Data, Dollars & Cyber Security
Enterprise transformation - Business Opportunities
Disruption forces
Technology Globalization Demographics
Digital is creating unprecedented disruption; digital innovations and other forces are acting as solvents, and industry boundaries are melting
Workforce ecosystems are changing due to technologies that autonomously perform human work; full-time roles are replaced by contractors, freelancers and gig workers
Interconnectivity of people, devices and organizations opens up new vulnerabilities; work is becoming unbundled from physical location
Opening technology doors
Enterprise transformation initiatives and supporting technologies create opportunities and unforeseen implications
Threats
The number of unfilled cybersecurity positions globally will rise to 3.5m by 2021.
Ransomware and malware attacks are on the rise, requiring organizations to improve their application security programs.
Trends in cybersecurity (AI, RPA) are being exploited to perpetrate fraud.
Over 1.4b records were lost to data breaches in March 2019 alone, many of which involved cloud servers.
Opportunities
By 2020, 40% of enterprises engaged in DevOps will secure developed applications by adopting application security self-testing, self-diagnosing and self-protection technologies.
IaaS is forecast to grow 35.9% in 2018 to reach $40.8b. Top 10 providers to account for nearly 70% of the IaaS market by 2021, up from 50% in 2016.
RPA enabling automation 24 hours a day, 7 days a week, 365 days a year saves 25%–50% in costs.
Opening technology doors
It is no longer possible to prevent attacks or breaches
Cost of a Data Breach
Small businesses face disproportionately larger costs relative to larger organizations
Per employee
Breach costs at organizations with more than 25,000 employees
Per employee
Breach costs at organizations with between 500 and 1,000 employees
Organizations subject to rigorous regulatory requirements have a higher cost of a data breach
$6.45 $5.86 $5.60 $5.20
The Four Cost Components
Notification
Activities that enable a company to notify regulators and the individuals whose data was compromised in the breach
Post data breach response
Processes set up to help customers communicate with the company, and costs associated with redress and reparation
Detection and escalation
Activities that enable a company to detect the breach and report it to appropriate personnel
Lost business
Activities associated with cost of lost business including revenue loss, business disruption, system downtime, new customer acquisition
Lost business (averaged $1.40) was the biggest contributor to data breach costs, accounting for 36% of the total cost of a breach
Data Breach Lifecycle
4 December 2019 Presentation title Page 7
Data Breach Identification: 206 days
Data Breach Containment: 73 days
67% of the cost of a data breach occurs in the first year
In highly-regulated environments, 53% of costs occur in the first year
4.9% increase over the 2018 breach lifecycle
37% less costly when lifecycle is less than 200 days - a difference of $1.22 million
Cost Reducing Factors
Factors that decreased cost (cost mitigators)
• Incident Response (IR) team
• Extensive test of the IR plan
• Extensive use of encryption
• Using a DevSecOps approach
• Automation of security
• Data loss prevention
Although the consequences of data breaches are severe, organizations can mitigate costs and potentially improve their overall security posture.
IR team reduced total cost by $360,000
Testing IR plan reduced total cost by $320,000
Encryption reduced total cost by $360,000
Extensive cloud migration increased total cost by $300,000
Third Party breach increased total cost by $370,000
OT infrastructure increased total cost by $260,000
Cyber Security Regulation Trends
• “Reasonable” security features must be implemented “to protect information, technology and digital services from unauthorized access, destruction, use, modification, or disclosure”
• Accountability - Cybersecurity is management's responsibility
• Transparency - annual self-attestation of Management and boards of directors
• Implement coherent risk management and resilience framework
• Breach notification
• Penalties $2.1 million to $20 million
• Create harmonization across different jurisdictions and amongst regulators, to reduce fragmentation of regulatory baseline
What companies knew and did in the past in order to protect their most valued information (‘crown jewels’) is no longer enough
C – Level Reporting
• What organization type do we want to be?
• If your firm is subject to an attack or data breach, and lacks a clear view of the risks – how prepared will it be?
• What are the consequences of reputational risk and loss of trust in your organization?
• If an incident is mentioned in the media, would you take a different approach to the response?
% of firms are not getting adequate board-level reporting for cyber risk.
If boards’ risk and audit committees lack the data they need, how can they effectively influence changes?
Inadequate board-level reporting
Executive management must recognize the existing challenges and change the approach to fraud and cybersecurity risk management
Cybersecurity is now a board-level issue
The time and effort the board spends on cybersecurity signifies whether it is a priority for the company
• Tone at the Top
• Do we have the appropriate focus on cybersecurity?
• Do we educate ourselves and seek external consultants to enhance the board’s cyber competency?
• Do we send a clear message to management that prioritizing cybersecurity is part of the company’s DNA?
• Do we set the right tone to emphasize that cybersecurity risk is not just an IT concern, but an enterprise-wide business issue that cuts across all divisions and functions?
• Protection
• What are our most valuable assets?
• Who is targeting us and how would they attack us?
• Do we have a full IR plan in place?
• Optimization
• Do we invest and prioritize security according to the risk?
• Do you understand the value at risk in dollar terms?
• What cybersecurity activities could we automate or undertake more cost effectively?
• Growth
• How can we design and build secure new channels and differentiate around security and privacy for growth?
Thank you
EY | Assurance | Tax | Transactions | Advisory
© 2019 Kost Forer Gabbay & Kasierer
All Rights Reserved