CYBER SECURITY (Nick Kervin, Partner, IT Advisory, August 2017): PowerPoint presentation



SLIDE 1

CYBER SECURITY

Nick Kervin – Partner, IT Advisory

Page 1

August 2017

SLIDE 2

CYBER SECURITY

Overview

1. What is at risk?
2. Global industry trends
3. BDO/AusCERT survey
4. Recent cyber case studies
5. Cyber risk mitigation strategies

SLIDE 3

WHAT IS AT RISK

SLIDE 4

WHAT IS AT RISK

2017 World Economic Forum

Source: The Global Risk Report 2017 – World Economic Forum

SLIDE 5

WHAT IS AT RISK

Who are the adversaries and what are their motives?

Adversary / Motives / Targets / Impact

Hacktivists
  Motives:
  • Influence political and / or social change
  • Pressure business to change their practices
  Targets:
  • Corporate secrets
  • Sensitive business information
  • Information related to key executives, employees, customers & business partners
  Impact:
  • Disruption of business activities
  • Brand and reputation
  • Loss of consumer confidence

Cyber criminals
  Motives:
  • Immediate financial gain
  • Collect information for future financial gains
  Targets:
  • Financial / payment systems
  • Personally identifiable information
  • Payment card information
  • Protected health information
  Impact:
  • Costly regulatory inquiries and penalties
  • Consumer and shareholder lawsuits
  • Loss of consumer confidence

Nation state
  Motives:
  • Economic, political, and/or military advantage
  Targets:
  • Trade secrets
  • Sensitive business information
  • Emerging technologies
  • Critical infrastructure
  Impact:
  • Loss of competitive advantage
  • Disruption to critical infrastructure

Insiders
  Motives:
  • Personal advantage, monetary gain
  • Professional revenge
  • Patriotism
  Targets:
  • Sales, deals, market strategies
  • Corporate secrets, IP, R&D
  • Business operations
  • Personnel information
  Impact:
  • Trade secret disclosure
  • Operational disruption
  • Brand and reputation
  • National security impact

SLIDE 6

WHAT IS AT RISK

The actors and the information they target

Adversaries: Cyber criminals, Hacktivists, Nation state, Insiders

Motives and tactics evolve, and what adversaries target varies depending on the organisation and the products and services it provides.

What’s most at risk:
  • Emerging technologies
  • Energy data
  • Advanced materials and manufacturing techniques
  • Healthcare, pharmaceuticals, and related technologies
  • Business deals information
  • Health records and other personal data
  • Industrial Control Systems (SCADA)
  • R&D and / or product design data
  • Payment card and related information / financial markets
  • Information and communication technology and data

SLIDE 7

GLOBAL INDUSTRY TRENDS

SLIDE 8

INDUSTRY TRENDS

Cyber attacks on user devices & persons are rising

Source: Verizon 2016 Data Breach Investigations Report

SLIDE 9

INDUSTRY TRENDS

Breach discovery methods are changing

Source: Verizon 2016 Data Breach Investigations Report

SLIDE 10

INDUSTRY TRENDS

Breaches are on the rise but industry spend has not kept pace

Cyber attacks are on the rise
  • The estimated annual cost of cyber-attacks to the global economy was more than $500 billion in 2015, with $230 billion in APAC
  • The World Economic Forum recognises cyber breaches as one of the top threats to the stability of the global economy
  • Data breaches and malware infections will cost the global economy $2.1 trillion by 2019

Cyber threats are Boards’ fastest-growing concern, but investments are not keeping pace with breach costs
  • $75 billion spent on cyber security in 2015
  • Estimated spend on cyber security by 2020 will be $175 billion
  • Cyber spend will more than double over the next five years, with cyber insurance expected to grow to $2.5 billion by 2020

Source: Forbes

SLIDE 11

INDUSTRY TRENDS

Cyber security skills are in high demand

Solid growth in cyber security job market
  • 1 million unfilled cyber security jobs globally in 2015, a 75% increase over the last five years

Cyber security jobs in demand as investments increase
  • There will be a shortage of cyber security skills as the market is expected to grow to 6 million jobs by 2019, with a shortage of 2 million jobs

Cyber job market in ANZ region is growing
  • The demand for cyber security skills in the ANZ market will grow 21% over the next five years, with an expected shortage of 10,000 people by 2019

Source: Forbes

SLIDE 12

BDO / AusCERT CYBER SECURITY SURVEY

SLIDE 13

BDO / AUSCERT CYBER SURVEY

  • Over 400 respondents
  • 43% of Australian respondents from Queensland

Charts: Australian respondents by state; NZ respondents by region

SLIDE 14

BDO / AUSCERT CYBER SURVEY

Chart: Primary industry of all respondents, coloured by type (0% to 20% scale)

