
Page 1

http://www.pwc.ch/cybersecurity

Cyber threat and cyber breach landscape 2015 – How to protect enterprise data appropriately?

Security Interest Group Switzerland

3 March 2015

Page 2

Agenda (with slide page numbers)

1 The future: is bright and digital (1)
2 The reality: not yet there (3)
3 Problem and dilemma on the way to the digital transformation (7)
4 Building confidence in the digital transformation (10)
5 Five steps toward an appropriate cyber security (15)
6 Summary, questions and answers (22)

Page 3

PwC, 3 March 2015

The future: is bright and digital

Cyber threat and cyber breach landscape 2015 • How to protect enterprise data appropriately?

Page 4

The future vision: ‘Digital me’ – always and everywhere!

Section 1 – The future: is bright and digital

• Information is digital
• Information is available at my fingertips anytime, anywhere, anyhow
• The lines between the digital and physical world are blurring
• Software defines everything
• Everything is connected (the ‘internet of things’)
• Velocity, flexibility, dynamic, in the cloud

The vision: Technology supports people and the environment to make the world a better place. Reliable and secure!

Page 5

The reality: not yet there

Page 6

Cyber threats are real and affect business and life

Section 2 – The reality: not yet there

91% of large organisations and 87% of small businesses had security breaches in the last year.

• Cyber security is now a persistent business risk
• Organisations are undoubtedly worried about the rising tide of cybercrime
• Looking at security investments by industry shows that spending is down in most sectors, with a few notable exceptions.
• The black markets for stolen data are growing in size and complexity.

Source: PwC, The Global State of Information Security Survey 2015

Page 7

63% of data breaches are recognised by third parties; on average, threats were present for 243 days before detection

Section 2 – The reality: not yet there

[Chart: data breaches recognised by third parties: 63%; average number of days threats were present before detection: 243]

Sources:
- Verizon Breach Investigation Report http://www.verizonenterprise.com/ch/DBIR/
- Mandiant: https://www.mandiant.com/threat-landscape/

Page 8

Greed, absence of ethics and weak prosecution / sanctions

Section 2 – The reality: not yet there

Adversary motives and tactics evolve as business strategies change and business activities are executed.

Not only the ‘good guys’ use technology for their benefit (CCaS¹)!

Adversaries: Organized crime, Hacktivists, Nation state, Insiders

What’s most at risk?

• Emerging technologies
• Executive travel
• Automation
• Health and safety records
• Business deals information
• Information and communication technology and data
• Industrial Control Systems (SCADA)
• Geological surveys and industrial design (Intellectual Property)
• Third party connections

Input from Office of the National Counterintelligence Executive, Report to Congress on the Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011.

1) Cyber Crime as a Service

Page 9

Problem and dilemma on the way to the digital transformation

Page 10

What is a problem, what a dilemma?

Section 3 – Problem and dilemma on the way to the digital transformation

Problem: A perceived gap between the existing state and a desired state, or a deviation from a norm, standard, or status quo.

Dilemma: A situation in which a difficult choice has to be made between two or more alternatives, especially ones that are equally undesirable.

Source: http://www.businessdictionary.com

Problem areas and their dilemmas:

1 What is the value of digital information?
  - Value for me
  - Value for others / loss when absent
  - How to quantify and claim

2 “Physical” and “digital” world obey different rules
  - Tangible values are absent when stolen; copying them is difficult
  - Jurisdiction in the global world

3 Doing the “right” thing (ethical compass)
  - Who or what is the moral judge?
  - Greed is a strong driver

Page 11

In a world of change, two things remain constant

Section 3 – Problem and dilemma on the way to the digital transformation

• Username/password is not sufficient to identify a person reliably
• Just because goods are paid for with John Doe’s credit card does not necessarily mean John Doe legally bought goods from you

Guiding principles:

1 a) We need to identify the counterparty and segregate trusted from untrusted
  b) We need to identify the device used to access data and segregate trusted from untrusted
  c) We need to identify the network/environment used and segregate trusted from untrusted

The options to react to adverse situations are:

  a) Hide: protect data and allow access only to a ‘closed user group’
  b) Run away: do not use the internet, or at least use separate infrastructure for internet and secret data
  c) Fight: detect and respond quickly and effectively

2 Business relations need trust

Page 12

Building confidence in the digital transformation

Page 13

How can we get there?

“The future is not some place we are going, but one we are creating. The paths are not to be found, but made. And the activity of making them changes both the maker and the destination.”
John H. Schaar

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Sun Tzu, The Art of War

Slide 13
9 February 2015 IIS – Cyber Risk • Cyber threats and cyber breaches – What do you need to consider?

Page 14

Balance business opportunity with emerging threats

Section 4 – Building confidence in the digital transformation

• Customer experience
• Cloud-based services
• Mobility
• Big Data analytics
• Cyber resilience

Page 15

The dilemma: How to find the balance between innovation, functionality, compliance and security

Section 4 – Building confidence in the digital transformation

Page 16

Two options to avoid digital data loss: protect and monitor, or detect and respond

Section 4 – Building confidence in the digital transformation

Prevent & Protect
‘Crown jewels’ must be identified and their protection prioritised, monitored and adjusted accordingly.
• Technology risk strategy
• Security architecture
• Target operations model
• Security governance
• Security assessments
‘Data protection by design’ by considering people, processes and technology

Detect
• Breach indicator assessment
• Data analytics for security information
• Threat intelligence
Detect malware, attacks and data exfiltration quickly and reliably

Respond & Remediate
• Incident response
• Forensic services
• Crisis management
• eDiscovery
• Data analytics
Respond to incidents efficiently and effectively. Remediate and learn.

Page 17

Five steps toward an appropriate cyber security

Page 18

Each organisation has a unique environment and therefore specific requirements

Section 5 – Five steps toward an appropriate cyber security

Technology risks across the layers:
• Your business vision
• Business processes
• Business applications
• Devices, systems and platforms
• Network and communication
• Digital data

Identify valuable data → Identify threats & risks → Apply appropriate protection

Page 19

Five steps toward holistic cyber security

Section 5 – Five steps toward an appropriate cyber security

• Assess cyber risks and ensure the risk landscape is aligned with risk appetite. Reduce, avoid or transfer unacceptable risks
• Select applicable cyber threat scenarios (10-15) and analyse the impact on your business data and customer data
• Identify your most valuable information assets, align your cyber security strategy with business objectives and get funding
• Analyse current safeguards and their effectiveness, assess vulnerabilities in your infrastructure and supply chain
• Implement safeguards, monitor effectiveness, improve processes for earlier detection and reduce the time from detect to respond

Page 20

How to determine cyber risks / technology risks?

Section 5 – Five steps toward an appropriate cyber security

[Diagram: Assets, Threat, Vulnerabilities, Protection measures]

$$
\text{Risk} = \text{Impact} \times \text{Likelihood} \approx \frac{\text{Asset Value} \times \text{Vulnerability} \times \text{Threat Likelihood}}{\text{Protection measures, Safeguards}}
$$

Page 21

What to do with identified risks?

Section 5 – Five steps toward an appropriate cyber security

Avoid: (run away) do not further use that service and avoid the risk (and the opportunity)
Accept: The balance between opportunity and threat is acceptable – no additional safeguards required
Reduce: Apply additional security controls to reduce risk to an acceptable level
Transfer: Buy insurance or use outsourcing with sufficient liability
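The risk formula from page 20 and the four treatment options on this page, carried through as a small risk register that checks every asset against a risk appetite. This is an added example, not code from the PwC deck: the integer 1..5 scoring scale, the sample assets, the appetite threshold and the `transferable` flag used to decide between Avoid and Transfer are all constructed assumptions.

```python
"""Risk register built on the slide's formula and its four treatment options.

Risk = Impact x Likelihood ~ (Asset Value x Vulnerability x Threat Likelihood) / Safeguards

Added example: the 1..5 scoring scale, sample assets, appetite threshold and the
`transferable` flag are constructed for illustration, not taken from the deck.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SCALE = range(1, 6)  # every factor is scored as an integer 1..5 (constructed scale)


@dataclass(frozen=True)
class Asset:
    name: str
    value: int              # asset value: business impact if the asset is lost or exposed
    vulnerability: int      # how exposed the asset is today
    threat_likelihood: int  # likelihood derived from the selected threat scenarios
    safeguards: int         # strength of protection measures in place (1 = none)
    transferable: bool = False  # assumption: insurance or outsourcing with liability is available


def raw_risk(asset: Asset) -> int:
    """Numerator of the slide's approximation: Asset Value x Vulnerability x Threat Likelihood."""
    for score in (asset.value, asset.vulnerability, asset.threat_likelihood, asset.safeguards):
        if score not in SCALE:
            raise ValueError(f"{asset.name}: every score must be an integer 1..5")
    return asset.value * asset.vulnerability * asset.threat_likelihood


def risk_score(asset: Asset) -> float:
    """Residual risk: safeguards divide the raw product, so level 1 leaves it unchanged."""
    return raw_risk(asset) / asset.safeguards


def safeguard_level_needed(asset: Asset, appetite: float) -> Optional[int]:
    """Smallest safeguard level on the scale that brings risk within appetite,
    or None when even maximum safeguards leave it above appetite."""
    raw = raw_risk(asset)
    for level in SCALE:
        if raw / level <= appetite:
            return level
    return None


def treatment(asset: Asset, appetite: float) -> str:
    """Map an asset to Accept / Reduce / Transfer / Avoid against the risk appetite."""
    if risk_score(asset) <= appetite:
        return "Accept"
    needed = safeguard_level_needed(asset, appetite)
    if needed is not None:
        return f"Reduce (raise safeguards from {asset.safeguards} to {needed})"
    # Residual risk cannot be reduced enough: transfer it if that option exists, else avoid.
    return "Transfer" if asset.transferable else "Avoid"


def risk_register(assets: List[Asset], appetite: float) -> Dict[str, Tuple[float, str]]:
    """Score and treat every asset: the 'risk landscape aligned with risk appetite'."""
    return {a.name: (risk_score(a), treatment(a, appetite)) for a in assets}


# Constructed sample inventory and appetite (not from the deck).
SAMPLE_ASSETS = [
    Asset("Customer database", value=5, vulnerability=3, threat_likelihood=4, safeguards=2),
    Asset("Marketing website", value=2, vulnerability=3, threat_likelihood=4, safeguards=3),
    Asset("Legacy SCADA gateway", value=5, vulnerability=5, threat_likelihood=4, safeguards=1),
    Asset("Outsourced payroll portal", value=4, vulnerability=5, threat_likelihood=4,
          safeguards=2, transferable=True),
    Asset("Public brochure PDFs", value=1, vulnerability=2, threat_likelihood=2, safeguards=1),
]
RISK_APPETITE = 12.0

if __name__ == "__main__":
    for name, (score, action) in risk_register(SAMPLE_ASSETS, RISK_APPETITE).items():
        print(f"{name:26s} risk={score:6.1f}  -> {action}")
```

The treatment order mirrors the slide: a risk inside appetite is accepted; one that additional safeguards can bring inside appetite is reduced, and the register reports the safeguard level required; only a risk that stays above appetite at maximum safeguards is transferred (where insurance or outsourcing with liability exists) or avoided by giving up the service.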

Page 22

There are three stages to consider in cyber security

Section 5 – Five steps toward an appropriate cyber security

1 Pre-breach (to assess)
For a real view of the current situation, a self-assessment questionnaire and a remote scan are not sufficient!
Extensive security testing suite: internal testing, external testing, web and mobile apps, host based reviews, threat based testing, phishing attack, malware attack simulation; output: vulnerabilities

2 Data breach

3 Post-breach (to respond)
Ensure data breaches are detected in a timely manner. Respond quickly and effectively with a professional team to reduce damage.
Incident management / incident handling: incident response, detection, triage, analysis, vulnerability handling, announcements and alerts, … other IM services …

Page 23

Standards that might help

Security Governance and Maturity
What: COSO / COBIT / 27001
How: 27005 / 27003 / ITIL

Security and Service Management
What: COBIT, 27001, ITIL
How: ITIL, 27002, 27003, 27005, ISO 9000, NIST, ENISA

Main challenge: Understand the standard, adapt it to your specific needs and environment, expertise

A security professional may well be a cost – but does this for a living!

[Diagram: scope of coverage (What / How) of COSO, COBIT, ITIL, ISO 9000, ISO 2700x]

Page 24

Summary, questions and answers

Page 25

Summary and next steps

Section 6 – Summary, questions and answers

Tasks
1 Cyber security is not a product or a status – it is a continuous practice
2 Identify your ‘crown jewels’ and assess threats/risks/capabilities
  Define, apply and monitor ‘appropriate’ cyber security measures
3 Detect data breach in a timely manner and react effectively

Deliverables/artefacts
• ‘Cyber security architecture’ combining people, processes and technology
• Data classification and data ownership (controller, processor)
• Risk-based cyber security approach. Consider security as a separate layer
• Monitoring and event management, incident response, learning from incidents

Page 26

Questions, comments?

Page 27

Jan Schreuder, PwC, Partner, +41 58 792 24 [email protected]

Thomas Koch, PwC, Director, +41 58 792 29 [email protected]

Lorenz Neher, PwC, Senior Manager, +41 58 792 47 [email protected]

© 2015 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

PricewaterhouseCoopers has exercised reasonable care in the collecting, processing, and reporting of this information but has not independently verified, validated, or audited the data to verify the accuracy or completeness of the information. PricewaterhouseCoopers gives no express or implied warranties, including but not limited to any warranties of merchantability or fitness for a particular purpose or use and shall not be liable to any entity or person using this document, or have any liability with respect to this document. This report is intended for internal use only by the recipient and should not be provided in writing or otherwise to any other third party without PricewaterhouseCoopers express written consent.

visit www.pwc.ch/cybersecurity