Social networks are the service that enterprises trust least.
- Lack of need and lack of interest are the most common reasons for not implementing new services.
[Chart: Desktops, Laptops, Remote access (percentages of enterprises)]
[Chart: security tools installed: Antivirus/Antispyware (96.1%), Firewall (75.4%), Antispam, Blocking pop-up windows, Temporary files and cookies removal, Anti-intrusion systems, Browser plug-ins, Data encryption (percentages of enterprises)]
Solutions: perceived drawbacks (ineffectiveness / they slow down business)
Antivirus/Antispyware: ineffectiveness 5.1, slows down business 17.4
Firewalls: ineffectiveness 0.8, slows down business 2.8
Antispam: ineffectiveness 0.8, slows down business 3.8
Plugins: ineffectiveness 0.5, slows down business 2.0
Blocking pop-up windows: ineffectiveness 0.9, slows down business 2.9
Anti-intrusion systems: ineffectiveness 0.4, slows down business 2.1
Data encryption: ineffectiveness 0.5, slows down business 1.6
Temporary files and cookies removal: ineffectiveness 1.1, slows down business 3.1
[Chart: security measures on mobile devices: Access via PIN code (password), Unlocking password, Backup of sensitive data, Hidden and password-protected Bluetooth, Automatic software updates, Antivirus program, Strength of password, Formatting after a certain number of failed password attempts, Program or application installations blocked, Remote deletion of data in case of loss/theft, Data and/or communications encryption; No protection 12.4%; Unknown/No reply 11.7%]
[Chart: security personnel: Personnel exclusively dedicated to security available, In-house IT personnel available, Personnel available through an external company, Not considered, Unknown/No reply]
[Chart: protection habits: Program updates, Control and access to equipment and documents, Employee program installation constraints, Employee internet access constraints (percentages of enterprises)]
[Chart: Yes / No / Unknown/No reply distribution]
Base: total number of enterprises answering the business continuity survey (CN) (n=1,109)
[Chart: reasons given: Prohibitive cost, Have other security priorities, Do not think about it, Lack of knowledge, When necessary they resolve it by themselves, Other, Unknown/No reply]
Base: total number of enterprises answering the business continuity survey (n=1,109)
[Chart: comparison 2010 vs 2012 (percentages)]
Base: total of enterprises 2012 (n=1,109); total enterprises and success cases 2010 (n=429)
Risk assessment
[Chart: availability of a Business Continuity Plan: Yes, we have a complete BCP (12.9%); Yes, but it only covers the technological aspects (5.3%); No, it is necessary but its implementation is not planned; No, but its implementation is planned; No, it is not necessary; Unknown/No reply]
[Chart: elements included in the Business Continuity Plan: Allocation of responsibilities, Activation of the plan for the restoration of business activities, Identification and prioritisation of critical processes, Defining recovery period, Communication plan strategies, Continuity plan tests, Other, Unknown/No reply]
[Chart: enterprises that suffered a security incident in 2011: Yes 26.1%, No 73.9%; breakdown by security personnel: Personnel exclusively dedicated to security available, In-house IT personnel available, Personnel available through an external company, Not considered]
Security incidents suffered in 2011 (% of enterprises):
Malware (virus, trojans, etc.): 14.7%
Bulk mail advertising (spam): 11.9%
Technical failure: 4.3%
Equipment/program physical damage: 2.2%
Identity theft: 1.1%
Loss/theft of devices: 0.9%
Unauthorized external access: 0.9%
Online fraud/phishing: 0.8%
Distributed denial of service (DDoS) attack: 0.6%
Data leakage due to error/intention (internal staff): 0.4%
Sabotage (internal act): 0.3%
None of the above: 73.9%
[Chart: mobile security incidents; terminal theft or loss are the most common (7.1% and 7.2%, respectively)]
Base: total number of enterprises answering the business continuity survey (n=1,109)
[Chart: incidents with / without consequences: Technical failures 89.2% / 10.8%; Malware 68.3% / 31.7%; third series (unlabelled in the extraction) 53.2% / 46.8%]
Base: enterprises having suffered an incident (malware n=199; bulk mailing n=157; meltdown of systems n=90)
Consequences of security incidents (% of affected enterprises)
Technical failures: waste of time/productivity 66.9; business downtime 25.8; technical consequences 17.2; repair/replacement costs 7.6; image/reputation damage 5.9; file deletions 0.6; hardware/software damage 0.5; fines/sanctions due to legal non-compliance 0.5; economic damage (fraud) 0.5; leaking of confidential/sensitive information 0.5; cancellation of contracts with clients 0.5; no consequences 15.5; unknown/no reply 1.1
Malware (values as extracted; column assignment not recoverable): 41.1 5.3 10.5 19.3 0.0 6.3 4.6 42.4 4.2
Spam (values as extracted; column assignment not recoverable): 6.1 37.7 0.5 3.5 0.2 8.5 0.4 50.1 0.3
Consequences of lack of service/supply from provider (% of affected enterprises):
Delays/hours lost/impact on productivity: 83.9
Economic (direct cost): 14.6
Impact on business image (reputation impact): 2
Loss of clients with which a firm contract was established (contractual impact): 0.1
Sanctions/fines (legal impact): 0.4
Other consequences: 0.3
No impact: 9.8
Unknown/No reply: 2.3