Industries: Accommodation and food services; Administrative and support services; Agriculture, forestry and fishing; Arts and recreation services; Construction; Education and training; Electricity, gas, water and waste services; Financial and insurance services; Health care and social assistance; Information media and telecommunications; Manufacturing; Mining; Other; Professional, scientific and technical services; Public administration and safety; Rental, hiring and real estate services; Retail trade; Transport, postal and warehousing; Wholesale trade

Respondent types: State Government; Federal Government; Local/regional Government; Not-for-profit; Private limited company; Public listed company; Sole trader / Partnership

SLIDE 15

BDO / AUSCERT CYBER SURVEY

Cyber security incidents experienced in 2016

Chart (Healthcare vs All Respondents, 0% to 35%): Data breach and third party provider / supplier; Data loss / theft of confidential information; Denial of service attack; Brute force attack; Email addresses or website(s) blacklisted; Malware / trojan infections; Phishing / targeted malicious e-mails; Ransomware; Theft of laptops or mobile devices; Unauthorised access to information by external user; Unauthorised access to information by internal user; Unauthorised modification of information; Website defacement

  • Ransomware
  • Phishing
  • Malware
  • DDoS

SLIDE 16

BDO / AUSCERT CYBER SURVEY

Cyber security incidents expected in 2017

Chart (Healthcare vs All Respondents, 0% to 25%): same incident categories as slide 15 (Data breach and third party provider / supplier; Data loss / theft of confidential information; Denial of service attack; Brute force attack; Email addresses or website(s) blacklisted; Malware / trojan infections; Phishing / targeted malicious e-mails; Ransomware; Theft of laptops or mobile devices; Unauthorised access to information by external user; Unauthorised access to information by internal user; Unauthorised modification of information; Website defacement)

SLIDE 17

BDO / AUSCERT CYBER SURVEY

Likely source of cyber security incidents

  • Cyber criminals
  • Insiders / current employees
  • Activists
  • Third party hosting providers

Breakdown of responses:
  • Cyber criminals / organised crime: 33%
  • Insiders / current employees: 13%
  • Activists: 12%
  • Third party hosting provider: 10%
  • Foreign Governments / Nation States: 10%
  • Former employees: 8%
  • Competitors: 6%
  • Customers: 4%
  • Suppliers / business partners: 4%

SLIDE 18

BDO / AUSCERT CYBER SURVEY

Likely source of cyber security incidents

Chart (All Respondents vs Healthcare, 0% to 35%): Activists; Competitors; Customers; Cyber criminals / organised crime; Foreign Governments / Nation States; Former employees; Insiders / current employees; Suppliers / business partners; Third party hosting provider

SLIDE 19

BDO / AUSCERT CYBER SURVEY

Cyber security awareness programs reduce incidents overall

Chart (All Respondents, 0% to 50%): Ransomware; Phishing; Malware/Trojan; All Other

SLIDE 20

BDO / AUSCERT CYBER SURVEY

Security Operations Centres reduce incidents by 79%

Chart (All Respondents, 0% to 40%): Ransomware; Phishing; Malware/Trojan; All Other

SLIDE 21

BDO CYBER SURVEY

Does your organisation utilise intelligence sharing networks?

  • No - we feel we don't need to: 11%
  • No - we don't know if such a network exists: 39%
  • No - it doesn’t provide us value: 4%
  • Yes - but its usefulness is limited: 18%
  • Yes - but the process is overly expensive/time consuming: 5%
  • Yes - we gain a great deal of value from doing so: 23%

SLIDE 22

BDO / AUSCERT CYBER SURVEY

Only 28% of respondents have cyber insurance cover

  • Yes - we have this cover as an extension to another insurance policy: 14%
  • Yes - we have a standalone cyber policy: 9%
  • Yes - but do not know how the policy was arranged: 5%
  • Not yet - we are considering it: 25%
  • No - we were not aware of this type of insurance: 18%
  • No - we self-insure: 9%
  • No - we don't feel we need it: 12%
  • (unlabelled): 8%

SLIDE 23

ASX 100 CYBER HEALTH CHECK REPORT

SLIDE 24

ASX 100 CYBER HEALTH CHECK REPORT

What is it?

