When, not if – Strategies on guarding against cyber risk

Nick Galletto, Marc MacKinnon


Post on 22-Jul-2020




Agenda…

Canada’s Best Managed Companies

The evolving cyber threat landscape

Anatomy of an attack

Cyber myths and realities for private companies

Transforming your defenses: Secure. Vigilant. Resilient

Closing thoughts


The evolving cyber threat landscape


The landscape is changing…

• Cyber risks are reputational and operational risks to information and assets

• External forces are transforming cyber from what has historically been a technology-driven issue to a multi-faceted business risk issue

• Customer expectations

– Third-party obligations

– Legislation

– Regulatory action

– Media attention

Examples of cyber risks:

• IP/confidential information theft
• Business disruption and outages
• Data and software loss
• Cyber crime/cyber fraud
• Breach of personally identifiable information events
• Physical asset loss
• Regulatory investigations and fines
• Reputational impact


Cyber crime is evolving in volume, sophistication, and impact

Global Cost of Cyber Crime*: $445B

$3T impact on Technology and Business Innovation**

*McAfee http://www.telegraph.co.uk/technology/internet-security/10886640/Cyber-crime-costs-global-economy-445-bn-annually.html

**WEF, Risk and Responsibility in a Hyperconnected World

Digital revolution = Business innovation and growth + new and emerging cyber threats

In the World Economic Forum’s Global Risk 2016 report, cyber risk is firmly positioned as a major risk

Cyber criminal may not be what you envision

“Today, the average age of a cyber criminal is 35, and 80% are affiliated with organized crime…. Leading to the creation of increasingly sophisticated criminal organizations …”

Business and technology trends trigger cyber risks

• New business model(s)
• Mobile workforce
• Innovative economy
• Peer to Peer Models
• Extended Enterprise
• Commoditized Data / Intelligence

Technology forces: Analytics, Cloud, Big Data, Mobile, Social, IoT


It starts with asking the right questions…

Who might attack?

• Cyber criminals
• Hacktivists (agenda driven)
• Nation states
• Malicious insiders
• Rogue suppliers
• Competitors
• Skilled individual hacker

What are they after and what key business risks must we mitigate?

• Sensitive data
• Financial fraud (e.g., wire transfer, payments)
• Business disruption (building systems, etc.)
• Threats to health and safety

What tactics might they use?

• Spear phishing, drive-by download, etc.
• Software or hardware vulnerabilities
• Third-party compromise
• Stolen credentials
• Control systems compromise
• Integrity attacks
• Ransomware


Cyber security trends 2016

• Scarcity and high cost of qualified talent in mature geographies
• Attacks more frequent, targeted, and sophisticated
• Increased number of connected systems and devices continues to expand an organization’s attack surface
• Ransomware and data integrity attacks will increase in sophistication and frequency
• Supply chain or business partner poisoning or lateral entry are on the rise
• Poor security hygiene continues to plague organizations
• Asymmetrical warfare capabilities through crime-as-a-service platform
• Rising costs of prevention and remediation
• Attack patterns increasingly looking like normal behavior


Anatomy of an attack


Anatomy of an attack

[Diagram. Labels: Pre-compromise, Compromise, Exploit, Fulfill objective; Target, Vulnerability; What, How. Your business: strategic assets, financial assets, data and intelligence.]


Cyber myths and realities for private companies


Demystifying the myths

Myth: Breaches only happen to large and publicly traded organizations

• While breaches of name-brand organizations grab the headlines, cyber attackers are increasingly targeting small and mid-sized businesses as well
• Given the lack of security and privacy regulations, the majority of breaches go unreported

Myth: We are just too small to be of interest to cyber criminals

• While one small organization in isolation may not seem like a worthwhile target, collectively they are a goldmine, or you may be either a lateral way into a much more strategic target or used to launch an attack against another target
• As many as 30,000 websites are infected every day; 80% of those belong to legitimate small businesses

Myth: Our company’s data is just not that valuable

• Your company’s data is more valuable than you think, and the cost of data breaches can be devastating.
• Between 2014 and 2015, the cost of data breaches due to malicious or criminal attacks increased from an average of $159 to $174 per record
• These costs do not include potential liability issues or intangible damage such as brand and reputation


Demystifying the myths

Myth: We feel we are secure

• Have you had someone validate that assumption?
• You need to continually manage, update and fine-tune your security systems, and keep your employees aware.
• It takes only one attacker being right once; as an enterprise, you need to defend 100 percent of the time.

Myth: We haven’t been breached to date

• Are you so sure?
• Advanced attacks and malware typically reside in infected systems for long periods of time (low/slow) before being detected, if detected at all


Top 5 cyber challenges for private companies

1. Still a major lack of enterprise risk awareness/culture – CFO ‘money scam’
2. Operate without formality and centralized security policies and standards
3. Insider threats are often ignored or not considered
4. Primary focus on locking down the perimeter, at the expense of defense in depth
5. Cyber incident response capabilities are basic or non-existent


Transforming your defenses: Secure. Vigilant. Resilient


Secure. Vigilant. Resilient.™

…Building a robust cyber risk program

Being SECURE means having risk-prioritized controls to defend critical assets against known and emerging threats.

Being VIGILANT means having threat intelligence and situational awareness to anticipate and identify harmful behavior.

Being RESILIENT means being prepared and having the ability to recover from cyber incidents and minimize their impact.

Through an ongoing program to become secure, vigilant and resilient, an organization can become more confident in its ability to experience the value of its strategic investments.


…recommendations for private companies

SECURE, VIGILANT, RESILIENT

• Fortify your organization and establish risk-prioritized controls to protect against threats
• Patch holes and manage patches
• Develop S/W securely
• Manage physical security
• Focus on what matters
• Crown jewels and relationships
• Proactively assess your cyber risk
• Know what to look for and how to detect threats (incidents and anomalies) both conventional and emerging
• Focus on awareness to build a multilayered defense
• Develop a program that encompasses your organization, employees, customers and partners
• Prepare for the inevitable
• Establish the ability to handle critical incidents, quickly return to normal operations, repair damage to the business and brand


Closing thoughts


Reality: Adversaries have motives, funding and means
Strategy: Protect the things that matter

Reality: Traditional cyber defenses are not enough
Strategy: Cyber intelligence and advanced security monitoring expand your view into threats and response capabilities

Reality: Your organization is a target
Strategy: Be proactive: align, assess, educate, monitor, and practice

Reality: Focusing on “secure” only provides a false sense of security
Strategy: Be secure, vigilant, and resilient

Reality: You can’t go at it alone
Strategy: Understand where you need help and engage a managed security service provider


Questions


Marc MacKinnon, Toronto Cyber Risk Services Leader, Deloitte

Thank you
