Cybercrime Prevention Act Sponsorship Speech - "Quashing Cybercrime" (05.11.2011)
Ivan dragas get ahead of cybercrime
Uploaded by: dejan-jeremic
Category: Internet
Transcript of Ivan dragas get ahead of cybercrime
Get ahead of cybercrime
EY’s Global Information Security Survey
Page 2 Get ahead of cybercrime — EY’s Global Information Security Survey 2014
Agenda
► The cyber threat landscape
► The journey to cybersecurity maturity
  ► Activate
  ► Adapt
  ► Anticipate
► Summary
The cyber threat landscape
Cyber attacks are headline news
► It is no longer possible to prevent attacks or breaches.
► With organizations increasingly relying on vast amounts of digital data to do business, cybercrime is growing ever more damaging to an organization and its brands.
► The interconnectivity of people, devices and organizations opens up new vulnerabilities.
► New technologies, regulatory pressure and changing business requirements call for more security measures.
► What companies used to know and do to protect their most valued information is no longer enough.
What everyone wants to know is “what can companies do about cybercrime?”
The growing attacking power of cyber criminals
Cybercrime is big business. Today’s attackers:
► Are more organized – they are not just opportunists
► Have significant funding
► Are patient and sophisticated – they will often gain access and wait until the right moment to pounce
Cybercrime is an organization-wide issue
► Attackers take advantage of vulnerabilities in the whole operating environment – including people and process.
► Due to the relative ease of access via IP addresses, operational technology systems are often targets for cyber criminals.
GISS 2014 results: “Who or what do you consider the most likely source of an attack?”
[Chart. Category labels: Lone wolf hacker; State sponsored attacker; Other business partner; Customer; Employee. Values shown: 41%, 46%, 27%, 53%, 14%, 12%, 10%, 35%, 57%.]
Respondents were asked to choose all that apply.
The roadblocks facing today’s organizations
► Roadblock 1 — Lack of agility
  ► Organizations admit there are still known vulnerabilities in their cyber defences and they are not moving fast enough to mitigate these. They are therefore lagging behind in establishing foundational cybersecurity.
  ► 65% tell us that they lack real-time insight on cyber risks
► Roadblock 2 — Lack of budget
  ► For the first time, we see more organizations reporting that their information security budgets will not increase. There is a need for more money and resources to face the growing threats effectively.
► Roadblock 3 — Lack of cybersecurity skills
  ► The lack of specialists is a constant and growing issue. Organizations also need to build skills in non-technical disciplines (like analytics) to integrate cybersecurity into the core business.
GISS 2014 results: Roadblocks
43% of respondents say that their organization’s total information security budget will stay approximately the same in the coming 12 months and a further 5% said that their budget will actually decrease.
53% of organizations say that lack of skilled resources is one of the main obstacles that challenge their information security.
The journey to cybersecurity maturity - Activate > Adapt > Anticipate
How do you get ahead of cybercrime? Focus on the three As.
A 3-stage improvement process
To get ahead of cybercrime we suggest that organizations adopt a 3-stage improvement process:
► Activate (a foundational approach)
  ► Organizations need to establish and improve the solid foundations of their cybersecurity
► Adapt (a dynamic approach)
  ► Because organizations are constantly changing and cyber threats are evolving, cybersecurity needs to be able to adapt to changing requirements
► Anticipate (a proactive approach)
  ► Organizations need to make efforts to predict what is coming so they can be better prepared for the inevitable cyber attacks
Activate
Activate: the need to establish foundations
Organizations in this level can only deal with threats in a world without change. They will typically have these capability shortfalls:
► Bolt-on cybersecurity
  ► Cybersecurity has been added on to current business processes and activities, but it has not yet been integrated into the business.
► A focus on safeguarding the current environment
  ► Cybersecurity starts with looking at the risks the organization is already aware of based on prior experience; the focus is on risk assessments, controls efficiency and risk mitigation
► A static approach
  ► Cybersecurity aims to enable the business to carry out its known and regular day-to-day functions securely. It will be rule-based and compliance-driven, relying on metric-driven reporting.
GISS 2014 results: improvement needed
Across almost every cybersecurity process, between 35% and 45% of respondents rated themselves “still a lot to improve.”
Nearly two thirds of organizations do not have well-defined and automated Identity and Access Management programs.
GISS 2014 results: lack of real time insight on cyber risk
37% say that real time insight on cyber risk is not available.
42% of organizations do not have a SOC.
