Strong Cyber Security drives growth & innovation - Cyber Security: The Innovation Accelerator report - Vodafone NZ

Page created by Hugh Figueroa
 
CONTINUE READING
Strong Cyber
Security drives
growth & innovation

Cyber Security:
The Innovation
Accelerator report
Global research into the links between
strong cyber security and business
decision-making, growth and innovation

The future is exciting.
Ready?
Cyber Security in 2017

            86                 %
           of high-growth companies
        believe that having strong cyber
         security enables new business
                  opportunities

                                              89               %
                                              of businesses said that
                                           improving their cyber security
                                             would enhance customer
                                                  loyalty and trust

      41            %
    of businesses are unsure
    who can help with cyber
       security challenges

                                                 87 %
                                             of businesses expect
                                              that their security
                                             budget will increase
                                              over the next three
                                                     years
Foreword
When digital is everywhere, cyber security is everywhere. This is the
dawning realisation that governments, businesses and individuals
are starting to accept.
This simple message is fundamentally changing how nations defend
themselves, how data privacy is regulated and how enterprises are
re-inventing themselves as digital businesses. It is also changing how
global cyber crime cartels are operating, targeting data and disrupting
operations for financial gain.
While we have been conducting this ground-breaking research,
organisations have been hit by massive ransomware attacks, digital
currency thefts have reached unprecedented levels and data
disclosures have strained international relations.
The UN and Europol estimate that in 2016 the global cyber crime
industry overtook the global illicit drug trade to be worth $445bn.
Organised crime has changed its behaviour to take advantage of the
shift to a data-driven economy, but how are enterprises of all sizes
responding to the cyber challenges of this new reality?
This is the fundamental question we are hoping to answer in this
report – Cyber Security: The Innovation Accelerator – which details
the findings of our global research. We are excited to share some
stunning insights and highlight not only the risks facing us, but also
how winning organisations are harnessing cyber security to drive
growth and provide competitive differentiation.
Thank you for reading our report. We look forward to working
together to create a safe and secure digital world for all.

Andrzej Kawalec
Group Head of Enterprise Cyber Security Strategy & Innovation
Contents
Executive summary                                             05
Methodology                                                   07
Contributors                                                  08
About the findings                                            09
Successful businesses believe that having strong
cyber security will drive their future success                10
Increasing threats are driving cyber security
as customer expectations rise                                 13
Cyber security is supporting growth and innovation projects   16
Businesses that use cloud computing and the
Internet of Things approach security differently              18
Businesses are concerned about security threats
but are struggling to find the solutions                      20
The next generation of security decision-makers
is digitally savvy and customer focused                       25
Our view of the future                                        28
Recommendations                                               31
About Vodafone                                                33
Expert contributors                                           34
Vodafone contributors                                         37
Cyber Security: The Innovation Accelerator Executive summary                                           5

Executive summary
Strong cyber security is becoming increasingly essential for all
businesses, with 78% believing it is of high strategic importance.
The objective of this research was to understand the link between
business decision-making and cyber security – to what extent are
a business’s success and its ability to innovate affected by cyber
issues today? Here are six key findings.

Successful businesses believe                         A reputation for effective cyber security
that having strong cyber security                     is having a profoundly positive impact on
                                                      customers – building loyalty and trust,
will drive their future success                       attracting more business and protecting
Businesses that are growing in revenue                company reputations. Strong cyber security
have a refreshingly different approach to             is giving businesses confidence that they
cyber security. They believe it’s an enabler          are ready for the future.
of growth, innovation, new business
opportunities, and digital transformation.
The management teams of growth businesses                              89%
understand that investment in strong cyber                             of businesses said that
security creates confidence to undertake                               improving their cyber
business initiatives that drive growth,                                security would enhance
innovation and differentiation. They also                              customer loyalty and trust
see that cyber security can enable many
customer benefits, such as the acquisition
of new customers from competitors who
                                                      Cyber security is supporting
may not prioritise cyber security.                    growth and innovation projects
                                                      Businesses are embarking on a wide range
                                                      of transformation and innovation initiatives,
                  86%                                 including digitalisation and flexible working.
                                                      Security is often considered when making
                  of high-growth companies
                  believe that having strong          decisions – almost always for individual
                  cyber security enables new          projects – but it’s being seriously neglected
                  business opportunities              for important projects by some organisations,
                                                      placing them at risk.

Increasing threats are driving
cyber security as customer                                             99%
expectations rise                                                      of businesses that are
Strong cyber security is increasingly                                  planning expansion
important and businesses want it intrinsically                         activities consider security
embedded into systems and networks from
the start. The worsening threat landscape
is the biggest driver for investment, as
organisations plan to increase their security
budget to combat it.
Cyber Security: The Innovation Accelerator Executive summary                                                            6

Businesses that use innovation       The next generation of security
technologies such as cloud           decision-makers is digitally savvy
computing and the Internet of Things and customer focused
(IoT) approach security differently  The next generation of security decision-
More than anyone else, the growing number             makers is digitally savvy and customer
of cloud and IoT adopters see security as an          focused, with high expectations for cyber
enabler of new opportunities, not a barrier to        security. These under 35 year old security
progress, and a source of financial benefits.         decision-makers are more likely to work for
Businesses embracing innovative technologies          digital businesses, are threat aware, believe
are also more likely to consider that they have       in automation and understand that cyber
state-of-the-art security.                            security enables them to innovate and
                                                      drive growth transformation and customer
                                                      benefits. But there is also some evidence
                  7%                                  of complacency among the next generation.
                  more financial benefits
                  from having strong cyber
                  security for adopters of                             91%
                  the cloud                                            of under 35-year old
                                                                       decision-makers expect

                  24%                                                  cyber security budgets
                                                                       will need to rise over
                  more financial benefits                              the next three years to
                  for IoT adopters                                     meet the toughening
                                                                       challenges

Businesses are struggling
to find solutions to the security
threats they face                                                       Strong cyber security
Businesses are concerned by the                                       is becoming increasingly
                                                                   essential for all businesses with
consequences of something going wrong and

