The Cyber Savvy CEO Getting to grips with today s growing cyber-threats

Transcription

1 The Cyber Savvy CEO Getting to grips with today s growing cyber-threats

2 Unprecedented opportunities The cyber domain is a world of opportunity yet media coverage of attacks has created a perception that it is mainly characterised by threats and risks Business and government must raise their game as cyber is different from the traditional physical world: it is an environment without barriers Organisations need to reshape themselves, by adopting new structures, governance and roles that transform their ability to manage cyber opportunities and threats Making your firm cyber-ready is not easy, and requires an organisation-wide initiative which only comes with a shift in top management s attitude. Ajay Bhalla Professor Cass Business School UK 2

3 s taxonomy of attacks Financial crime - This involves criminals, often highly organised and well-funded using technology as a tool to steal money and other assets Espionage - Theft of intellectual property is a persistent threat, and the victims often do not even know it has happened Warfare - This may involve states attacking private sector organisations and especially the critical national infrastructure Terrorism - This overlaps with warfare but attacks are undertaken by (possibly state-backed) terrorist groups, again attacking either state or private assets Activism - This overlaps with other categories, but the attacks are undertaken by proponents of an idealistic cause In a recent / Information Security Forum Quick Poll - 85% of the organisations had suffered a cyber-attack in the past six months 3

4 Some key barriers to effective cyber security The people engaged in securing cyberspace face the challenge of continuing to raise their game faster than the attackers Cyber security is still pigeon-holed as an IT issue, creating a communications gap between managers in the business and the security teams Traditional organisational structures tend to be too slow and rigid to enable the speed and flexibility of response needed in the cyber world The cyber world continues to represent a powerful and effective way for HMRC to engage with and support its customers. It also presents a series of new challenges and risks which need to be fully understood. Jeff Brooker Director HMRC UK 4

5 There are a broad range of emerging drivers Processes and people are overlooked components when developing approaches to cyber security There will be a reversion to technology driven by increases in the volume of data, speed of processing and communication technology, and the emergence of more complex threats Infrastructure revolution Data explosion An always-on, always-connected world Future finance Tougher regulation and standards Multiple internets New identity and trust models 5

6 1 Infrastructure revolution Business in the cyber world means a disruption of traditional perimeter thinking. The task of cyber security is to enable users doing their business securely, everywhere, on every device, with everyone. Dr. Gunter Bitz SAP Germany Communication infrastructure is evolving in a number of ways: Substantial increase in penetration of high speed broadband and wireless networks Centralisation of computing resources and widespread adoption of cloud computing Proliferation of IP (internet protocol) connected devices and growth in functionality Blurring work/personal life divide and Bring Your Own approach to enterprise IT Evolution in user interfaces and emergence of potentially disruptive technologies 6

7 2 Data explosion We will see much more automated attacks systems that can data mine from social networking sites, making highly customised, realistic looking attacks. There is also likely to be more targeting of high value individuals or high value groups. Cyber Security Expert The volume of electronic data at rest and in motion is growing rapidly as is the nature of data itself. Over the next decade, there will be: - Greater sharing of sensitive data between organisations and individuals - A multiplication of devices and applications generating traffic - A significant increase in visual data - Greater automated traffic from devices - A greater need for the classification of data 7

8 3 Security will become the enabler. It will allow individuals living in tomorrow s collaborative world to use any device they want for personal or business uses. Virtual business applications will run on these devices, using federated security services provided through the cloud. Jason Creasy Information Security Forum UK An always on, always connected world Connectivity is set to increase significantly in a number of ways: Greater connectivity between people driven by social networking and other platforms Increasingly seamless connectivity between devices Increasing information connectivity and data mining Increased critical national infrastructure (CNI) and public services connectivity 8

9 4 Future finance There is demand for anonymous electronic payments. There is no current equivalent to cash and even the new contactless payment cards leave a paper trail. Cyber Security Expert A significant proportion of cyber crime is financially motivated. Key developments in e-finance over the next decade will include: Rising levels of electronic and mobile commerce and banking Growth in new payment models Development of new banking models Emergence of digital cash 9

10 Privacy will be profoundly shaped by companies desires to share information for business intelligence and to derive revenue from direct and interactive marketing, the increasing inclusion of specific security controls in privacy laws, and the changes and the advent of electronic health records. 5 Jim Koenig LLP US Tougher regulation and standards Regulation and standards will be important drivers but will need to keep pace and evolve as technology and its uses develop. There are three key themes that will impact organisations: Increasing regulation relating to privacy Globalisation and net neutrality as opposing forces to regulation and standardisation Increasing standards on cyber security 10

11 6 In the future, there may be a centralised agency overseeing the internet law enforcement function. There may even be two levels of the internet the policed bit and the anarchic bit. Julia Harris BBC UK Multiple internets, will one size fit all? There are a number of trends that could potentially lead to segmentation of the web: Greater censorship Political motivations driving new state/regional internets New more secure internets Evolution in user interfaces and emergence of potentially disruptive technologies Closed social networks Growth in paid content 11

12 7 New identity and trust models You can t just assume that an eye scan offers better protection than a username and password. The scan can still be manipulated by a hacker, who may try to switch out the master scan with their own. If you go to DNA identification, then people will get blood samples from hospitals. Every lock has a key. James Carnell Cyveillance UK Identity and trust are key concepts to all aspects of cyber security and will be increasingly important as: The effectiveness of current identity concepts continues to decline Identity becomes increasingly important in the move from perimeter to information based security New models of trust develop for people, infrastructure, including devices, and data 12

13 Five steps to the cyber-ready organisation 1. Clarify roles and responsibilities at the C-suite This may require the creation of new roles at boardroom level 2. Achieve 360-degree situational awareness Gain a clear understanding of the scope and scale of the organisation s evolving cyber risks and opportunities 3. Create a cyber response team which cuts across the organisation Organisations should create a cyber response team to ensure information, intelligence and decisions can flow quickly 4. Nurture and share skills Invest in skills for the cyber world 5. Take an active and transparent stance Adopt a more active stance towards attackers 13

14 Thank you Questions? William Beer This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it PricewaterhouseCoopers LLP. All rights reserved. In this document, "" refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom), which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. HB CG