Internet of Things “IoT” can be defined as physical objects that connect to the internet through embedded systems and sensors, interacting with it to generate meaningful results and convenience to the end-user community. According to industry estimates, machine-to-machine communications alone will generate approximately US$900 billion in revenues by 2020.

1. Get ahead of cybersecurity
Tiffy Isaac,
Partner, EY LLP

2. Page 2
Agenda
► Introduction
► The cyber threat landscape
► What are organizations doing?
► Get ahead of cybercrime

3. Page 3
Introduction
Internet of Things “IoT” can be defined as physical objects that connect to the internet through embedded systems
and sensors, interacting with it to generate meaningful results and convenience to the end-user community.
New
business
opportunit
ies
Improved
decision-
making
Safety
and
security
Improved
citizen
experience
Cost
reductions
Potential for
business
revenue
growth
Opportunities does IoT offer?
What will be future…
The ever-expanding IoT world
Smart life Smart mobility
Smart city Smart manufacturing

4. Page 4
Some facts…
The cloud provides a platform for IoT to flourish, however, there are still many challenges.
With the plethora of data that they will hold, storage servers will have to be updated and secured all
the time.
According to industry estimates,
machine-to-machine communications
alone will generate approximately
US$900 billion in revenues by 2020.
India is planning to invest approximately
US$11 billion for developing 100 smart
cities. A draft policy framework document
of IoT was released in October 2014 by
the Indian government.
The interconnectivity of people, devices and organizations opens up new vulnerabilities.
$
New technologies, regulatory pressure and changing business requirements call for more security
measures.
Per EY’s 17th Global Information Security Survey 2014, which captures the responses of 1,825 C-
suite leaders and information security and IT executives/managers - 56% of respondents say that it
is “unlikely or highly unlikely” that their organization would be able to detect a sophisticated attack.

5. Page 5
IOT will affect different business sectors
Healthcare
Personal information that could tell medics not
only about individuals’ medical history, but also
about potential diseases
Sensors and microcomputers fitted in the
human body that could monitor health
conditions and even alarm emergency
services in case of any distress
.
Education
IoT in the education sector has already
started to make the conventional education
system more automated
Internet-enabled remote classrooms will be a
milestone for developing countries, making
deep penetration in areas where setting up a
traditional school infrastructure is not possible.
.
Financial Services
Financial services are already leveraging the
internet for many of their services.
Improvement in digital infrastructure and IoT-
enabled products could further lead the growth of
the financial sector, with innovations, such as smart
wearable and smart monitoring devices, helping
customers to keep better track of their money.
Telcos
Telcos could face a surge in data usage due
to IoT-enabled devices, thus raising their
ARPU (average revenue per user), while on
the other hand, they will also have to deal with
some concerns, such as privacy and
infrastructure security.

6. Page 6
E.g. Connected car and cyber security
Context
Triggers
Question
Response
How can automotive sector organization keep up with the changing
vulnerability landscape, while many are lagging in establishing
foundational cybersecurity practices?
Traditional IT security
measures are no longer
enough
Research shows that attacks
on vehicles are possible
Today’s attackers are
organized, well funded,
patient and sophisticated
key imperatives need to be followed by the
automotive industry to embrace connectivity, and
at the same time ensure IT security
Automakers launch several connectivity offerings, the
interconnectivity of people, devices and organizations
opens up new vulnerabilities. However, …

7. Page 7
Recent academic research and dummy hacking trials on connected
cars have shaken the confidence of regulators and consumers
Details of hacking Action taken by the
automaker/affected brand
Brand
affected
A team from the Defense Advanced Research Projects
Agency (DARPA), demonstrated how it was able to wirelessly
hack into the computer systems and take over several
functions, including the brakes of a Chevrolet Impala during a
controlled situation
GM is developing a fix for its OnStar
telematics system in light of the
cyberattack
ADAC, a German motoring association, found they could lock
and unlock car doors by mimicking mobile communications
and sending signals to a SIM card installed in affected
vehicles
BMW sent over-the-air out software
patches to the 2.2 million cars
equipped with Connected Drive to
prevent similar breakages in future
Sources: News articles, EY analysis
Recent examples of dummy hacking by researchers

8. Page 8
The cyber threat landscape

9. Page 9
EY GISS 2014 results: “Who or what do you consider the
most likely source of an attack?”
41%
46%
27%
53%
14%
12%
10%
35%
57%
Lone wolf hacker
Hacktivists
State sponsored attacker
Criminal syndicates
Other business partner
Supplier
Customer
External contractor working on our site
Employee
Respondents were asked to choose all that apply.

