www.pwc.com

Safeguarding company from cyber-crimes and other technology scams
ASSOCHAM
Rahul Aggarwal - Director
The new digital business ecosystem is complex and highly interconnected

The new business ecosystem: industry, customers, consumers, the enterprise, suppliers, service providers and JV/partners are all interconnected. Six forces will together define future security models:
1. An always on, always connected world
2. Data explosion
3. Infrastructure revolution
4. Future finance
5. Tougher regulations and standards
6. New identity and trust models
Evolving business ecosystem

Advancements in technology: adoption of cloud-enabled services; Internet of Things (IoT) security implications; BYOD usage
Value chain collaboration and information sharing: persistent third party integration; tiered partner access requirements; usage and storage of critical assets throughout the ecosystem
Operational fragility: real-time operations; product manufacturing; service delivery; customer experience
Business objectives and initiatives: M&A transactions; emerging market expansion; sensitive activities of interest to adversaries

These are unmanaged risks with potential long-term, strategic implications. Historical headlines have primarily been driven by compliance and disclosure requirements; however, the real impact is often not recognized, appreciated, or reported. Cybersecurity must be viewed as a strategic business imperative in order to protect brand, competitive advantage, and shareholder value.
Information security incidents rising globally

Examples of campaigns seen worldwide: Red October, BlackEnergy, Regin, Shamoon
Cyber crime ranks as one of the top economic crimes perceived by businesses across the world; it is the second most important economic crime across the world.

Types of economic crime experienced (2014 vs 2016)
                          2014   2016
Money laundering           11%    11%
Human resources fraud      15%    12%
Accounting fraud           22%    18%
Procurement fraud          29%    23%
Bribery and corruption     27%    24%
Cybercrime                 24%    32%
Asset misappropriation     69%    64%

Source: Global Economic Crime Survey 2016
Security incidents have increased multi-fold in the last couple of years

Security incidents handled by CERT-In, by year
2010: 10,315
2011: 13,301
2012: 22,060
2013: 71,780
2014: 130,338

Security incidents in 2014, by type
1. Phishing: 1,122
2. Network scanning/probing: 3,317
3. Virus/malicious code: 4,307
4. Website defacements: 25,037
5. Spam: 85,659
6. Website intrusion and malware propagation: 7,286
7. Others: 3,610
Total: 130,338

Source: CERT-In Annual Report 2014, http://www.cert-in.org.in/
The number of cyber crime cases registered under the IT Act in India is increasing at an alarming rate

Cyber crime has been increasing at an alarming rate in India. The number of cyber crime cases registered under the IT Act in 2011 was 1,791, an 85% increase since 2010. This increased to 2,876 in 2012, 4,356 in 2013 and 7,201 in 2014.

Cyber crime cases registered under the IT Act in India, by year
2008: 288
2009: 420
2010: 966
2011: 1,791
2012: 2,876
2013: 4,356
2014: 7,201

A significant increase in the number of registered cases.

Source: Crime in India reports 2011-2014 (National Crime Records Bureau), analysis
Financial losses increased two-fold: losses increased by 135% over the previous year

Impact of security incidents on business and data

Data
Employee records compromised: 38%
Customer records compromised: 44%
Loss or damage of internal records: 40%

Business
Unknown: 10%
Other: 8%
Legal exposure/lawsuit: 17%
Loss of customers: 31%
Brand/reputation compromised: 32%
Theft of 'hard' intellectual property: 25%
Theft of 'soft' intellectual property: 38%
Financial losses: 36%

Source: Global State of Information Security Survey
Security incidents caused by insiders have dominated those caused by external actors.

Chart: ratio of security incidents caused by insiders as compared to external actors, 2012 to 2015 (values shown in the chart: 2.2, 1.1, 0.9, 1.5).

Source: Global State of Information Security Survey
Third party security focus should be a top priority

In today's interconnected ecosystem, the compliance of third parties with relevant security policies and procedures is important to maintain the overall security posture of the organization. 24% of respondents cited former business partners and suppliers as causes of incidents. Surprisingly, we noted that 50% of companies do not ensure that third parties comply with their privacy policies, and around 40% of total organisations do not have established baseline standards for third parties.

