Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Becoming resilient against modern cyberthreats


Published on

This presentation delivered at a BCI Swiss Chapter event in April 2017

Published in: Business
  • Be the first to comment

  • Be the first to like this

Becoming resilient against modern cyberthreats

  1. 1. BCI – Swiss Chapter 5. April 2017 Becoming Resilient Against Modern Cyberthreats
  2. 2. PwC Digital Services Introduction and Context 01 2
  3. 3. PwC Digital Services As high profile cyber attacks become more common, executive management teams and boards of directors are deeply concerned Is the business resilient to a cyber attack? Are there gaps in our cybersecurity capabilities? Which threats should we be most concerned about? How much risk are we willing to take? Could a cyber incident impact our business? Where are we most vulnerable? 3
  4. 4. PwC Digital Services The World Economic Forum cited “data fraud or theft” and “cyber attacks” amongst the top ten global risks most likely to occur Source: World Economic Forum Global Risks Report 2017 Global Risks Landscape Top 10 1 – Extreme Weather Events 2 – Large-scale involuntary migration 3 – Natural Disasters 4 – Terrorist Attacks 5 – Data Fraud or Theft 6 - Cyberattacks 7 – Illicit Trade 8 – Man-made environmental disasters 9 – Interstate conflict 10 – Failure of National Governance 4 Most Important Driver of Risks – Emerging Technologies
  5. 5. PwC Digital Services Cloud and Data Protection context Digital revolution Growing cyber risk More regulation Cloud ‘IoTs’ Social media Big data Evolving threats More connections Talent shortage Arms race NIS Directive GDPR
  6. 6. PwC Digital Services What are cyber business risks? 6 Data Disclosure Customer accounts are taken over by criminals and sensitive information is disclosed to an unauthorized recipient A few examples… Fraud / Theft Hackers compromise the low touch order management system and execute unauthorized financial transactions Business Outage / Service Disruption A denial of service attack causes an extended outage of the business platform Client Dissatisfaction Loss of brand loyalty and trust following a cyber attack that leads to significant customer defection Data Manipulation Malicious or inadvertent manipulation of critical business information (e.g., market data) Insider Trading Non-public data is compromised during a cyber attack and used for financial gain (e.g., to trade on the stock market)
  7. 7. PwC Digital Services What does it mean to be(come) cyber resilient? 02 7
  8. 8. PwC Digital Services Cyber resilience ensures that organizations are well positioned to keep pace with cyber threats and minimize damage, negative publicity or loss of trust What does it mean to be cyber resilient?  Executive management owns and manages cyber risks  Cyber risk governance is in place and effective  Cyber risk management is a shared responsibility between IT and the business  Cyber threat intelligence information is meaningful  Adjustments to the cyber risk and control posture are dynamic and can be made in real- time 9
  9. 9. PwC Digital Services How does an organization become cyber resilient? 1. Establish cyber risk governance and oversight 2. Understand the cyber organizational boundary 3. Identify critical business processes and related assets 4. Identify, assess and manage cyber business risks 5. Improve collection, analysis and reporting of cyber related data 6. Plan and respond – through development of playbooks, information analysis and use of relevant cybersecurity technology Resiliency evolves as an organization gains more insight into its threats and obtains a better understanding of what it needs to protect 1 2 3 4 6 5 10
  10. 10. PwC Digital Services 1. Establish cyber risk governance and oversight The executive team should be responsible for establishing cyber risk governance  Cyber risk governance processes should provide visibility to executive management and the board  There are three key functions: - Cyber Risk Governance - Cyber Risk Oversight - Cyber Risk Operations  Membership of each function should comprise IT, the business and executive management  Ultimately, the goal is to ensure cyber risks are managed through an informed decision making process 1 11
  11. 11. PwC Digital Services 2. Understand the cyber organizational boundary 2 Vulnerabilities extend to customers as well as third and fourth parties where data is stored, transmitted and accessed  Any weakness in the extended perimeter becomes your vulnerability - this challenge will increase as the organizational boundary expands  The following action should be taken: - Develop an enterprise level view of where critical data resides - Determine what systems and networks the data traverses - Understand all data that is shared with customers, third parties and fourth parties  With the onset of cloud computing and mobile device usage, organizations find themselves defending a perimeter which they can no longer completely manage 12
