www.pwc.com
Safeguarding company from cyber-crimes and other technology scams
ASSOCHAM
Rahul Aggarwal - Director
PwC
The new ‘digital’ business ecosystem is complex and highly interconnected
Ecosystem participants: Enterprise, Service providers, Suppliers, Industry, Customer, Consumer, JV/Partners
The new business ecosystem
1. An always on, always connected world
2. Data explosion
3. Infrastructure revolution
4. Future finance
5. Tougher regulations and standards
6. New identity and trust models
Together will define future security models
Evolving business ecosystem..
Advancements in technology – Adoption of cloud-enabled services; Internet of Things (“IoT”) security implications; BYOD usage
Value chain collaboration and information sharing – Persistent ‘third party’ integration; tiered partner access requirements; usage and storage of critical assets throughout ecosystem
Operational fragility – Real-time operations; product manufacturing; service delivery; customer experience
Business objectives and initiatives – M&A transactions; emerging market expansion; sensitive activities of interest to adversaries
Historical headlines have primarily been driven by compliance and disclosure requirements
However, the real impact is often not recognized, appreciated, or reported
Unmanaged risks with potential long-term, strategic implications
Cybersecurity must be viewed as a strategic business imperative in order to protect brand, competitive advantage, and shareholder value
Information Security Incidents rising Globally…
Red October, BlackEnergy, Regin, Shamoon
Cyber crime ranks as one of the top economic crimes perceived by the businesses across the world
Cyber crime the second most important crime across the world
Types of Economic Crime Experienced (2014, 2016)
Asset Misappropriation: 2014 69%, 2016 64%
Cybercrime: 2014 24%, 2016 32%
Bribery & Corruption: 2014 27%, 2016 24%
Procurement Fraud: 2014 29%, 2016 23%
Accounting Fraud: 2014 22%, 2016 18%
Human Resources Fraud: 2014 15%, 2016 12%
Money Laundering: 2014 11%, 2016 11%
Source: PwC global economic crime survey
Security incidents have increased multi-fold in last couple of years..
Security Incidents handled by CERT-In. Source: CERT-In Annual Report 2014, http://www.cert-in.org.in/
# Security Incidents in 2014 No. of incidents
1. Phishing 1,122
2. Network Scanning/ Probing 3,317
3. Virus/ Malicious Code 4,307
4. Website defacements 25,037
5. Spam 85,659
6. Website intrusion and malware propagation 7,286
7. Others 3,610
Total 1,30,338
Security incidents handled, by year
2010: 10315
2011: 13301
2012: 22060
2013: 71780
2014: 130338
The number of cyber crime cases registered under the IT Act in India is increasing at an alarming rate
Cyber crime has been increasing at an alarming rate in India. The number of cybercrime cases registered under the IT Act in 2011 was 1791, an 85% increase since 2010. This increased to 2876 in 2012, 4356 in 2013 and 7201 in 2014.
Significant increase in the number of registered cases
Cyber crime cases in India (number of cases registered under the IT Act), by year
2008: 288
2009: 420
2010: 966
2011: 1791
2012: 2876
2013: 4356
2014: 7201
Source: ‘Crime in India’ report 2011-2014 (National Crime Record Bureau), PwC Analysis
Financial losses increase two-fold: Losses increased by 135% over the previous year
[Chart: Impact of security incidents on business and data, as a percentage of respondents.
Business: Financial losses; Theft of 'soft' intellectual property; Theft of 'hard' intellectual property; Brand/reputation compromised; Loss of customers; Legal exposure/lawsuit; Other; Unknown.
Data: Loss or damage of internal records; Customer records compromised; Employee records compromised.]
Source: PwC global state of information security survey
Security incidents caused by insiders have dominated those caused by external actors.
Ratio of security incidents caused by insiders as compared to external actors
2012: 2.2
2013: 1.1
2014: 0.9
2015: 1.5
Source: PwC global state of information security survey
Third party security focus should be top priority
In today’s interconnected ecosystem, the compliance of third parties to relevant security policies and procedures is important to maintain the overall security posture of the organization
24% of respondents cited former business partners and suppliers as causes of incidents.
Surprisingly, we noted that 50% of companies do not ensure that third parties comply with their privacy policies, and around 40% of total organisations do not have established baseline standards for third parties.
Compliance with privacy policies: 50%
Compliance audit to check PII safeguards: 55%
Established security baselines/standards: 62%
Source: PwC global state of information security survey
Technological Investments required to fight the cyber crimes
Vulnerability scanning tools have seen an increase in adoption and are up from 57% to 62%.
Intrusion detection tools have increased from 55% to 62%.
53% of organizations have listed implementation of newer technologies as their top priority in the next 12 months.
Organizations adopting various security technologies (2014, 2015)
Biometrics: 2014 52%, 2015 58%
Malicious code detection tools: 2014 56%, 2015 61%
Tools to discover unauthorised devices: 2014 53%, 2015 59%
Intrusion detection tools: 2014 55%, 2015 62%
Vulnerability scanning tools: 2014 57%, 2015 62%
Malware or virus protection software: 2014 68%, 2015 71%
Use of virtual desktop interface (VDI): 2014 53%, 2015 56%
Source: PwC global state of information security survey
Organizations collaborate and the involvement of executives and the board evolves
As more businesses share more data with an expanding roster of partners and customers, it makes sense for them to swap intelligence on cyber security threats and responses. Indeed, over the past three years, the number of organisations embracing external collaboration has steadily increased.
Benefits of external collaboration
Share and receive information from industry peers 63%
Improved threat intelligence and awareness 58%
Share and receive information from government 46%
Share and receive more information from law enforcement 46%
Receive more timely threat intelligence alerts 49%
Benefits of board participation
Identification and communication of key risks 51%
Encouragement of organisational culture of information security 50%
Information security programme funding 51%
Internal and external collaboration and communications 38%
Source: PwC global state of information security survey
Taking measures to address the risks due to emerging technologies. . .
Internet of things (IoT)
IoT has come a long way from being a futuristic concept just a few years ago to transforming into real products, services, and applications; this offers miscreants an enlarged surface area to attack leading to highly publicized consequences.
Going mobile with payments
With the increase in sales of smartphones and access to the Internet, m-commerce, m-payment is set to grow rapidly. However, it also brings with it cyber, privacy and compliance risks that organisations need to address.
[Chart: Steps taken to secure mobile payment services, as a percentage of respondents. Categories: Risks related to malware/malicious apps; Risks related to hardware/device platforms; Verification/provisioning processes; End-user risks and vulnerabilities; Protection of customer personal information; Tokenisation and encryption; Strong authentication; Work with issuing banks.]
Source: PwC global state of information security survey
The big impact of Big Data
In a world where data is gaining importance, and companies are leveraging big data analytics for business decisions, a growing number of organizations are also employing big data analytics to monitor security threats, quickly respond to incidents, and audit and review data to understand how it is used, by whom and when.
Source: PwC global state of information security survey
The legal framework in India for privacy and data security . . .

