
www.pwc.com.au

October 2015

Digital Trust & Cyber challenge now extends beyond the Enterprise

PwC

Digital Trust: Securing your future in the digital world


Peter Malan, lead Partner, presents ‘Take control of your future by looking at risk differently’ (Digital Trust): https://takecontrol.pwc.com.au/digital-trust/


PwC’s 2015 surveys: what we are seeing.


2015 Global State of Information Security Survey

PwC and CSO Magazine recently launched the 2015 Global State of Information Security Survey.

Key findings:

• 61% of customers would stop using a company’s product if there was a breach in their security.

• Cyber security came third, at 44%, among the top three risk categories.

• Reported information security incidents globally rose 48% to 42.8 million.

• Losses of $20 million or more increased 92% from the previous year.

• Estimated reported average financial loss from Cyber security incidents was $2.7 million – a 34% increase over 2013.

• Incidents caused by current employees increased 10%; those caused by service providers, consultants and contractors rose 15% and 17%.

• 75% of CEOs now regard digital security as a serious threat to their business.

• Only 49% of respondents say their organisation regularly convenes to discuss, coordinate, and communicate Cyber security issues.

• 34% of respondents do not allocate security spending to their most profitable lines of business.

• 88% of organisations are spending less than 1% of their revenue

Survey highlights

1. Cyber risks are a severe and present danger

2. Incidents and financial impacts continue to soar

3. Employees are the most cited culprits of incidents

4. As incidents rise, security spending is falling

5. There is a lack of involvement at the Board level

6. There has been a decline in fundamental security practices


2015 Global State of Information Security Survey: incidents caused by current employees increased 10%.


2015 Global State of Information Security Survey: disconnect between the increased level of concern and organisations’ focus

Survey highlights

5. There is a lack of involvement at the Board level

Concern vs reality:

Only 8% of respondents review privacy or cybersecurity at every board meeting.

95% of respondents rated their Board’s oversight of privacy and cybersecurity risks as weak, or sufficient but needing improvement.

Many organisations have yet to assign a specific role to govern privacy and cybersecurity risks, and still view privacy and cybersecurity risks as a technology or legal / compliance issue.


The Digital World: an evolving perspective


Waves of digital transformation


The changing digital world

• Business is becoming ever more interconnected

• The borders of where a business supply/value chain starts and ends are vague

• Governments around the world are placing a heightened level of focus and investment into combatting cyber criminals and cyber espionage

• Corporations are being targeted directly by ‘hackers’ and indirectly via their business partners

• Company Boards need to understand the risks to their business

- What risks are being inherited via third party suppliers?

- Is Cloud enhancing or undermining your business?

- Do only the right people have access to your systems in a more ‘open’ world?

- Are data availability, integrity and confidentiality key to integration as part of the business supply chain?

• Digital Trust is a key attribute in the new digital business world.


Evolving perspectives: considerations for businesses adapting to the new reality

Scope of the challenge

• Historical IT security perspective: limited to your “four walls” and the extended enterprise

• Today’s leading digital security insight: spans your interconnected global business ecosystem

Ownership and accountability

• Historical IT security perspective: IT led and operated

• Today’s leading digital security insight: business-aligned and owned; CEO and board accountable

Adversaries’ characteristics

• Historical IT security perspective: one-off and opportunistic; motivated by notoriety, technical challenge, and individual gain

• Today’s leading digital security insight: organized, funded and targeted; motivated by economic, monetary and political gain

Information asset protection

• Historical IT security perspective: one-size-fits-all approach

• Today’s leading digital security insight: prioritize and protect your “crown jewels”

Defense posture

• Historical IT security perspective: protect the perimeter; respond if attacked

• Today’s leading digital security insight: plan, monitor, and rapidly respond when attacked

Security intelligence and information sharing

• Historical IT security perspective: keep to yourself

• Today’s leading digital security insight: public/private partnerships; collaboration with industry working groups


Organisations are facing increasing digital challenges


Digital Trust

“eBay data breach sparks lawsuit”

Source: www.itnews.com.au

“Microsoft ordered to hand over overseas email”

Source: www.zdnet.com

“40 million card numbers and personal data stolen from Target systems in Nov/Dec 2013”

Source: www.target.com

“Hackers steal confidential personal data from Sony Pictures Entertainment resulting in lawsuits”

Source: WIKI

“Target shares tumble as retailer reveals cost of data breach”

Source: www.forbes.com

“Bank IT ‘glitch’ leaves bank facing £1bn bill”

Source: www.telegraph.co.uk

“Enterprises hacked after neglecting third-party risks”

Source: www.csoonline.com

“Bank chief blames lack of investment for IT systems failure”

Source: www.ft.com

Each of these incidents has an impact on the level of trust perceived by customers and other key stakeholders.