  12. 12. PwC Digital Services 3. Identify critical business process and related assets Organizations should determine what comprises their most valuable business assets, where these assets are, and who has access to them  It is essential to understand which business assets, if compromised, would cause significant harm  Organizations should also identify key facilities that house or support critical systems and data – commonly referred to as “crown jewels”  The following action should be taken: - Identify critical asset and important business processes - Determine value of each asset and business process - Establish the necessary levels of protection for each critical asset 3 13
  13. 13. PwC Digital Services 4. Identify, assess and manage cyber business risks Effective cyber resiliency focuses on the business risks that cyber threats represent  Recent incidents have shown the far reaching business and customer impacts of cyber attacks  To ensure that mitigation efforts are effective, they should be aligned to a specific set of business risks and associated cyber threats  For example: - Customer Account Takeover - Trading Platform Outage - Insider Trading - Corruption of Market Data  Organizations should continuously monitor exposure to these risks – making dynamic adjustments to their controls as needed 4 14
  14. 14. PwC Digital Services 5. Improve collection, analysis and reporting of data The complex structure of many large organizations makes it challenging to analyze and consume threat intelligence information  Organizations should establish a robust threat intelligence capability - built on shared analysis and research from external sources  The Cyber Risk Operations team should perform regular analysis and provide executive management with the information it needs to make informed risk-based decisions  In summary: - Analyze cyber risk data - Report to leadership - Proactively respond 5 15
  15. 15. PwC Digital Services 6. Plan and respond A strong governing team with the right level of knowledge and expertise is required to appropriately respond to cyber events  Waiting to prepare a response until after a cyber attack is a recipe for disaster  Development of playbooks and rehearsal of threat scenarios is a necessary step in the response preparation process  There are five key steps: - Devise cyber threat scenarios - Mitigate the effects - Develop incident response plans - Decide what extra resources are needed - Rehearse, review and update  Using the intelligence gathered during this process, each playbook specifies who should take action and what their responsibilities are 6 16
  16. 16. PwC Digital Services Regulations and Data Protection 03 17
  17. 17. PwC Digital Services Regulatory Overview – EU GDPR will apply from May 2018 18 Compliance Strict new compliance requirements are imposed Data protection by design Software, systems and processes must consider compliance with the principles of data protection Breach disclosure Entities are required to report serious contraventions of the law to the regulators and to people affected Usage controls Personal data is subject to strict new usage controls Aggregation The ability to aggregate data to enable an individual to be profiled is severely curtailed Fines Serious contraventions of the law will be punishable by fines of up to either 20M Euros or 4% of group annual turnover Consent Obtaining consent to use personal data will be much harder to achieve and prove Bundling The ability to aggregate data to enable an individual to be profiled (a common objective in new digital projects) was severely curtailed. Supervision Regulators are also empowered to carry out audits and inspections of entities on demand. The EU General Data Protection Regulation (GDPR) is the overhaul of the Data Protection Directive 95/46/EC and sets principle standards for the processing of personal data within the EEA. It is supposed to harmonize the differences in national transposition and strives for an identical and fully consistent solution. The GDPR came into force in May 2016 and will be effective after a transposition period of two years (25 May 2018).
  18. 18. PwC Digital Services Suggestions on the way ahead 04 19
  19. 19. PwC Digital Services What next? Organizations should organize their cybersecurity programs around six core objectives Core Cybersecurity Objectives Identify and protect critical business assets Identify, manage and monitor cyber threats Understand the organizational boundary Build cyber resiliency Implement cyber risk dashboard and reporting Prepare and respond to cyber events  Cybersecurity in today’s business environment is a complex problem that requires management engagement, creative techniques and new capabilities  Adversaries are sophisticated, determined and patient. They can target individuals, companies and entire industries for malicious or criminal gain  An effective cybersecurity program should enable the organization to detect cyber threats, manage the corresponding risks and respond to cyber incidents to minimize business disruption 20
  20. 20. PwC Digital Services Questions and Answers 05 21
  21. 21. PwC Digital Services PwC Digital Services 22 Reto Häni Partner and Leader Cybersecurity +41 79 345 0124