1. Telindus Cybersecurity Report 2019
With the support of
39%
29%
32%
41 respondents
Finance
Public
Industry & Services
Contain the attack and prevent expansion of the compromised set of IT assets
Prevent recurrence of similar incidents
Reduce time to recover to normal activity to preserve business activities
Improve cybersecurity awareness and internal culture
44% 49% 57% 54% 69
56% 51% 43%
57%
43% 46% 31
51%
12%
Preparation Detection Analysis Containment Eradication Reco
37%
37%
27%
Morethan500people
Between100&500people
Lessthan100people
36%
44% 49% 57% 54% 69%
AFTER12MONTHS
63% 39%
56% 51% 43%
57%
43% 46% 31% 61%37%
Defense
Detection
Reactive
Preventive
Proactive
79%
39%
40% 9% 31% 15% 43%
54%
46%
41%
33%
2
15%
3
63%
56%
76%
Preparation Detection Analysis Containment Eradication Recovery Post-incident Com & PR
ECONOMIC SECTORS COMPANY SIZE
37%
27%
Morethan500people
Between100&500people
Lessthan100people
36%
54% 69%
AFTER12MONTHS
63% 39%57%
43% 46% 31% 61%37%
Defense
Detection
Reactive
Preventive
Proactive
Compliance
Offensive
79%
39%
40% 9% 9% 1%31% 15% 43%
54%
46%
41%
33%
23%
21%
15%
32%
20%
63%
56%
76%
Containment Eradication Recovery Post-incident Com & PR
37%
27%
56%
Ope
Morethan500people
Between100&500people
Lessthan100people
36%
AFTER12MONTHS
34%
Defense
Detection
Reactive
Preventive
Proactive
Compliance
Offensive
79%
39%
40% 9% 9% 1%31% 15% 43%
54%
46%
41%
33%
23%
21%
15%
32%
20%
63%
56%
76%
37%
27%
Morethan500people
Between100&500people
Lessthan100people
36%
AFTER12MONTHS
63% 39%
61%37%
Defense
Detection
Reactive
Preventive
Proactive
Compliance
Offensive
79%
39%
40% 9% 9% 1%31% 15% 43%
54%
46%
41%
33%
23%
21%
15%
32%
20%
63%
56%
76%
y Post-incident Com & PR
84% Human weaknesses
exploitation throught social
engineering and phishing
Main causes of incidents
Gain insights on how Companies currently manage cybersecurity incidents in Luxembourg,
discover which major issues and pitfalls to avoid.
Impacts of a security breach
“Thecriticalsuccessfactorofacybersecurityincident
management strategy consists in demonstrating the
impact on the business by emphasizing this objective,
forinstanceintermsofreductionofthetimetorecover
normal activities to preserve business activities.
SuchaclearmappingwillraisetheManagementCommittee’sawareness
and will remove reluctance from the top-management.„
EXPERT ADVICE
telindus.lu
Survey conducted from May 5th
to June 15th
, 2019. Profile of respondents: CISO, ISO, RSSI, IT Manager.
48% Human errors.
Obstacles for information sharing
EXECUTIVE SUMMARY
Thesurvivalofacompanyincaseofasecurityincidentisinverselyproportionaltothetimeelapsingbetweenthecompromise&itsdetectionandresponse.
Efforts should be prioritised to increase readiness and response capabilities in conjunction with the increase of the detection capabilities.
Nowadayscompaniescannotmanageincidentsbythemselveswithoutinformationontheglobalcurrentstateofplay.Cybersecurityincidentmanagement
strategy shall no more be exclusively based on the prevention of recurring past known incidents. It is now mandatory to enhance detection, analysis and
response capabilities by leveraging the strength of the community information sharing. The barriers of information sharing will be lifted by identifying
and validating from a compliance and regulatory point of view a series of indicators that can be shared without risk of leakage of information.
Maintaining a high level of efficiency of the response capabilities (analysis, containment, eradication, recovery) is mandatory to preserve the business
processes,butnotsufficienttomanageacrisisincaseofanincident.Effortsshallalsobeallocatedtosupportbefore-crisisprocessessuchthepreparation
to detect and react to a cybersecurity incident, but also during a crisis including Communication, notification and public relations during / post crisis
situations.
