Cyber Security in Real Estate

Transcription

1 Cyber Security in Real Estate Protecting against a very real risk Mark Brown Executive Director, Cyber Security & Resilience

2 The question is not if your company will be breached, or even when. It has already happened. The real questions are: are you aware of it, and how well are you protected for the future?

3 Increasing cyber risk

4 Cyber attacks are now headline news Why effective cybersecurity is increasingly complex to deliver The security defences of organisations are under increasing pressure, further eroding the traditional perimeter and, in turn, creating more motivation for threat actors. Reporting of cyber breaches is now common place and Boardrooms are recognising the impact not just on technology but on the corporate brand when a breach occurs. Page 4

5 Today s cyber security threat Business now is dependent on technology. Digital systems are now the lifeblood of your company - they also have the potential to bring about its demise. Given the mission-critical nature of data in nearly every aspect of modern enterprise, organisations are facing not simply escalating risk, but the nearcertainty that they will suffer an Cyber security breach. Cyber security threats are evolving with unparalleled speed, complexity and impact, with reported breaches of Cyber security rising annually by more than 50% - organisations are no longer asking are we secure, but how can we ensure that the information most important to our business will be secure enough? The harsh reality of today s cyber threat environment means that there may be only two kinds of organisations - those that have been breached and know it, and those that remain dangerously oblivious to it. Which are you? Page 5

6 Cyber security threats are constantly evolving Cyber security threats are constantly evolving, and target global corporations. Attackers today are patient, persistent, and sophisticated, and attack not only technology, but increasingly, people and processes. The challenges faced today that have altered expectations, strained resources, and caused a paradigm shift in Cyber security processes. Page 6

7 Board responsibility Page 7

8 Cyber security is an organisational risk issue that belongs in the boardroom Organisations are still struggling to deliver the right response to the mounting risks. In particular, they find it hard to align their security strategies with their real-world business strategies. The best prepared businesses now recognise that responsibility for deflecting cyber-attacks can no longer be shunted off to their IT departments. This is a boardroom issue. The only sure way to counter the threat is with a strategic approach that roots your digital security in the real world of your business, whatever the sector. Page 8

9 Changing the way real estate organisations think about Cyber security With so much at stake intellectual property, customer, operations and financial data, and organisational reputation informed leaders are realising that it is time for a fundamental rethink of how Cyber security is understood and positioned within their organisation. Organisations need to view their Cyber Security function in a new light. Today s cybersecurity programs need to fight cyber threats, but they are also challenged to effectively deliver value while managing business risk. Cybersecurity is not a barrier to fast-paced emerging technology and go-to-market strategies - when done right, it gives you a competitive advantage. Your Cybersecurity function should be a strategic advisor to the business. Page 9

10 Why are Real Estate organisations reluctant to tackle cyber security? A crowded agenda Cyber security is just one of many pressing issues demanding attention, particularly during economic uncertainty The IT silo Digital security has traditionally been viewed as an IT issue - protecting the IT systems that process and store information rather than on the strategic value of the information itself. Not our problem Cyber security is often (wrongly) viewed as a significant problem only in sectors like the military or financial services. The risks are difficult to gauge Cyber threats are hard to predict, making the risks and potential impact difficult to gauge. Senior leaders may feel they lack the expertise necessary to make enterprisewide decisions or may be wary of being pulled too deeply into technical processes. Invisible pay-off With scarce resources, it s hard to invest money, people and time in the unknown and unpredictable. Page 10

11 Balancing cost, risk and value Cyber security programs struggle with the balancing act of reducing costs while identifying gaps in existing security capabilities; and making strategic prioritised investments to address business needs, increase value to the organisation, and keep the organisation secure. Page 11

