
KZ Deloitte Information Security Survey 2014 en


Central Asian Information Security Survey Results (2014)

Insight into the information security maturity of organisations, with a focus on cyber security
Introduction and Executive summary

From September to November 2014 Deloitte performed its first “information security survey” in Central Asia to better understand the current state of information security programmes and governance structures at organisations in the region. The survey covers various industries and addresses how organisations view, formulate, implement and maintain their information security programmes.

The 39 survey questions covered the following areas:

1. organisational information
2. information security attacks and threats
3. information security data and technologies, and
4. monitoring of and reaction to identified security threats

The survey focused on cyber security risks and to that end we approached approximately 100 companies to fill in the online survey questionnaire.

We stipulate that we present the survey results without making a distinction by industry or organisation size, and that the results are ‘anonymous’ to avoid making reference to individual organisations.

We would like to thank those organisations that participated in the survey for their cooperation. We would like to encourage other companies to participate in the next Deloitte “information security survey”.

Executive summary

The survey identified the five most relevant conclusions on the current state of information security programmes (cyber security) in Central Asia, as follows:

1. The majority of companies have not been exposed to cybersecurity incidents.
2. Information security policies, procedures and responsibilities are mostly in place and defined.
3. Controls to ensure that third parties (i.e. vendors / partners) comply with appropriate security standards are insufficient.
4. Awareness of business (senior) management and end-users around cybersecurity risks is insufficient.
5. Though basic security measures are in place, more advanced solutions are uncommon.

Later in this report we provide more detailed insight on the survey findings.

© 2015 Deloitte LLP 2


Comparing global trends with the information security status in Central Asia

The number of information security incidents has been increasing globally, ranging from passive monitoring of communications to close-in attacks.

Undoubtedly, the recent Sony Pictures cyber attack, which involved hackers accessing some of the corporation’s most confidential data, has garnered a lot of media attention, as did a massive data breach at JPMorgan Chase & Co. that ended up in 76 million records being stolen. Another example relates to the company “Home Depot”, where credit card details of 56 million customers were siphoned using malware installed on cash register systems.

Central Asia has also seen a number of security incidents making it to the news. However, compared to other regions, the number of attacks appears to be limited, and for the ones that have been reported, little information is available on the actual impact. According to the responses in this survey, approximately 65% of respondents have not experienced cyber attacks directed at their organisation (see question 1).

Although the number of publicly known cyber attacks appears to be small, this does not mean that organisations in the region are immune, and they could well be operating under a false sense of security. Given global trends and the increased number of attacks and attention given to cyber security, it could very well be that Central Asia becomes the next target for hackers in the near future. When - not if - this happens, organisations need to be prepared.

Question 1: Have you suffered a breach in the last 12 months (multiple answers possible)?

[Chart for question 1: horizontal bar chart, axis 0% to 70%. Response options: Information not available; Others; Weaknesses highlighted during testing; Lost assets (lost/stolen laptops or memory cards); Malware; Hacker attacks; Virus attacks; We were not exposed to hacking.]

The majority of companies have not been exposed to cybersecurity incidents. However, evidence is insufficient as to whether this is reality or merely perception.

Profile of Central Asian Information Security survey respondents


Profile of Central Asian Information Security survey respondents (1/2)

65% of the respondents are in the Telecommunications and Finance industries (see question 2), which is unsurprising as these are the industries most prone to cyber attacks.

Question 2: Which industry is your organisation in?

[Chart for question 2: pie chart. Categories: Finance; Mining; Retail trade (retail); Manufacturing; Telecommunications; Technology; Energy; Transport and Logistics; Others.]

The majority of respondents (58%) employ more than 10 people in their IT-departments. However, the survey also includes smaller IT-departments, as shown in question 3 below.

Question 3: How many people does your IT-department employ?

[Chart for question 3: pie chart. Categories: 1-2; 3-5; 6-10; 11-15; >15.]

In the meantime, governments have started to pay increased attention to the security of their strategic activities and assets (such as refineries and power stations) to protect critical IT-infrastructure - so-called SCADA systems - from unauthorised access. For that reason, the expectation is that senior management in the resources industry (oil, gas, energy and utilities) should also be focusing on information security.