Are data availability, integrity and confidentiality key to integration as part of the business supply chain?


Digital technology is changing customer behaviour and business models at an exponential rate and creating extraordinary and unforeseen opportunities for growth and development.

Trust + Opportunity = Business Growth

Opportunity and Danger

• Looking at digital security through the lens of trust means you are considering the wider business context in which you operate.

• In the digital space, your customers rely on you to protect their information and privacy. If your systems fail you, they will feel that you have failed them.


Digital Trust, business enablers

• Build Trust

- Focus on people and process, not just technology

- Education and awareness: raise digital knowledge and awareness across internal staff.

- Focus on departmental relationships and trust

- Relational business partnership

- Be proactive and present a cooperative and collaborative face of digital security.

- Be directors of change and thought leaders in the space.

- Present innovation, be solution

- Change how you present Cyber or security; it is all in the wording…

- Does your organisation have an aversion to “Cyber” or “Security”? Use Digital/Trust.

• Opportunities

- Mobile, cloud, analytics: technology to enhance

- Be approachable: the business will seek advice and solutioning; they will come to you.

- The relationship will yield opportunities

Trust + Opportunity = Business Growth


Building trust in the digital age

Managing risk and building trust underpins the digital agenda as digital platforms become increasingly central to the delivery of business strategy. To build trust you will need confidence in each of these five areas:

• Confidence in your security

• Confidence in your data

• Confidence in your systems

• Confidence to take risks

• Confidence in your digital transformation programme

(Figure: related service areas shown against the five confidences: Supplier Security, Ongoing Security, Identity Management, Privacy and Data, Cloud Assurance, Oracle ERP Controls, SAP ERP Controls, Continuity and Resilience, IT Risk Diagnostic, Project Assurance)


Key focus areas we too easily forget

1. People, Process & Technology

• The majority of organisations have a multitude of technologies.

• Data indicate that technology is not usually the key issue; it is the lack of people and business processes to support the technologies:

- People: roles and responsibilities.

- Education and awareness (training).

- Processes: lack of policies, standards etc.

- Governance offering the business assurance.


Key focus areas we too easily forget

2. Availability, Integrity & Confidentiality

• We too easily forget what end-to-end digital security management is for:

- Availability

- Integrity

- Confidentiality

• We need to help the business, through education and awareness, to understand why digital security supports all three areas of the business. Security is not just about technology.

• We have for too long segregated the business from IS.

• IS needs to become the conduit or integration layer between the business and the new Digital Enterprise (Trust).

• Trust + Opportunity = Growth


Where to from here?


Improvements in key strategic safeguards: companies are getting serious about business-focused cybersecurity strategies

The oil and gas industry has traditionally lagged behind other sectors in cybersecurity practices.

• 81% of organizations have implemented an overall information security strategy, the basic foundation for cybersecurity.

• Last year, the US National Institute of Standards and Technology (NIST) compiled a range of these global standards into a single model for risk-based cybersecurity.

• Among US oil and gas participants, 25% say they have adopted the voluntary NIST Cybersecurity Framework; an additional 13% say adoption is a future priority.

• Hiring a Chief Information Security Officer (CISO) to lead the information security program is a tactic that 77% of oil and gas businesses have embraced.

• Over the past two years, the number of respondents who employ a CISO has spiked 57%.

• The majority of oil and gas respondents follow this best practice: their CISOs are most likely to report to the COO, legal counsel, the Board, or the CEO.


Improvements in key strategic safeguards: linking information security/digital trust and risk

• As security incidents continue to proliferate, it has become clear that cyber risks can never be completely eliminated.

• Protective measures remain important, of course, but they cannot reliably be guaranteed to stop determined and highly skilled adversaries.

• Businesses may need to reposition their security strategy by more closely linking technologies, processes, and people skills with overall risk management activities.

• While a well-designed cybersecurity program will not deter all risks, it can:

- enable businesses to better manage threats through an informed decision-making process,

- boost efficiencies in security safeguards, and

- create a more resilient security program.


How do you become a 'digitally trusted' company?

• Trust is hard won and easily eroded. Ultimately it's about having confidence that you have the right systems, processes and controls in place.