IT Act, 2000 (9th June 2000)
Overview
• Legal Recognition for E-Commerce
  • Digital Signatures and Regulatory Regime for Digital Signatures
  • Electronic Documents are now Treated at Par with Paper Document
• E-Governance
  • Electronic Filing of Documents
• Defines Civil wrongs, Offences, Punishments
  • Appellate Regime
  • Right of Investigation and Adjudication
Objective
• Legal recognition for transactions carried out by means of electronic data interchange
• Other means of electronic communication
• Penal actions for violations

IT Act Amendment, 2008 (23rd December 2008)
Overview
• Section 43 A – Personal Data Protection
• Section 66 – Computer related offences
• Section 69B – Cyber Security
• Section 67C – Intermediary responsibilities
• Section 70A & B – CERT-IN Powers
• Various Provisions – Inspections, interceptions and disclosures
Objective
• Specific provisions on data protection
• Provisions on cyber security, national security, encryption policy, cyber crimes

IT Act Rules, 2011 (11th April 2011)
Overview
• Defines Sensitive personal data or information
• Body corporate to provide policy for privacy and disclosure of information
• Collection of information
• Disclosure of information
• Transfer of information
• Reasonable Security Practices and Procedures
Objective
• Strengthen the data protection regime in the country.
• Strengthen the data protection regime in India thereby providing legal assurance to the clients, governments, regulators and end customers abroad that India is a secure destination for outsourcing.
Keeping pace with the new reality – Key considerations
Security Culture and Mindset: Establish values and behaviours to create and promote security effectiveness
Process and Technology Fundamentals: Evaluate and improve effectiveness of existing processes and technologies
Threat Intelligence: Understand the threats to your industry and your business
Monitoring and Detection: Enhance situational awareness to detect and respond to security events
Critical Asset Identification and Protection: Identify, prioritize, and protect the assets most essential to the business
Incident and Crisis Management: Develop a cross-functional incident response plan for effective crisis management
Thank you
© 2016 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited (a limited liability company in India), which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.