                                                                         78             %
many believe their cyber security is not yet
strong enough. Losing critical data, network
breaches and reputational damage are the top
three fears. Regulation and compliance issues                        believing that it is of high
– punishable with imprisonment or fines for                            strategic importance
large offences – are also top of mind, but the
responses of many businesses are slow.
                                                                                                      More than
Security decision-makers are having difficulty                                                    other businesses,
finding solutions and often don’t know who                                                       the growing number
                                                                                                   of cloud and IoT
can help. These problems can be more acute                                                      adopters see security
for smaller businesses, which have fewer                                                         as an enabler of new
in-house cyber security skills.                                                                      opportunities

                  41%
                  said they were unsure who
                  could help with information
                  security challenges
Methodology
In the second quarter of 2017, Vodafone            directors and business owners where those
devised and commissioned a brand new               individuals made or influenced their business’s
global security study. It explores the influence   cyber security decisions.
of cyber security on business decision-
making, the actions companies are taking to        94% of the interviews were carried out
improve security and what impact that action       in the following sectors: technology and
(or lack of) is having on their organisations’     media, manufacturing, financial and business
success and plans for the future.                  services, construction and engineering,
                                                   public sector, education, retail, healthcare
1,434 cyber security decision-makers               and pharmaceutical, with a range of industry
and influencers were interviewed, including        sectors accounting for the remaining 6%.
small, medium sized, and large companies
operating in single and multiple countries.        A further ten in-depth interviews were
61% of interviews were carried out with            carried out by telephone to uncover
businesses of fewer than 250 employees,            additional detailed insight into
and 39% of interviewees with businesses            businesses’ cyber security decision-
of 250 employees or more.                          making. A range of comments from these
                                                   businesses are included in the report. As the
The research, using an online quantitative         subject matter is often sensitive, we have
methodology, covered North America,                provided appropriate levels of anonymity
Europe and Asia through interviews in eight        for the respondents.
countries (USA, UK, Ireland, Germany,
Spain, Italy, India and Singapore).                This report describes the findings from the
                                                   research, supplemented by Vodafone’s
These decision-makers often worked                 perspective and commentary from a panel
specifically in security and/or IT teams, and      of cyber security industry experts.
in smaller businesses they also included
Cyber Security: The Innovation Accelerator Contributors                                                    8

Contributors
We have worked closely with a team of industry experts from a range of countries
and functions to provide their valued additional perspective on the research findings
in this report. We thank them for their contributions and insight and have included
their biographies later in the report. They are:

Mike Sapien Chief analyst, Ovum                           Andrzej Kawalec Group Head of Enterprise
                                                          Cyber Security Strategy & Innovation, Vodafone
Steve Durbin Managing Director of the
Information Security Forum (ISF)                          Maureen Kaplan Group Head of Enterprise
                                                          Cyber Security Sales, Vodafone
Colin Robbins Innovation Director, Nexor
                                                          Jonathan Hughes Group Head of Enterprise
Piers Wilson Head of Product Management,                  Cyber Security Operations, Vodafone
Huntsman Security, and Director, Institute
of Information Security Professionals (IISP)
Martyn Boston Managing Director of Genesis
IA and Director, Institute of Information
Security Professionals (IISP)

The Institute of Information Security
Professionals, (the IISP) is an independent,
non-profit body with the principal objective
of advancing the professionalism of
information security practitioners
Cyber Security: The Innovation Accelerator About the findings                                       9

                  About the findings
                  This report reveals the key findings of Vodafone’s global research into cyber
                  security. We asked a broad range of questions to 1,434 security decision-
                  makers from businesses of all sizes across the globe. Our goal was to better
                  understand the link between business decision-making and cyber security –
                  to what extent are cyber issues affecting and influencing businesses?
                  In the following chapters, we examine the results from the research
                  and also offer our view of the future:

                      The link between                The benefits and    The role cyber security
                     having strong cyber              business drivers    has to play in business
                        security and                  of having strong      innovation, growth
                      business success                 cyber security      and transformation

                   How adopters of cloud                Challenges,        Learnings from the
                    computing and IoT                 threats and risks     next generation
                    see cyber security                                      of cyber security
                        differently                                         decision-makers
Cyber Security: The Innovation Accelerator Cyber security and business success                             10

Successful businesses
believe that having strong
cyber security will drive
their future success
Growth businesses understand                               “Security enables business by building
that cyber security is an enabler                          trust, reinforcing reputation, allowing
of new business opportunities                              remote working and cloud adoption,
Around the world, the clear majority of                    enabling automation and defined
businesses are seeing cyber security as                    processes that are less reliant on humans
an enabler of business opportunities and                   and more consistent and auditable,”
innovation: 73% of companies believe that                  comments Piers Wilson, a director of the
information security is an enabler of new                  IISP and head of product management
business opportunities, rather than a barrier.             for Huntsman Security. “Security should
                                                           inform and support business decision-
There is however a clear difference in                     making to balance risk and reward: there
attitude between companies whose revenue                   is a risk in not doing something at all, just
is shrinking and those whose revenue is                    as there is in doing something insecurely.”
growing, with a positive correlation between
viewing cyber security as an enabler and                Companies in the technology and media
business growth.                                        sector (78%), businesses in India (84%)
Among businesses whose revenue shrank                   and C-level IT leaders (81%) are even more
over the last 12 months, just 57% believe               likely to view cyber security as an enabler
having strong cyber security enables new                of new business opportunities.
business opportunities. This compares with
77% of companies whose revenue grew over                The management teams of
the last 12 months, and a massive 86% of                growth businesses are more
high-growth companies (that is, those whose
revenue increased by more than 10% over
                                                        likely to have bought into the
the last 12 months).                                    need for strong cyber security
                                                        Businesses that are growing are more
  Percentage of businesses that say                     likely to have management that supports
  strong cyber security enables new                     the development of strong cyber security.
       business opportunities                           Among companies whose revenue is
                                                        shrinking, 57% say they have senior
                                                        management that ‘actively supports
                                                        and encourages better cyber security
                                                        measures’. However, this figure increases
      57%            77%             86%                sharply to 81% for growth companies
                                                        and 84% for high-growth companies.
   Declining      Increasing High revenue
   revenue         revenue      growth*
Change in revenue in the last 12 months
* over 10%
Growth businesses expect a                           Businesses based in the USA have the highest
greater range of financial benefits                  financial expectations from cyber security: with
                                                     an average of 6.7 significant financial benefits.
from improving cyber security                        Companies that are expecting to see the
Growth businesses have a markedly more               largest number of benefits from cyber security
positive view of what strong cyber security          are putting their money where their mouth is:
can do for them. High-growth businesses say          companies planning to increase their cyber
they expect to see an average of 6.7 significant     security budget by at least one-half over the
financial benefits from improving their cyber        next three years are expecting an average
security, with growth businesses expecting an        of 5.8 financial benefits.
average of 5.3 significant financial benefits.
Financial benefits include enhanced customer         Growth businesses are
loyalty, attracting new customers, the ability       committing to cyber security
to launch new products and services and
                                                     Growth businesses are investing in and
greater agility (see the full list of the expected
                                                     making cyber security an integral part of their
financial benefits on page 14).
                                                     ICT budget. This is likely to explain why these
In contrast, businesses that are losing revenue      businesses are witnessing such a broad range
expect to get just 3.9 significant financial         of financial benefits.
benefits out of improving their cyber security,
which suggests that they should apply greater            Spending more than 10% of their IT
focus to how cyber security could enable                and mobile communications budget
their business to turn around. A UK security
                                                                on cyber security
decision-maker said:

