Get ahead of cybercrime. EY s 2014 Global Information Security Survey

Transcription

1 Get ahead of cybercrime EY s 2014 Global Information Security Survey

2 Agenda Introduction The cyber threat landscape The journey to cybersecurity maturity Activate Adapt Anticipate Summary Page 2

3 EY s Global information Security Survey 2014 EY s Global Information Security Survey (GISS) 2014 captures the responses of 1,825 C-suite leaders and Information Security and IT executives/managers, representing most of the world s largest and most-recognized global companies. Responses were received from 60 countries around the world and across nearly all industries. This is the 17th year the survey has taken place it provides EY with some of our most valuable insights into the state of cybersecurity today. Page 3

4 Helping you get ahead of cybercrime Today we will: Identify global changes in the cybersecurity landscape Look at the ways organizations are coping with cybersecurity at the moment Discuss how you can improve your current cybersecurity approach Suggest what you need to do to proactively get ahead of cybercrime Page 4

5 The cyber threat landscape Page 5

6 Cybersecurity What is the current risk landscape? Resources devoted to cyber-based threats are expected to eclipse resources devoted to terrorism. The Honorable James B. Comey, Jr., Director of the Federal Bureau of Investigation, Statement of the Federal Bureau of Investigation before the Committee on Homeland Security and Governmental Affairs, United States Senate, November 14, The constant threat of cyber attack is real, lasting and cannot be ignored. Luis Aguilar, Commissioner of the Securities and Exchange Commission SEC Cybersecurity Roundtable, March 26, Page 6

7 Cyber attacks are headline news What everyone wants to know is what can organizations do about cybercrime? It is no longer possible to prevent attacks or breaches With organizations increasingly relying on vast amounts of digital data to do business, cybercrime is growing ever more damaging to an organization and its brands The interconnectivity of people, devices and organizations opens up new vulnerabilities New technologies, regulatory pressure and changing business requirements call for more security measures What organizations used to know and do to protect their most valued information is no longer enough 56% of EY 2014 Global Information Security Survey (GISS) respondents say that it is unlikely or highly unlikely that their organization would be able to detect a sophisticated attack Page 7

8 GISS 2014 results: Who or what do you consider the most likely source of an attack? Respondents were asked to choose all that apply. Employee 57% External contractor working on our site 35% Customer Supplier Other business partner 10% 12% 14% Criminal syndicates 53% State sponsored attacker 27% Hacktivists 46% Lone wolf hacker 41% Page 8

9 Organizations are simply not prepared for today s cyber threats - never mind tomorrow s 56% of GISS 2014 respondents say that it is unlikely or highly unlikely that their organization would be able to detect a sophisticated attack. Page 9

10 GISS 2014 results: Roadblocks 43% of respondents say that their organization s total information security budget will stay approximately the same in the coming 12 months and a further 5% said that their budget will actually decrease. 53% of organizations say that lack of skilled resources is one of the main obstacles that challenge their information security. Page 10

11 GISS 2014 results: Budget restrictions 63% cite budget constraints as the main obstacle to making a contribution and delivering value. Nearly 50% will see no increase in budget over the coming 12 months. Page 11

12 The journey to cybersecurity maturity - Activate > Adapt > Anticipate Page 12

13 How do you get ahead of cybercrime? Focus on the three As. Page 13

14 Metrics Leadership discussions Incident management Activate. Adapt. Anticipate. Where are you? ACTIVATE ADAPT ANTICIPATE A foundational approach Bolt-on cybersecurity A focus on safeguarding the current environment A static approach A dynamic approach Built-in cybersecurity A focus on the changing environment A dynamic approach A proactive approach Built-beyond cybersecurity A focus on the future environment A proactive approach Where am I? Check the boxes below and identify how many of the characteristics of your organization meet the Activate profile. Check the boxes below and identify how many of the characteristics of your organization meet the Adapt profile Check the boxes below and identify how many of the characteristics of your organization meet the Anticipate profile Never had an incident Third party releases information publicly or notifies you Unsure who would respond No single person nominated to disclose information publicly No incident response plan Organization identifies and reacts to its own incidents Incident response plan notifications of participation Incident response teams include IT leadership Public relations established Acceptance a breach will occur, or has already occurred Organization prepares for oncoming breaches based on threat scenarios Corporate senior leadership is part of response team External communication is controlled and fact--based defensible positions Not a boardroom issue Leadership conversations focus on tools and policies Business not engaged as security leadership team Disaster recovery plans Regulatory landscape and impacts IT leadership and business leaders discuss reality of breach occurrence and impact Standing boardroom agenda item IT leadership and business leaders discuss how security enhances business Leadership level cooperation with peers Headcount Maturity models Budget Page 14 Compliance Attacks/incidents Revenue support/growth/protection from Revenue impact of breach security Advanced risk analysis and scoring Alignment to business objectives

