The Global State of Information Security® Survey 2017

Malware is nothing new: The first PC virus hit more than three decades ago. While early malware was relatively harmless—and sometimes little more than amateurish hijinks—over the years the technical complexity, method of proliferation and destructive capabilities have changed dramatically.

The ways that malware proliferates has evolved alongside technology. The first PC virus, Brain, was identified in 1985 and spread slowly via floppy disk. The game changed with Morris, the first Internet worm that quickly infected thousands of computers in 1988. A decade later, in 1987, viruses that propagate via document sharing were introduced, followed by malware that is spread via email.

Today’s malware is technically sophisticated, difficult to detect and capable of causing physical damage. One of the most notable examples is Stuxnet. This weaponized malware, which disrupted an Iranian uranium enrichment facility in 2010, was designed to stealthily infiltrate industrial control systems and enable operators to remotely control physical systems. Similarly, in 2014 the Energetic Bear malware affected the industrial control systems of US and European energy companies.

In 2013, the Target Stores data breach spotlighted the risk of attack via the systems of third-party partners. Hackers gained access to the retailers point-of-sale system via a trusted contractor, and over the course a month compromised 110 million customer records. The breach was not without an upside: The attendant publicity helped boost the awareness of cybersecurity risks in the Boardroom.

The sophisticated nation-state attack on Sony Pictures Entertainment in 2014 represented a new level of malice and disruption. The hack exposed sensitive data and communications, significantly disrupted business operations and resulted in last-minute cancellation of a motion picture. It also blurred the lines between cybersecurity attacks and cyberwar.

Recently, public sector organizations have been targeted by adversaries that are believed to be nation-states or hacktivists. In 2015, an attack on the US Office of Personnel Management compromised personal information of 21.5 million individuals. In 2016, the Turkish government announced an earlier data breach that exposed personal data of 50 million citizens of Turkey. Nation-states are also believed to be behind attacks on the websites of US presidential candidates, campaigns and committees.

Not all attacks are accomplished with complex code, however. Phishing schemes and business email compromise are two well-known threats that have been around for (and successful) as long as the first worms, and rely mostly on simple research and social engineering. In fact, phishing was the most-cited vector of compromise among GSISS respondents in 2016.

You might think that sharing of cyberthreat intelligence to improve incident detection and response is this year’s cyberfad. Not really. The Financial Services-Information Sharing and Analysis Center (FS-ISAC) was founded in 1999 and today counts members from more than 6,000 firms around the world.

What is new are a slew of government-backed initiatives to promote information sharing between the private and public sectors. In 2013, for instance, the UK launched the Cyber Security Information Sharing Partnership to promote sharing of cyberthreat and vulnerability information among businesses. The next year, the US National Institute of Standards and Technology (NIST) published its NIST Cybersecurity Framework, which heavily emphasizes the importance of information sharing between government and industry.

In 2015, US President Barack Obama signed Executive Order 13691, an initiative that promotes sharing of cybersecurity threat intelligence among private-sector companies. The Executive Order also called on businesses and government to create Information Sharing and Analysis Organizations (ISAOs). These new organizations, unlike ISACs, are not industry-specific and can be based on a region or even a response to a specific threat.

Later in the year, the US voted in the 2015 Cybersecurity Information Sharing Act (CISA), a federal law that provides a framework for sharing cyberthreat information between industry and government. In the European Union, the newly approved General Data Protection Regulation (GDPR) will require that member nations participate in a cybersecurity information-sharing group and establish Computer Security Incident Response Teams to promote swift operational cooperation. Most recently, Japan created a Personal Information Protection Commission to act as a supervisory body on privacy protection and to help businesses understand the impacts of the GDPR.

Whether by legislation or individual initiative, the sharing of cybersecurity intelligence can provide an additional layer of knowledge and support in detecting and responding to incidents. But information sharing will not achieve its potential if government agencies, businesses and other stakeholders do not proactively take action and commit to collaborate.