 “I spoke to a customer today who had the
 option of a low cost – which is like £1,000
 – or the high cost option – which was                      53%            78%            86%
 £70,000 – and he had to go back to his
 finance guys to justify £69,000.
                                                          Declining     Increasing High revenue
 If anything goes wrong with that £1,000                  revenue        revenue      growth
 solution, he could well lose millions. If it
 works, everything is great and if it doesn’t
 work then they have to consider that risk.”
Cyber Security: The Innovation Accelerator Cyber security and business success                                             12

Benefits that businesses said they expect                                  Growth businesses are
from having strong cyber security:                                         implementing appropriate
                                                                           policies
           For the business:                                               Growth businesses are also benefitting from
                                                                           the application of cyber security policies
           • Being able to apply for more                                  to protect their business. High-growth
             new contracts that require high                               businesses have an average of 4.7 security
             security standards                                            policies in place that are updated and tested
           • Ability to launch new services                                regularly, compared with 4.0 for growth
             and products                                                  businesses and 3.0 for shrinking businesses.
           • Lower business risk                                           Such cyber security policies could cover
           • Greater business agility                                      necessities and new ways of working like
                                                                           flexible working, or they could govern bring-
           • Greater business efficiency                                   your-own device, business continuity and
                                                                           breach action plans.

           From greater productivity:                                      Not only does the implementation, testing
                                                                           and updating of these policies protect the
           • Confidence to allow remote and flexible                       business concerned but strong policies are
             working by staff                                              also likely to help increase the financial
           • Improved staff productivity                                   benefits stated above.
           • Reduced costs of downtime/clean-up                            Piers Wilson (Head of Product Management,
                                                                           Huntsman Security, and Director, IISP), warns
                                                                           of the dangers of employees bringing their
           From increased customer confidence:                             own devices and tools into the workplace
                                                                           without adequate policies in place.
           • Enhanced customer loyalty and trust
           • Better reputation                                               “Yes of course it brings risk. For one
           • Attracting new customers from                                   thing, these devices aren’t managed
             competitors that have had security                              by the corporate IT/IT security team.
             problems                                                        Secondly, at best, it means a huge
           • Being able to charge a higher price for                         increase in the diversity of devices,
             our products/services due to increased                          types and applications or places where
             confidence in doing business with us                            data is stored. Thirdly, the more types of
                                                                             technology and apps you use the more
                                                                             likely it is that one of them will have a
                                                                             breach. If, across a large business, your
                                                                             users use all ten of the top ten cloud file
                     High-growth                                             storage providers (Live, iCloud, Dropbox,
                 businesses say they                                         Sync, etc) then whichever of the large
              expect to see an average of
                                                                             cloud storage providers get hacked you

                      6.7
                   significant financial
                                                                             are going to be exposed.
                                                                             Also it means users have more accounts
                      benefits from                                          on more systems, often with the same
                     improving their                                         passwords, so the more that are in use the
                      cyber security
                                                                             more opportunities there are for those
                                                                             credentials to become compromised.”
Increasing threats are
driving cyber security as
customer expectations rise
Cyber security carries strategic                 Martyn Boston, managing director of Genesis
importance and should be                         IA and a director of the Institute of Information
                                                 Security Professionals says:
designed in from the start
Strong cyber security is becoming increasingly
                                                  “Designing security into solutions from
important for all businesses. 78% said that
                                                  the start is a given and those of us
it is of high strategic importance, which
                                                  working as IA (information assurance)
demonstrates the relevance of cyber security
                                                  professionals have been fighting this for
to all managers and employees. This figure
                                                  years. But it still goes on with project
increases to 83% for the technology and
                                                  managers trying to avoid talking to
media sector and 80% for financial services.
                                                  security in case it adds complexity, cost
Respondents also believe that security should     and new risks. We all know that such
be intrinsic to the systems it supports.          things are misguided as it’s far cheaper
                                                  to design in security from the onset
     of businesses said it was vital              of any project/delivery.”
 84% to consider the security of digital
     networks, as well as their speed

                                                                 78%
        of the public sector said it was
 90%    vital to consider the security
        of digital networks, as well as
                                                             of businesses said that
        their speed                                           strong cyber security
                                                               is of high strategic
                                                                   importance
The worsening threat landscape                  The technology and media sector were
is the biggest driver                           particularly cognisant of the worsening threat
                                                landscape (a figure which may be buoyed
A massive 87% of businesses expect that their   by their in-house technology expertise)
security budget will increase over the next     while public sector organisations were most
three years, with nearly three-quarters (71%)   concerned about reputational risk (perhaps
expecting an increase of over 10%.              mindful of the need to be seen setting best
We asked all businesses that plan to increase   practice and meeting compliance criteria).
their spending about their motivations for      Indeed, reputational risk should be a board-
doing so. When asked to rank drivers for        level issue that is addressed by organisations
increased security investment, the biggest      in all sectors because the consequences
was the worsening threat landscape, with        of a security breach can be catastrophic
‘increasing security threats’ rated as the      to a company’s brand.
top driver (named by 64% of respondents).
Managing risk accounted for the third and       For many businesses, there is a balance
fifth most common reasons listed (by 46%        to be struck between mitigating risk from
and 41% of respondents) while greater use       external threats and successfully project
of cloud and mobile devices were a driver       managing the implementation of innovative
for 48% and 42% respectively, making            new technologies and ways of working in
these the second and fourth biggest drivers.    sometimes complex environments.
Supporting business growth and innovation
rate highly too:

        of businesses said new growth

                                                               87 %
 39%    or transformation initiatives were
        driving spending
                                                           of businesses expect
        of financial and business services                 their security budget
 46%    said new growth or transformation                  will increase over the
                                                              next three years
        initiatives were driving spending

     of businesses noted new
 34% business models as the driver
Cyber Security: The Innovation Accelerator Increasing threats are driving cyber security                      15

