Cyber Security Privacy Brochure 2015

Page 1: Cyber Security Privacy Brochure 2015

Working in partnership to help your business innovate and grow in a secure and resilient way

Cyber security and privacy

2 CYBER SECURITY AND PRIVACY

About us

Dynamic organisations know they need to apply both reason and instinct to decision making. At Grant Thornton, this is how we advise our clients every day. We combine award-winning technical expertise with the intuition, insight and confidence gained from our extensive sector experience and a deeper understanding of our clients.

Through empowered client service teams, approachable partners and shorter decision making chains, we provide a wider point of view and operate in a way that enables our clients to be fast and agile. The real benefit for dynamic organisations is more meaningful and forward-looking advice that can help to unlock their potential for growth.

Grant Thornton’s cyber security and privacy team has significant experience of assessing, improving and embedding controls to better align exposure to risk appetite. We have worked with organisations of all sizes across all industries and can tailor our services to meet specific client needs across a wide range of topics, including cyber security, cyber crime, digital security, vendor assurance and data privacy.

Grant Thornton UK LLP is the UK member firm of Grant Thornton International Ltd, one of the world’s leading organisations of independent assurance, tax and advisory firms. Over 40,000 Grant Thornton people, across 130 countries, are focused on making a difference to clients, colleagues and the communities in which we live and work.

Cyber security governance

Grant Thornton has been helping organisations define and implement cyber security governance to manage cyber security risk. We have benchmarked the maturity of key controls that guard against cyber security risk, such as:

• governance committees and reporting

• roles and responsibilities

• risk appetite

• key risk indicators

• risk assessments and controls assurance

• incident management and reporting

• policies and procedures

• training and awareness.

This has reinforced to board members the importance of being involved in governing and overseeing cyber security decisions and investments.

Cyber security and privacy

To protect its reputation, innovate and grow, an organisation needs to protect its intellectual property, customer information and other critical information assets. As the business community continues to find new and innovative approaches to embrace the world wide web through emerging solutions such as cloud computing, the security threat increases in complexity. Recent security breaches, such as the theft of intellectual property and disclosure of customer sensitive information, have highlighted how such events can undermine or even close an organisation. Cybereconomics is a key differentiator for organisations that are able to provide a secure business environment for customers.

This realisation has raised the topic of cyber security and privacy to board level, with executives seeking assurances that such events could not affect their organisation. Robust cyber security measures are critical to protecting your organisation’s reputation, and meeting legal and regulatory requirements.

Who is responsible for the governance of cyber security risks in your organisation?

Since the board is ultimately responsible for managing an organisation’s risks, they should be regularly briefed on the effectiveness of cyber security controls and exposures outside of the organisation’s risk appetite.

Our cyber security and privacy team consists of highly specialised professionals with extensive experience of key areas, including:

• Governance, risk and compliance

• Cyber crime

• Digital security

• Business resilience

• Third party assurance

• Data privacy

• Payment security

• Technology security

• Identity and access management

Information is now seen as one of the most valuable assets that any organisation holds

Cyber crime

Are you protected against cyber attacks?

Cyber crime’s footprint is increasing significantly in the frequency and size of its operations. It is evident that technological defences alone are not sufficient to protect a business from attacks. Cyber crime has evolved from being the act of individuals to one of many tools used by organised crime syndicates, where highly specialised professionals are putting data, information and assets at a high risk of misuse.

No industry is safe from the possibility of a cyber attack, and being prepared is the best defence.

At Grant Thornton we can work with your organisation to prevent security vulnerabilities that could be exploited by cyber criminals to access your intellectual property and disrupt your business.

Case studies

• A recently reported attack on banks resulted in $1 billion being stolen during the last two years using trojan software installed from the internet onto internal workstations. The attack was successful, not because of the technology used, but because the attackers behaved like bank staff and learned the bank procedures to steal funds without detection

• Targeted cyber attacks have revealed confidential company and customer information from the biggest names in the film and gaming industry, large retailers and internet service providers

• A publisher’s products were stolen and copies made freely available online. As well as the loss of revenue, the cost of updating the systems and policies was more than £50,000

The estimated cost of cyber crime to the UK is £27 billion per year, of which the main loser – at a total estimated cost of £21 billion – is UK business, which suffers from high levels of intellectual property theft and espionage1. Over the last year the average cost of the worst breach suffered has gone up significantly to £0.6 - £1.15 million for large organisations2.