Third party security measures in place
Compliance with privacy policies: 50%
Compliance audit to check PII safeguards: 55%
Established security baselines/standards: 62%

Source: Global State of Information Security Survey
Technological investments required to fight cyber crime

Vulnerability scanning tools have seen an increase in adoption, up from 57% to 62%. Intrusion detection tools have increased from 55% to 62%. 53% of organizations have listed implementation of newer technologies as their top priority in the next 12 months.

Organizations adopting various security technologies (2014 vs 2015)
                                          2014   2015
Use of virtual desktop interface (VDI)     53%    56%
Malware or virus protection software       68%    71%
Vulnerability scanning tools               57%    62%
Intrusion detection tools                  55%    62%
Tools to discover unauthorised devices     53%    59%
Malicious code detection tools             56%    61%
Biometrics                                 52%    58%

Source: Global State of Information Security Survey
Organizations collaborate, and the involvement of executives and the board evolves

As more businesses share more data with an expanding roster of partners and customers, it makes sense for them to swap intelligence on cyber security threats and responses. Indeed, over the past three years, the number of organisations embracing external collaboration has steadily increased.

Benefits of external collaboration
Share and receive information from industry peers: 63%
Improved threat intelligence and awareness: 58%
Share and receive information from government: 46%
Share and receive more information from law enforcement: 46%
Receive more timely threat intelligence alerts: 49%

Benefits of board participation
Identification and communication of key risks: 51%
Encouragement of organisational culture of information security: 50%
Information security programme funding: 51%
Internal and external collaboration and communications: 38%

Source: Global State of Information Security Survey
Taking measures to address the risks due to emerging technologies

Internet of Things (IoT)
IoT has come a long way from being a futuristic concept just a few years ago to transforming into real products, services, and applications; this offers miscreants an enlarged surface area to attack, leading to highly publicized consequences.

Going mobile with payments
With the increase in sales of smartphones and access to the Internet, m-commerce and m-payment are set to grow rapidly. However, they also bring with them cyber, privacy and compliance risks that organisations need to address.

Chart: steps taken to secure mobile payment services. Items: work with issuing banks; strong authentication; tokenisation and encryption; protection of customer personal information; end-user risks and vulnerabilities; verification/provisioning processes; risks related to hardware/device platforms; risks related to malware/malicious apps. Reported values range from 41% to 64%.

Source: Global State of Information Security Survey
The big impact of Big Data

In a world where data is gaining importance, and companies are leveraging big data analytics for business decisions, a growing number of organizations are also employing big data analytics to monitor security threats, quickly respond to incidents, and audit and review data to understand how it is used, by whom and when.

Source: Global State of Information Security Survey
The legal framework in India for privacy and data security

IT Act, 2000 (9th June 2000)
Overview: legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication; penal actions for violations.
Key provisions:
- Legal recognition for e-commerce
- Digital signatures and regulatory regime for digital signatures
- Electronic documents are now treated at par with paper documents
- E-governance
- Electronic filing of documents
- Defines civil wrongs, offences, punishments
- Appellate regime
- Right of investigation and adjudication

IT Act Amendment, 2008 (23rd December 2008)
Overview: specific provisions on data protection; provisions on cyber security, national security, encryption policy, cyber crimes.
Objective: strengthen the data protection regime in the country.
Key provisions:
- Section 43A: personal data protection
- Section 66: computer related offences
- Section 69B: cyber security
- Section 67C: intermediary responsibilities
- Section 70A and 70B: CERT-In powers
- Various provisions: inspections, interceptions and disclosures

IT Act Rules, 2011 (11th April 2011)
Objective: strengthen the data protection regime in India, thereby providing legal assurance to clients, governments, regulators and end customers abroad that India is a secure destination for outsourcing.
Key provisions:
- Defines sensitive personal data or information
- Body corporate to provide a policy for privacy and disclosure of information
- Collection of information
- Disclosure of information
- Transfer of information
- Reasonable security practices and procedures
Keeping pace with the new reality: key considerations

Critical asset identification and protection: identify, prioritize, and protect the assets most essential to the business
Threat intelligence: understand the threats to your industry and your business
Process and technology fundamentals: evaluate and improve the effectiveness of existing processes and technologies
Monitoring and detection: enhance situational awareness to detect and respond to security events
Incident and crisis management: develop a cross-functional incident response plan for effective crisis management
Security culture and mindset: establish values and behaviours to create and promote security effectiveness
Thank you

© 2016 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers Private Limited (a limited liability company in India), which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.