        Percentage increase in cyber security budget expected over the next 3 years

         1%            10%            16%             32%            16%            13%        10%
    Up to 10%           No         Up to 10%        10-29%          30-49%          50-99%     At least
    decrease          change        increase       increase        increase        increase     100%
2% Don’t know
                                                                                              increase

Cyber security is delivering                               Motivations for businesses to
customer benefits                                          increase their security spending
What does this investment in information
security mean in business terms?                                     Increasing security threats

The most profound impact was the positive
effect on customers. 89% of businesses said                          Greater use of cloud computing
that improving their cyber security would
enhance customer loyalty and trust. 90% said
it would give them a better reputation in the                        To minimise risks to
market, potentially attracting new customers.                        organisational reputation
89% said they felt better information security
was a competitor differentiator that would
help them win customers from competitors                             More mobile devices to secure
that could not offer the same assurances.
Businesses in India rated these customer                             Industry- or company-specific risks
factors even higher at 95%, 93% and 97%
respectively. US businesses also rated these
customer factors very highly, with 94%, 96%               Being ready for the future
and 92% respectively. Martyn Boston adds:
                                                          Improving information security is about more
                                                          than the present: businesses said clearly that
  “Those companies who demonstrate                        information security is preparing them for
  that they can manage a client’s data both               the future.
  securely and in accordance with any
  regulatory or legislative requirements                  83% said that being confident in their security
  will obviously attract more business                    helps their organisation be ready for the future.
  than those who do not.”                                 Financial and business services, and businesses
                                                          in India, believe in this even more, with 86%
                                                          and 88% in agreement, respectively.
                                                          Furthermore, high-growth businesses believe
                                                          that information security is a fundamental
                                                          building block for the future, with 88% agreeing.
Cyber Security: The Innovation Accelerator The role of security in business initiatives                      16

Cyber security is supporting
growth and innovation projects
Businesses are embarking on a                               Singapore is more lax, with a figure of just:
wide range of innovative growth
and transformation initiatives                                         considering security for almost
                                                              34%
                                                                       all decisions
Businesses are focusing on a wide range
of growth and innovation initiatives, including
digitalisation, developing online sales                     However, there is some comfort to be had
channels, developing an as-a-service culture,               in Singapore:
the IoT and remote or flexible working (see
full list on page 19). On average, businesses                          consider security for the most
                                                              52%
are planning or executing, or have completed,                          significant decisions
4.1 of these initiatives.
                                                            The response of the UK is between those
Half of companies nearly always                             two extremes. One senior UK-based security
                                                            decision-maker said:
think about security
Security is often – but not always – considered               “(There is) a perception that it won’t
for these initiatives: 50% of companies report                happen to us: ‘We’ve never had a cyber
that security is considered for almost all                    attack; we’ve never had denial of service
decisions regarding these projects. A further                 or any other things that you read about,
35% report that security is considered for the                so why should we bother?’ They’ll then
most significant decisions regarding these                    turn round and say ‘look, it’s too late’.
projects, while 14% report that security is                   So information security has to be in
occasionally considered and just 1% report that               place because this is the ultimate case
security is not considered at all. This means that            of shutting the door after the horse has
over one in seven businesses – the latter two                 escaped.”
groups – are putting themselves at significant
risk of unforeseen and unpredictable disruption.
                                                            A Singapore-based security decision-maker
Healthcare and pharmaceutical companies,                    working for a regional crane and warehouse
perhaps mindful of the large quantity of                    equipment manufacturer was markedly more
personal data that they handle, are taking                  confident regarding cyber security threats due
a tougher approach:                                         to the implementation of a new technology
                                                            solution. He said:
          of healthcare and pharmaceutical
 58%      companies consider security for                     “We don’t have many security risks.
          almost all decisions                                I have to travel all over the region and
                                                              until now we’ve had no problem with the
Companies in the United States are taking                     cloud service. We had too many security
a tough approach too:                                         problems before we implemented cloud.”

          of US companies consider
 66%
          security for almost all decisions
Security is top of mind for                       Businesses are focusing on a wide range
digitalisation                                    of growth and transformation initiatives
On an individual project level, security
implications were considered by nearly all              Implementing digital technologies
businesses. For the implementation of digital
technologies, 93% considered security, while
                                                        Business expansion
99% of businesses that are planning expansion
activities considered security. Of those
companies implementing as-a-service ways of             Increased use of process automation
working (like cloud computing) 91% considered
security, while 90% of companies that allowed           Sensors and smart devices
their employees to bring their own devices into
work considered security in relation to this.
                                                        Outsourcing
 “As we increase our dependence on
 the cloud, remote and mobile working,                  Online sales and support
 so too must we apply greater protection
 to business assets upon which our brand                Big data
 reputation may depend,” says Steve
 Durbin, managing director of the
 Information Security Forum. “Mission-                  As-a-service ways of working,
 critical information assets demand and                 e.g. cloud computing
 justify additional investment to ensure
 these assets are adequately protected –                Digital collaboration between
 wherever they may be located.”                         our employees

                                                        Remote and flexible working

                                                        Allowing employees to use their own
                                                        devices at work

                                                        Collaboration with business partners
Cyber Security: The Innovation Accelerator Cloud computing, the Internet of Things and security         18

Businesses that use cloud
computing and IoT approach
security differently
Most innovative businesses are now using                 Because they help businesses realise new,
cloud computing or IoT. This could involve,              innovative outcomes and enable the shift to
for example, a colocation agreement, a                   the much talked about as-a-service culture,
multinational infrastructure-as-a-service                cloud and IoT are vital tools for businesses
project or any of a broad range of applications          now and in the future.
covered by the Internet of Things. IoT
connects objects, turning them into                      Companies that use IoT and cloud
‘intelligent’ assets that can communicate
with people, applications and each other.
                                                         computing are more likely to see
It enables things like cars, buildings and               security as an enabler of new
machines to communicate about their status               opportunities and innovation
and environment – creating many new                      In a previous section, we noted that 73% of
opportunities for businesses.                            businesses saw cyber security as an enabler
According to Vodafone’s Cloud Barometer                  of new opportunities, rather than a barrier.
research, 70% of enterprises use or would                This figure was higher for businesses that
consider using the cloud for mission-critical            use IoT (82%) and those that use the cloud
enterprise applications. 63% of businesses are           (76%). Their management teams also better
already using IoT, or plan to within 12 months,          understand the importance of security,
according to Vodafone’s IoT Barometer                    with 79% (companies using cloud) and 83%
research.                                                (companies using IoT) compared with 77%
                                                         for all businesses.