  • The ASX 100 Cyber Health Check is the first attempt to gauge how the boards of Australia’s largest publicly listed companies view and manage their exposure to the rapidly evolving cyber world
  • 76% of the ASX 100 responded to the survey
  • Currently, only 11% of companies proactively reassure customers and investors about their approach to cyber security
  • Survey is available at: www.asx.com.au/ASX100-Cyber

SLIDE 25

DETECT, RESPOND AND MANAGE

Are you prepared?

1. More needs to be done around proactive detection
2. The rise of the SOC
3. Who has an Incident Response Plan?
4. Do you know what your breach reporting obligations are?

SLIDE 26

LEADERSHIP

Are you doing enough?

1. A very large percentage admits that there is more to do
2. Only 20% have a standalone cyber budget
3. 20% of the respondents have no plans to include a board member with cyber expertise

SLIDE 27

RECENT CYBER CASE STUDIES

SLIDE 28

DATA BREACH CASE STUDY

  • Early Sept ’16: Donor information accessible via website
  • 24 Oct ’16: Data set discovered by an anonymous source, who notifies Troy Hunt
  • 25 Oct ’16: Troy Hunt contacts AusCERT, which then notifies Red Cross
  • 26 Oct ’16: Red Cross learns of file containing donor information
  • 28 Oct ’16: Red Cross chief executive Shelly Park makes public statement
  • 14 Nov ’16: Forensic investigation concludes, only one person accessed the file

SLIDE 29

DATA BREACH CASE STUDY – TARGET

  • 27 November - 15 December ’13: Malware installed to infect Target’s POS system; personal information of customers is exposed to fraud
  • 13 December ’13: Department of Justice notifies Target of the breach
  • 14 December ’13: Target hires Verizon to investigate the hack
  • 15 December ’13: Target removes malware from “virtually all” registers in U.S. stores
  • 18 December ’13: Data and security blog KrebsOnSecurity reports the data breach
  • 19 December ’13: Target publicly acknowledges the breach
  • 20 December ’13: Target says they believe few credit cards were compromised, offers customers 10% discount in store

SLIDE 30

DATA BREACH CASE STUDY – TARGET

  • 23 December ’13: Target’s general counsel, Tim Baer, hosts 30-minute conference call with state attorneys general
  • 27 December ’13: Ongoing investigation finds that encrypted debit card PIN information was accessed during the breach; Target believes the PIN numbers remain secure
  • 10 January ’14: Target says an additional 70m customers had data stolen
  • 22 January ’14: Target lays off 475 employees at its headquarters and leaves another 700 positions unfilled
  • 4 February ’14: Target CFO John Mulligan testifies before the U.S. Senate Judiciary Committee
  • 18 February ’14: Costs associated with the data breach topped $200m, according to report from the Consumer Bankers Association and Credit Union National Association
  • 30 April ’14: Target says it has committed $100m to update technology
  • 5 May ’14: Bob DeRodes takes over as Target’s CIO. Target CEO Gregg Steinhafel resigns.

SLIDE 31

CYBER RISK MITIGATION STRATEGIES

SLIDE 32

CYBER RISK MITIGATION STRATEGIES

Changing landscape - businesses need to adapt to the new reality

Historical IT security perspectives vs today’s leading cyber security insights:

Scope of the challenge
  • Historical: Limited to your “four walls” and the extended enterprise
  • Today: Spans your interconnected global business ecosystem

Ownership and accountability
  • Historical: IT led and operated
  • Today: Business-aligned and owned; CEO and board accountable

Adversaries’ characteristics
  • Historical: One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain
  • Today: Organised, funded and targeted; motivated by economic, monetary and political gain

Information asset protection
  • Historical: One-size-fits-all approach
  • Today: Prioritise and protect your “crown jewels”

Defense posture
  • Historical: Protect the perimeter; respond if attacked
  • Today: Plan, monitor, and rapidly respond when attacked

Security intelligence and information sharing
  • Historical: Keep to yourself
  • Today: Public/private partnerships; collaboration with industry working groups

SLIDE 33

CYBER RISK MITIGATION STRATEGIES

How you can become more cyber resilient

  • Know the value of your data / assets
  • Know where your data / assets are
  • Know who has access to it
  • Know who is responsible for protecting it
  • Know how well it is protected
  • Know if the level of protection is within your risk appetite
  • Know what to do when you are breached

Source: Expanded from Telstra’s “Five Knowns of Cyber Security”

SLIDE 34

CYBER RISK MITIGATION STRATEGIES

Educate, educate, educate!

SLIDE 35

QUESTIONS?

NEED MORE INFORMATION?

Nick Kervin
nick.kervin@bdo.com.au

Download the report: http://bdoaus.co/2gJ5aQu