Security Incident Response Readiness Survey

Security Incident Response Readiness: An insight into organization’s ability to Sense, Resist and React to a Security Incident

Transcript of Security Incident Response Readiness Survey

Page 1: Security Incident Response Readiness Survey

Security Incident Response Readiness

An insight into organization’s ability to Sense, Resist and React to a Security Incident

Page 2: Security Incident Response Readiness Survey


Introduction

1970s - Mainframes
• Ready for natural hazards
• Physical response measures in place
• Call for external assistance

1980s – Client / Server
• Reliance on new technologies
• Basic disaster recovery in response to system failures
• Virus protection
• Identity and access management

1990s - Internet
• Enterprise-wide risk management introduced
• Regulatory compliance commonplace
• Business continuity in focus

2000 – E-commerce
• Advances in information and cyber security
• Switch to online
• Third party outsourcing
• Connectivity of devices

Recent Times - Digital
• Global shocks (terrorist, climate, political)
• Business resilience
• Internet of Things
• Critical infrastructure
• State sponsored cyber espionage and cyber attacks

Times are changing and so are the risks and threats

Page 3: Security Incident Response Readiness Survey


Understanding the challenges

[Figure labels: Sense, Resist, React; Threats; Risk appetite; Three lines of defense; Critical assets: Intellectual property (IP), Revenue, Reputation; Recover; Adapt & reshape]

Technology is increasing organizations’ vulnerability to attack

• Increased online presence, broader use of social media, mass adoption of BYOD (Bring Your Own Device), increased usage of cloud services
• Collection/analysis of big data
• Inherent connectivity of people, devices and organizations has enhanced vulnerability

Ref: Global Information Security Survey 2016

Sense: It is the ability of organizations to predict and detect cyber threats.

Resist: It starts with how much risk an organization is prepared to take across its ecosystem.

React: If the sense fails and there is a breakdown in the resist, organizations need to be ready to deal with the disruptions and manage the crisis.

Page 4: Security Incident Response Readiness Survey


Survey Assessment – Leaderships' Role

Cybersecurity a board level agenda. The success of any cybersecurity program depends on support from executive leadership and its alignment with business objectives.

Management is also realizing the risks to the business; however, this is just the start, and a lot of work needs to be completed before management can gain enough confidence in its cybersecurity function.

Business alignment missing: Over 70% of organizations do not have their cybersecurity strategy aligned with business objectives.

Low confidence: 58% of our respondents lack confidence in their organization’s cybersecurity program.

Short sightedness: Over 33% of our respondents do not have a cyber security strategy which considers the next 1-3 years.

Page 5: Security Incident Response Readiness Survey


Budget: Is it enough?

75% of respondents have a dedicated budget allocated for cybersecurity. Moreover, 20% of respondents have a budget of over USD $2mn.

49% of the organizations with a budget of $0.5m - $2m expect their budget to increase by 10-20% in the next 12 months.

36% of organizations having no budget allocation for cybersecurity have experienced cyberattacks in the last 12 months.

Page 6: Security Incident Response Readiness Survey


Identifying Crown Jewels

Over 39% ranked employee or customer or supplier personally identifiable information (PII) as the number 1 information most valuable to cyber criminals in the organization.

Only 18% ranked senior executive / board member personal information as the number 1 information valuable to cyber criminals in the organization.

Information valuable to cyber criminals, by priority ranking (P 1 to P 5):

Information type | P 1 | P 2 | P 3 | P 4 | P 5
Senior executive / Board member personal information | 19 | 24 | 17 | 17 | 29
Company financial information | 18 | 16 | 29 | 25 | 18
Corporate strategic plans | 16 | 19 | 30 | 25 | 16
Login credentials | 21 | 25 | 20 | 20 | 20
Employees or customers or suppliers or vendors personally identifiable… | 42 | 22 | 13 | 17 | 12

Contd..

Page 7: Security Incident Response Readiness Survey


Identifying Crown Jewels

Over 30% ranked Phishing / Spam as the number 1 or number 2 source of cyber attack, followed by Malware attacks, which are further followed by external cyber attacks and Internal employees.