  Percentage who see security as an                         Percentage of businesses whose
   Percentage  of businesses
    enabler of new            that
                    opportunities                          Percentage
                                                          senior        of management
                                                                 management              that the
                                                                                understands
   saw cyber security as an enabler                         saw  cyber security as an enabler
                                                              importance of cyber security
        of new opportunities                                      of new opportunities

     73%             82%             76%                       77%             83%                79%
     All    Businesses           Businesses                    All          Businesses Businesses
 businesses using IoT            using cloud               businesses        using IoT using cloud
Cyber Security: The Innovation Accelerator Cloud computing, the Internet of Things and security                                                 19

Companies that use IoT and cloud Companies that use IoT and
computing are more likely to              cloud computing see greater
have ‘state-of-the-art’ security          financial returns from having
Companies that use cloud and IoT are also stronger security
more likely to consider that they have ‘state-                    Because companies that use cloud and IoT
of-the-art’ cyber security measures in place.                     are more likely to see security as an enabler
74% of companies using cloud believe their                        of new opportunities, allowing them to be
measures are state-of-the-art, while the figure                   more innovative and try new ways of working,
is 82% for companies using IoT – compared                         their management teams better understand
with 69% for all companies.                                       the importance of security and their measures
                                                                  are more state-of-the-art. It is not surprising
  “Cloud is a fast-moving, business                               that they also see greater financial benefits
  transformative technology,” says Colin                          from having stronger security.
  Robbins, innovation director at Nexor.                          The average business expects to see 5.0
  “In 2017, major UK government                                   financial benefits from security, but this rises
  departments have adopted cloud                                  to 5.3 financial benefits for companies using
  technology – not least the National                             cloud and 6.2 financial benefits for companies
  Cyber Security Centre. This demonstrates                        using the Internet of Things. Examples of the
  that when approached in a systematic                            increased financial benefits for cloud and IoT
  way, adopting good risk management                              adopters are shown in the three bar charts
  practice, cloud solutions can be built                          at the foot of this page.
  with appropriate security controls.”

    Percentage of businesses that have
state-of-the-art security measures in place

                                                                                          74%
                                                                                     of companies using
                                                                                      cloud believe their
        69%                82%                  74%                                 security measures are
                                                                                       state-of-the-art

        All             Businesses Businesses
    businesses           using IoT using cloud

              Percentage of businesses expecting the following significant financial benefits
                                     from improved cyber security

       46%            55%          49%                  36%             46%           39%             43%             50%           46%
    All businesses   Businesses   Businesses          All businesses   Businesses   Businesses      All businesses   Businesses   Businesses
                      using IoT   using cloud                           using IoT   using cloud                       using IoT   using cloud

           Enhanced customer                                Greater confidence to                         Ability to launch new
                loyalty                                     allow remote/flexible                         products and services
                                                               working by staff
Cyber Security: The Innovation Accelerator Challenges, threats and risks                                        20

Businesses are concerned
about security threats but are
struggling to find the solutions
Businesses are concerned about                              “We had an incident not too long ago,
their cyber security not being                              where the competition had stolen some
strong enough                                               research data. They sent us a Trojan and
Despite many businesses securing                            through this managed to install spyware.”
management buy-in, businesses remain
concerned about their cyber security not                 Smaller businesses (those with between
being strong enough, with 64% worrying                   10 and 99 employees) fear permanent loss
about it affecting their organisation (just 14%          of their data or lost revenue more than
are not worrying). This is unsurprising given            their peers in larger businesses.
the increase in the volume and sophistication
of cyber security threats. Businesses in                 Regulation and compliance issues are top
Singapore and the United States show                     of mind, with 44% of businesses saying they
heightened levels of concern, with 73% each.             consider security issues because of legal
                                                         obligations (rising to 60% for the public
But what worries them? Loss of data, network             sector) and 33% because of the potential
breaches or reputational damage are the top              risk of fines.
three fears, though there were 13 individual
consequences feared by at least one-quarter              A senior respondent based in Ireland and
of businesses, ranging from downtime to                  working in the international governance and
ransomware, showing the broad variety                    risk team for a global insurance company said,
of security issues facing businesses.
                                                            “We have to ensure that we effectively
  “The main risk is that someone from the                   respond and adhere to not just insurance
  outside world would get access to our                     sort of requirements and regulations,
  data. Spyware is particularly an issue in                 but that we also – although we’re not a
  our sector because of the research data,”                 bank – adhere to as many banking rules
  says the Chief Executive Officer of a                     and regulations, as well, in terms of the
  manufacturer working in the medical                       investment piece. We have a lot of those
  sector in Germany.                                        (regulations) because we are global and
                                                            we have to ensure they are picked up for
                                                            each country.”