When cellular phones took off in the early 1990s, they were used exclusively for phone calls. That changed as smartphones and tablet computers were developed and mobile operating systems and apps enabled devices to deliver a rich computing experience.

These technologies set the stage for one of the biggest moments in mobility: On January 9, 2007, Apple announced its first iPhone. The iPhone was an entirely new breed of mobile device that integrated new functionalities and services through mobile apps. A decade later, smartphones are the go-to device for email, instant messaging, online banking, snapping photos, social media, shopping and more. In the workplace, businesses have gradually adopted smartphones and tablets to enhance employee processes and productivity. In doing so, they have redefined whefirst iPhonen, where and how work is done.

As use of mobile devices surges, so too do cybersecurity risks. In part, that’s because mobile devices use a range of communications interfaces—such as cellular, Wi-Fi, Bluetooth, GPS and Near Field Communication—that expose more surface areas to attack. In addition, mobile devices present an increased opportunity for data loss and exposure, aggravated by the fact that they are more easily stolen or lost than desktop computers and servers. And mobile devices are also subject to specialized malware and phishing attacks.

It’s not surprising, then, that the number of GSISS respondents who reported compromise of a mobile device increased by 76% from 2009 to 2016. To address these risks, 54% of this year’s GSISS respondents said they have implemented a mobile security strategy, while 47% (in 2014) said they use Mobile Device Management software. In addition to technology solutions, mobile device security also will require ongoing employee training to reduce cybersecurity incidents that result from user carelessness or lack of awareness.

As cybersecurity incidents multiply in frequency and destructive power, the Chief Information Security Officer (CISO) has become increasingly pivotal to business success. And the stature of the CISO will continue to rise as businesses are digitized and dependent on effective cybersecurity.

A decade ago, only 32% of GSISS respondents had a CISO in charge of information security; in 2016, more than half (53%) said they have hired a CISO. But this year’s CISO will probably not resemble his or her 2007 counterpart. In the past, CISOs typically rose through the ranks of IT and relied on technical skills to manage cybersecurity. They tended to be siloed in IT, and typically were not attuned to the business objectives and strategies of the overall organization.

As companies recognize that cybersecurity is an enterprise-wide risk issue—not an IT responsibility—the CISO’s responsibilities and competencies have become increasingly business focused. Today’s CISOs are held accountable for risks and are expected to deliver a minimum information security posture across the organization. They also should be prepared to help C-suite executives and the Board understand that managing cyberthreats is just as important as managing operational, legal, financial and compliance risks.

Increasingly, CISOs are senior business managers who have expertise not only in cybersecurity but also risk management, corporate governance and overall business objectives. They have access to—and the confidence of—key executives to provide insight into cybersecurity risks in a language that the C-suite and Board understands.

This level of accountability is more likely to be achieved when the top security leader reports to a corporate officer who has broad oversight of both risk and strategy, preferably the CEO or other C-suite executives. GSISS research shows that most CISOs report directly to the CEO, followed by the CIO and Board.

The Heartland Payment Systems hack in 2009, which compromised 100 million payment cards, was among the first mega-breaches to boost awareness of digital credit card compromise. It also focused attention on rising payment card fraud: According The Nilson Report, US payment card fraud losses reached $3.56 billion in 2010.

These factors galvanized US credit card issuers to announce in 2012 migration roadmaps to the EMV payment card standard, which will replace magnetic-swipe cards. Card issuers set a deadline of October 2015 for most US retailers.

The years after the announcement of the EMV road map certainly supported the need for more secure card payment systems. In 2013 and 2014, breaches at Target Stores (110 million customer records), Neiman Marcus (payment card information of 350,000 customers) and Home Depot (56 million payment card records) galvanized support for adoption of the EMV standard.

Despite the rise of mega-breaches and industry support for EMV, by 2016 only 20% of GSISS US retail and consumer respondents said they had implemented EMV capabilities. US merchants that have not deployed EMV should take action now to assess the liability risk compared with the cost and impact of implementation. It’s also important to factor in customer trust in charting a road map for EMV deployment.