What trends will 2018 bring for Business Continuity Professionals?

What trends will
2018 likely bring for
business continuity professionals?

What trends will 2018 likely bring for business continuity professionals?Copyright © 2018 Deloitte Development LLC. All rights reserved
2
Introductions
David Feeney, CPP, PMP Andrea LeStarge, MS
Advisory /Consulting
Energy/Utilities
Private Sector
GSOC
Security Operations
Technology
Advisory / Consulting
National Lab
Federal & State Gov’t
Fusion Centers
Risk Assessments
Training

3
Baselining: Terminology 4
Looking deeper into likely trends: Who, what, how 5
Looking deeper into likely trends: New technologies 6
Looking deeper into likely trends: Cyber 7
Looking deeper into likely trends: Data breach 8-9
Looking deeper into likely trends: Internet of Things (IoT) 10-11
Looking deeper into likely trends: Physical 12
Impact on business continuity planning 13-15
Executive sponsorship, stakeholder buy-in 16
Top actions & questions for executives 17
Agenda

4
Baselining: Terminology
Vulnerabilities
Threats
Business Continuity
Risk Management

5
Looking deeper into likely trends:
Who, what, how • Cyber criminals
• Hacktivists (agenda
driven)
• Nation states
• Insiders / partners
• Competitors
• Skilled individual hacker
• Theft of intellectual
property
or strategic plans
• Financial fraud
• Reputation damage
• Business disruption
• Destruction of critical
infrastructure
• Threats to health & safety
Who might attack?
What are they after;
What are the key business risks I need to
mitigate?
What tactics might they use?
• Spear phishing, drive
by download, etc.
• Software or hardware
vulnerabilities
• Third-party
compromise
• Multi-channel attacks
• Stolen credentials
• … and others

Presentation title
[To edit, click View > Slide Master > Slide Master]
Member firms and DTTL: Insert appropriate copyright
[To edit, click View > Slide Master > Slide Master]
6
The digital revolution is driving business
innovation and growth, yet also exposing
users to new and emerging threats.
Exciting technological innovations bring
fantastic opportunities:
 Driving down costs;
 Increasing integration; and
 Driving efficiencies.
But opportunity brings risk:
New avenues of exploitation mean businesses
have a greater exposure to cyber attacks than
ever before.
New technology
YOU
The increasing prevalence of cyber attacks means that new
techniques and tools are needed
New Technology = New Threats

7
Looking deeper into likely trends: Cyber
“63% of confirmed data
breaches leverage a
weak, default, or stolen
password.”
“30% of phishing emails are
opened. And ~12% of targets
go on to click the link or
attachment.”
“Crypto-style
ransomware grew 35
percent in 2015.”
“59% of employees
steal proprietary
corporate data when
they quit or are fired.”
“99% of computer users
are vulnerable to exploit
kits (software
vulnerabilities).”
BITSIGHT. 2018. 28 Data breach statistics that will inspire you (to protect
yourself). Retrieved from: https://www.bitsighttech.com/blog/data-breach-
statistics

8
Data breach
“In 2016, there were
454 data breaches with
nearly 12.7 million
records exposed.”
“In 93% of breaches,
attackers take minutes
or less to compromise
systems.”
“4 out of 5 victims of a
breach don’t realize
they’ve been attacked
for a week or more.”
“The forecast average
loss for a breach of
1,000 records is
between $52,000 and
$87,000.”
BITSIGHT. 2018. 28 Data breach statistics that will inspire you (to protect
yourself). Retrieved from: https://www.bitsighttech.com/blog/data-breach-
statistics

9
Data breach (Cont’d)
Ponemon Institute, Cybersponse, 2018.
Retrieved from: https://cybersponse.com/dont-
be-a-statistic-these-numbers-are-scary
$400B+
50%
90%
63%8%
11%
18%
Healthcare Financial Services Educational Government
229
99.9%
27.5%increase in the data
breaches in various
industries from
2013
15%
o f i n c i d e n t s
s t i l l t a k e
d a y s t o
d i s c o v e r
Average
number of
days attackers
maintained
presence after
infiltration and
before
detection
chance that at least one
person will fall prey to a
phishing campaign with just
10
emails
recipients open emails
and click on phishing
links within the first hour
of receiving them
$154
$201
$217
Global
Average
2014
2015
Per capita cost of data breach
was highest in US in 2015
$217
of the exploited
vulnerabilities were
compromised more
than a year after
CVE was published
Numbers denote industry wise breakup of 2014 data breach
incidents
is the annual cost
to the global
economy from
cybercrime
o f i n c i d e n t s
i n v o l v e a b u s e
o f p r i v i l e g e d
a c c e s s
55%

