Cyber Risk
A Threat to the Digital Agenda
Vincent Loy, PwC Singapore
Strictly Private and Confidential
June 2015
PwC January 2015
Table of Contents
1 Cyber – Opportunities and Threats
2 Cyber Threats – Why, Who, What and How?
3 Putting Cyber Threats in Perspective
The New Dynamic - New Opportunities
The digital age provides many opportunities for growth
• Automation
• Mobile/Social media
• Innovation
• Cost efficiency
• Cloud
• Hyper-connectivity & Integration
• Expanded Sphere
• Collaboration & Trust
Trust + Opportunity = Growth
Data and Digital Footprint
The New Global Business Ecosystem - The Risks
Pressures and changes which create opportunity and risk
• Interconnected, integrated, and interdependent environments
• Constant information flow is the lifeblood of the business ecosystem
• Adversaries are actively targeting critical assets
• Years of underinvestment
• An ecosystem built around a model of open collaboration and trust
The Risks - Organizations have not kept pace
Years of underinvestment in certain areas have left organizations unable to adequately adapt and respond to dynamic cyber risks.
Capability areas shown in the diagram:
• Product & Service Security
• Physical Security
• Operational Technology Security
• Public/Private Information Sharing
• Threat Modeling & Scenario Planning
• Technology Adoption and Enablement
• Ecosystem & Supply Chain Security
• Global Security Operations
• Breach Investigation and Response
• Notification and Disclosure
• Privileged Access Management
• Security Technology Rationalization
• Patch & Configuration Management
• Insider Threat
• User Administration
• Technology Debt Management
• Secure Mobile and Cloud Computing
• Compliance Remediation
Governing layers:
• Security Strategy and Roadmap
• Board, Audit Committee, and Executive Leadership Engagement
• Business Alignment and Enablement
• Risk and Impact Evaluation
• Resource Prioritization
• Security Program, Functions, Resources and Capabilities
Focus areas:
• Security Culture and Mindset
• Process and Technology Fundamentals
• Threat Intelligence
• Monitoring and Detection
• Critical Asset Identification and Protection
• Incident and Crisis Management
The Actors and The Information They Target
Adversary
• Nation State
• Organized Crime
• Insiders
• Hacktivists
What’s most at risk?
• Emerging technologies
• Military technologies
• Advanced materials and manufacturing techniques
• Healthcare, pharmaceuticals, and related technologies
• Business deals information
• Health records and other personal data
• Industrial Control Systems (SCADA)
• R&D and/or product design data
• Payment card and related information / financial markets
• Information and communication technology and data
Input from Office of the National Counterintelligence Executive, Report to Congress on the Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011.
Cyber Attacks – Significant business impacts
• Financial losses
• Share price
• Regulatory
• Costs of remediation & investigation
• Brand & reputation
Putting cybersecurity into perspective
Key characteristics and attributes of cybersecurity:
• Broader than just information technology and not limited to just the enterprise
• Increasing attack surface due to technology connectivity and convergence
• An ‘outside-in view’ of the threats and potential impact facing an organization
• Shared responsibility that requires cross-functional disciplines in order to plan, protect, detect and respond
Cybersecurity represents many things to many different people
Evolving perspectives
Considerations for businesses adapting to the new reality
Historical IT Security Perspectives vs. Today’s Leading Cybersecurity Insights

Scope of the challenge
• Historical: Limited to your “four walls” and the extended enterprise
• Today: Spans your interconnected global business ecosystem

Ownership and accountability
• Historical: IT led and operated
• Today: Business-aligned and owned; CEO and board accountable

Adversaries’ characteristics
• Historical: One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain
• Today: Organized, funded and targeted; motivated by economic, monetary and political gain

Information asset protection
• Historical: One-size-fits-all approach
• Today: Prioritize and protect your “crown jewels”

Defense posture
• Historical: Protect the perimeter; respond if attacked
• Today: Plan, monitor, and rapidly respond when attacked

Security intelligence and information sharing
• Historical: Keep to yourself
• Today: Public/private partnerships; collaboration with industry working groups
Key success factors
Dimensions: People, Process, Technology, Governance
• Incident & Crisis Management
• Third-party Vendor Management
• Identify and Protect
• Detect
• Response
• Recover
• Threat & Vulnerability Management
• Security Architecture
• Security Management
• Identity Management
• Awareness & Education
• Regulations & Policy
• Emerging Technologies
Process… Questions to consider when evaluating your ability to respond to the new challenges.
• Security Culture and Mindset: Establish values and behaviors to create and promote security effectiveness
• Process and Technology Fundamentals: Evaluate and improve effectiveness of existing processes and technologies
• Threat Intelligence: Understand the threats to your industry and your business
• Monitoring and Detection: Enhance situational awareness to detect and respond to security events
• Critical Asset Identification and Protection: Identify, prioritize, and protect the assets most essential to the business
• Incident and Crisis Management: Develop a cross-functional incident response plan for effective crisis management
Challenges
Cyber Risk
• Lack of Board Cyber Education/Training and CIO Briefings
• Understanding your current cyber security posture
• Third party Security Risks
• Cyber Risk: not part of ERM, poor MI
• Immature Cyber Incident Response Management Process
• Difficulties in identifying/valuing Information Assets
Thank you.
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, [insert legal name of the PwC firm], its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
© 2015 PwC Singapore. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.
Contact Us:
Vincent Loy
Partner
Maggie Leong
Senior Manager