Security Incidents and Awareness Planning


Cyber Attacks and Damages


The results show that 26.5% of the enterprises have suffered 'cyber attacks' in the past. More than 30% of the large companies whose IT department has 11+ staff have encountered this problem. This means the larger the business, the more easily it becomes a target.

Experienced Cyber Attacks

Source: This report (2020)

Security Incident Reporting and Solution Assistance


Regarding the internal process for reporting incidents/attacks, 63.9% say they always escalate the issue to business owners regardless of severity. This shows that the majority of companies report incidents to the highest level of management in their incident handling mechanism.

In the event of security incidents, half of the enterprises will ask TWCERT/CC for help, especially businesses in hospitality. The percentage does not differ by size of business. In contrast, 40.5% of the companies do not seek help from external organizations, mainly businesses in manufacturing and SMEs.

n=529
Source: This report (2020)


Security Concerns


Whether or not the respondents have encountered cyber attacks previously, their biggest concern is unanimously 'data loss' (30%): the exposure of confidential data or the leakage of customer/operation data could subsequently impact daily operation/production.

Another 10% are concerned about 'cyber attacks,' including being hacked, system intrusion or DDoS. Nearly 10% are also worried about the 'human factor,' meaning staff who lack awareness or conceal a cyber attack without reporting it.

Troubles When Handling Security Incidents

Source: This report (2020)

Enterprise Security Planning


Items to be selected/prioritized in internal security plans include 'staff', 'hardware' and 'software.' 'Staff' has the highest percentage, meaning corporations value employees' security literacy the most. Respondents in other industries and those whose IT department has 11+ staff show a higher percentage than others.

Internal Security Priorities

Staff: Staff training, regular courses, information

Hardware: Using security-related hardware/equipment and taking preventive measures

Software: Using security-related software appliances and taking preventive measures

As to where corporate security requirements come from, 'internal consensus' tops the list, with more than half of the respondents ranking it first, followed by 'regulatory requirement.' In comparison, 'competition within the industry' and 'industry norm' are two weaker motives.

Source of Security Requirement

Source: This report (2020)

Attitude Towards Security Planning


Concerning industry security awareness, a scale of 1 to 5 is used to evaluate the pro-activeness in security planning of the company's decision makers, the attitudes of industry peers and upstream/downstream business partners. For pro-activeness within one's own organization, the majority of respondents rate it as 4 (36.5%) or 5 points (24.8%) and the average score is 3.8.

Attitude Towards Security Planning

n=529
Source: This report (2020)

Attitudes Toward Industry Security Planning

n=529
Source: This report (2020)