     Percentage of businesses that worry about cyber security affecting their organisation

     52%            68%             55%            61%            73%        72%          63%             73%
   Germany          India           Italy         Ireland      Singapore     Spain       England          USA
Cyber Security: The Innovation Accelerator Challenges, threats and risks                                    21

The frequency of incidents                               Many businesses have a
appears to be under reported                             simplistic view of cyber threats
within businesses and externally                         The research indicates that businesses have
                                                         taken a simplistic view of cyber security
          of businesses acknowledge being                threats, with the largest major perceived
 22%      affected by a security incident                threats being viruses/malware, hacking and
          in the last 12 months                          being targeted by cybercriminals (just 34%,
                                                         29% and 26% of respondents respectively).
          of these businesses say a data
 65%                                                     For all threats, the severity rating most
          breach resulted
                                                         commonly awarded by businesses was
                                                         moderate, with ‘minor’ being selected by the
It is likely that the actual figures are far higher
                                                         greatest number of businesses for attacks by
than this as many businesses do not wish to
                                                         insiders and former employees and for being
reveal publicly that they have been affected,
                                                         targeted by competitors or foreign states.
due to possible reputational damage, or
the individual involved was not aware of a               This indicates that some businesses may not
breach that actually occurred. Among those               fully understand the prevalence and variety
whose primary role is in IT, 29% said that their         of security threats, which have increased
company had experienced a security incident              markedly in the last 12 months.
in the last 12 months, whereas the figure was
only 13% for decision-makers working outside             The perceived risk of every threat listed in the
the IT department. This indicates that there             research is higher for organisations that have
may be a lack of transparency within                     witnessed a security incident in the last 12
a business’s leadership team as to the threats           months, indicating that actual security events
and incidents faced. Any opaqueness should               markedly change businesses’ views on cyber
be addressed urgently so the business’s                  security risk.
response to a future incident is not impaired.           The impact of a security breach is also not
                                                         always what businesses expect. We discussed
                                                         that loss of data, network breaches and
                                                         reputational damage were the top three fears.

          22              %
                                                         But when security breaches occurred, what
                                                         was actually top of the list of impacts were
                                                         tangible business criteria – downtime and lost
                                                         revenue – as well as loss of data.
         said that their company
            had experienced a
         security incident in the
              last 12 months
                                                Organisations that
                                                 have witnessed a

                                            security
                                             threat
                                            in the last 12 months have
                                            a higher perception of risk
Security decision-makers have                        devices (46%), with failure to follow company
difficulty finding solutions                         policies stated by 40% and shadow (personal)
                                                     IT stated by 39%. Though stories of security
Many security decision-makers themselves             incidents regarding insecure public Wi-Fi
admitted to difficulties finding solutions           connections have been circulating for over
to cyber security challenges. A hefty 41%            a decade, this was still rated as the second
said they were unsure who could help                 top employee concern (43%) providing further
with cyber security challenges, and this             evidence that businesses are struggling to
increased further to 52% for construction            keep up with the latest most potent threats.
and engineering companies.
This is likely to be partly due to the supplier           “No doubt things could be improved but
landscape containing lots of start-up niche               we’re doing everything we can at the
suppliers and partly due to threats rapidly               moment,” said a UK-based security
evolving.                                                 decision-maker. “We’ve always got it in
                                                          the back of our minds that we’re doing
Decision-makers also shared their concerns
                                                          99.9% of this and that we’re looking
regarding the skills and knowledge of
                                                          out for 0.1% that could come and cause
company employees. The top fear was the
                                                          us some damage.”
careless sharing of information on mobile

   Percentage of businesses that are unsure of who can help them with cyber security challenges

    48%            33%           52%              43%          22%          45%         41%          32%
   Tech and Manufacturing Engineering         Financial        Public     Education     Retail     Healthcare
    media                     and                and           sector                                 and
                          construction        business                                           pharmaceutical
                                              services
Small businesses are at risk from
                                                    “It’s not surprising that six out of ten
poor infrastructure and visibility                  SMEs feel uninformed on security
Many cyber security challenges are more             matters, because the nature of an SME is
acute for smaller businesses. While 78% of          they tend to be focused on being experts
enterprises (over 250 employees) believe that       at what they do, using technology to
their technology is state-of-the-art, this figure   innovate and bring efficiency”, says Colin
falls markedly to 58% for small businesses          Robbins, Innovation Director at Nexor.
with 10–49 employees.
                                                    “Security process and technical expertise
Smaller businesses also say that they suffer        is not a usual skill found in the direct
from a lack of visibility on security risks (55%    SME employee base, and consulting
compared with 42% of enterprises) and are           engagements are deemed expensive.
more likely to not have the security staff          A solution being increasingly used by
needed to monitor security (45% for small           SMEs, especially start-ups without a
businesses compared with 28% for large              legacy to manage, is the adoption of
businesses).                                        cloud technology. By applying due
                                                    diligence on the security credentials of
These issues are being compounded by a lack
                                                    a cloud provider, a lot of the security risk
of IT budget made available for security, with
                                                    mitigation challenges can effectively be
4 percentage points less being made available
                                                    outsourced (remembering business risk
for security in small businesses compared
                                                    itself cannot be outsourced).”
with enterprises.

             55             %
            of smaller businesses
           say that they suffer from
             a lack of visibility on
                 security risks
60% of SMEs feel uninformed                    According to Mike Sapien, chief analyst at
about security – our experts                   Ovum, hindrances caused by a lack of scale
analyse the causes and                         can be a major issue for smaller businesses
                                               when it comes to cyber security.
implications of this
Steve Durbin, Managing Director, Information     “Most SMEs tend to have few skilled
Security Forum, notes that privacy and           security staff and tools to really identify
compliance concerns may be more acute            security issues and the scale to support
for smaller businesses. He says:                 the required security investment which
                                                 begs for both a simple solution and a
 “The fact that 60% of SMEs feel                 qualified managed provider to address
 uninformed about security solutions and         their security requirements.
 who can help is a concerning statistic.
 This will become even more important            Ovum sees great value in aligning
 from a privacy standpoint as we move            with strong service partners including
 closer to the EU GDPR (General Data             traditional telco providers who can
 Protection Regulation) coming into              provide many network-centric security
 effect in May 2018.                             offers, especially for these SMEs who
                                                 need simple solutions with security
 With only 22% of the sample in Europe           wrapped around their network and
 being aware of GDPR and having taken            mobile services. Most SMEs need to
 action to ensure compliance, many               align with a service partner to ensure
 companies are potentially leaving               that they have a stronger, more secure
 themselves exposed to non-compliance            environment to keep up with the
 and associated sanctions being imposed          growing number of security threats.”
 by regulators. But more importantly,
 they are potentially leaving an open door
 for cyber threat actors to gain access to

                                                           60             %
 valuable information.”