GISS 2014 results: How long on average does it take for your SOC to initiate an investigation on discovered/ alerted incidents?
► Unknown: 33%
► Longer than 1 day: 4%
► Within 1 day: 13%
► Within 4 hours: 13%
► Within 1 hour: 25%
► Within 10 minutes: 12%
Respondents were asked to choose one.
Foundational activities all organizations need to “activate”
1. Conduct a cyber threat assessment and design an implementation roadmap
2. Get Board-level support for a security transformation
3. Review and update security policies, procedures and supporting standards
   ► Implement an information security management system
4. Establish a Security Operations Center (SOC)
   ► Develop monitoring and incident response procedures
5. Design and implement cybersecurity controls
   ► Assess the effectiveness of data loss prevention and identity and access management processes.
   ► Harden the security of IT assets.
6. Test business continuity plans and incident response procedures
Adapt
Adapt: a dynamic approach
If an organization doesn’t adapt, its cybersecurity foundation will quickly be obsolete. The Adapt stage adds:
► Built-in security
  ► Cybersecurity is considered and involved in everything the organization does and cybersecurity requirements are built in to all business processes
► A focus on the changing environment
  ► Cybersecurity continuously adapts to ongoing changes in the business and its environment. Increased situational awareness enables the organization to react to expected changes in the threat landscape.
► A dynamic approach
  ► Cybersecurity is flexible, agile and under constant revision. It continually adapts to better protect the business.
The need to be adaptable
Organizations are undergoing constant change:
► The necessity to integrate new technologies into business processes
► Mobile devices blurring the lines between the business and personal world
► The growth in managed services and remote hosting
► The integration of process control infrastructure with the back office and the outside world
► Rapidly changing regulatory environment and requirements
As a result, organizations have to cope with a never-ending cycle of new threats and challenges requiring the adoption of a never-ending cycle of improvement and re-evaluation of the changing cybersecurity capabilities.
Cybersecurity not aligned to the business
In order to get ahead of cybercrime, it is essential to keep your cybersecurity measures 100% aligned with your business.
Organizations are continuing to improve their cybersecurity, but the changes in the threat are travelling at an even faster rate, meaning they are effectively going backwards.
[Chart: 2013 vs. 2014]
Instead of an expected increase in the number of organizations reporting that their Information Security function fully meets the needs of their organization, our survey found a decrease.
[Chart: 2013 vs. 2014]
Instead of an increase in the number of organizations reporting that their Information Security function partially meets their needs and that improvements are under way, there has been a decrease of 5%.
GISS 2014 results: Cybersecurity not meeting the needs of many organizations
GISS 2014 explored why cybersecurity measures are not meeting the needs of so many organizations, for example in breach detection:
Respondents were asked to choose one.
[Chart. Values shown: 9%, 20%, 24%, 31%, 16%. Answer options:]
► We have a formal and advanced detection function that brings together each category of modern technology (host-based malware detection, antivirus, network-based malware detection, DLP, IDS, next-gen firewalls, log aggregation) and uses sophisticated data analytics to identify anomalies, trends and correlations. We have formal processes for threat collection, dissemination, integration, response, escalation and prediction of attacks
► We have a formal detection program that leverages modern technologies (host-based and network-based malware detection, behavioral anomaly detection, etc.) to monitor both internal and external traffic. We use ad hoc processes for threat collection, integration, response and escalation
► We utilize a security information and event management (SIEM) solution to actively monitor network, IDS/IPS and system logs. We have an informal response and escalation processes in place
► We have perimeter network security devices (i.e., IDS). We do not have formal processes in place for response and escalation
► We do not have a detection program
GISS 2014 results: How do you ensure that your external partners, vendors or contractors are protecting your organization’s information?
► No reviews or assessments performed: 13%
► Fourth parties (also known as sub-service organizations) are identified and assessments performed (e.g., questionnaires issued, reliance placed on your vendor's assessment processes): 8%
► Only critical or high-risk third parties are assessed: 24%
► Self-assessments or other certifications performed by partners, vendors or contractors: 34%
► Independent external assessments of partners, vendors or contractors (e.g., SSAE 16, ISAE-3402): 27%
► Accurate inventory of all third-party providers, network connections and data transfers is maintained and regularly updated: 27%
► All third parties are risk-rated and appropriate diligence is applied: 27%
► Assessments performed by your organization’s information security, IT risk, procurement or internal audit function (e.g., questionnaires, site visits, security testing): 56%
Respondents were asked to choose all that apply.