10
IoT
“The number of
connected devices is
expected to grow
from 15.4 billion in
2015 to 30.7 billion
by 2020 and 75.4
billion by 2025.”
“Global spending on
IoT across all markets
is expected to grow
from $737 billion in
2016 to $1.29 trillion
by 2020.”
“In 2017, 60% of global
manufacturers will use
analytics data recorded
from connected devices to
analyze processes and
identify optimization
possibilities.”
VisionCritical. 2018. 13 stunning stats on the Internet of Things.
Retrieved from: https://www.visioncritical.com/internet-of-things-
stats/

11
IoT (Cont’d)
Enable security by default through unique, hard to crack default user names and
passwords. User names and passwords for IoT devices supplied by the manufacturer are
often never changed by the user and are easily cracked. Botnets operate by continuously
scanning for IoT devices that are protected by known factory default user names and
passwords. Strong security controls should be something the industrial consumer has to
deliberately disable rather than deliberately enable
Build the device using the most recent operating system that is technically viable and
economically feasible. Many IoT devices use Linux operating systems, but may not use
the most up-to-date operating system. Using the current operating system ensures that
known vulnerabilities will have been mitigated
Use hardware that incorporates security features to strengthen the
protection and integrity of the device. For example, use computer chips that
integrate security at the transistor level, embedded in the processor, and
provide encryption and anonymity
Design with system and operational disruption in
mind. Understanding what consequences could flow from
the failure of a device will enable developers,
manufacturers, and service providers to make more
informed risk-based security decisions. Where feasible,
developers should build IoT devices to fail safely and
securely, so that the failure does not lead to greater
systemic disruption.
1
2
3
4
US DHS. 2016. Strategic Principles for Securing the IoT. Retrieved
from:
https://www.dhs.gov/sites/default/files/publications/Strategic_Princi
ples_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf

12
Looking deeper into likely trends: Physical
It is important to understand the actual physical threats for specific
organizations, and specifically for individual lines of business or support
functions.
Active Shooter
Workplace Violence
Improvised
Explosive Devices
Insider Threat
Physical security is changing for many of our Nation’s critical infrastructure sectors and the need for assistance is growing at a
tremendous rate.
Companies are feeling the strain traditional risk mitigation measures place on human resources. Security officers that used to
work 9-to-5 are being replaced with automated security measures that are 24/7 and provide enhanced security technologies.
With these advanced technologies, company policies and procedures are in need of updating to account for the technology
and mechanisms that are in place to protect against a wide variety of both internal and external threats.
Strong BIA strategies help organizations have strong security management and corporate governance of the organization.
With well planned and developed business continuity programs, liabilities, and costs can be reduced in numerous areas.
Growing Need for Structural Safeguarding

13
Convergence(s)
• Renaissance of physical & cyber convergence
• Integrate business continuity into all organizational functions (not just IT).
• Business continuity practitioners should engage asset owners as a trusted advisor
Impact on business continuity planning
Physical
Threats
Cyber
Threats

14
 Enterprise Security Risk Management (ESRM)
 Business continuity (BC) across the
enterprise
 Asset owner is stakeholder
 BC is trusted advisor
(Cont’d)
 ESRM Process
 Identify asset
 Identify risk
 Prioritize risk
 Plan for risk

15
 Focus on resilience vs impenetrability
 Resilience: Having the ability to recover from and reduce the impact of cyber incidents
 Resilience accepts to some degree that mitigation strategies are not impenetrable
(Cont’d)