1 Detica, Office of Cyber Security and Information Assurance in the Cabinet Office, “The Cost of Cyber Crime” (2011)

2 Information Security Breaches Survey by Department for Business Innovation and Skills (2014)

Digital security

Does your organisation know where cyber security threats will first appear?

A company’s information infrastructure consists of many different facets, each of which may be a path through which attackers attempt to breach your defences to obtain access to or corrupt critical information.

An effective digital security stance requires an organisation to know both the location and value of its critical information, and the means by which that information might be accessed.

The creation and maintenance of an information asset register is a key step to identifying critical systems to prioritise for protection. Even for small organisations this is a significant effort.

Some of the possible digital pathways used to gain access to critical information include:

• e-Commerce gateways and interfaces

• Online service portals

• Internal hardware and software

• Internal networks (wired and wireless)

• Third party service providers

• Non-standard and mobile devices

Each of these requires appropriate controls to ensure it cannot be leveraged to gain access to your organisation’s critical information assets.

We can assist your organisation by providing assurance to management on the maturity of digital security controls, highlighting high risk exposures and developing a roadmap to protect your digital assets.

Data leakage

One major avenue for the loss of intellectual property from your organisation is through data leakage.

There is a wide range of routes that can be used to steal information from your organisation, from walking out the door with a hardcopy document to using complex software to copy and extract data by transferring it over the web.

Grant Thornton can help you understand the data leakage methods to which your organisation may be exposed, the skills and experience required to exploit them and what preventative or detective controls could be deployed to reduce risk.

Business resilience

Does your organisation have the resilience to stand up to a high profile cyber security incident?

Business resilience is the ability of an organisation to minimise disruption and be able to function during an incident. It covers all aspects of business continuity, technology disaster recovery, incident management and financial resilience.

Business resilience is pivotal to maintaining business activities in the modern age of inter-connected global operations, just in time production and complex operational relationships. Maintaining your reputation and delivering on time are fundamental to all professional relationships.

Organisations need to anticipate and have proven strategies to effectively respond to disruptive events, maintain critical operations and learn from events to better prepare for future challenges.

By partnering with us and using our wealth of experience, we can better prepare organisations to face the challenges that these disruptive events create.

Grant Thornton can assist to assess the readiness of your organisation to handle, recover from and respond to a cyber security incident, including both the public relations and business resilience aspects.

Service areas: crisis management, incident management, cyber resilience, business continuity, disaster recovery.

Industry guidance

Our business resilience services are based on the guidance contained in relevant British and international standards, including:

• BS 11200 Crisis management: guidance to good practice

• BS 65000 Organisational resilience: guidance

• ISO 22301 Business continuity management systems: requirements

• ISO 22313 Business continuity management systems: guidance

Case study

Grant Thornton was requested to provide support to a large construction and support services firm to assess their level of resilience and provide recommendations for improvement.

Using a hybrid approach of interviews, document review and on-site inspections, conclusions were benchmarked against industry good practice. The review established that although controls were in a reasonable position, improvements and efficiencies could be delivered. Quick win insights were provided during the review so that urgent issues could be swiftly addressed. Longer term recommendations were delivered to improve their strategic approach to resilience and provide a standardised approach across the organisation.

Operationally, a number of gaps and overlaps were identified along with opportunities for efficiencies, combined with improvements to the risk management processes. By closing out the items highlighted, management confidence significantly increased in the resilience framework across the entire organisation.

Third party assurance

How do you gain assurance that the third parties you’ve outsourced operations to are secure?

Over the past decade there has been a paradigm shift in the way organisations operate, and many now recognise the clear value and benefits to be gained from leveraging business process outsourcing and third party services.