Profile of Central Asian Information Security survey respondents (2/2)

When asked about IT-governance standards (see question 4), the majority of organisations referred to internal (head office) policies (65%) and regulatory requirements (50%) rather than international standards such as COBIT or ITIL.

Question 4: Does your organisation adhere to IT process or security frameworks and/or standards, and if so, which ones (multiple answers possible)?

[Chart for question 4: horizontal bar chart, axis 0% to 70%. Response options: Others; Yes, ISO / IEC 27000; Yes, COBIT; Yes, ITIL; Yes, regulatory standards; Yes, parent organisation standards; No.]

Corporate information security maturity in Central Asia


Corporate information security maturity in Central Asia (1/4)

A number of survey questions refer to information security maturity with respect to the following topics: (1) respondents’ perception of their network security, (2) the existence of policies, (3) the extent to which responsibilities around information security are defined, (4) current maturity levels and (5) the key challenges to improving corporate information security.

64% of respondents consider that their organisation has sufficient security policies and procedures in place (see question 5) and, interestingly, the number of respondents citing weak or insufficient security policies and procedures was zero.

It appears that the majority of respondents have policies and procedures in place, mostly related to (1) IT-security strategy and (2) business continuity plans (see question 6). However, only a limited number of respondents indicated that they had developed a response plan for cyber security incidents.

Question 5: How secure do you think your organisation’s network is?

[Chart for question 5: pie chart. Response options: Sufficiently secure; Secure to a certain extent; Information not available; Not secure; Highly secure.]

Question 6: Which of the following (policies / procedures) has your organisation documented and approved (multiple answers possible)?

[Chart for question 6: horizontal bar chart, axis 0% to 60%. Response options: None of the below; Cyber incident response plans; Information security roadmap; Business continuity plans; Not developed but due to be developed over the next 12 months; Information security governance structure; Information security strategy.]

Most respondents have information security policies and procedures in place (or will introduce them in the near future), with responsibilities for information security defined.


Corporate information security maturity in Central Asia (2/4)

Question 7 shows that 57% of the respondents employ a security officer (or equivalent), while the remaining 43% stated that they had not yet defined information security duties.

Question 7: Does your organisation have a (dedicated) department responsible for network security?

[Chart for question 7: horizontal bar chart, axis 0% to 45%. Response options: No; Yes, dedicated department / division; Yes, but as part of another department (IT or Internal Control Department).]

Information security reports tend not to be sent to the Chief Information Officer (CIO), but rather to the CEO (36%) or the Board of Directors (14%). See question 8.

Question 8: Who does your information security organisation’s executive(s) report to?

[Chart for question 8: horizontal bar chart, axis 0% to 40%. Response options: Chief Information Officer (CIO); Chief Financial Officer (CFO); Reports not available; Chief Executive Officer (CEO); Others; Board (Board of Directors).]

The majority (close to 80%) of organisations stay up to date on information security developments through publications and journals, mailing lists and the Internet (see questions 9 and 10).

Question 9: What has raised your awareness of information security attacks (multiple answers possible)?

[Chart for question 9: horizontal bar chart, axis 0% to 90%. Response options: Other; Presentations and discussions at conferences; Publications in magazines, on websites and mailing lists; Legal and / or regulatory requirements; The infrastructure of our organization was under attack; Clients of our organization were attacked.]
Corporate information security maturity in Central Asia (3/4)

Given that each organisation is structured differently and faces different security threats (see question 13), the expectation was that more organisations would stay up to date through unique events and specific sources, such as conferences and consultants.

Question 10: How do you keep informed of new forms of information security attacks and threats (multiple answers possible)?

[Chart for question 10: horizontal bar chart, axis 0% to 90%. Response options: Other; To date, there is no way our organization can trace cybercrime promptly, but we consider this question; Consulting firms / external consulting; Scientific publications; Providers (vendors); Social network; News on websites / blogs / from professional associations; Security conferences; Mailing lists.]

We asked respondents to indicate their current information security status based on our 5-level model. Approximately 30% of respondents admitted being at level 3 (see question 11), implying “the presence of a set of defined and documented standard processes, and some degree of improvement over time”.

