Get ahead of cybersecurity, by Tiffy Isaac, Partner, EY India

Upload: rahul-neel-mani

Post on 14-Aug-2015


Get ahead of cybersecurity

Tiffy Isaac,

Partner, EY LLP

Page 2

Agenda

► Introduction

► The cyber threat landscape

► What are organizations doing?

► Get ahead of cybercrime

Page 3

Introduction

Internet of Things “IoT” can be defined as physical objects that connect to the internet through embedded systems and sensors, interacting with it to generate meaningful results and convenience for the end-user community.

What opportunities does IoT offer?

► New business opportunities

► Improved decision-making

► Safety and security

► Improved citizen experience

► Cost reductions

► Potential for business revenue growth

What will the future be…

The ever-expanding IoT world:

► Smart life

► Smart mobility

► Smart city

► Smart manufacturing

Page 4

Some facts…

The cloud provides a platform for IoT to flourish; however, there are still many challenges.

With the plethora of data that they will hold, storage servers will have to be updated and secured all the time.

According to industry estimates, machine-to-machine communications alone will generate approximately US$900 billion in revenues by 2020.

India is planning to invest approximately US$11 billion for developing 100 smart cities. A draft policy framework document of IoT was released in October 2014 by the Indian government.

The interconnectivity of people, devices and organizations opens up new vulnerabilities.

New technologies, regulatory pressure and changing business requirements call for more security measures.

Per EY’s 17th Global Information Security Survey 2014, which captures the responses of 1,825 C-suite leaders and information security and IT executives/managers, 56% of respondents say that it is “unlikely or highly unlikely” that their organization would be able to detect a sophisticated attack.

Page 5

IoT will affect different business sectors

Healthcare

► Personal information that could tell medics not only about individuals’ medical history, but also about potential diseases

► Sensors and microcomputers fitted in the human body that could monitor health conditions and even alert emergency services in case of any distress

Education

► IoT in the education sector has already started to make the conventional education system more automated

► Internet-enabled remote classrooms will be a milestone for developing countries, making deep penetration in areas where setting up a traditional school infrastructure is not possible.

Financial Services

► Financial services are already leveraging the internet for many of their services.

► Improvement in digital infrastructure and IoT-enabled products could further lead the growth of the financial sector, with innovations, such as smart wearable and smart monitoring devices, helping customers to keep better track of their money.

Telcos

► Telcos could face a surge in data usage due to IoT-enabled devices, thus raising their ARPU (average revenue per user), while on the other hand, they will also have to deal with some concerns, such as privacy and infrastructure security.

Page 6

E.g. Connected car and cyber security

Context: Automakers launch several connectivity offerings, the interconnectivity of people, devices and organizations opens up new vulnerabilities. However, …

Triggers:

► Traditional IT security measures are no longer enough

► Research shows that attacks on vehicles are possible

► Today’s attackers are organized, well funded, patient and sophisticated

Question: How can automotive sector organizations keep up with the changing vulnerability landscape, while many are lagging in establishing foundational cybersecurity practices?

Response: key imperatives need to be followed by the automotive industry to embrace connectivity, and at the same time ensure IT security

Page 7

Recent academic research and dummy hacking trials on connected cars have shaken the confidence of regulators and consumers

Recent examples of dummy hacking by researchers (columns: Brand affected; Details of hacking; Action taken by the automaker/affected brand)

► Details of hacking: A team from the Defense Advanced Research Projects Agency (DARPA) demonstrated how it was able to wirelessly hack into the computer systems and take over several functions, including the brakes of a Chevrolet Impala during a controlled situation

Action taken by the automaker/affected brand: GM is developing a fix for its OnStar telematics system in light of the cyberattack

► Details of hacking: ADAC, a German motoring association, found they could lock and unlock car doors by mimicking mobile communications and sending signals to a SIM card installed in affected vehicles

Action taken by the automaker/affected brand: BMW sent out over-the-air software patches to the 2.2 million cars equipped with Connected Drive to prevent similar breakages in future

Sources: News articles, EY analysis

Page 8

The cyber threat landscape

Page 9

EY GISS 2014 results: “Who or what do you consider the most likely source of an attack?”

► Lone wolf hacker: 41%

► Hacktivists: 46%

► State sponsored attacker: 27%

► Criminal syndicates: 53%

► Other business partner: 14%

► Supplier: 12%

► Customer: 10%

► External contractor working on our site: 35%

► Employee: 57%

Respondents were asked to choose all that apply.