Consequently, many operational activities that were once perceived as core are now outsourced, such as activities performed by technology, operations and human resources departments. There has also been an explosion in the use of cloud based services.

These new ways of doing business present wonderful opportunities for cost efficiencies, but also create complex challenges and risks that need to be assessed and appropriately managed.

At Grant Thornton we leverage our experience to report to the board on the maturity of controls operated by key third parties, in particular through assurance and contractual reviews.

Service areas: third party security, third party contracts, third party assurance, third party exit management.

Recent research has found that the use of third party internet based services without formal approval is widespread – 76% of CIOs are aware of the commission and use of third party cloud based products with no input from the technology department1.

1 British Telecom’s ‘Creativity and the Modern CIO’ – December 2014

How secure is your cloud?

Grant Thornton has performed third party sourcing reviews to assess relevant controls, such as:

• the maturity of security controls embedded into the supplier management framework

• whether the business could procure cloud based services directly without involving sourcing

• whether services purchased from cloud based providers were on the list of approved vendors.

Some reviews have identified that business staff could procure cloud based services directly, without going through controlled sourcing channels.

Data privacy

How will the proposed EU data protection regulation affect your organisation?

While the draft general data protection regulation still has some way to go before becoming law, there are a number of changes likely to impact your organisation. Beyond the headline that organisations in breach of the rules could face penalties of up to €100 million or up to 5% of their worldwide turnover, other anticipated changes include:

• data breaches will need to be reported to impacted individuals without undue delay

• businesses will be required to complete privacy impact assessments at least annually

• the scope will be expanded to include non-European companies that trade in the EU.

Many of these changes are already being adopted by organisations as best practice, especially disclosure of breaches and conducting privacy impact assessments.

At Grant Thornton we can leverage our experience to help organisations prepare for and adhere to forthcoming regulatory changes.

Privacy and security online

Grant Thornton has performed privacy and security reviews to provide assurance over high profile internet-based services by:

• assessing cloud-based services against privacy and security best practice

• reviewing third party privacy and security contractual obligations

• performing assurance testing of key controls.

Some reviews have highlighted where key controls were inconsistent with risk appetite, resulting in follow-on activity to address risk exposures.

Payment security

Are your payment systems secure?

In 2013, payments businesses handled $425 trillion in non-cash transactions, more than five times global GDP. By 2023 the value of non-cash transactions is expected to reach $780 trillion1. In developing economies the growth will be significantly higher.

At the same time, regulatory challenges to the payments industry are increasing as regulators extend their remit to include payment institutions. There is also increased competition and market disruption by new entrants, including the rise of mobile payments, digital wallets and the use of Bitcoin.

Given the volumes of funds moved on a daily basis, the risks associated with the payments industry include:

• reputational and financial costs of system failure

• fraud committed by criminal hackers

• increased volatility in the payments landscape caused by customers changing their mobile payment habits

• difficulties funding projects for continuous improvement and innovation in a competitive and rapidly changing market

• regulatory censure and subsequent loss of reputation arising from abuse of the service, eg money laundering

• payment market disrupters proposing alternate payment services.

At Grant Thornton we can leverage the expertise of our in depth payment specialists to help ensure major wholesale and consumer facing payment systems remain available and are secure.

Case studies

Grant Thornton has reviewed the development and implementation of a mobile payment system project. Our team:

• reflected the current status of the project to executive management

• assessed implementation roadblocks holding back delivery of the project, including commercial, technical security and legal risks

• suggested improvements to the project’s governance and risk management.

Our portfolio of payment system review work includes the following:

• organisations clearing transactions on behalf of third parties with highly developed and resilient payment infrastructures

• payment system compliance reviews for organisations, such as large retail banks.

1 Source: Boston Consulting Group Global Payments Review 2014

Technology security

Your organisation’s systems are only as secure as the weakest link – where’s yours?

In today’s complex and ever changing world, systems used to help your organisation innovate and grow are updated or changed on a regular basis. In such an environment it is essential to be assured that the hardware and software infrastructure supporting your everyday business activities is robust and secure, especially as more and more processes become automated and move online.