Question 11: What maturity level is your organisation currently at?

[Chart for question 11: horizontal bar chart, axis 0% to 30%. Response options:
• Information not available
• Level 5 - Optimised: focus is on continuous improvement and innovation.
• Level 4 - Managed: benchmarking process, effective management control, adaptation without losing quality.
• Level 3 - Fixed: a set of defined and documented standard processes, some degree of improvement over time.
• Level 2 - Repeatable: some processes are repeated, perhaps with reliable results, from poor discipline process, agreed benchmarks.
• Level 1 - Basic: undocumented, dynamic change, ad hoc, uncontrolled and reactive, individual heroics.]


Corporate information security maturity in Central Asia (4/4)

To qualify for the 3rd maturity level, it is important that policies and procedures are not only defined but also implemented within an organisation. We are unable to comment on the extent to which organisations have truly implemented policies and procedures, as that would require a more detailed assessment or audit. However, experience indicates that in reality the majority of organisations in Central Asia are at maturity level 2, with only some at level 3.

Finally, we asked the respondents to indicate what would help them to improve information security maturity. The majority referred to the need for: (1) more advanced tooling, (2) increased awareness and (3) commitment from senior management to improve information security (see question 12).

Question 12: What do you think will help improve your organisation’s security levels (multiple answers possible)?

[Chart for question 12: horizontal bar chart, axis 0% to 80%. Response options: Others; Advanced security technology; IT steering committees; Employee reward / disciplinary systems; Better employee security awareness; Increased security department staff numbers; Larger budgets; Senior management commitment.]

Although IT-departments are aware of cybersecurity risks, business management and end-user awareness is considered to be insufficient.

Overview of the most commonly implemented security measures


Overview of the most commonly implemented security measures (1/2)

This section of the report provides an overview of the information security threats respondents consider to be most relevant for their organisation and the security measures that have been implemented to control these threats, specifically with regard to cyber security.

We asked respondents what risk they thought to be most relevant (see question 13). The results were quite diverse, indicating a wide range of cyber security risks faced by the organisations in the region.

Question 13: What do you consider to be your greatest security risk (multiple answers possible)?

[Chart for question 13: horizontal bar chart, axis 0% to 60%. Response options: Information not available; Others; Uncontrolled portable devices; Incorrect configuration; Internet downloads; Malware; E-mail viruses; Hacking attempts by hackers; Insider attacks.]

Questions 14 and 15 show that most respondents have basic security measures in place, such as anti-virus solutions, firewalls and access control lists. However, more advanced solutions such as intrusion prevention systems, file encryption, vulnerability management systems and event log management (including active reviews) are not as common. Given that hackers globally are rapidly becoming more sophisticated in their hacking methods, the current state of security measures could pose an increased threat to companies in Central Asia.

Question 14: Which security measures has your organisation implemented (multiple answers possible)?

[Chart for question 14: horizontal bar chart, axis 0% to 90%. Response options: Information not available; Others; Safety endpoints; Managing event logs (solutions SIEM); Data Loss Prevention / file encryption (memory); Vulnerability Management; Intrusion Detection Systems / Intrusion Prevention Systems; Anti-spam / spyware / phishing solutions; Firewalls; Antivirus.]


Overview of the most commonly implemented security measures (2/2)

Most respondents have basic security measures in place, such as anti-virus solutions, firewalls and access control lists. However, more advanced solutions such as intrusion prevention systems, file encryption and vulnerability management systems are uncommon.

Question 16 indicates that companies in Central Asia mainly make use of commercial products to secure their environment rather than company-specific solutions. When relying on commercial products, it is important to perform periodic (security) updates to ensure reasonable protection against the most common security risks.

Question 15: What measures do you usually take to mitigate network attacks targeted at your organisation’s infrastructure / customers (multiple answers possible)?

[Chart for question 15: horizontal bar chart, axis 0% to 90%. Response options: Information not available; Others; Destination-based remote-triggered blackholes; Source-based remote-triggered blackholes; Intrusion Prevention Systems; Firewalls; Access Control Lists / packet filters.]

Question 16: What tools does your organisation use to detect attacks (multiple answers possible)?

