EMERGING CYBER SECURITY THREATS: A FUTURE OUTLOOK
Leonard Ong, CISA, CISM, CRISC, CGEIT, COBIT 5 Implementer & Assessor
14 February 2016
CYBER INCIDENTS CONTRIBUTE TO SIGNIFICANT ECONOMIC LOSSES
• IP theft in the United States: > $300 Billion (IP Commission Report)
• Singapore: $1 Billion (Symantec)
• Losses from cybercrime: $575 Billion (McAfee)
• Also cited: Ponemon Institute
CYBERSECURITY FROM DIRECTORS’ POINT OF VIEW
>65% of board of director respondents indicated that the cybersecurity risks were at a high level or had increased.
Only 14% were actively involved while 58% said they should have been more involved.
PESTLE MODEL
Figure 1: The PESTLE model (Political, Economic, Social, Technological, Legal, Environmental)
Threat 1.1 The Internet of Things leaks sensitive information
Impact:
• Growing regulatory fines and legal expenses as breaches occur
• Increased regulatory burden
• Reputational risk
Recommendations:
• Prior to IoT deployment, seek consent and apply data protection principles
• Ensure policies, terms & conditions are transparent and compliant
• Look at IoT holistically rather than as a category of device
• Update policies, standards, guidelines and processes
Threat 1.2 Opaque algorithms compromise integrity
Impact:
• Poorly maintained algorithms lead to loss of revenue and delays
• Disruption to critical systems is heightened by a lack of specialised skills
• Reputation is questioned after an incident
Recommendations:
• Identify exposure to algorithm-controlled systems and understand the liability
• Update code maintenance policies
• Identify alternative ways of treating risks from algorithm-related incidents
• Conduct robust business continuity and resiliency planning
Threat 1.3 Rogue governments use terrorist groups to launch cyber attacks
Impact:
• Brand damage, loss of revenue or even bankruptcy
• Severe business disruption as SIEM systems are evaded by persistent attackers
Recommendations:
• Adapt risk management processes to account for threat actors with new capabilities
• Review existing controls and focus on increasing resiliency
• Explore possibilities for threat intelligence collaboration with governments and organisations facing similar threats
Threat 2.1 Unmet board expectations exposed by major incidents
Impact:
• Costly incidents due to incomplete risk assessment
• Inability to deal with threats and incidents, inhibiting decision making
Recommendations:
• Engage with the board regularly to provide a credible view of cyber risks
• Align the board's expectation of security improvements with the current and future capability of the CISO and information security function
• Initiate a talent programme to transform the CISO and information security function from specialists into trusted business partners
• Learn from others
Threat 2.2 Researchers silenced to hide security vulnerabilities
Impact:
• Business disruption due to insecure software that could have been fixed
• Loss of sales for manufacturers when their actions to suppress vulnerabilities are made public
• Damage to manufacturers that suppress vulnerabilities, resulting in loss of life
Recommendations:
• Consider financial rewards for responsible researchers
• Use mediation services to agree satisfactory disclosure practices
• Insist on greater transparency during the procurement process
Threat 2.3 Cyber insurance safety net is pulled away
Impact:
• Organisations are exposed as they lose access to risk transfer
• High cost of alternative treatment
• Credit ratings may slow down the cyber insurance market
Recommendations:
• Reassess risk management strategy in advance, and identify risks to be transferred through cyber insurance
• Examine cyber insurance for potentially costly exclusions
Threat 3.1 Disruptive companies provoke government
Impact:
• Large fines for organisations that resist rather than engage with governments
• Companies (in technology sectors) are subjected to higher scrutiny
Recommendations:
• Avoid political opposition by understanding the local context of product & service delivery
• Develop a clear strategy for political influence and engagement, focusing on a principle-based system of regulation
• Explore possibilities for collective influence
Threat 3.2 Regulations fragment the cloud
Impact:
• Disruptions to operation and production as cloud services are divided among multiple countries
• Additional resources required to deal with cloud compliance
• Organisations forced to comply with data protection requirements
Recommendations:
• Understand how current and proposed regulation will evolve
• Be proactive and devise a strategy before it is too late
Threat 3.3 Criminal capabilities and gaps in international policing
Impact:
• Brand damage as organisations' technical capabilities are surpassed by cyber criminals
• Incurred losses compounded by growing e-commerce and inadequate international law enforcement cooperation
• Degraded ability to conduct business abroad
Recommendations:
• Improve threat intelligence and increase resiliency
• Proactively work with and influence governments to cooperate and build an international framework
SECURE-BY-DESIGN AND PRIVACY-BY-DESIGN
1. Technology should have adequate security features and be configured securely before reaching the customer.
2. Personal data protection principles should be built into the product's features and operation.
3. Customers should be able to secure any product with reasonable effort and without requiring specialised skills.
4. The burden of securing products should fall less on the consumer.
ETHICAL TECHNOLOGY DEVELOPMENT
1. The pharmaceutical, medical and legal industries have intensive testing and certification, which reduce accidents, bad medicine and substandard professionals.
2. Technology development should go through proper testing for social, safety and privacy issues.
3. Secure-by-design and privacy-by-design should be independently tested.
KEY TAKE-AWAYS
1. The cost and frequency of cyber attacks will continue to increase.
2. Total losses from intellectual property theft are far greater than the cost of cybercrime.
3. Cybercrime is a 'tax' on business and innovators.
4. Disruptive technologies lack robust security and privacy protection.
5. Codes of ethics need to be implemented in technology development.