Patrick Bourk, National Cyber Practice Leader from Hub International, discusses the various cyber policies available for mid-size commercial businesses. He also showcases the various types of risk to consider when working with an insurer.
With Digital Shadows SearchLight™, a manufacturing firm discovered that a third party contractor exposed sensitive non-disclosure agreements signed by its customers via NAS.
Learn more at https://resources.digitalshadows.com/
We found that while cyber security was named as the topmost future tech adoption for organizations in 2019, cyber security is now the second tech priority for 2021 but with a higher budget than previously allocated. We also discovered that cloud security currently holds more importance with CISOs, CTOs and CIOs than data security and privacy.
Data breach events result in significant losses each year. Our partners at Bonahoom & Bobilya, LLC, created a presentation about understanding the hidden regulatory risks of a data breach so you can keep your company from going out of business.
This presentation has been shared with permission.
Company Named on Target List for Hacktivist Campaign, by Digital Shadows
With Digital Shadows SearchLight™, the security manager of a bank discovered that they had been named on the target list of a hacktivist operation's latest phase.
Learn more at https://resources.digitalshadows.com/
Cybersecurity: Protection strategies from Cisco and Next Dimension, by Next Dimension Inc.
Cisco's presentation on cyber security threats affecting mid-size commercial businesses. Cisco's suite of cyber security solutions will protect your business.
In this report we share our insight on the recruitment of cyber security professionals including information regarding the key drivers in the cyber security market, permanent and contract recruitment trends, transferable skills, the top job titles, salaries and qualifications analysis, a heat map of skills demands/talent pools across the UK, concluding with recommendations on attracting and retaining cyber security talent.
Commercial Real Estate - Cyber Risk 2020, by CBIZ, Inc.
Commercial real estate has always been an attractive cyber target, offering sophisticated hackers a wealth of personal information stored in banking, lease, and employment records and multiple transaction points. Enter COVID-19. Almost overnight, nearly all routine activities are tied to remote capabilities. Now, it’s cyber threat and cyber risk on steroids. Here's a cyber professional’s view of the situation and links to several additional resources.
Configuration File of Trojan Targets Organization, by Digital Shadows
With Digital Shadows SearchLight™, the IT security manager of a bank discovered a configuration file that indicated a banking trojan was targeting their customers.
Learn more at https://resources.digitalshadows.com/
Digital Shadows and Palo Alto Networks Integration Datasheet, by Digital Shadows
Streamline remediation of phishing threats that could impact your company’s revenue and brand reputation with the integration between Digital Shadows and Palo Alto Networks.
Boards' Eye View of Digital Risk & GDPR v2, by Graham Mann
The presentation provides senior executives and board members with an overview of digital risk and GDPR. It describes the issues and seeks to provide answers, whilst highlighting the need for a joined-up strategy around digital risk management.
A copy of the slides I delivered at the inaugural BANG event in Sydney to a highly receptive audience of talented individuals from the resilience, business continuity, cybersecurity, and risk professions.
Dealing with Information Security, Risk Management & Cyber Resilience, by Donald Tabone
Information Security
1. Why the need to think about it?
2. What exactly are we talking about?
3. How do we go about doing something about it?
4. Is there a one-size-fits-all framework?
For many companies, Cyber Security is achieved solely through the application of technological solutions to software and hardware challenges. Schneider-Electric takes a more holistic approach with a program built around complete product lifecycles and encompassing safety, maintenance and security. Discover Schneider-Electric's cyber security vision, from understanding how secure functionality is engineered into products through the tools and support available to manage updates and patches, plus specific procedures for handling potential vulnerabilities. A software and hardware ecosystem is only as strong as its weakest component, and Schneider-Electric is working to strengthen this through StruXureware and the evolution of platforms.
In a world of digital disruption, how ready are Swiss companies to face the digital challenge? Accenture assessed the digital maturity of the largest Swiss companies and industries and offers insights into how to seize the digital opportunity.
Our new infographic looks at the key issues around major cyber security risks faced by people and organisations across the UK, both today and tomorrow.
Why not read our full report to find out how you can ensure your organisation is more cyber resilient: http://explore.atkinsglobal.com/cyber/
The State of Application Security: Hackers On Steroids, by Imperva
Organizations of all sizes face a universal security threat from today’s organized hacking industry. Why? Hackers have decreased costs and expanded their reach with tools and technologies that allow for automated attacks against Web applications.
This presentation will detail key insights from the Imperva Application Defense Center annual Web Application Attack Report. View this presentation for an in-depth view of the threat landscape for the year. We will:
- Discuss hacking trends and shifts
- Provide breach analysis by geography, industry, and attack type
- Detail next steps for improved security controls and risk management processes
Your mobile knows a lot about you and that brings a number of business risks – security breaches from company data held in emails or business apps, for example. We highlight the data and security risks of the phone in your pocket.
See more at: http://www.grant-thornton.co.uk/en/Thinking/Beware-the-secrets-held-in-your-smartphone-/?previouspage=7260
Let’s read more on How to Start a Cyber Security Business:
Step 1: Define Your Niche
Step 2: Conduct Market Research
Step 3: Create a Business Plan
Step 4: Legal Considerations
Step
Secrets to managing your Duty of Care in an ever-changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for Cybersecurity attacks sits with Executives and Board members who may not have the right level of technical security knowledge. This session will outline what practical steps executives can take to implement a Cybersecurity Roadmap that is aligned with its strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
Cyber-attacks are an alarming threat to all types of businesses and organizations. The risk of a cyber-attack is not just a risk to your company but also to your privacy. Hence, cybersecurity is crucial for every business. Cybersecurity protects critical data from cyber attackers. This includes sensitive data, governmental and industry information, personal information, personally identifiable information (PII), intellectual property, and protected health information (PHI). If you are looking for tools to fight against cyber threats, then Techwave’s tools and technologies with adequate controls will help your organization stay protected.
In this evolving world, all businesses and organizations rely on IT infrastructure to protect them from cyberattacks. As more businesses embrace digital transformation, the risk of cyber attacks or crime will rise rapidly. Every organization should have strong cybersecurity for safety purposes. This blog will discuss the importance of cyber security for businesses.
Cybersecurity - What Retailers Need To Know, by Shantam Goel
The retail industry is favorite among cyber-attackers due to a large number of payment transactions on a regular basis. Protect your retail business from cyber-attacks. Cybersecurity is a major concern for retailers that need to be advanced with time.
Understanding the Biggest Cybersecurity Threats for Businesses Today.pdf, by VLink Inc
"Understanding the Biggest Cybersecurity Threats for Businesses Today.pdf" provides a comprehensive overview of contemporary cyber dangers confronting businesses. Delving into evolving tactics like ransomware, phishing, and data breaches, it equips readers with vital insights and strategies to safeguard their enterprises from digital threats in an increasingly interconnected world.
https://www.vlinkinfo.com/blog/biggest-cybersecurity-threats/
The Canadian business landscape walks a cybersecurity tightrope. Evolving threats like ransomware and sophisticated phishing campaigns lurk, coupled with industry-specific risks targeting vulnerabilities in healthcare, finance, and critical infrastructure. The tightrope narrows further with stringent regulations like PIPEDA and GDPR demanding robust data protection.
Remember, cybersecurity is an ongoing journey, not a destination. Our comprehensive cybersecurity solutions can be your trusted partner, providing:
Don't wait for a cyberattack to disrupt your business. Navigate the Canadian cybersecurity tightrope with confidence. Contact us today and let's build a secure future for your organization.
Intelligence-Driven Fraud Prevention
This RSA white paper discusses the need for new, intelligence-based approaches to manage fraud across digital channels.
Cyber Defense Group is a trusted cyber security consultancy located in Los Angeles, CA formed by cyber security professionals from multiple industries.
We work with your IT department and internal IT security staff in order to analyze your system from a top-level perspective, looking for patterns to determine what’s driving the vulnerabilities we’ve identified.
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf, by SecureCurve
Security and privacy are crucial elements for protecting digital assets. As the use of technology continues to increase, so does the risk of cyber-attacks and data breaches.
Preparing your enterprise against cyber-attacks is no longer a luxury but a necessity. Only those who have leveraged technology without fear of being destroyed by a single cyber-attack can be considered to have a digital advantage. This will not only enhance their performance but also put them one step ahead of the competition. Learn how cybersecurity is linked with digital maturity at the following link.
1. Working in partnership to help your business innovate and grow in a secure and resilient way
Cyber security and privacy
2. 2 CYBER SECURITY AND PRIVACY
About us
Dynamic organisations know they need to apply both reason and instinct to decision making. At Grant Thornton, this is how we advise our clients every day. We combine award-winning technical expertise with the intuition, insight and confidence gained from our extensive sector experience and a deeper understanding of our clients.
Through empowered client service teams, approachable partners and shorter decision making chains, we provide a wider point of view and operate in a way that enables our clients to be fast and agile. The real benefit for dynamic organisations is more meaningful and forward-looking advice that can help to unlock their potential for growth.
Grant Thornton’s cyber security and privacy team has significant experience of assessing, improving and embedding controls to better align exposure to risk appetite. We have worked with organisations of all sizes across all industries and can tailor our services to meet specific client needs across a wide range of topics, including cyber security, cyber crime, digital security, vendor assurance and data privacy.
Grant Thornton UK LLP is the UK member firm of Grant Thornton International Ltd, one of the world’s leading organisations of independent assurance, tax and advisory firms. Over 40,000 Grant Thornton people, across 130 countries, are focused on making a difference to clients, colleagues and the communities in which we live and work.
Cyber security governance
Grant Thornton has been helping organisations define and implement cyber security governance to manage cyber security risk. We have benchmarked the maturity of key controls that guard against cyber security risk, such as:
• governance committees and reporting
• roles and responsibilities
• risk appetite
• key risk indicators
• risk assessments and controls assurance
• incident management and reporting
• policies and procedures
• training and awareness.
This has reinforced to board members the importance of being involved in governing and overseeing cyber security decisions and investments.
3. Cyber security and privacy
To protect its reputation, innovate and grow, an
organisation needs to protect its intellectual property,
customer information and other critical information assets.
As the business community continues to find new and
innovative approaches to embrace the world wide web
through emerging solutions such as cloud computing, the
security threat increases in complexity. Recent security
breaches, such as the theft of intellectual property and
disclosure of customer sensitive information, have
highlighted how such events can undermine or even close
an organisation. Cybereconomics is a key differentiator
for organisations that are able to provide a secure business
environment for customers.
This realisation has raised the topic of cyber security and
privacy to board level, with executives seeking assurances
that such events could not affect their organisation. Robust
cyber security measures are critical to protecting your
organisation’s reputation, and meeting legal and regulatory
requirements.
Who is responsible for the governance of cyber
security risks in your organisation?
Since the board is ultimately responsible for managing an
organisation’s risks, they should be regularly briefed on
the effectiveness of cyber security controls and exposures
outside of the organisation’s risk appetite.
Our cyber security and privacy team consists of highly specialised professionals with extensive experience of key areas, including:
• Governance, risk and compliance
• Cyber crime
• Digital security
• Business resilience
• Third party assurance
• Data privacy
• Payment security
• Technology security
• Identity and access management
Information is now seen as one of the most valuable assets that any organisation holds.
4. Cyber crime
Are you protected against cyber attacks?
Cyber crime’s footprint is increasing significantly in the
frequency and size of its operations. It is evident that
technological defences alone are not sufficient to protect a
business from attacks. Cyber crime has evolved from being
the act of individuals to one of many tools used by organised
crime syndicates, where highly specialised professionals are
putting data, information and assets at a high risk of misuse.
No industry is safe from the possibility of a cyber attack, and being prepared is the best defence.
At Grant Thornton we can work with your organisation to prevent security vulnerabilities that could be exploited by cyber criminals to access your intellectual property and disrupt your business.
Case studies
• A recently reported attack on banks resulted in $1 billion being stolen during the last two years using trojan software installed from the internet onto internal workstations. The attack was successful, not because of the technology used, but because the attackers behaved like bank staff and learned the bank procedures to steal funds without detection.
• Targeted cyber attacks have revealed confidential company and customer information from the biggest names in the film and gaming industry, large retailers and internet service providers.
• A publisher’s products were stolen and copies made freely available online. As well as the loss of revenue, the cost of updating the systems and policies was more than £50,000.
The estimated cost of cyber crime to the UK is £27 billion per year, of which the main loser – at a total estimated cost of £21 billion – is UK business, which suffers from high levels of intellectual property theft and espionage¹. Over the last year the average cost of the worst breach suffered has gone up significantly to £0.6 - £1.15 million for large organisations².
¹ Detica, Office of Cyber Security and Information Assurance in the Cabinet Office, “The Cost of Cyber Crime” (2011)
² Information Security Breaches Survey by Department for Business Innovation and Skills (2014)
5. Digital security
Does your organisation know where cyber security
threats will first appear?
A company’s information infrastructure consists of many
different facets, each of which may be a path through which
attackers attempt to breach your defences to obtain access
to or corrupt critical information.
An effective digital security stance requires an
organisation to know both the location and value of
its critical information, and the means by which that
information might be accessed.
Some of the possible digital pathways used to gain access to critical information include:
• e-Commerce gateways and interfaces
• Online service portals
• Internal hardware and software
• Internal networks (wired and wireless)
• Third party service providers
• Non-standard and mobile devices
Each of these requires appropriate controls to ensure they cannot be leveraged to gain access to your organisation’s critical information assets.
We can assist your organisation by providing assurance to management on the maturity of digital security controls, highlighting high risk exposures and developing a roadmap to protect your digital assets.
The creation and maintenance of an information asset register is a key step to identifying critical systems to prioritise for protection. Even for small organisations this is a significant effort.
Data leakage
One major avenue for the loss of intellectual property from your organisation is through data leakage. There are a wide range of routes that can be used to steal information from your organisation, from walking out the door with a hardcopy document to using complex software to copy and extract data by transferring it over the web.
Grant Thornton can help you understand the data leakage methods to which your organisation may be exposed, the skills and experience required to exploit them and what preventative or detective controls could be deployed to reduce risk.
6. Business resilience
Does your organisation have the resilience to stand up
to a high profile cyber security incident?
Business resilience is the ability of an organisation to
minimise disruption and be able to function during an
incident. It covers all aspects of business continuity,
technology disaster recovery, incident management and
financial resilience.
Business resilience is pivotal to maintaining business
activities in the modern age of inter-connected global
operations, just in time production and complex
operational relationships. Maintaining your reputation
and delivering on time are fundamental to all professional
relationships.
Organisations need to anticipate and have proven
strategies to effectively respond to disruptive events,
maintain critical operations and learn from events to better
prepare for future challenges.
By partnering with us and using our wealth of
experience, we can better prepare organisations to face the
challenges that these disruptive events create.
Grant Thornton can assist to assess the readiness of
your organisation to handle, recover from and respond to a
cyber security incident, including both the public relations
and business resilience aspects.
Crisis management, incident management, cyber resilience, business continuity, disaster recovery
Industry guidance
Our business resilience services are based on the guidance contained in relevant British and international standards, including:
• BS 11200 – Crisis management: guidance to good practice
• BS 65000 – Organisational resilience: guidance
• ISO 22301 – Business continuity management systems: requirements
• ISO 22313 – Business continuity management systems: guidance
Case study
Grant Thornton was requested to provide support to a large
construction and support services firm to assess their level of
resilience and provide recommendations for improvement.
Using a hybrid approach of interviews, document review and on-site
inspections, conclusions were benchmarked against industry good
practice. The review established that although controls were in a
reasonable position, improvements and efficiencies could be delivered.
Quick win insights were provided during the review so urgent issues
could be swiftly addressed. Longer term recommendations were
delivered to improve their strategic approach to resilience and provide
a standardised approach across the organisation.
Operationally, a number of gaps and overlaps were identified along
with opportunities for efficiencies, combined with improvements to
the risk management processes. By closing out the items highlighted,
management confidence significantly increased in the resilience
framework across the entire organisation.
7. Third party assurance
How secure is your cloud?
Grant Thornton has performed third party sourcing reviews to assess relevant controls, such as:
• the maturity of security controls embedded into the supplier management framework
• whether the business could procure cloud based services directly without involving sourcing
• whether services purchased from cloud based providers were on the list of approved vendors.
Some reviews have identified that business staff could procure cloud based services directly, without going through controlled sourcing channels.
How do you gain assurance that the third parties you’ve
outsourced operations to are secure?
Over the past decade there has been a paradigm shift in the
way organisations operate, and many now recognise the
clear value and benefits to be gained from leveraging business
process outsourcing and third party services.
Consequently, many operational activities that were once
perceived as core are now outsourced, such as activities
performed by technology, operations and human resources
departments. There has also been the explosion in the use of
cloud based services.
These new ways of doing business present wonderful opportunities for cost efficiencies, but also create complex challenges and risks that need to be assessed and appropriately managed.
At Grant Thornton we leverage our experience to report to the board on the maturity of controls operated by key third parties, in particular through assurance and contractual reviews.
Third party security: third party contracts, third party assurance, third party exit management
Recent research has found that the use of third party internet based services without formal approval is widespread – 76% of CIOs are aware of the commission and use of third party cloud based products with no input from the technology department¹.
¹ British Telecom’s ‘Creativity and the Modern CIO’ – December 2014
8. Data privacy
How will the proposed EU data protection regulation affect
your organisation?
While the draft general data protection regulation still has
some way to go before becoming law, there are a number
of changes likely to impact your organisation. Beyond the
headline that organisations in breach of the rules could
face penalties of up to €100 million or up to 5% of their
worldwide turnover, other anticipated changes include:
• data breaches will need to be reported to impacted
individuals without undue delay
• businesses will be required to complete privacy impact
assessments at least annually
• the scope will be expanded to include non-European
companies that trade in the EU.
Many of these changes are already being adopted by
organisations as best practice, especially disclosure of
breaches and conducting privacy impact assessments.
At Grant Thornton we can leverage our experience to
help organisations prepare for and adhere to forthcoming
regulatory changes.
Privacy and security online
Grant Thornton has performed privacy and
security reviews to provide assurance over high
profile internet-based services by:
• assessing cloud-based services against
privacy and security best practice
• reviewing third party privacy and security
contractual obligations
• performing assurance testing of key controls.
Some reviews have highlighted where key
controls were inconsistent with risk appetite,
resulting in follow-on activity to address risk
exposures.
9. Payment security
Are your payment systems secure?
In 2013, payments businesses handled $425 trillion in non-cash transactions, more than five times global GDP. By 2023 the value of non-cash transactions is expected to reach $780 trillion¹. In developing economies the growth will be significantly higher.
At the same time, regulatory challenges to the payments
industry are increasing as regulators extend their remit
to include payment institutions. There is also increased
competition and market disruption by new entrants,
including the rise of mobile payments, digital wallets and the
use of Bitcoin.
Given the volumes of funds moved on a daily basis, the risks associated with the payments industry include:
• reputational and financial costs of system failure
• fraud committed by criminal hackers
• increased volatility in the payments landscape caused by customers changing their mobile payment habits
• difficulties funding projects for continuous improvement and innovation in a competitive and rapidly changing market
• regulatory censure and subsequent loss of reputation arising from abuse of the service, eg money laundering
• payment market disrupters proposing alternate payment services.
At Grant Thornton we can leverage the expertise of our in-depth payment specialists to help ensure major wholesale and consumer-facing payment systems remain available and secure.
Case studies
Grant Thornton has reviewed the development and implementation of a mobile payment system project. Our team:
• reflected the current status of the project to executive management
• assessed implementation roadblocks holding back delivery of the project, including commercial, technical security and legal risks
• suggested improvements to the project’s governance and risk management.
Our portfolio of payment system review work includes the following:
• organisations clearing transactions on behalf of third parties with highly developed and resilient payment infrastructures
• payment system compliance reviews for organisations, such as large retail banks.
[1] Source: Boston Consulting Group Global Payments Review 2014
Penetration testing
• red team/penetration testing (infrastructure, web application, wireless networks)
• mobile application assessment
• wireless LAN security
• cyber security architects
• security configuration review
Technology security
Your organisation’s systems are only as secure as the weakest link – where’s yours?
In today’s complex and ever changing world, systems used to help your organisation innovate and grow are updated or changed on a regular basis. In such an environment it is essential to be assured that the hardware and software infrastructure supporting your everyday business activities is robust and secure, especially as more and more processes become automated and move online.
We can leverage our experience to perform penetration tests to assess the security and maturity of controls over your infrastructure, networks and applications, and identify vulnerabilities and angles of attack that could be exploited and how these should be mitigated.
Layers covered: application security, database security, operating system security, network security, perimeter security.
Infrastructure security assessments
Grant Thornton has performed deep technical security reviews of complex infrastructure environments, including a variety of banking mainframes. Such reviews cover many layers of control that contribute to the security of critical systems, such as processing the bank accounts of a large national customer base.
Some reviews have identified material risks resulting in recommendations to strengthen the environment and improve the security oversight and monitoring processes.
Recent events have reinforced the direct correlation between successful attacks, brand reputation and share price.
Some of the challenges faced by organisations include:
• constantly evolving cyber threats, with new security vulnerabilities being discovered on a regular basis
• the need for organisations to be on the front foot in respect of patching, upgrades and security event monitoring.
Identity and access management
Themes: joiners, movers and leavers; access recertification; toxic combinations; privileged access; developer access.
Could your organisation be exposed to financial crime by staff with excessive system access?
Even though the topic of unauthorised access is an auditor’s favourite, dating back many decades, many organisations today still face challenges ensuring they have robust controls over system access and segregation of duties.
Some of the more common challenges still faced by organisations today include:
• access recertification becoming the detective control of choice, without preventative controls to remove access when individuals move role
• cost reduction programmes – such as offshoring and outsourcing – making it more complex to govern access permissions
• defining toxic access combinations that pose a segregation of duties risk, and deploying controls to prevent (or detect) such access violations
• balancing controls that restrict privileged and developer access to production systems, with the need for high systems availability
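The following is an added worked example, not Grant Thornton's code or method, illustrating two of the challenges above in a form an access review team could run: detecting toxic entitlement combinations that break segregation of duties, and flagging movers who still hold entitlements from a previous role, which a periodic recertification alone would only catch after the fact. The role model, entitlement names, toxic pairs and user records are all constructed for illustration.

```python
"""Added example (not from the original brochure): a small identity and
access management review that looks for (1) toxic entitlement combinations
and (2) entitlements a mover has retained beyond their current role.
All role, entitlement and user data below is constructed sample data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Hypothetical role model: what each role is *supposed* to grant.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve", "invoice.enter"},
    "developer": {"code.commit", "test.deploy"},
    "ops": {"prod.deploy", "prod.shell"},
}

# Hypothetical toxic combinations: entitlement pairs that a single person
# must never hold together because they defeat segregation of duties.
TOXIC_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"vendor.create", "payment.approve"}),  # create a payee and pay it
    frozenset({"code.commit", "prod.deploy"}),        # change code and ship it unreviewed
}


@dataclass
class User:
    uid: str
    role: str               # current role as recorded by HR
    entitlements: Set[str]  # what the user actually holds in the target system


def toxic_combinations(user: User) -> List[List[str]]:
    """Return every toxic pair that is fully present in the user's live entitlements."""
    hits = [sorted(pair) for pair in TOXIC_PAIRS if pair <= user.entitlements]
    return sorted(hits)


def excess_entitlements(user: User) -> Set[str]:
    """Entitlements held beyond what the current role should grant.
    For a mover this is typically residue from the previous role that
    was never removed (the missing preventative control)."""
    expected = ROLE_ENTITLEMENTS.get(user.role, set())
    return user.entitlements - expected


def review(users: List[User]) -> Dict[str, Dict[str, list]]:
    """Run both checks and return findings keyed by user id; clean users are omitted."""
    findings: Dict[str, Dict[str, list]] = {}
    for u in users:
        toxic = toxic_combinations(u)
        excess = sorted(excess_entitlements(u))
        if toxic or excess:
            findings[u.uid] = {"toxic": toxic, "excess": excess}
    return findings


# Constructed sample extract, as a JML reconciliation would pull from HR and the target system.
SAMPLE_USERS: List[User] = [
    User("u100", "ap_clerk", {"vendor.create", "invoice.enter"}),                         # clean
    User("u200", "ap_manager", {"payment.approve", "invoice.enter", "vendor.create"}),    # mover: kept vendor.create
    User("u300", "ops", {"prod.deploy", "prod.shell", "code.commit"}),                    # developer rights on an ops account
]

if __name__ == "__main__":
    for uid, finding in review(SAMPLE_USERS).items():
        print(uid, "toxic:", finding["toxic"], "excess:", finding["excess"])
```

Running the block reports u200 (vendor.create retained after moving from clerk to manager, which also completes a toxic pair) and u300 (code.commit plus prod.deploy); u100 is clean. In practice the role model and toxic pair list are the hard part to agree with the business, and the excess check only works when the HR role feed is authoritative, which is why the brochure stresses preventative removal of access on role change rather than relying on recertification alone.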
Access management coverage
When thinking about the maturity of your identity and access management controls, it is wise to think about the variety of systems in use across your organisation, including:
• Applications
• Databases
• Operating systems
• Network file shares
• Collaboration sites
While much attention has been given to application access controls, effort is also required to restrict privileged access to databases and operating systems, as well as end user access to network file shares and collaboration sites, such as SharePoint.
At Grant Thornton we can leverage our experience to benchmark the maturity and coverage of access management controls, and develop a roadmap to take things forward.