[Chart for question 16: horizontal bar chart, axis 0% to 90%. Response options: Information not available; Self-developed tools; Open source software; Commercial products.]

We believe that continuous investment in security threat knowledge, including any tools and practices that could be used to reduce security risk to acceptable levels, is paramount. This involves developing measures that focus on company-specific characteristics (i.e. industry, data types and intellectual property). We stress that effective information security governance requires both preventive and investigative controls.

Information security awareness within the organisation


Information security awareness within the organisation (1/2)

As shown in questions 9 and 10, IT-department awareness of cyber security risks is mainly gained through publicly available information and reports. Although IT-departments appear to be informed about and aware of cyber security risks, end-user and (senior) management awareness is less apparent (see question 17).

Question 17: Does your organisation provide employee training to raise information security awareness?

[Chart for question 17: horizontal bar chart, axis 0% to 60%. Response options: No; Yes, other training; Yes, but only where mandated by law / regulations; Yes, through general training; Yes, according to job role and function.]

Having cyber security on corporate leadership’s agenda is therefore also considered one of the key challenges IT-departments are facing in the coming period (see question 18).

Question 18: How difficult is it, in your opinion, to convince management to invest in security solutions?

[Chart for question 18: column chart, axis 0% to 40%. Response options: Very difficult; Somewhat difficult; Easy; Very easy; Information not available.]

Questions 19 and 20 show that a significant number of respondents did not provide information on (a) the current IT-security expenses and (b) the expected expense trends.

Question 19: What percentage of your IT-budget was spent on security in the last 12 months?

[Chart for question 19: column chart, axis 0% to 50%. Response options: 0-10%; 11-30%; 31-50%; More than 50%; Information not available.]


Information security awareness within the organisation (2/2)

This could either imply that respondents consider this information confidential or that it is simply not available. If the latter is the case, we would strongly recommend improving how finances around information security are tracked, as this type of information is essential to ensure an effective decision-making process (i.e. in the case of a cost-benefit analysis for proposed security measures).

Question 20: Can you describe year-to-year spending in terms of your information security budget?

[Chart for question 20: column chart, axis 0% to 60%. Response options: Budget increased; Budget has not changed; Budget was reduced; No information security budget was allocated; Information not available.]

Although it is not clear whether respondents’ responses were caused by a genuine lack of information on actual and expected expenses or whether the information was simply not shared for the purpose of this survey, we should point out that organisations need to be aware of their current and future financial status, as senior management needs to consider whether investment covers potential costs in the event of incidents.

Third party control should be a key focus area for organisations in Central Asia


Third party control should be a key focus area for organisations in Central Asia (1/2)

One of the most significant survey results is that information security control over third parties (contractors, vendors, and partners) is mainly based on contractual requirements and trust.

• 50% of respondents state that control is governed through confidentiality agreements
• 36% of respondents state that control is contractually enforced

Even though 50% of respondents also indicate that governance is ensured through ‘access policies’, a significantly smaller percentage has more stringent controls in place, such as (a) reviews, spot checks or audits of third parties or (b) requesting third parties to provide formal certification (see question 21).

Question 21: How does your organisation ensure an adequate and appropriate level of information security over third parties (multiple answers possible)?

[Chart for question 21: horizontal bar chart, axis 0% to 60%. Response options: Information not available; Not applicable; Others; Regularly monitors and reviews third party services; Requires independent attestation (e.g. ISAE3402, ISO27001:2005 certification); Performs random spot checks of third-party sites; Controls third-party access to systems and data; Where permitted, performs background verification checks on selected high-risk,…; Imposes corporate security policy and controls on third parties; Signs confidentiality and/or non-disclosure agreements; Addresses information security issues in a contract; Identifies risks related to third parties as part of information risk assessments.]

Controls to ensure that third parties, such as suppliers and partners, comply with appropriate security standards seem to be insufficient.
Third party control should be a key focus area for organisations in Central Asia (2/2)

Unsurprisingly, almost all respondents are unsure that third parties involved in (critical) operations adhere to the required information security standards (see questions 22 and 23).

Question 22: How confident are you in the information security practices of your third parties?