It is important to increase the communication toward the Board of Directors by demonstrating the close-link between the incident management strategy
and associated processes and practices with the preservation of the value creation process. CISOs and IT Managers should focus their strategy on
demonstrating that it reduces time to recover to normal activity to preserve business activities to change the reluctant mindeset consisting in thinking
security is not an executive level priority
Telinduscanassistyourdigitaljourneyfortheprotectionofyourbusinessandthatofyourcustomer’sbusinessbyprovidingofferswithabroadrangeband
of cybersecurity services, from strategic advices to the operational implementation of detection and defense mechanisms, involvement in cybersecurity,
preparation and support to react to incident and simulation exercises of your current posture.
THEY WOULD THUS SEE THE DIRECT LINK BETWEEN THE INCIDENT
MANAGEMENT STRATEGY AND ITS CONTRIBUTION
TO VALUE CREATING ACTIVITIES.
WANT TO KNOW MORE?
GET IN TOUCH WITH OUR CYBERSECURITY EXPERTS:
CYBERSECURITY@TELINDUS.LU
Z.A. Bourmicht -18, rue du Puits Romain | L-8070 Bertrange - Luxembourg
ABOUT YOUR INCIDENT MANAGEMENT STRATEGY
ABOUT CYBERSECURITY INCIDENTS MANAGEMENT
78% of companies report having had
to manage incident over the past year.
83%
78%
54%
94%
Fina
nce
Industry & Se
rvices
Publi
c
Surprising to
note that not all
companies had
to manage incident
19% External technical
attacks and hacking
Self-assessment of confidence level of confidence in respondent’s own capabilities
“Confidence in current detection capabilities is currently low.
A shift is expected to occur soon as the improvement of detection
capabilities is listed as the 2nd
most important priority for the
coming year.„
Lessthan100people
36%
44% 49% 57% 54% 69% 63% 39%
56% 51% 43%
57%
43% 46% 31% 61%37%
Preparation Detection Analysis Containment Eradication Recovery Post-incident Com & PR
“Knowing and monitoring your vulnerabilities
is the first step towards remediation. It is best
to identify them before attackers discover and
exploit them against you.„
EXPERT ADVICE
ARE ALL MEANS USED TO DETECT INCIDENTS?
‘’Financialimpactsofdirectlossofrevenuearethethirdmost
important concern for financial and industrial sectors.’’
Financial impacts
are UNKNOWN
to 17% of respondents.
44%
56%
22%
During the last
12 MONTHS
Operations ReputationLegal & regulatory
Less than 6
(once every two months or less)
Between 6 & 12
(once a month or less)
More than 12
(more than once a month)
None
46%
17%
14%
54% 50% 25%
66%34%
1
2
59% 63% 88%
44%
56%
22%
During the last
12 MONTHS
Operations ReputationLegal & regulatory
Less than 6
(once every two months or less)
Between 6 & 12
(once a month or less)
More than 12
(more than once a month)
None
46%
17%
14%
54% 50% 25%
66%34%
1
2
59% 63% 88%
2%
Reputationlatory
Less than 6
(once every two months or less)
Between 6 & 12
(once a month or less)
More than 12
(more than once a month)
None
17%
14%
% 25%
88%
39%
29%
32%
41 respondents
Finance
Public
Industry & Services
Contain the attack and prevent expansion of the compromised set of IT assets
Prevent recurrence of similar incidents
Reduce time to recover to normal activity to preserve business activities
Improve cybersecurity awareness and internal culture
44% 49% 57% 54% 69% 63% 39%
56% 51% 43%
57%
43% 46% 31% 61%37%
51%
12%
Preparation Detection Analysis Containment Eradication Recovery Post-incident Com &
37%
Cybersecurity incident management strategy
No such strategy
Strategy in place
Strategy under development
“A strategy that is not based on a holistic approach
can only be limited because it is free from
the characteristic of today’s threats (because
of the globality and industrialization of threats
as the Internet has no borders and attackers
exchange information to optimize their gains).„
EXPERT ADVICE
IS YOUR STRATEGY ALREADY OBSOLETE OR LIMITED?