Sources of cyber attack, by priority ranking (P 1 to P 6):

Source | P 1 | P 2 | P 3 | P 4 | P 5 | P 6
Espionage (e.g., by competitors) | 0 | 8 | 13 | 24 | 27 | 14
Zero-day attacks | 12 | 7 | 10 | 15 | 16 | 26
Internal attacks (e.g., by disgruntled employees) | 10 | 9 | 16 | 22 | 14 | 15
Cyber-attacks (e.g., to disrupt or deface the organization, to steal financial information, to… | 19 | 15 | 12 | 5 | 12 | 23
Malware (e.g., viruses, worms and Trojan horses) | 19 | 24 | 22 | 8 | 12 | 1
Phishing / spam | 26 | 23 | 13 | 12 | 5 | 7

Page 8: Security Incident Response Readiness Survey


Incident Response Framework

Over 70% of our respondents have a defined cyber security incident management program.

84% of organizations with a cyber security incident management program have a dedicated Incident response team set up within their organization.

Organizations are taking steps to improve their incident management posture; they have initiated cyber security incident programs and are trying to include business teams to assist in the cyber security incident management program.

61% of organizations have an Incident response team (IRT) in place without a cyber security incident management program.

Page 9: Security Incident Response Readiness Survey


Where should organizations focus to better resist today’s attacks?

The point noted is further strengthened by the fact that:

36% of organizations believe that higher professional staffing and training would help in improved incident response; this is followed by development of an improved patch management process.

37% of the organizations that have a dedicated IRT believe that the staff is not adequate and requires additional skills and training.

Incident response team must deliver

• Better incident response capabilities: 14%
• Threat intelligence: 8%
• Improved vulnerability audits and assessments: 18%
• Improved patch management process: 24%
• Higher professional staffing and training: 36%

87% of organizations have a defined process for communication.

Page 10: Security Incident Response Readiness Survey


Collaboration is vital

• CERT - Computer Emergency Response Team: 75
• Law enforcement and government entities: 47
• Industry peers: 50
• We neither receive nor share any information: 14

87% of organizations receive or share information with CERT, Law enforcement agencies and industry peers.

Potential Collaboration within the ecosystem

Page 11: Security Incident Response Readiness Survey


Effective measurement is critical

47% of the respondents who don’t have defined indicators have suffered a cyber attack in the last 12 months.

The indicators shall be evaluated to find out the status of effectiveness of the current cybersecurity framework.

70% of respondents have defined performance indicators to measure the effectiveness of the program.

• No defined frequency / ad hoc basis: 16%
• On a monthly basis: 20%
• On a quarterly basis: 21%
• On an annual basis: 12%
• On an ongoing basis: 31%

Page 12: Security Incident Response Readiness Survey


The board must become more involved in cybersecurity and understand cyber risk

The board must understand:

► The suitability of the governance structure

► The appropriateness of the cyber risk management program

► The appropriateness of the cyber risk disclosures required by regulators

► How insider threats should be managed

Page 13: Security Incident Response Readiness Survey


Just protecting your organisation isn’t enough anymore

Guiding Principles

► Focus on impact

► Enhance cyber skills and capabilities

► Benchmark results

Strategic Goals

► Protect Crown Jewels

► Determine risk appetite

► Set up Operating Model and Culture

[Figure labels: Identify, Protect, Detect, Respond, Recover, Govern; based on Cybersecurity framework]

Page 14: Security Incident Response Readiness Survey

“It is going to be a continual and likely never-ending battle to stay ahead of [cybercrime] - and, unfortunately, not every battle will be won.”

Jamie Dimon, after JP Morgan Chase’s breach

Page 15: Security Incident Response Readiness Survey


Jaspreet Singh

Partner, Advisory Services


Let’s Connect

Page 16: Security Incident Response Readiness Survey


Thank you!

Page 17: Security Incident Response Readiness Survey


Survey methodology

106 respondents

19 industry sectors

Respondents by industry sector

• Automotive: 2.9%
• Banking: 18.6%
• Building Materials: 2.0%
• Business Services: 1.0%
• Consulting and advisory…: 3.9%
• Telecommunications: 6.9%
• Engineering: 2.9%
• Finance: 7.8%
• Healthcare: 2.9%
• Insurance: 9.8%
• IT Consulting and Services: 22.5%
• Manufacturing: 3.9%
• Retailing: 2.9%
• Media: 2.0%
• Energy and Infrastructure: 3.9%
• Law and Legal Outsourcing: 2.0%
• Processed Products: 2.0%
• Electric Utility: 1.0%
• Logistics and supply chain: 1.0%

Page 18: Security Incident Response Readiness Survey


Survey methodology

Respondents by number of employees

• 1000 to 10000: 40%
• Less than 1000: 16%
• More than 10000: 44%

Respondents by total annual company revenue

• 1 Million USD: 8%
• 100 Million USD: 35%
• more than 100 Million USD: 57%