12 Building Information Modelling (BIM) Systems a real life example Building information modelling (BIM) is the creation of a digital prototype of an entity s design, construction and future function. Every bolt, pile and piece of track bed laid by HS2 will have started life as a digital representation. Currently being explored for full use by Crossrail, HS2 plan to create a full model of the rail line from London to Birmingham. Created centrally and shared with multiple parties, BIM enables collaborative working across teams and allows modern asset management beyond the build stage. BIM greatly leverages the value of information across multiple parties, enabling gains in project time, cost and quality. Crossrail s use of BIM for Liverpool Street Station innovation/ Arup Mott McDonald Laing O Rourke Bombardier BIM High Speed 2 railway line Watson s Steel Balfour Beatty CH2M Hill Ferrovial Siemens Page 12

13 Potential solutions Page 13

14 Being attacked is unavoidable, so how prepared are you? Can you answer yes to these five key questions? 5. Do you have a plan to react to an attack and minimise the harm caused? Valued assets 4. Would you know if you were being attacked and if the assets have been compromised? Intellectual property 3. Do you understand how these assets could be accessed or disrupted? People information 2. Do you know how your business plans could make these assets more vulnerable? 1. Do you know what you have that others may want? Financial information Business information (strategy performance transactions) Page 14

15 Cyber security system building blocks - the 3A s What it is Cybersecurity system building blocks Status Anticipate is about looking into the unknown. Based on cyber threat intelligence, potential hacks are identified; measures are taken before any damage is done. Adapt is about change. The cybersecurity system is changing when the environment is changing. It is focused on protecting the business of tomorrow. Activate sets the stage. It is a complex set of cybersecurity measures focused on protecting the business as it is today. Anticipate Adapt Activate Anticipate is an emerging level. More and more organisations are using cyber threat intelligence to get ahead of cybercrime. It is an innovative addition to the below. Adapt is not broadly implemented yet. It is not common practice to assess the cybersecurity implications every time an organisation makes changes in the business. Activate is part of the cybersecurity system of every organisation. Not all necessary measures are taken yet; there is still a lot to do. Page 15

16 Building Information Modelling (BIM) and Cybersecurity Think of an action film with a planned heist or attack; it might be The Italian Job, Die Hard or Mission Impossible. Blueprints of a building are accessed, analysed and the strategy planned using them. Vulnerabilities in air conditioning ducts, power lines and the comms room are all detailed on BIM databases, making them desirable to threat actors. Potential threat actors include: Organised crime for financial gain signers_unveil_designs_for_highspeed_train_for_british_rail_ the_mercury.php Terrorism through safety & security fears State sponsored attacks through espionage Real estate organisations should ensure that they protect against this threat through services including: Third party assurance security reviews Continuous monitoring of supplier security compliance Penetration testing of BIM solutions Major construction projects use BIM leveraging the experience of: Engineering consultancies Construction Asset owners SaaS BIM providers Page 16

17 Cycle of improvement in cyber risk management Take charge Ensure visible executive management leadership Executive leader accountability, all business leaders tied in through scorecards Accept tough decisions and set timetable Reassess and continue Be willing to change and continue driving change Measure against defined metrics and track improvement Manage risks and dependencies Challenge through critical thinking and assessment Seek external advice Never-ending cycle of improvement Spread the word Integrate and align cybersecurity strategy with key business and strategy Establish network of champions across the organisation to drive integration and cyber enabled business performance Build awareness and confidence that everyone feels responsible for Implement and innovate Deliver enterprise-wide improvement program Be bold and creative in transforming thinking and operations Ensure a proportional and pragmatic cyber risk response not based on compliance Page 17

18 Further information See the full report: Get ahead of cybercrime EY s Global Information Security Survey 2014: View more of EY s insights on cybersecurity on: For further GRC thought leadership, please refer to our Insights on governance, risk and compliance series on: To discuss your cybersecurity issues further, please contact: Mark Brown Executive Director - Cyber Security & Resilience : : : mbrown1@uk.ey.com Page 18

19 EY Assurance Tax Transactions Advisory Ernst & Young LLP Ernst & Young LLP. Published in the UK. All Rights Reserved. The UK firm Ernst & Young LLP is a limited liability partnership registered in England and Wales with registered number OC and is a member firm of Ernst & Young Global Limited. Ernst & Young LLP, 1 More London Place, London, SE1 2AF. ey.com