10. Page 10
EY GISS 2014 results: “Which threats & vulnerabilities have
increased your risk exposure over the last 12 months?”
Respondents were asked to select any five of these items, with 1 as the highest priority, down to 5 as their lowest priority

11. Page 11
The roadblocks facing today’s organizations
43%
of respondents say that their organization’s total
information security budget will stay approximately the
same in the coming 12 months and a further 5% said
that their budget will actually decrease.
53%
of organizations say that lack of skilled resources
is one of the main obstacles that challenge their
information security.
Roadblock 1 — Lack of agility
Roadblock 2 — Lack of budget
Roadblock 3 — Lack of cybersecurity skills

12. Page 12
It is not easy to get ahead of cybercrime
Getting aheadCybersecurity
function

13. Page 13
What are organizations doing?

14. Page 14
What are organizations doing?
► Designing and implementing a cyber threat intelligence strategy to support strategic
business decisions and leverage the value of security
► Defining and encompassing the organizations extended cybersecurity ecosystem,
including partners, suppliers, services and business networks
► Know your Crown Jewels - Taking a cyber economic approach — understanding your
vital assets and their value, and investing specifically in their protection
► Use forensic data analytics and cyber threat intelligence to analyze and anticipate
where the likely threats are coming from and when, increasing your readiness

15. Page 15
How do you get ahead of cybercrime?
… A 3-stage improvement process
To get ahead of cybercrime we suggest that organizations adopt a 3-stage improvement
process:
► Activate (a foundational approach)
► Organizations need to establish and improve the solid foundations of their cybersecurity)
► Adapt (a dynamic approach)
► Because organizations are constantly changing and cyber threats are evolving, cybersecurity needs to
be able to adapt to changing requirements)
► Anticipate (a proactive approach)
► Organizations need to make efforts to predict what is coming so they can be better prepared for the
inevitable cyber attacks)

16. Page 16
Activate. Adapt. Anticipate. Where are you?
Activate Adapt Anticipate

17. Page 17
Activate: the need to establish foundations
Organizations in this level
can only deal with threats
in a world without change

18. Page 18
Adapt: a dynamic approach
If an organization
doesn’t adapt, its
cybersecurity
foundation will quickly
be obsolete.

19. Page 19
Anticipate: a proactive state of readiness
‘Anticipate’ means embracing cybersecurity as a core aspect of the
business and being in a proactive state of readiness
value

20. Page 20
Vital to foundational cybersecurity –
a Security Operations Center
A Security Operations Center (SOC) centralizes, structures and coordinates the processes and
technology that support the Information Security function. It is therefore concerning that:
► Over 40% of organizations surveyed do not have a SOC.
Of those that do:
► Over half of respondents did not know how well their SOC met business operations’ needs
► Over 50% do not know how their SOC stays up to date with the latest threats
► The technology infrastructure and endpoints of the SOC need to be improved.
If more of the benefits of a SOC were being realized, then the general ability of an organization to protect
itself in even the most basic functions would start to deliver benefits.
37%
say that real time insight on
cyber risk is not available.
42%
of organizations do not have
a SOC.
33%
4%
13%
13%
25%
12%
Unknown
Longer than 1 day
Within 1 day
Within 4 hours
Within 1 hour
Within 10 minutes
EY GISS 2014 results: How long on average does it
take for your SOC to initiate an investigation on
discovered/ alerted incidents?

21. Page 21
…..get ahead of cybercrime

22. Page 22
Take the initiative to get ahead of cybercrime
Thank you….

23. Page 23
Focus on 3 As…
1. Conduct a cyber threat assessment
and design an implementation
roadmap
2. Get Board-level support for a
security transformation
3. Review and update security policies,
procedures and supporting
standards
► Implement an information
security management system
4. Establish a Security Operations
Center (SOC)
► Develop monitoring and incident
response procedures
5. Design and implement cybersecurity
controls
► Assess the effectiveness of data
loss prevention and identity and
access management processes.
► Harden the security of IT assets.
6. Test business continuity plans and
incident response procedures
1. Design and implement a
transformation program
► Get external help in designing
the program, and providing
program management.
2. Decide what to keep in-house and
what to outsource
3. Define a RACI matrix for
cybersecurity
4. Define the organization’s
ecosystem
► Make moves to eliminate or
lessen potential security gaps
in your interaction with third
parties
5. Introduce cybersecurity awareness
training for employees
1. Design and implement a cyber threat
intelligence strategy
► Use threat intelligence to support
strategic business decisions
2. Define and encompass the
organization’s extended cybersecurity
ecosystem
► Define RACI and trust models
and enact cooperation, sharing
capabilities where advantageous
3. Take a cyber economic approach
► Understand the value of your
most vital cyber assets
4. Use forensics and analytics
► Use the latest technical tools to
analyze where the likely threats
are coming from and when
5. Ensure everyone understands what’s
happening
► Strong governance, user controls
and regular communications
Adapt - take action to improve
and transform
Anticipate: take action -
and get ahead
Activate: the need to establish
foundations