16
Executive sponsorship,
stakeholder buy-in
Board & CEO
Senior
Management
(COO, CAO, CRO)
IT Leadership
(CIO)
IT Risk Leadership
(CISO / CITRO)
Tone at the top, establish
senior management
accountability and a Business
Continuity (BC)-aware culture
Define the organization’s
risk appetite and be
accountable for BC
Program. Empower the
extended leadership team.
Lead (not delegate) in
defining and executing the
strategy to execute the BC
Program. Establish an
effective interaction model
with cyber and physical
branches.
Define the right balance
between threat-centric
vs. compliance-centric
programs. Be a business
enabler, without shying
away from the role of BC
Program custodian.
Line of Business
Leaders
Support integration of BC
Program processes into
business growth and
development activities.
Appoint line-of-business
BC Program officers.
Architecture
&
Engineering
Infrastructure
Application
Development
Security
Operations
IT DOMAINS Manage
and report on risks
Execute on
strategy
Other
functions…
GOVERNANCE
Fully integrate BC into cyber
and physical disciplines –
design for Six Sigma, not
quality control. Integrate
current technologies and
people processes to address
the latest threats per the
business impact analysis
results.

17
Top actions and questions for
executives
• Put a senior executive at the helm.
He or she must be able to lead in a crisis, and
also guide the program and enlist collaboration
across diverse functions.
• Map threats to the business assets
that matter.
Set direction, purpose, and risk appetite for the
program. Establish priorities, and ensure funding
and resourcing.
• Drive early “wins.”
Establish momentum by focusing on pilot
initiatives that measurably impact business
success. Use these to plant the seeds of long-
term cultural change.
• Accelerate behavior change.
Create active learning scenarios that instill
awareness of the impact of daily activity on cyber
risk. Embed cyber risk management goals into
evaluation of Top 100 executives.
• Trust but verify.
Conduct monthly or quarterly reviews about key
risks and risk metrics, and address roadblocks.
Key actions you
should own
Key questions
you should ask
• Are we focused on the right things?
Often said, but hard to execute. Understand how value is
created in your organization, where your critical assets
are, how they are vulnerable to key threats. Practice
defense-in-depth.
• Do we have the right talent?
Quality over quantity. There is not enough talent to do
everything in-house, so take a strategic approach to
sourcing decisions.
• Are we proactive or reactive?
Retrofitting for security is very expensive. Build it upfront
in your management processes, applications and
infrastructure.
• Are we incentivizing openness and
collaboration?
Build strong relationships with partners, law
enforcement, regulators, and vendors. Foster internal
cooperation across groups and functions, and ensure that
people aren’t hiding risks to protect themselves.
• Are we adapting to change?
Policy reviews, assessments, and rehearsals of crisis
response processes must be regularized to establish a
culture of perpetual adaptation to the threat and risk
landscape.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network
of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL
(also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US
member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective
affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see
www.deloitte.com/about to learn more about our global network of member firms.
Copyright © 2018 Deloitte Development LLC. All rights reserved.
36 USC 220506
This presentation contains general information only and Deloitte is not, by means
of this presentation, rendering accounting, business, financial, investment, legal,
tax, or other professional advice or services. This presentation is not a substitute
for such professional advice or services, nor should it be used as a basis for any
decision or action that may affect your business. Before making any decision or
taking any action that may affect your business, you should consult a qualified
professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies
on this presentation.

19
ISO 22301
Training Courses
ISO 22301 Introduction
1 Day Course
ISO 22301 Foundation
2 Days Course
ISO 22301 Lead Implementer
5 Days Course
ISO 22301 Lead Auditor
5 Days Course
Exam and certification fees are included in the training
price.
https://pecb.com/iso-22301-training-courses
www.pecb.com/events

20
THANK YOU
?
www.deloitte.com
https://www.linkedin.com/in/davidfeeney/
https://www.linkedin.com/in/andrea-lestarge-
1b64a7a9/

What trends will 2018 bring for Business Continuity Professionals?

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to What trends will 2018 bring for Business Continuity Professionals?

Similar to What trends will 2018 bring for Business Continuity Professionals? (20)

More from PECB

More from PECB (20)

Recently uploaded

Recently uploaded (20)

What trends will 2018 bring for Business Continuity Professionals?

Editor's Notes