MAIN OBJECTIVESifYES
ifNO
53%
3
60%
2
Lack of
internal
skills
Priority is given
to other (business)
activities
Lack of
management
support
100%
1
Recognition of the cybersecurity
skills of local partners: 0%
of the respondents has identified
the lack of a cybersecurity partner
in Luxembourg as an obsctacle.
39%
37%
27%
29%
32%
41 respondents
Finance
Public
Industry & Services
Morethan500people
Contain the attack and prevent expansion of the compromised set of IT assets
Prevent recurrence of similar incidents
Reduce time to recover to normal activity to preserve business activities
Improve cybersecurity awareness and internal culture
Between100&500people
Lessthan100people
36%
44% 49% 57% 54% 69%
AFTER12MONTHS
63% 39%
56% 51% 43%
57%
43% 46% 31% 61%37%
51%
12%
Defense
Detection
Reactive
Preventive
Proactive
79%
39%
40% 9% 31% 15% 43%
54%
46%
41%
33%
15%
63%
56%
76%
Preparation Detection Analysis Containment Eradication Recovery Post-incident Com & PR
37%
BIGGEST OBSTACLES FOR ADOPTING AN EFFICIENT
CYBERSECURITY INCIDENT MANAGEMENT STRATEGY
ABOUT CYBERSECURITY INCIDENT RESPONSE STRATEGY
Incident response plans are not systematically tested
66%
51%
44%
Incident
Response
Plansinplace
Incident
Management
Strategyinplace
Incident
Response
Planstested
61%
Incident
Response
Strategyinplace
TO ENSURE THE CONTINUITY OF THEIR ACTIVITIES,
COMPANIES PRIORITIZE ACTION AND RESPONSE TO INCIDENTS
MORE THAN THE GLOBAL SECURITY STRATEGY.
33% have tested the plans during a real crisis
67% have tested the plans during a crisis simulation
THE TEST MODES VARY:
“Trust does not exclude control. The survival of the company
in case of an incident clearly depends on the preparation,
sensitization and testing of the teams and the whole ICT chain
during crisis simulation exercises to systematize the right reflex
to be followed in case of a real incident.„
EXPERT ADVICE
Mapping the incident management strategy with business objectives to get support from top-management
Shift of cybersecurity incident management practices
CURRENT PRACTICES vs PRIORITIES FOR THE NEXT 12 MONTHS
“The expected shift from «Defensive / Detective
/ Reactive» to «Proactive / Detective / Preventive»
reflects the position that it is cheaper to prevent
threats and incidents instead of reacting
and correcting from occurring.
• Proactive measures can consists of Threat Hunting.
• Detective measures consist in massively
investing into SOC.
• Preventive measures consist in performing
security awareness.„
EXPERT ADVICE
Defensive
Detective
Reactive
Preventive
Proactive
Compliance
Offensive
39
79
63
54
15
46
56
51
76
33
32
23
20
21
Containtheattackandprevent
expansionof thecompromised
setof ITassets(Accordingto100%
ofrespondentsofthissector)
Prevent recurrence
of similar incidents
Prevent recurrence
of similar incidents
(Accordingto100%ofrespondents
ofthissector)
Prevent recurrence
of similar incidents
Reduce time to recover
to normal activity and preserve
business activities
Reduce time to recover
to normal activity and preserve
business activities
Improve cybersecurity
awareness internal culture
Contain the attack and prevent
expansion of the compromised
set of IT assets
Contain the attack and prevent
expansion of the compromised
set of IT assets
NEXT 12 MONTHSCURRENT
Sponsored by
61%
NO INFORMATION TO SHARE
Lack of human, technical or time capability to collect and share data,
too much data making difficult the selection of data of interest,
value of available data is not know.
CONSTRAINTS OF THE COMPLIANCE FRAMEWORK
Risk of information leak considered too high and legal an regulatory
compliance framework does not allow information sharing.
LACK OF TIME TO PROCESS OR CONTRIBUTE INDICATORS
Focus is set on deliverying business activities.
68%
66%