[Chart: actions taken after an incident: I have installed/updated security tools; I have implemented new security measures; Security training has been carried out for employees; Business continuity measures have been implemented; An Information Security Management System (ISMS) has been implemented (ISO 27001); My company has stopped using certain internet services; Internal staff/external security service has been hired; We keep proceeding as usual; Unknown/No reply]
Who resolved the incident:
Company's personnel: 48.5%
External technical support service: 33.5%
Company's personnel with external professional counselling: 7.4%
A friend/acquaintance with computer skills, Other, Unknown/No reply: 1.9%, 2.6% and 5.3% (assignment not recoverable from the extraction)
Social networks used by enterprises:
Facebook: 88.7%
Twitter: 29.6%
Google+: 10.3%
LinkedIn: 10.1%
YouTube: 9.8%
Scribd: 0.1%
Others: 5.3%
Unknown/No reply
[Chart: ICT services used: Electronic sales, Electronic procurement, Electronic invoicing, Profile on social networks, Electronic signature (certificate, electronic ID, etc.), Electronic purchasing, Formalities with the public administration (e-Administration), Business website, Electronic banking/online payment methods]
Business continuity
[Chart: distribution of enterprises according to their business continuity profiles: Prepared, Unprepared, Indifferent, Reckless]
Cautious
Mainly micro-enterprises from all sectors. They show great concern for security but do not always have the best technical resources available. They report few occurrences of risk exposure. They rarely use Internet services and have a medium/high level of trust.
Protective
Mainly medium enterprises from the industry and business services sectors. They show a high concern for information security and have the technical and human means to ensure it. Few occurrences of risk exposure. They have a high level of trust in the internet.
Careless
Mainly micro-enterprises from the retail, hospitality and other sectors. They show very little concern for security. They report many occurrences of risk exposure. They use ICT extensively and have a medium/high level of trust.
Indifferent
Mainly micro-enterprises from the industry, retail and hospitality sectors. They do not consider themselves prepared to tackle a crisis situation. They report few occurrences of incidents. They do not identify critical business activities. They do not have a strategy to tackle crisis situations.
Prepared
Mainly small and medium enterprises from the services sector. They consider themselves prepared to tackle a crisis. They report few occurrences of risk exposure. They have their critical business activities identified. They have a strategy for crisis situations.
Reckless
Mainly micro-enterprises from industry. They do not consider themselves well prepared to tackle crisis situations. They report many occurrences of risk exposure. They do not identify critical business activities. They do not have a strategy to tackle crisis situations.
Final observations
SWOT analysis
STRENGTHS
- Good technological capacity.
- Remarkable level of implementation of preventive security measures.
- Appreciation of the recovery period.
- Positive response towards initiatives.
WEAKNESSES
- False sense of security.
- Shortcomings in the security culture of enterprises.
- Small size is a determining (negative) factor of the protection level.
- Low margin over tolerable business downtime.
- Security approach excessively focused on the technological aspect.
OPPORTUNITIES
- Joint approach by different players in order to obtain a better position with regard to enterprises.
- Large portfolio of security and business continuity services.
- Outsourcing of IT tasks and information security.
THREATS
- Slow progress in security.
- Worsening of the consequences of attacks.
- New technology challenges and new security risks.
Recommendations
Recommendations for enterprises
Awareness-raising
- Progress in raising awareness in enterprises about information security risks.
- Promote the use of best practices among members of the organisation.
- Adopt business continuity strategies to ensure the organisation's endurance against a crisis or disaster.
Implementation
- Turn to external professionals to resolve the lack of internal resources without neglecting security.
- Correct use of security tools and measures.
- Establish security criteria in relationships with providers.
- Keep abreast of new security risks and protection measures.
Recommendations for the security industry and administration
Industry
- Adapt security solutions and product offers to the context of small and medium Spanish enterprises.
- Deploy measures that help complement the security of the enterprise, starting with awareness-raising and training.
- Promote the professionalisation of security solution vendors.
- Collaborate closely with the Public Administration.
Administration
- Advise entrepreneurs to include information security competences.
- Deploy awareness actions based on the benefits of using ICT services and of proactive security.
- Promote the development of business strategies based on standards.
- Deploy information and training initiatives for enterprise personnel.
- Study the status of information security and business continuity among Spanish enterprises.
- Carry out specific actions for IT service enterprises.
Follow us on:
Web: http://observatorio.inteco.es
Facebook profile: http://www.facebook.com/ObservaINTECO
Twitter profile: http://www.twitter.com/ObservaINTECO
Scribd profile: http://www.scribd.com/ObservaINTECO
YouTube profile: http://www.youtube.com/ObservaINTECO
Blog of the Information Security Observatory: http://www.inteco.es/BlogSeguridad
http://www.inteco.es