                                                          of SMEs feel uninformed
                                                          about security solutions
                                                              and who can help
Cyber Security: The Innovation Accelerator The next generation of security decision-maker                 25

The next generation of security
decision-makers is digitally
savvy and customer focused
Five behaviours of younger                               2. Younger decision-makers
security decision-makers                                 believe in automation
Digitally savvy and customer focused, with               Younger decision-makers also believe in the
high expectations for cyber security: the next           benefits of automating security, with 73%
generation of security decision-makers                     48%
                                                         believing that automating their business’s
is profoundly different.                                 security will help their business become
                                                         more secure (compared to 67% of over 35s).
The research compared the attitudes and
                                                         Automation is likely to become increasingly
expectations of security decision-makers
                                                         necessary due to the rapidly increasing
younger than 35 years of age with those over
                                                         volume and variety of threats, and information
35 years of age and saw profound differences.
                                                         about threats, which already cannot be
                                                         handled in sufficient detail by human
1. Younger decision-makers                               responses alone.
are more likely to work for
digital businesses                                       3. Younger decision-makers
Younger decision-makers are more likely                  believe in cyber security enabling
to work for businesses that use digital                  growth and transformation,
technologies. For example:
                                                         and better customer outcomes
                                                         Younger decision-makers are also more likely
     of under 35-year old security
 69% decision-makers work for                            to believe in strong cyber security being an
                                                         enabler of growth and transformation projects
     businesses that use cloud
                                                         – and they are more focused on security
     computing, compared with 61% for
                                                         driving customer benefits.
     over 35 year old decision-makers

     of under 35-year old decision-                            of under 35-year old decision-
 51% makers work for organisations                         43% makers believe that supporting
     that use IoT, compared to 34%                             growth or transformation is a
     of over 35s                                               driver for increased security spend,
                                                               compared to 38% of over 35s
     of under 35s work for
 52% organisations that use big data                           of under 35s believe that the
     compared to 44% for over 35s                          41% requirements of customers and
                                                               shareholders will drive security
This may be due to younger decision-makers                     spend, compared to 33% of over 35s
being more digitally savvy themselves, but
is also likely to be due to them being more                    of under 35s believe that strong
                                                           50% security will bring enhanced
attracted to innovative, digitally progressive
organisations.                                                 customer loyalty and trust,
                                                               compared with 44% of over 35s
Cyber Security: The Innovation Accelerator The next generation of security decision-maker                 26

4. Younger decision-makers                               5. But there is evidence
are more aware and have                                  of complacency
higher expectations                                      However, we’d urge a note of caution over
Younger decision-makers appear more                      the apparent complacency of some under
aware of cyber security threats and expect               35 year old decision-makers with regards
more in turn from their organisation. Under              to data loss.
35s identify a quarter more threats as major             This is an area which older decision-makers
compared with their older counterparts                   take much more seriously. Just 40% of under
(3.46 compared with 2.74). And a massive                 35s said they feared losing critical data:
91% expect that cyber security budgets will              11 percentage points lower than over 35s
need to rise over the next three years to meet           and a massive 23 percentage points lower
these toughening challenges (compared to                 than over 55s.
85% of over 35s).
                                                         While younger decision-makers’ increased
                                                         use of cloud may mean that they are more
                                                         likely to have a business continuity, disaster
                                                         recovery or back-up strategy in place to help

       91
                                                         to mitigate any data loss, any complacency

                          %                              on protecting an organisation’s data should
                                                         raise a red flag for business owners which
                                                         should be acted on.

        of decision-makers under
        35 expect cyber security
           to rise over the next

                                                   40              %
                three years

                                                      of under 35s said
                                                     they feared losing
                                                         critical data
Cyber Security: The Innovation Accelerator The next generation of security decision-maker                            27

               Attitudes and behaviours
               of security decision-makers
                                                                             18-34 year old DMs   35+ year old DMs

                   Digitally savvy
                   Use Cloud                                                      69%                 61%
                   Use IoT                                                        51%                 34%
                   Use big data                                                   52%                 44%
                   Automation
                   Automating our security will help our business
                   to be more secure
                                                                                  73%                 67%
                   Growth and customer focused
                   Supporting growth or transformation is a driver
                   for increased security spend
                                                                                  43%                 38%

                   Expect strong security to bring enhanced
                   customer loyalty and trust
                                                                                  50%                 44%

                   Believe that requirements from customers and
                   shareholders will drive increases in security spend
                                                                                  41%                 33%
                   Higher expectations
                   Number of security issues considered as
                   a major threat
                                                                                  3.46                2.74

                   Expect to see information security budget
                   increase over the next three years
                                                                                  91%                 85%
                   Complacency
                   Fear permanent loss of critical data                           40%                 51%
Cyber Security: The Innovation Accelerator Our view of the future                                                              28

Our view of the future
This report identified some clear indicators of cyber activity and
resulting business preparation and behaviour – especially the
positive link between strong cyber security and business growth
and innovation. From these insights and Vodafone’s cyber security
experience, we believe that there are six key future disruptors that
will shape how businesses manage digital risk and build resilience.
These disruptors cannot be ignored as they will force direct and
significant change upon businesses, governments and individuals –
how you approach them, and your ability to adapt and innovate, will
be critical to your future business growth.

1. Cyber adversaries will continue                                       2. New cyber technologies
to out-think, out-innovate and                                           and service models will help
out-invest traditional models                                            to address the scale of the
for cyber defence                                                        challenge and the scarcity
The continued rise of global cyber crime                                 of cyber expertise
cartels, the weaponisation of cyber space                                The ability of businesses to monitor, detect
and sophistication of attacks will further                               and respond will take a leap forward by
increase the gap in capabilities between                                 leveraging cognitive and behavioural
cyber adversaries and businesses.                                        analytics, contextual cyber intelligence
It is an arms race that is being fuelled by                              and real-time automated incident response.
an explosion of new technology, ubiquitous                               These advances allow building new types
connectivity, IoT integration and artificial                             of enterprise-grade security operations
intelligence-based services.                                             and services that can be deployed at scale,
                                                                         through consumption adoption models,
                                                                         extending to encompass the user and their
                                                                         data – not just the infrastructure.