15 Activate Page 15

16 Activate: the need to establish foundations Organizations in this level can only deal with threats in a world without change. They will typically have these capability shortfalls: Bolt-on cybersecurity Cybersecurity has been added on to current business processes and activities, but it has not yet been integrated into the business. A focus on safeguarding the current environment Cybersecurity starts with looking at the risks the organization is already aware of based on prior experience; the focus is on risk assessments, controls efficiency and risk mitigation A static approach Cybersecurity aims to enable the business to carry out its known and regular day-to-day functions securely. It will be rule-based and compliance-driven, relying on metric-driven reporting. Page 16

17 The foundational components of cybersecurity Component What are the issues? Implications Executive buy-in Leadership on cybersecurity strategy, plan and execution comes from lower organizational levels or is seen as an IT issue. There is not a consistent threat management system in place; threats are not regularly discussed in the boardroom. Organizations need to involve senior leadership in cybersecurity. Lack of executive buy-in opens the doors to mistakes and cyber criminals; cybersecurity will miss the necessary direction and investments Resources Cybersecurity tasks are not adequately resourced and/or performed by skilled people. Cybersecurity teams do not have visibility and knowledge about attacks Performance Many organizations are spread too thin: they maintain too many cyber capabilities and as a result with moderate effectiveness. The effectiveness of cybersecurity is not measured. Cyber threats are overlooked or the response is too late. Cyber criminals successful using phishing are a result of a lack of security awareness. Foundational cybersecurity processes are not working properly, leaving a broad range of options for those performing an advanced persistent threat (APT). Access to data Employees are a risk to cybersecurity, and their Identity and Access management (IAM) program is weak Excessive manual processing and irregular reviews or reports make it too easy for employees to have inappropriate access to data. Movers, leavers and joiners are a key cyber risk area. We have seen that employees are seen as a huge threat for cybersecurity; while organizations are looking for hackers coming in from the outside, fraud is already happening from the inside. Cost vs. value Too many organizations view the costs of cybersecurity as considerable Organizations do not appreciate the benefits of the measures they already have. Page 17 Organizations significantly underestimate the potential cost of a cyber Get ahead attack. of cybercrime EY s Global Information Security Survey 2014 Organizations must understand they are under daily attack, the attackers show no signs of giving up, they are getting smarter and more targeted. The next breach could be fatal.

18 GISS 2014 results: lack of real time insight on cyber risk 42% of organizations do not have a SOC. 37% say that real time insight on cyber risk is not available. Page 18

19 GISS 2014 results: How long on average does it take for your SOC to initiate an investigation on discovered/ alerted incidents? Respondents were asked to choose one. Within 10 minutes 12% Within 1 hour 25% Within 4 hours 13% Within 1 day 13% Longer than 1 day 4% Unknown 33% Page 19

20 Foundational activities all organizations need to activate 1. Conduct a cyber threat assessment and design an implementation roadmap 2. Get Board-level support for a security transformation 3. Review and update security policies, procedures and supporting standards 4. Establish a Security Operations Center (SOC) Develop monitoring and incident response procedures 5. Design and implement cybersecurity controls Assess the effectiveness of data loss prevention and identity and access management processes. Harden the security of IT assets. 6. Test business continuity plans and incident response procedures Page 20

21 Adapt Page 21

22 Cybersecurity not aligned to the business In order to get ahead of cybercrime, it is essential to keep your cybersecurity measures 100% aligned with your business. Organizations are continuing to improve their cybersecurity, but the changes in the threat are travelling at an even faster rate, meaning they are effectively going backwards Instead of an expected increase in the number of organizations reporting that their Information Security function fully meets the needs of their organization, our survey found a decrease Instead of an increase in the number of organizations reporting that their Information Security function partially meets their needs and that improvements are under way, there has been a decrease of 5%. Page 22

23 Make vital improvements Improve your Security Operating Center SOCs are overly focused on the technology. Interaction with the business is key Create a core cybersecurity team By establishing the cybersecurity knowledge in a core team, organizations will be able to adapt to new threats more easily Focus on training, skills and awareness Establish accountability Make cybersecurity a performance metric Take breaches of information security protocols very seriously Make employees the eyes and ears of the organization Go beyond the borders Consider the impact of an attack on your business ecosystem Share best practice with your business partners, suppliers and vendors Page 23

24 Anticipate Page 24

25 Being attacked is unavoidable, so how prepared are you? Can you answer yes to these five key questions? 5. Do you have a plan to react to an attack and minimize the harm caused? Valued assets 4. Would you know if you were being attacked and if the assets have been compromised? Intellectual property 3. Do you understand how these assets could be accessed or disrupted? People information 2. Do you know how your business plans could make these assets more vulnerable? 1. Do you know what you have that others may want? Financial information Business information (strategy performance transactions) Page 25