Adapt - take action to improve and transform
1. Design and implement a transformation program
   ► Get external help in designing the program, and providing program management.
2. Decide what to keep in-house and what to outsource
3. Define a RACI matrix for cybersecurity
4. Define the organization’s ecosystem
   ► Make moves to eliminate or lessen potential security gaps in your interaction with third parties
5. Introduce cybersecurity awareness training for employees
Anticipate
Anticipate: a proactive state of readiness
‘Anticipate’ means embracing cybersecurity as a core aspect of the business and being in a proactive state of readiness:
► Built-beyond security
  ► Cybersecurity capabilities are part of a dynamic decision process
  ► Prioritize your “crown jewels” - understand the impact of a breach
► A focus on the future environment
  ► Understand the wider threat landscape and how it relates to the organization – use cyber threat intelligence
  ► Continually learn and evolve in a cycle of continual improvement
► A proactive approach
  ► Be confident in your incident response and crisis response mechanisms
  ► Regularly rehearse your incident response capabilities
GISS 2014 results: Organizations are not planning for the future
58% of organizations do not have a role or department focused on emerging technologies and their impact on information security.
36% of respondents do not have a threat intelligence program.
[Diagram: Collaboration within the ecosystem. Labels: Company one, Company two, Collaboration, Climate]
Share knowledge and skills with your ecosystem
All organizations face the same challenges and are learning that collaboration bears fruit, especially if done in a targeted fashion.
► Collaboration provides the organization with greater awareness of its partners and supply chain, and the ability to influence and learn from the whole ecosystem.
► Larger organizations’ security capabilities are often far more mature than those of some of their suppliers, so knowledge-sharing around cybersecurity, or coordinating cybersecurity activities with suppliers can be much more effective than going it alone.
► A shared solution tightens the protective layers in and around your ecosystem.
► Any incident response exercises should include third parties and other players in your wider ecosystem.
Anticipate: take action - and get ahead
1. Design and implement a cyber threat intelligence strategy
   ► Use threat intelligence to support strategic business decisions
2. Define and encompass the organization’s extended cybersecurity ecosystem
   ► Define RACI and trust models and enact cooperation, sharing capabilities where advantageous
3. Take a cyber economic approach
   ► Understand the value of your most vital cyber assets
4. Use forensics and analytics
   ► Use the latest technical tools to analyse where the likely threats are coming from and when
5. Ensure everyone understands what’s happening
   ► Strong governance, user controls and regular communications
Summary
Cybersecurity system building blocks - the 3A’s

Anticipate
► What it is: Anticipate is about looking into the unknown. Based on cyber threat intelligence, potential hacks are identified; measures are taken before any damage is done.
► Status: Anticipate is an emerging level. More and more organizations are using cyber threat intelligence to get ahead of cybercrime. It is an innovative addition to the below.

Adapt
► What it is: Adapt is about change. The cybersecurity system is changing when the environment is changing. It is focused on protecting the business of tomorrow.
► Status: Adapt is not broadly implemented yet. It is not common practice to assess the cybersecurity implications every time an organization makes changes in the business.

Activate
► What it is: Activate sets the stage. It is a complex set of cybersecurity measures focused on protecting the business as it is today.
► Status: Activate is part of the cybersecurity system of every organization. Not all necessary measures are taken yet; there is still a lot to do.
Want to learn more?
Achieving resilience in the cyber ecosystem
www.ey.com/cyberecosystem
Reducing risk with Cyber Threat Intelligence
www.ey.com/CTI
Security Operations Centers: helping you get ahead of cybercrime
www.ey.com/SOC
Privacy trends 2014: privacy protection in the age of technology
www.ey.com/privacy2014
Identity and access management: beyond compliance
www.ey.com/IAM
Building trust in the cloud: creating confidence in your cloud ecosystem
www.ey.com/cloudtrust
Big data: changing the way businesses compete and operate
www.ey.com/bigdatachange
Please visit our Insights on governance, risk and compliance series at www.ey.com/GRCinsights
Cyber program management: identifying ways to get ahead of cybercrime
www.ey.com/CPM
Further information
See the full report: Get ahead of cybercrime – EY’s Global Information Security Survey 2014: www.ey.com/giss2014
View more of EY’s insights on cybersecurity on: www.ey.com/cybersecurity
For further GRC thought leadership, please refer to our Insights on governance, risk and compliance series on: www.ey.com/GRCinsights
To discuss your cybersecurity issues further, please contact your EY representative: Ivan Dragaš, [email protected]
Thank you for your attention!