CYBER SECURITY
Nick Kervin – Partner, IT Advisory
August 2017
Overview
1. What is at risk?
2. Global industry trends
3. BDO/AusCERT survey
4. Recent cyber case studies
5. Cyber risk mitigation strategies
WHAT IS AT RISK
Figure: 2017 World Economic Forum global risks
Source: The Global Risk Report 2017 – World Economic Forum
Who are the adversaries and what are their motives?

Hacktivists
Motives: • Influence political and/or social change • Pressure business to change their practices
Targets: • Corporate secrets • Sensitive business information • Information related to key executives, employees, customers & business partners
Impact: • Disruption of business activities • Brand and reputation • Loss of consumer confidence

Cyber criminals
Motives: • Immediate financial gain • Collect information for future financial gains
Targets: • Financial / payment systems • Personally identifiable information • Payment card information • Protected health information
Impact: • Costly regulatory inquiries and penalties • Consumer and shareholder lawsuits • Loss of consumer confidence

Nation state
Motives: • Economic, political, and/or military advantage
Targets: • Trade secrets • Sensitive business information • Emerging technologies • Critical infrastructure
Impact: • Loss of competitive advantage • Disruption to critical infrastructure

Insiders
Motives: • Personal advantage, monetary gain • Professional revenge • Patriotism
Targets: • Sales, deals, market strategies • Corporate secrets, IP, R&D • Business operations • Personnel information
Impact: • Trade secret disclosure • Operational disruption • Brand and reputation • National security impact
The actors and the information they target
Motives and tactics evolve, and what adversaries target varies depending on the organisation and the products and services it provides.
Adversaries: Cyber criminals, Hacktivists, Nation state, Insiders
What's most at risk:
• Emerging technologies
• Energy data
• Advanced materials and manufacturing techniques
• Healthcare, pharmaceuticals, and related technologies
• Business deals information
• Health records and other personal data
• Industrial Control Systems (SCADA)
• R&D and / or product design data
• Payment card and related information / financial markets
• Information and communication technology and data
GLOBAL INDUSTRY TRENDS
Figure: Cyber attacks on user devices & persons are rising
Source: Verizon 2016 Data Breach Investigations Report
Figure: Breach discovery methods are changing
Source: Verizon 2016 Data Breach Investigations Report
Breaches are on the rise but industry spend has not kept pace
• Cyber attacks are on the rise: the estimated annual cost of cyber-attacks to the global economy was more than $500 billion in 2015, with $230 billion in APAC.
• The World Economic Forum recognises cyber breaches as one of the top threats to the stability of the global economy: data breaches and malware infections will cost the global economy $2.1 trillion by 2019.
• Cyber threats are Boards' fastest-growing concern, but investment is not keeping pace with breach costs: $75 billion was spent on cyber security in 2015.
• Estimated spend on cyber security by 2020 will be $175 billion: cyber spend will more than double over the next five years, with cyber insurance expected to grow to $2.5 billion by 2020.
Source: Forbes
Cyber security skills are in high demand
• Solid growth in the cyber security job market: 1 million unfilled cyber security jobs globally in 2015, a 75% increase over the last five years.
• Cyber security jobs are in demand as investment increases: there will be a shortage of cyber security skills as the market is expected to grow to 6 million jobs by 2019, with a shortage of 2 million.
• The cyber job market in the ANZ region is growing: demand for cyber security skills in the ANZ market will grow 21% over the next five years, with an expected shortage of 10,000 people by 2019.
Source: Forbes
BDO / AusCERT CYBER SECURITY SURVEY
Figure: Australian respondents by state
Figure: NZ respondents by region
Australian respondents
• Over 400 respondents
• 43% of Australian respondents from Queensland
Figure: Primary industry of all respondents, coloured by type (industries: Accommodation and food services; Administrative and support services; Agriculture, forestry and fishing; Arts and recreation services; Construction; Education and training; Electricity, gas, water and waste services; Financial and insurance services; Health care and social assistance; Information media and telecommunications; Manufacturing; Mining; Other; Professional, scientific and technical services; Public administration and safety; Rental, hiring and real estate services; Retail trade; Transport, postal and warehousing; Wholesale trade. Respondent types: State Government, Federal Government, Local/regional Government, Not-for-profit, Private limited company, Public listed company, Sole trader / Partnership)
Cyber security incidents experienced in 2016
• Ransomware
• Phishing
• Malware
• DDoS
Figure: Cyber security incidents experienced in 2016, Healthcare vs All Respondents (categories: Data breach and third party provider / supplier; Data loss / theft of confidential information; Denial of service attack; Brute force attack; Email addresses or website(s) blacklisted; Malware / trojan infections; Phishing / targeted malicious e-mails; Ransomware; Theft of laptops or mobile devices; Unauthorised access to information by external user; Unauthorised access to information by internal user; Unauthorised modification of information; Website defacement)
Figure: Cyber security incidents expected in 2017, Healthcare vs All Respondents (same categories as above)
Likely source of cyber security incidents
• Cyber criminals
• Insiders / current employees
• Activists
• Third party hosting providers
Survey responses:
• Cyber criminals / organised crime: 33%