                         $445bn                                                                  120 days
                         is the annual cost of global                                            is the average number
                         cyber crime, overtaking                                                 of days it takes a business
                         the global drugs trade.                                                 to know its data has been
                         There are 16 cyber crimes                                               compromised. According
                         committed every second,                                                 to a 2016 UK government
                         with a rise of ransomware                                               report, 25 of the large
                         attacks such as WannaCry                                                firms who detected a cyber
                         and Petya1                                                              security breach or attack
                                                                                                 in the past year experience
                                                                                                 a breach at least once
                                                                                                 per month2

Source: 1. A Guide to Cyber Risk: Managing The Impact of Increasing Interconnectivity, Allianz Global Corporate & Specialty
2. The Cyber Security Breaches Survey 2017, Department for Digital, Culture, Media & Sport
Cyber Security: The Innovation Accelerator Our view of the future                                           29

3. Regulation, legislation and                           4. Cyber security awareness
litigation will become powerful                          at a societal level will change
drivers for cyber investment                             behaviours and determine
Security and privacy regulation has shaped               the value of protection
cyber security spend over the past 20 years.             As digital adoption accelerates, businesses
Yet many organisations use these                         and their employees have never been more
requirements to “admire the problem” in                  cyber-aware. The implications on society
specific areas of their business rather than             of cyber crimes, digital disruption and the
address essential security controls on their             blurring of the physical and digital worlds
mission-critical data.                                   are becoming better understood. Schools
We anticipate regulation, legislation and                are increasingly teaching cyber security skills,
litigation issues will continue to be significant        yet a divide exists between digital natives
drivers of investment. The (re-)definition of            and digital immigrants. We will start to move
privacy, as enshrined in the EU’s General Data           away from passwords to biometric identity
Protection Regulation (GDPR) highlights the              controls and behaviour monitoring, but we
significant gap many organisations have in               have a long way to go before cyber risk is
protecting their data. And GDPR affects every            understood and managed at a personal
business that does business within the EU,               level. Increased visibility and accountability
regardless of what country they are based in.            of core levels of security will be inherent
                                                         in all products and services, while a price
Nations are pushing cyber capability through             premium for additional protection will
regulation, legal frameworks are being                   become part of the value proposition.
bent and changed to accept digital risk
and negligence, yet there is little common
ground on cyber law enforcement. As a result,
brand damage and personal reputations will
continue to take the hit.

                          $20m                                            2,356,000
                          or 4% of global annual                          instances of bank account
                          turnover for the preceding                      fraud were reported over
                          financial year, whichever is                    the 12 months leading
                          the greater, is the maximum                     up to June 2016. It is the
                          financial penalty in place                      most common form of
                          for breaches of the                             cyber crime in the UK4
                          upcoming GDPR3

Source: 3.The Official Journal of the EU (OJEU)
4. Office for National Statistics
5. Cyber capability and                                        6. The real-world implications
expertise will become the                                      of cyber attacks will change
most scarce resource                                           our view of safety
The constantly shifting sands of technology                    As IoT rapidly spreads sensors and semi-
adoption and vulnerability, aligned to                         intelligent devices across the globe, smart
the explosion of digital business models,                      cities and smart transport systems route
will accentuate an already acute lack of                       and manage our movements and critical
cyber expertise. Cyber capacity requires                       infrastructure and services are digitised –
organisations to take advantage of new                         we will expose ourselves to huge safety risk.
service models as businesses will be unable
to find enough appropriate resources.                          Attacks on power grids, autonomous cars
                                                               and health services will continue and we will
As our report shows, the winners in the                        finally see cyber bridge the digital and the
digital economy will be those with access                      physical world.
to cyber expertise. Businesses that partner
with cyber security experts will be best
placed to overcome challenges and meet
their growth objectives.

                     1m                                                               152,000
                     was the number of cyber                                          consumer IoT devices were
                     security job openings                                            used by hackers during
                     globally in 2016. Demand                                         the September 2016 DDoS
                     is expected to rise to                                           (Distributed Denial of
                     6 million by 2019, with                                          Service) attacks on a large
                     a projected shortfall                                            French hosting provider.
                     of 1.5 million5                                                  They were able to inundate
                                                                                      the company with 1Tbps
                                                                                      of traffic, causing mayhem
                                                                                      for customers around
                                                                                      the world6

Source: 5. Mitigating the Cybersecurity Skills Shortage, Cisco & statement by Michael Brown, CEO at Symantec
6. The Register – http://www.theregister.co.uk/2016/09/27/152463_hacked_cameras_deliver_990gbps_recordbreaking_dual_ddos/
Cyber Security: The Innovation Accelerator Recommendations                                             31

Recommendations
At Vodafone we believe that cyber security is both a fundamental
business requirement and an enabler for innovation and digital
transformation. We also understand that maintaining cyber resilience
in the face of the six key disruptors is a difficult and resource-intensive
activity. Resilience is critical, maintaining your organisation’s goals
and operations while facing a relentless and dynamic adversary.
In this section, we outline four areas that form the cornerstones
of a cyber-ready organisation.

Understanding              Building a cyber-             Cyber security            Cyber response
  cyber risk                ready culture                 operations                and recovery

Understanding cyber risk                             Building a cyber-ready culture
To understand cyber risk, an organisation            People are our most valuable resource.
must first identify its critical assets and the      They provide the first and most effective line
threats facing them. This starts with key data       of defence against cyber attacks, while also
assets, but also includes brand reputation,          playing a pivotal role in maintaining cyber
core operational processes and customer              resilience during disruption. People are also
information. At Vodafone we advocate the             the weak link in the security chain. Cyber
use of a ‘RISK Compass’ to help orientate            education and awareness must sit at the heart
to these risk areas (see next page).                 of any comprehensive cyber security strategy.
                                                     This is as relevant at the board level as it is
Organisations must think both in terms of            on the shop floor.
current and future risk exposure, as well as
regulatory requirements and industry/societal        Our safety is quite literally in our own hands.
benchmarks for risk appetite.                        Our digitally networked society means that
                                                     we each hold sensitive data in trust for many
From the board and exec committee, every             others; understanding that responsibility
group within the organisation should be              and also the protective measures and policies
able to articulate their key cyber risks and         in place can guide our behaviour.
the business impact they present. Executive
leadership requires a view of residual risk –
the delta between people, processes and
technologies in place to protect mission-
critical systems and data and the risks which
remain. Continuous risk reviews and risk
acceptance tracking along with ongoing
risk mitigation approaches are essential
for organisations.
You can also read