Ivan dragas get ahead of cybercrime

Get ahead of cybercrime EY’s Global Information Security Survey

Page 1: Ivan dragas   get ahead of cybercrime

Get ahead of cybercrime

EY’s Global Information Security Survey

Page 2 Get ahead of cybercrime — EY’s Global Information Security Survey 2014

Agenda

► The cyber threat landscape

► The journey to cybersecurity maturity
    ► Activate
    ► Adapt
    ► Anticipate

► Summary

The cyber threat landscape

Cyber attacks are headline news

► It is no longer possible to prevent attacks or breaches

► With organizations increasingly relying on vast amounts of digital data to do business, cybercrime is growing ever more damaging to an organization and its brands.

► The interconnectivity of people, devices and organizations opens up new vulnerabilities.

► New technologies, regulatory pressure and changing business requirements call for more security measures.

► What companies used to know and do to protect their most valued information is no longer enough.

What everyone wants to know is “what can companies do about cybercrime?”

The growing attacking power of cyber criminals

Cybercrime is big business. Today’s attackers:

► Are more organized – they are not just opportunists

► Have significant funding

► Are patient and sophisticated – they will often gain access and wait until the right moment to pounce

Cybercrime is an organization-wide issue

► Attackers take advantage of vulnerabilities in the whole operating environment – including people and process.

► Due to the relative ease of access via IP addresses, operational technology systems are often targets for cyber criminals.

GISS 2014 results: “Who or what do you consider the most likely source of an attack?”

Lone wolf hacker

State sponsored attacker

Other business partner

Customer

Employee

41%

46%

27%

53%

14%

12%

10%

35%

57%

Respondents were asked to choose all that apply.

The roadblocks facing today’s organizations

► Roadblock 1 — Lack of agility
    ► Organizations admit there are still known vulnerabilities in their cyber defences and they are not moving fast enough to mitigate these. They are therefore lagging behind in establishing foundational cybersecurity.
    ► 65% tell us that they lack real-time insight on cyber risks

► Roadblock 2 — Lack of budget
    ► For the first time, we see more organizations reporting that their information security budgets will not increase. There is a need for more money and resources to face the growing threats effectively.

► Roadblock 3 — Lack of cybersecurity skills
    ► The lack of specialists is a constant and growing issue. Organizations also need to build skills in non-technical disciplines (like analytics) to integrate cybersecurity into the core business.

GISS 2014 results: Roadblocks

43% of respondents say that their organization’s total information security budget will stay approximately the same in the coming 12 months and a further 5% said that their budget will actually decrease.

53% of organizations say that lack of skilled resources is one of the main obstacles that challenge their information security.

The journey to cybersecurity maturity - Activate > Adapt > Anticipate

How do you get ahead of cybercrime? Focus on the three As.

A 3-stage improvement process

To get ahead of cybercrime we suggest that organizations adopt a 3-stage improvement process:

► Activate (a foundational approach)
    ► Organizations need to establish and improve the solid foundations of their cybersecurity

► Adapt (a dynamic approach)
    ► Because organizations are constantly changing and cyber threats are evolving, cybersecurity needs to be able to adapt to changing requirements

► Anticipate (a proactive approach)
    ► Organizations need to make efforts to predict what is coming so they can be better prepared for the inevitable cyber attacks

Activate

Activate: the need to establish foundations

Organizations in this level can only deal with threats in a world without change. They will typically have these capability shortfalls:

► Bolt-on cybersecurity
    ► Cybersecurity has been added on to current business processes and activities, but it has not yet been integrated into the business.

► A focus on safeguarding the current environment
    ► Cybersecurity starts with looking at the risks the organization is already aware of based on prior experience; the focus is on risk assessments, controls efficiency and risk mitigation

► A static approach
    ► Cybersecurity aims to enable the business to carry out its known and regular day-to-day functions securely. It will be rule-based and compliance-driven, relying on metric-driven reporting.

GISS 2014 results: improvement needed

Across almost every cybersecurity process, between 35% and 45% of respondents rated themselves “still a lot to improve.”

Nearly two thirds of organizations do not have well-defined and automated Identity and Access Management programs.

GISS 2014 results: lack of real time insight on cyber risk

37% say that real time insight on cyber risk is not available.

42% of organizations do not have a SOC.

GISS 2014 results: How long on average does it take for your SOC to initiate an investigation on discovered/alerted incidents?