• Insiders / current employees: 13%
• Activists: 12%
• Third party hosting provider: 10%
• Foreign Governments / Nation States: 10%
• Former employees: 8%
• Competitors: 6%
• Customers: 4%
• Suppliers / business partners: 4%
Figure: Likely source of cyber security incidents, All Respondents vs Healthcare (same categories as above)
Figure: Cyber security awareness programs reduce incidents overall (incident rates for Ransomware, Phishing, Malware/Trojan and All Other; all respondents)
Figure: Security Operations Centres reduce incidents by 79% (incident rates for Ransomware, Phishing, Malware/Trojan and All Other; all respondents)
Does your organisation utilise intelligence sharing networks?
• No - we feel we don't need to: 11%
• No - we don't know if such a network exists: 39%
• No - it doesn't provide us value: 4%
• Yes - but its usefulness is limited: 18%
• Yes - but the process is overly expensive/time consuming: 5%
• Yes - we gain a great deal of value from doing so: 23%
Only 28% of respondents have cyber insurance cover
Figure: pie chart of responses. Response options:
• Yes - we have this cover as an extension to another insurance policy
• Yes - we have a standalone cyber policy
• Yes - but do not know how the policy was arranged
• Not yet - we are considering it
• No - we were not aware of this type of insurance
• No - we self-insure
• No - we don't feel we need it
ASX 100 CYBER HEALTH CHECK REPORT
What is it?
• The ASX 100 Cyber Health Check is the first attempt to gauge how the boards of Australia's largest publicly listed companies view and manage their exposure to the rapidly evolving cyber world
• 76% of the ASX 100 responded to the survey
• Currently, only 11% of companies proactively reassure customers and investors about their approach to cyber security
• Survey is available at: www.asx.com.au/ASX100-Cyber
DETECT, RESPOND AND MANAGE
Are you prepared?
1. More needs to be done around proactive detection
2. The rise of the SOC
3. Who has an Incident Response Plan?
4. Do you know what your breach reporting obligations are?
LEADERSHIP
Are you doing enough?
1. A very large percentage admit that there is more to do
2. Only 20% have a standalone cyber budget
3. 20% of respondents have no plans to include a board member with cyber expertise
RECENT CYBER CASE STUDIES
DATA BREACH CASE STUDY – RED CROSS
Early Sept '16: Donor information accessible via website
24 Oct '16: Data set discovered by an anonymous source, who notifies Troy Hunt
25 Oct '16: Troy Hunt contacts AusCERT, who then notifies Red Cross
26 Oct '16: Red Cross learns of file containing donor information
28 Oct '16: Red Cross chief executive Shelly Park makes public statement
14 Nov '16: Forensic investigation concludes that only one person accessed the file
DATA BREACH CASE STUDY – TARGET
27 November - 15 December '13: Malware installed to infect Target's POS system; personal information of customers is exposed to fraud
13 December '13: Department of Justice notifies Target of the breach
14 December '13: Target hires Verizon to investigate the hack
15 December '13: Target removes malware from "virtually all" registers in U.S. stores
18 December '13: Data and security blog KrebsOnSecurity reports the data breach
19 December '13: Target publicly acknowledges the breach
20 December '13: Target says it believes few credit cards were compromised, offers customers a 10% discount in store
23 December '13: Target's general counsel, Tim Baer, hosts a 30-minute conference call with state attorneys general
27 December '13: Ongoing investigation finds that encrypted debit card PIN information was accessed during the breach; Target believes the PIN numbers remain secure
10 January '14: Target says an additional 70m customers had data stolen
22 January '14: Target lays off 475 employees at its headquarters and leaves another 700 positions unfilled
4 February '14: Target CFO John Mulligan testifies before the U.S. Senate Judiciary Committee
18 February '14: Costs associated with the data breach topped $200m, according to a report from the Consumer Bankers Association and Credit Union National Association
30 April '14: Target says it has committed $100m to update technology
5 May '14: Bob DeRodes takes over as Target's CIO; Target CEO Gregg Steinhafel resigns
CYBER RISK MITIGATION STRATEGIES
Changing landscape - businesses need to adapt to the new reality
Historical IT security perspectives vs today's leading cyber security insights:
Scope of the challenge
• Historical: Limited to your "four walls" and the extended enterprise
• Today: Spans your interconnected global business ecosystem
Ownership and accountability
• Historical: IT led and operated
• Today: Business-aligned and owned; CEO and board accountable
Adversaries' characteristics
• Historical: One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain
• Today: Organised, funded and targeted; motivated by economic, monetary and political gain
Information asset protection
• Historical: One-size-fits-all approach
• Today: Prioritise and protect your "crown jewels"
Defense posture
• Historical: Protect the perimeter; respond if attacked
• Today: Plan, monitor, and rapidly respond when attacked
Security intelligence and information sharing
• Historical: Keep to yourself
• Today: Public/private partnerships; collaboration with industry working groups
How you can become more cyber resilient
• Know the value of your data / assets
• Know where your data / assets are
• Know who has access to it
• Know who is responsible for protecting it
• Know how well it is protected
• Know if the level of protection is within your risk appetite
• Know what to do when you are breached
Source: Expanded from Telstra’s “Five Knowns of Cyber Security”
Educate, educate, educate!
QUESTIONS?
NEED MORE INFORMATION?
Nick Kervin – [email protected]
Download the report: http://bdoaus.co/2gJ5aQu