China seen to emerge as a front runner in driving information security initiatives

Increased focus on R&D creating higher demand for better and stronger data security measures for companies in China.

The 2012 Global State of Information Security Survey® reveals that 43% of global companies think they have an effective information security strategy in place and are proactively executing their plans, placing them in the category of information security “Front-runners.” Twenty-seven percent of respondents identified themselves as “Strategists” while the remaining identified themselves as “Tacticians” and “Firefighters” (15% and 14% respectively). The study, the largest of its kind, is conducted by PwC in conjunction with CIO and CSO magazines.

The 9th annual survey of more than 9,600 security executives from 138 countries found that 72% of survey respondents report confidence in the effectiveness of their organisation’s information security activities - however confidence has declined significantly since 2006. The findings of the survey have helped carve a new definition of a true information security leader. Even though 43% see themselves as front runners which may indicate a false sense of security, according to the survey only a minority of respondents (13%) made the, “leader cut” and they have: an overall information security strategy in place, a CSO, CISO or executive equivalent who reports to the top of the organisation, both measured and reviewed security policy effectiveness on at least a yearly basis, and have a good understanding of the security breaches facing the organisation in the past year.

Owing to the increasing number of high profile security incidents in recent years which have helped to raise the awareness of company executives, companies now have greater insights than ever before into the landscape of cyber crime and other security events, according to a PwC report.

“Just a few years ago, almost half of this survey’s respondents couldn’t answer the most basic questions about the nature of security-related breaches, now approximately 80% or more of respondents can provide specific information about the frequency, type and source of security breaches their organisations faced this year” said Kenneth Wong, a partner in PwC Hong Kong’s Risk & Controls Solutions practice based in Hong Kong.

“China has since appeared to emerge as a front runner in driving information security initiatives due to a number of significant changes in the business environment. There has been an increased emphasis on the protection of confidential corporate data and intellectual properties owned by Chinese companies, as well as tougher regulatory measures and an increased focus on R&D, however there is still a long way to go,” said Mr. Wong.

This year, a significant percentage of respondents across industries agreed that one of the most dangerous cyber threats is the Advanced Persistent Threat (APT) attack which usually refers to a group of highly skilled individuals with the capability, resources and intent to persistently and effectively target a specific entity through a cyber attack, which is different from individuals, such as an individual hacker, who are not usually referred to as an APT as they rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific target. 

“This year, significant percentages (83%) of China respondents from various industries agree that APT drives their organisation’s security spending, yet only 28% say their company has a security policy that addresses APT. So, although China respondents lead their global counterparts, many are not adequately prepared to combat this new threat.” said Samuel Sinn, a partner in PwC China’s Risk & Controls Solutions practice based in Beijing.

According to the survey, the rise of cloud computing has improved but also complicated the security landscape. More than four out of ten global respondents and six out of 10 China respondents report that their organisation uses some kind of cloud computing services – 69% for software-as-a-service, 47% for infrastructure-as-a-service and 33% for platform-as-a-service. Although 54% of organisations say that cloud technologies have improved security perhaps because of better / easier access to security technologies made available through cloud service providers; while 23% say it has increased vulnerability. The largest perceived risk is the uncertain ability to enforce provider security policies and the lack of transparency on how security is proactively managed by cloud service providers.

Mobile devices and social media represent a significant new line of risk – and a demand for prevention. Globally, 57% of respondents do not have a security strategy and policy for employee use of personal devices, 63% do not have a security strategy and policy for mobile devices and 68% do not have a security strategy and policy for social media. This may pose new risks as mobile devices and social media are increasingly being used by employees and customers.

Managing security-related risks associated with partners, vendors and suppliers has always been an issue – according to this year’s survey it is getting worse. Twenty-three per cent of China respondents identify partners and suppliers as the source of security breaches, up from last year (7%). For years the most commonly suspected source of breaches has been employees, both current and former – and they still are according to this year’s survey results. Forty-three per cent of China respondents identify former and current employees as the source of security breaches, up significantly from last year (11%).

For several years, Asia (including China), has been firing up its investments in security technology. The number of Asian and Chinese respondents who expect security funding to increase over the next 12 months has leapt to 74% and 83% respectively this year – an expectation rate far higher than any other region. However, despite the optimism in security technology spending, most organisations in China still lag behind in terms of aligning, and getting an appropriate balance between, “people”, “process” and “technology”. “Very often, we have seen organisations in China under-investing in having regular independent assessment to be conducted to evaluate the operating effectiveness of their security policies and procedures” said Charlie Fu, a partner in PwC China’s Risk & Controls Solutions practice based in Shanghai.