• Boards and their risk committees have an important role to play by asking the right questions of management. Too often boards ask 'how strong are our security controls?', when they should be asking 'do our customers and other key stakeholders trust us and how do we maintain this trust?'

• Digital trust is as much about opportunity as it is risk. And it's the companies that are 'trusted' to whom customers will increasingly turn in the digital economy. How does your organisation stack up?

• Overleaf are some critical questions to determine how digitally trusted your company is:

Are you and your partners digitally trusted?


Assess your digital trust profile: key digital questions that you should be asking

Risk management: Have we identified our risk appetite, and the key risks and threats to our business presented by cyber? Are our controls ‘right-sized’?

Strategic alignment: Is our cyber security program aligned with our business strategy?

Information assets: Do we know where our data is physically held? Do we know where the ‘crown jewels’ are (ie our most commercially sensitive and critical data)? What are our key systems and business processes?

Network & system architecture: Have we (and our service providers) segregated our systems and networks to minimise the impact of any potential cyber security breaches, especially to protect the ‘crown jewels’?

Third party management: With the increased reliance on third parties to deliver services, including Cloud providers, what monitoring controls are in place and what ongoing assurance do we have that those parties are handling our data appropriately?


Online and digital integration: With increasing connectivity (eg cloud, mobile, social networking), how are we managing the ways members or third parties access our systems and our data?

Identity and access management: How are we ensuring that the right people have access to our core systems and data, especially privileged access? How do we know that people (employees, suppliers or members) really are who they say they are?

Privacy & data protection: How are we meeting member expectations from a privacy and data protection perspective, particularly if we are keeping and analysing member data (ie ‘big data’)?

Regulation: How are we sure that we are meeting our regulatory requirements in relation to cyber security?

Incident response: It’s highly likely that we will be subject to a cyber security breach. What’s our incident response plan? How will we rebuild trust? Do we know how to respond when we have been targeted?


Our point of view: what good looks like, going beyond best practice

Successful security models have the following characteristics:

• You continually monitor your risk profile. You understand what matters to the success of your business. You realise this changes as you move forward with your business.

• You understand, in real time, the new threats within the digital landscape. You are fully aware of the risks you’re exposing the organisation to as you execute your strategic plan.

• You understand how digital is changing the fabric of your business, introducing new threats and changing your risk profile.

• Your eyes are fully open to digital threats.

• You recognise boundaries have shifted: your business architecture has changed, and so have the risks within your digital supply chain. You are aware that threats can come from within your organisation as well as from outside it.


Our point of view: when is it time to act?

There are logical triggers in your business that prompt action. Here are some examples.

• Changes to regulation or legislation that will affect your business.

• Change in the form of new suppliers, new technology, acquisitions, new markets or a change in leadership.

• Trends or developments in your market that are likely to affect your business and where it’s better to respond proactively.


Our point of view: how do you benefit?

A well-managed digital security program will gain the trust of your customers and clients, and give you the confidence to realise the full potential of the digital environment for your business.

Below are the six confidences that will help you apply digital security to the heart of your business.

- Confidence in your people and processes

- Confidence in your technology

- Confidence in your connections

- Confidence to take risks

- Confidence during a crisis

- Confidence in your priorities


Our point of view: how we can help

We provide market-leading end-to-end solutions across people, process and technology to help you build trust, capitalise on the opportunities and navigate the risks in the digital age, building growth.

We bring:

• Access to the largest network of global expertise and insights from helping leading organisations.

• A multidisciplinary offering to address the multifaceted and complex nature of digital risk and security.

• Innovation in our thinking and our tools to help you manage risk in the rapidly changing digital landscape.


References:

PwC’s 2016 Global State of Information Security Survey
http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/data-explorer.html

PwC’s 2015 State of Compliance Survey
http://www.pwc.com/us/en/risk-management/state-of-compliance-survey/downloads.html

PwC’s Digital IQ Survey: Examining the digital health of Australian businesses
http://www.pwc.com.au/consulting/publications/2015-global-digital-iq-survey.htm

Take control of your future by looking at Risk differently, Peter Malan
https://takecontrol.pwc.com.au/digital-trust/
https://www.youtube.com/watch?v=BkkNifucWtE

© 2015 PricewaterhouseCoopers. All rights reserved. PwC refers to the Australian member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.


If there is one question I leave with you today, it is: ‘Why is the digital world more dangerous than the old world?’

Question time


Contact details: for further questions, please forward them or just call me.

Mourad Khalil

Senior Manager Digital Risk

M: +61 403 980 718

[email protected]