[Chart for question 22: column chart, axis 0% to 40%. Response options: Not confident; Confident, to a certain extent; Confident; Very confident; Not applicable.]

Question 23: Does your organisation share information on information security attacks with third parties?

[Chart for question 23: pie chart. Response options: Yes; No; Not applicable.]

Although a good contract defining information security responsibilities and liabilities does need to be in place, it should not be relied upon solely to govern a business relationship with a third party. It is equally important to monitor third parties for compliance with security standards. This can be done in several ways, some more far-reaching than others, but all with the intention of ensuring that agreements are truly implemented and followed by contracting parties.

Auditing and testing information security principles


Auditing and testing information security principles (1/2)

We asked respondents to indicate to what extent their organisations perform security auditing and testing. In general, we noted that although “deep packet inspections” (DPI) cannot be performed internally due to a lack of technical ability (see question 24), most organisations perform such auditing and testing in-house (see questions 25 and 26).

Question 24: Does your organisation have the technical ability to perform network-wide deep-packet inspections?

[Chart for question 24: pie chart. Response options: Yes; No; Information not available.]

Question 25: How do you highlight information security weaknesses, risks and non-compliance in your organisation (multiple answers possible)?

[Chart for question 25: column chart, axis 0% to 60%. Response options: Others; Penetration testing; Formal risk analysis; Input from vendors; Input from peers; Internal audit; External audit; Informal risk analysis; Not applicable; Assessment of regulatory (non) compliance.]

Question 26: Has penetration testing ever been performed in your organisation?

[Chart for question 26: pie chart. Response options: No; Yes, by internal staff; Yes, by external staff; Information not available.]


Auditing and testing information security principles (2/2)

Auditing and testing can give important insights to senior management on the current maturity status around information security practices within the organisation. In order for it to be effective, testing and auditing needs to be performed by professionals with extensive knowledge of information security, best practices and international developments, so as to identify potential weaknesses that could be exploited by hackers and to provide recommendations on how to resolve them. Regular testing and audits will reduce the risk of becoming a victim of a cyber attack.


Contacts:

Michiel van Hulsteijn
Senior Manager
Phone: +7 (727) 258 13 40, Ext. 2796
Fax: +7 (727) 258 13 41
Mobile: +7 (777) 438 4518
E-mail: mvanhulsteijn@deloitte.kz

Sergei Buhanov
Director
Phone: +7 (495) 580-9778, Ext. 3032
Fax: +7 (495) 787 06 01
Mobile: +7 (985) 787 6054
E-mail: sbuhanov@Deloitte.ru

Aituar Akimzhanov
Senior consultant
Phone: +7 (727) 258 13 40, Ext. 2782
Fax: +7 (727) 258 13 41
Mobile: +7 (707) 555 5988
E-mail: aakimzhanov@deloitte.kz

Kazakhstan
36 Al Farabi Avenue, Almaty Financial District, Almaty, 050059
Tel.: +7 (727) 258 13 40
Fax: +7 (727) 258 13 41

Kyrgyzstan
Office 905/906, Business Centre "Russia", 19, Razzakov Street, Bishkek, 720040
Tel.: +996 (312) 39 82 88
Fax: +996 (312) 39 82 89

Tajikistan
Office 307, S.A.S. Business Centre, 24A Ayni Street, Dushanbe, 734012
Tel.: +992 (44) 600 62 00
Fax: +992 (44) 600 62 01

Uzbekistan
Inkonel Business Centre, 75 Mustakillik Avenue, Tashkent, 100000
Tel.: +998 (71) 120 44 45/46
Fax: +998 (71) 120 44 47


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”),
its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and
independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see
www.deloitte.com/about for a more detailed description of DTTL and its member firms. Please see
www.deloitte.com/ru/about for a detailed description of the legal structure of Deloitte CIS.

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple
industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings
world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex
business challenges. Deloitte’s more than 200,000 professionals are committed to becoming the standard of excellence.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms,
or their related entities (collectively, the “Deloitte Network”) is, by means of this communication, rendering professional
advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person
who relies on this communication.

© 2015 Deloitte, LLP. All rights reserved.