We can leverage our experience to perform penetration tests to assess the security and maturity of controls over your infrastructure, networks and applications, and identify vulnerabilities and angles of attack that could be exploited and how these should be mitigated.

Service areas: application security, database security, operating system security, network security, perimeter security.

Infrastructure security assessments

Grant Thornton has performed deep technical security reviews of complex infrastructure environments, including a variety of banking mainframes.

Such reviews cover many layers of control that contribute to the security of critical systems, such as processing the bank accounts of a large national customer base.

Some reviews have identified material risks resulting in recommendations to strengthen the environment and improve the security oversight and monitoring processes.

Recent events have reinforced the direct correlation between successful attacks, brand reputation and share price.

Some of the challenges faced by organisations include:

• constantly evolving cyber threats, with new security vulnerabilities being discovered on a regular basis

• the need to be on the front foot in respect of patching, upgrades and security event monitoring.

Penetration testing

• red team/penetration testing (infrastructure, web application, wireless networks)

• mobile application assessment

• wireless LAN security

• cyber security architects

• security configuration review

Identity and access management

Service areas: joiners, movers and leavers; access recertification; toxic combinations; privileged access; developer access.

Could your organisation be exposed to financial crime by staff with excessive system access?

Even though the topic of unauthorised access is an auditor’s favourite, dating back many decades, many organisations today still face challenges ensuring they have robust controls over system access and segregation of duties.

Some of the more common challenges still faced by organisations today include:

• access recertification becoming the detective control of choice, without preventative controls to remove access when individuals move role

• cost reduction programmes – such as offshoring and outsourcing – making it more complex to govern access permissions

• defining toxic access combinations that pose a segregation of duties risk, and deploying controls to prevent (or detect) such access violations

• balancing controls that restrict privileged and developer access to production systems with the need for high systems availability.

Access management coverage

When thinking about the maturity of your identity and access management controls, it is wise to think about the variety of systems in use across your organisation, including:

• Applications

• Databases

• Operating systems

• Network file shares

• Collaboration sites

While much attention has been given to application access controls, effort is also required to restrict privileged access to databases and operating systems, as well as end user access to network file shares and collaboration sites, such as SharePoint.

At Grant Thornton we can leverage our experience to benchmark the maturity and coverage of access management controls, and develop a roadmap to take things forward.

How Grant Thornton can help

Our team of experts brings a wealth of experience from across all industry sectors and can help your organisation to:

• assess the effectiveness of your current systems, controls and processes, identifying key risks and creating a roadmap that puts you on the path to achieving strong assurance for all key stakeholders

• identify key systems at risk of attack or exploitation and help you implement changes to minimise the disruption to your business in the event of an attack, through reduced detection time and effective response

• review third party and key partners’ security arrangements and provide an accurate representation of the assurance that can be placed on them – as well as providing pre-selection reviews before any engagement with new suppliers/providers

• ensure that your systems and services comply with industry, regulatory and legal standards – including preparing non-European companies for entry into the EU marketplace

• design multi-year on-going programmes that will not only maintain but develop the maturity and effectiveness of your cyber security and privacy systems.

Contact us

Sandy Kumar, Partner, Head of Business Risk Services, T +44 (0) 20 7728 3248, E [email protected]

Manu Sharma, Director, Head of Cyber Security and Privacy, T +44 (0) 20 7865 2406, E [email protected]

© 2015 Grant Thornton UK LLP. All rights reserved.

‘Grant Thornton’ refers to the brand under which the Grant Thornton member firms provide assurance, tax and advisory services to their clients and/or refers to one or more member firms, as the context requires.

Grant Thornton UK LLP is a member firm of Grant Thornton International Ltd (GTIL). GTIL and the member firms are not a worldwide partnership. GTIL and each member firm is a separate legal entity. Services are delivered by the member firms. GTIL does not provide services to clients. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions.

This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occasioned to any person acting or refraining from acting as a result of any material in this publication.

grant-thornton.co.uk V24930