Unknown: 33%

Longer than 1 day: 4%

Within 1 day: 13%

Within 4 hours: 13%

Within 1 hour: 25%

Within 10 minutes: 12%

Respondents were asked to choose one.

Foundational activities all organizations need to “activate”

1. Conduct a cyber threat assessment and design an implementation roadmap

2. Get Board-level support for a security transformation

3. Review and update security policies, procedures and supporting standards
    ► Implement an information security management system

4. Establish a Security Operations Center (SOC)
    ► Develop monitoring and incident response procedures

5. Design and implement cybersecurity controls
    ► Assess the effectiveness of data loss prevention and identity and access management processes.
    ► Harden the security of IT assets.

6. Test business continuity plans and incident response procedures

Adapt

Adapt: a dynamic approach

If an organization doesn’t adapt, its cybersecurity foundation will quickly be obsolete. The Adapt stage adds:

► Built-in security
    ► Cybersecurity is considered and involved in everything the organization does and cybersecurity requirements are built in to all business processes

► A focus on the changing environment
    ► Cybersecurity continuously adapts to ongoing changes in the business and its environment. Increased situational awareness enables the organization to react to expected changes in the threat landscape.

► A dynamic approach
    ► Cybersecurity is flexible, agile and under constant revision. It continually adapts to better protect the business.

The need to be adaptable

Organizations are undergoing constant change:

► The necessity to integrate new technologies into business processes

► Mobile devices blurring the lines between the business and personal world

► The growth in managed services and remote hosting

► The integration of process control infrastructure with the back office and the outside world

► Rapidly changing regulatory environment and requirements

As a result, organizations have to cope with a never-ending cycle of new threats and challenges requiring the adoption of a never-ending cycle of improvement and re-evaluation of the changing cybersecurity capabilities.

Cybersecurity not aligned to the business

In order to get ahead of cybercrime, it is essential to keep your cybersecurity measures 100% aligned with your business.

Organizations are continuing to improve their cybersecurity, but the changes in the threat are travelling at an even faster rate, meaning they are effectively going backwards.

[Chart: 2013 vs. 2014]

Instead of an expected increase in the number of organizations reporting that their Information Security function fully meets the needs of their organization, our survey found a decrease.

[Chart: 2013 vs. 2014]

Instead of an increase in the number of organizations reporting that their Information Security function partially meets their needs and that improvements are under way, there has been a decrease of 5%.

GISS 2014 results: Cybersecurity not meeting the needs of many organizations

GISS 2014 explored why cybersecurity measures are not meeting the needs of so many organizations, for example in breach detection:

Respondents were asked to choose one.

9%: We have a formal and advanced detection function that brings together each category of modern technology (host-based malware detection, antivirus, network-based malware detection, DLP, IDS, next-gen firewalls, log aggregation) and uses sophisticated data analytics to identify anomalies, trends and correlations. We have formal processes for threat collection, dissemination, integration, response, escalation and prediction of attacks

20%: We have a formal detection program that leverages modern technologies (host-based and network-based malware detection, behavioral anomaly detection, etc.) to monitor both internal and external traffic. We use ad hoc processes for threat collection, integration, response and escalation

24%: We utilize a security information and event management (SIEM) solution to actively monitor network, IDS/IPS and system logs. We have an informal response and escalation process in place

31%: We have perimeter network security devices (i.e., IDS). We do not have formal processes in place for response and escalation

16%: We do not have a detection program

GISS 2014 results: How do you ensure that your external partners, vendors or contractors are protecting your organization’s information?

No reviews or assessments performed: 13%

Fourth parties (also known as sub-service organizations) are identified and assessments performed (e.g., questionnaires issued, reliance placed on your vendor's assessment processes): 8%

Only critical or high-risk third parties are assessed: 24%

Self-assessments or other certifications performed by partners, vendors or contractors: 34%

Independent external assessments of partners, vendors or contractors (e.g., SSAE 16, ISAE-3402): 27%

Accurate inventory of all third-party providers, network connections and data transfers is maintained and regularly updated: 27%

All third parties are risk-rated and appropriate diligence is applied: 27%

Assessments performed by your organization’s information security, IT risk, procurement or internal audit function (e.g., questionnaires, site visits, security testing): 56%

Respondents were asked to choose all that apply.

Adapt - take action to improve and transform

1. Design and implement a transformation program
    ► Get external help in designing the program, and providing program management.