26 GISS 2014 results: Which statement best describes the maturity of your threat intelligence program? We do not have a threat intelligence program 36% We have an informal threat intelligence program that incorporates information from trusted third parties and distribution lists 32% We have a formal threat intelligence program that includes subscription threat feeds from external providers and internal sources, such as a security incident and event management tool 17% We have a threat intelligence team that collects internal and external threat and vulnerability feeds to analyze for credibility and relevance in our environment 10% We have an advanced threat intelligence function with internal and external feeds, dedicated intelligence analysts and external advisors that evaluate information for credibility, relevance and exposure against threat actors 5% Page 26

27 GISS 2014 results: Organizations are not planning for the future 58% of organizations do not have a role or department focused on emerging technologies and their impact on information security. 36% of respondents do not have a threat intelligence program. Page 27

28 Limit the damage of cyber incidents be prepared Poor handling of cyber incidents (internally and externally) have led to harsh impacts on many companies. Be confident that everyone knows exactly what to do if an attack takes place. Be ready to set in motion the appropriate handling mechanisms for a breach. Consider stakeholders, customers, employees, PR, regulators, etc. Being in a state of readiness requires that the organization will have already rehearsed many different attack scenarios Introduce board-level cybersecurity simulations and war gaming Page 28

29 Anticipate: take action - and get ahead 1. Design and implement a cyber threat intelligence strategy Use threat intelligence to support strategic business decisions 2. Define and encompass the organization s extended cybersecurity ecosystem Define RACI and trust models and enact cooperation, sharing capabilities where advantageous 3. Take a cyber economic approach Understand the value of your most vital cyber assets 4. Use forensics and analytics Use the latest technical tools to analyze where the likely threats are coming from and when 5. Ensure everyone understands what s happening Strong governance, user controls and regular communications Page 29

30 Summary Page 30

31 Take the initiative to get ahead of cybercrime Organizations must look ahead and look beyond the business new threats are being created today and you need to get ahead of the game. Proactive, intelligent cybersecurity should become the norm for every organization. The focus should be on enhancing the cybersecurity capabilities and outlook of your organization: 1. Mastering the foundation 2. Introducing innovative new approaches 3. Using powerful new tools making you stronger and safer than ever. Take the initiative to take away the power of the hacker and get ahead of cybercrime Page 31

32 Cybersecurity system building blocks - the 3A s What it is Cybersecurity system building blocks Status Anticipate is about looking into the unknown. Based on cyber threat intelligence, potential hacks are identified; measures are taken before any damage is done. Adapt is about change. The cybersecurity system is changing when the environment is changing. It is focused on protecting the business of tomorrow. Activate sets the stage. It is a complex set of cybersecurity measures focused on protecting the business as it is today. Anticipate Adapt Activate Anticipate is an emerging level. More and more organizations are using cyber threat intelligence to get ahead of cybercrime. It is an innovative addition to the below. Adapt is not broadly implemented yet. It is not common practice to assess the cybersecurity implications every time an organization makes changes in the business. Activate is part of the cybersecurity system of every organization. Not all necessary measures are taken yet; there is still a lot to do. Page 32

33 Feel free to contact me Terry Jost Principal EY Dallas, TX Page 33

34 Further information See the full report: Get ahead of cybercrime EY s Global Information Security Survey 2014: View more of EY s insights on cybersecurity on: For further GRC thought leadership, please refer to our Insights on governance, risk and compliance series on: To discuss your cybersecurity issues further, please contact your EY representative: Page 34

35 Want to learn more? Please visit our Insights on governance, risk and compliance series at Cyber program management: identifying ways to get ahead of cybercrime Achieving resilience in the cyber ecosystem To be published December 2014 Cyber threat intelligence: how to get ahead of cybercrime Published November 2014 Security Operations Centers - helping you get ahead of cybercrime Privacy trends 2014: privacy protection in the age of technology Maximizing the value of a data protection program Identity and access management: beyond compliance Building trust in the cloud: creating confidence in your cloud ecosystem Big data: changing the way businesses compete and operate Page 35

36 Disclaimer This presentation is proprietary to Ernst & Young LLP and the information contained herein is confidential. Without Ernst & Young LLP s prior written permission, this document, either in whole or in part, must not be reproduced in any form or by any means or disclosed to others or used for purposes other than its evaluation. It may not be disclosed to any third party even for the purposes of evaluation, except as expressly authorized by Ernst & Young LLP in each case. Where we have mentioned our clients by name we stipulate that no contact be made with any such client without our prior written approval in each case. Any comments on, or opinions stated in this presentation regarding the functional and technical capabilities of any products proposed or referred to in this presentation, whether or not expressed as being those of Ernst & Young LLP, are based on the information provided by the product vendors to Ernst & Young LLP and, while Ernst & Young LLP does not have reason to believe that this information is in any way inaccurate or incomplete, responsibility for its accuracy and completeness does not rest with Ernst & Young LLP. While care and attention has been exercised in the preparation of this document, it remains subject to contract and all warranties whether express or implied by statute, law or otherwise are hereby disclaimed and excluded. Page 36