Page 10

EY GISS 2014 results: “Which threats & vulnerabilities have increased your risk exposure over the last 12 months?” Respondents were asked to select any five of these items, with 1 as the highest priority, down to 5 as their lowest priority

Page 11

The roadblocks facing today’s organizations

Roadblock 1 — Lack of agility

Roadblock 2 — Lack of budget

43% of respondents say that their organization’s total information security budget will stay approximately the same in the coming 12 months and a further 5% said that their budget will actually decrease.

Roadblock 3 — Lack of cybersecurity skills

53% of organizations say that lack of skilled resources is one of the main obstacles that challenge their information security.

Page 12

It is not easy to get ahead of cybercrime

Figure labels: Getting ahead; Cybersecurity function

Page 13

What are organizations doing?

Page 14

What are organizations doing?

► Designing and implementing a cyber threat intelligence strategy to support strategic business decisions and leverage the value of security

► Defining and encompassing the organization’s extended cybersecurity ecosystem, including partners, suppliers, services and business networks

► Know your Crown Jewels: taking a cyber economic approach, understanding your vital assets and their value, and investing specifically in their protection

► Use forensic data analytics and cyber threat intelligence to analyze and anticipate where the likely threats are coming from and when, increasing your readiness

Page 15

How do you get ahead of cybercrime? … A 3-stage improvement process

To get ahead of cybercrime we suggest that organizations adopt a 3-stage improvement process:

► Activate (a foundational approach): Organizations need to establish and improve the solid foundations of their cybersecurity.

► Adapt (a dynamic approach): Because organizations are constantly changing and cyber threats are evolving, cybersecurity needs to be able to adapt to changing requirements.

► Anticipate (a proactive approach): Organizations need to make efforts to predict what is coming so they can be better prepared for the inevitable cyber attacks.

Page 16

Activate. Adapt. Anticipate. Where are you?

Activate Adapt Anticipate

Page 17

Activate: the need to establish foundations

Organizations in this level can only deal with threats in a world without change

Page 18

Adapt: a dynamic approach

If an organization doesn’t adapt, its cybersecurity foundation will quickly be obsolete.

Page 19

Anticipate: a proactive state of readiness

‘Anticipate’ means embracing cybersecurity as a core aspect of the business and being in a proactive state of readiness.

Page 20

Vital to foundational cybersecurity – a Security Operations Center

A Security Operations Center (SOC) centralizes, structures and coordinates the processes and technology that support the Information Security function. It is therefore concerning that:

► Over 40% of organizations surveyed do not have a SOC.

Of those that do:

► Over half of respondents did not know how well their SOC met business operations’ needs

► Over 50% do not know how their SOC stays up to date with the latest threats

► The technology infrastructure and endpoints of the SOC need to be improved.

If more of the benefits of a SOC were being realized, then the general ability of an organization to protect itself in even the most basic functions would start to deliver benefits.

37% say that real time insight on cyber risk is not available.

42% of organizations do not have a SOC.

EY GISS 2014 results: How long on average does it take for your SOC to initiate an investigation on discovered/alerted incidents?

► Unknown: 33%

► Longer than 1 day: 4%

► Within 1 day: 13%

► Within 4 hours: 13%

► Within 1 hour: 25%

► Within 10 minutes: 12%

Page 21

…..get ahead of cybercrime

Page 22

Take the initiative to get ahead of cybercrime

Thank you….

Page 23

Focus on 3 As…

Activate: the need to establish foundations

1. Conduct a cyber threat assessment and design an implementation roadmap

2. Get Board-level support for a security transformation

3. Review and update security policies, procedures and supporting standards

   ► Implement an information security management system

4. Establish a Security Operations Center (SOC)

   ► Develop monitoring and incident response procedures

5. Design and implement cybersecurity controls

   ► Assess the effectiveness of data loss prevention and identity and access management processes.

   ► Harden the security of IT assets.

6. Test business continuity plans and incident response procedures

Adapt - take action to improve and transform

1. Design and implement a transformation program

   ► Get external help in designing the program, and providing program management.

2. Decide what to keep in-house and what to outsource

3. Define a RACI matrix for cybersecurity

4. Define the organization’s ecosystem

   ► Make moves to eliminate or lessen potential security gaps in your interaction with third parties

5. Introduce cybersecurity awareness training for employees

Anticipate: take action - and get ahead

1. Design and implement a cyber threat intelligence strategy

   ► Use threat intelligence to support strategic business decisions

2. Define and encompass the organization’s extended cybersecurity ecosystem

   ► Define RACI and trust models and enact cooperation, sharing capabilities where advantageous

3. Take a cyber economic approach

   ► Understand the value of your most vital cyber assets

4. Use forensics and analytics

   ► Use the latest technical tools to analyze where the likely threats are coming from and when

5. Ensure everyone understands what’s happening

   ► Strong governance, user controls and regular communications