2. Decide what to keep in-house and what to outsource

3. Define a RACI matrix for cybersecurity

4. Define the organization’s ecosystem
    ► Make moves to eliminate or lessen potential security gaps in your interaction with third parties

5. Introduce cybersecurity awareness training for employees

Anticipate

Anticipate: a proactive state of readiness

‘Anticipate’ means embracing cybersecurity as a core aspect of the business and being in a proactive state of readiness:

► Built-beyond security
    ► Cybersecurity capabilities are part of a dynamic decision process
    ► Prioritize your “crown jewels” - understand the impact of a breach

► A focus on the future environment
    ► Understand the wider threat landscape and how it relates to the organization – use cyber threat intelligence
    ► Continually learn and evolve in a cycle of continual improvement

► A proactive approach
    ► Be confident in your incident response and crisis response mechanisms
    ► Regularly rehearse your incident response capabilities

GISS 2014 results: Organizations are not planning for the future

58% of organizations do not have a role or department focused on emerging technologies and their impact on information security.

36% of respondents do not have a threat intelligence program.

[Figure: Collaboration within the ecosystem. Labels: Company one, Company two, Collaboration, Climate]

Share knowledge and skills with your ecosystem

All organizations face the same challenges and are learning that collaboration bears fruit, especially if done in a targeted fashion.

► Collaboration provides the organization with greater awareness of its partners and supply chain, and the ability to influence and learn from the whole ecosystem.

► Larger organizations’ security capabilities are often far more mature than those of some of their suppliers, so knowledge-sharing around cybersecurity, or coordinating cybersecurity activities with suppliers can be much more effective than going it alone.

► A shared solution tightens the protective layers in and around your ecosystem.

► Any incident response exercises should include third parties and other players in your wider ecosystem.

Anticipate: take action - and get ahead

1. Design and implement a cyber threat intelligence strategy
    ► Use threat intelligence to support strategic business decisions

2. Define and encompass the organization’s extended cybersecurity ecosystem
    ► Define RACI and trust models and enact cooperation, sharing capabilities where advantageous

3. Take a cyber economic approach
    ► Understand the value of your most vital cyber assets

4. Use forensics and analytics
    ► Use the latest technical tools to analyse where the likely threats are coming from and when

5. Ensure everyone understands what’s happening
    ► Strong governance, user controls and regular communications

Summary

Cybersecurity system building blocks - the 3A’s

Anticipate
    What it is: Anticipate is about looking into the unknown. Based on cyber threat intelligence, potential hacks are identified; measures are taken before any damage is done.
    Status: Anticipate is an emerging level. More and more organizations are using cyber threat intelligence to get ahead of cybercrime. It is an innovative addition to the below.

Adapt
    What it is: Adapt is about change. The cybersecurity system is changing when the environment is changing. It is focused on protecting the business of tomorrow.
    Status: Adapt is not broadly implemented yet. It is not common practice to assess the cybersecurity implications every time an organization makes changes in the business.

Activate
    What it is: Activate sets the stage. It is a complex set of cybersecurity measures focused on protecting the business as it is today.
    Status: Activate is part of the cybersecurity system of every organization. Not all necessary measures are taken yet; there is still a lot to do.

Want to learn more?

Achieving resilience in the cyber ecosystem
www.ey.com/cyberecosystem

Reducing risk with Cyber Threat Intelligence
www.ey.com/CTI

Security Operations Centers: helping you get ahead of cybercrime
www.ey.com/SOC

Privacy trends 2014: privacy protection in the age of technology
www.ey.com/privacy2014

Identity and access management: beyond compliance
www.ey.com/IAM

Building trust in the cloud: creating confidence in your cloud ecosystem
www.ey.com/cloudtrust

Big data: changing the way businesses compete and operate
www.ey.com/bigdatachange

Cyber program management: identifying ways to get ahead of cybercrime
www.ey.com/CPM

Please visit our Insights on governance, risk and compliance series at www.ey.com/GRCinsights

Further information

See the full report: Get ahead of cybercrime – EY’s Global Information Security Survey 2014: www.ey.com/giss2014

View more of EY’s insights on cybersecurity on: www.ey.com/cybersecurity

For further GRC thought leadership, please refer to our Insights on governance, risk and compliance series on: www.ey.com/GRCinsights

To discuss your cybersecurity issues further, please contact your EY representative: Ivan Dragaš, [email protected]

Thank you for your attention!