Embed Size (px)
Citation preview
Cyber Risk– a threat to energy securityBy Vincent Loy, PwC
October 2014
PwC
Agenda
1
• Cyber- Opportunities and Threats
• Cyber Threats – Why, Who, What and How?
• Where are We?
• Putting Cyber Threats in Perspective
PwC
2
• Cyber- Opportunities and Threats
PwCDRAFT
PwC
The New Global Business Ecosystem- The Opportunities
Enterprise
Consumer
Suppliers
JV/Partners
ServiceProviders
Customer
Industry/Competitors
Technology
En
vir
on
me
nta
l
Economic
• An increase in reliance on technology
• Technology-led innovation has enabledbusiness models to evolve
• Convergence of information technology,operational technology and consumertechnology
• Information and data throughout thebusiness ecosystem
• The extended enterprise has movedbeyond supply chain and consumerintegration
• Connectivity and collaboration nowextends to all facets of business
• Transactions and operations spanningmultiple parties
• Organisations built on trust andcollaboration
PwC
The New Global Business Ecosystem- The Risks
5
Pressures and changes whichcreate opportunity and risk
• Traditional boundaries have shifted; companiesoperate in a dynamic environment that isincreasingly interconnected, integrated, andinterdependent.
• The ecosystem is built around a model ofopen collaboration and trust—the veryattributes being exploited by an increasingnumber of global adversaries.
• Constant information flow is the lifebloodof the business ecosystem. Data isdistributed and disbursed throughout theecosystem, expanding the domain requiringprotection.
• Adversaries are actively targeting criticalassets throughout the ecosystem—significantlyincreasing the exposure and impact tobusinesses.
• Years of underinvestment in security hasimpacted organizations’ ability to adapt andrespond to evolving, dynamic cyber risks.
PwC
6
• Cyber Threats – Who, What and How?
PwC
Who are we protecting against
NationState
Hacktivism
OrganisedCrime
CyberTerrorists
INSIDER
DRAFT
PwC
The Actors and The Information They Target
8
Adversary
Input from Office of the National Counterintelligence Executive, Report to Congresson the Foreign Economic Collection and Industrial Espionage, 2009-2011, October2011.
Emergingtechnologies
Militarytechnologies
Advanced materials andmanufacturing techniques
Healthcare,pharmaceuticals, andrelated technologies
Business dealsinformation
What’s most at risk?
Nation State
Organized Crime
Insiders
Hacktivists
Health records andother personal data
Industrial ControlSystems (SCADA)
R&D and / or productdesign data
$ Payment card and relatedinformation / financialmarkets
Adversary motives and tactics evolve as business strategies change and business activities are executed;‘crown jewels’ must be identified and their protection prioritized, monitored and adjusted accordingly.
Information andcommunicationtechnology and data
PwC
Profiles of Threat Actors
9
Nation State
Insiders
OrganizedCrime
Hacktivists
• Economic, political,and/or military advantage
• Immediate financial gain• Collect information for
future financial gains
• Personal advantage,monetary gain
• Professional revenge• Patriotism
• Influence political and /orsocial change
• Pressure business to changetheir practices
MotivesAdversary
• Trade secrets• Sensitive business
information• Emerging technologies• Critical infrastructure
• Financial / Payment Systems• Personally Identifiable
Information• Payment Card Information• Protected Health Information
• Sales, deals, market strategies• Corporate secrets, IP, R&D• Business operations• Personnel information
• Corporate secrets• Sensitive business information• Information related to key
executives, employees,customers & business partners
Targets
• Loss of competitiveadvantage
• Disruption to criticalinfrastructure
• Costly regulatory inquiriesand penalties
• Consumer and shareholderlawsuits
• Loss of consumer confidence
• Trade secret disclosure• Operational disruption• Brand and reputation• National security impact
• Disruption of businessactivities
• Brand and reputation• Loss of consumer confidence
Impact
PwCDRAFT
PwC
Organizations have not kept pace
11
Years of underinvestment in certain areas has left organizations unable to adequately adapt andrespond to dynamic cyber risks.
Product & ServiceSecurity
PhysicalSecurity
OperationalTechnology
Security
Public/PrivateInformation
Sharing
ThreatModeling
& ScenarioPlanning
TechnologyAdoption andEnablement
Ecosystem &Supply Chain
Security
GlobalSecurity
Operations
BreachInvestigationand Response
Notificationand
Disclosure
Privileged AccessManagement
SecurityTechnology
Rationalization
Patch &ConfigurationManagement
consecteturadipiscing elit
InsiderThreat
UserAdministration
TechnologyDebt
Management
Secure Mobileand CloudComputing
Security Strategy and Roadmap
Board, Audit Committee, and Executive Leadership Engagement
Business Alignment and Enablement
Process andTechnology
Fundamentals
ThreatIntelligence
Incidentand Crisis
Management
Ris
ka
nd
Imp
ac
tE
va
lua
tio
nR
es
ou
rc
eP
rio
ritiz
atio
n
Security Program, Functions, Resources and Capabilities
ComplianceRemediation
Security Cultureand Mindset
Monitoringand Detection
Critical AssetIdentification and
Protection
PwC
12
• Where are We?
(Based on PwC Global Information Security Survey 2015)
PwC
High growth in high-profile crimes
13
86% jump in incidents by
nation-states (with China, HK
and India with the highest values)
64% rise in compromises
by competitors
26% increase in incidents by
organised crime.
Incidents attributed to nation-states, organised crime, and
competitors increased sharply in 2014.
PwC
The number of security incidents continues
to soar
The total number of security incidents
detected globally by survey respondents
climbed to 42.8 million this year, an
increase of 48% over 2013.
14
It’s the equivalent of 117,339 incoming
attacks per day, every day. And that’s
just the compromises that were
discovered.
PwC15
As security incidents grow in frequency, the costs of managing
and mitigating breaches also are rising.
Globally, the annual estimated reported average financial loss
attributed to cybersecurity incidents was US$2.7 million,
a jump of 34% over 2013.
Not surprising, but certainly attention grabbing, is the finding
that big losses are more common: Organisations reporting
financial hits of US$20 million or more increased 92% over
2013.
The financial cost of security incidents is
high and rising
• Incidents and financial impacts continue to soar
PwC
Number of Security incidents detected in thepast 12 months
PwC
Estimated total financial losses as a result of allsecurity incidents (USD)
PwC
Monetary losses stretch into the billions of dollars…
The estimated global cost of cybercrime detected by respondents this year is more than US$23
billion.
Again, it’s important to note this figure represents only detected compromises.
It is almost important to note that the value of certain kinds of information – intellectual property
and trade secrets, in particular – is very difficult to ascertain.
18
PwC
Despite elevated risks, security budgets decline in 2014
19
Many organisations are undoubtedly worried about the
rising tide of cybercrime, yet most have not increased their
investment security initiatives.
In fact, global IS budgets actually decreased 4%
compared with 2013. And security spending as a percentage
of the total IT budget has remained stalled at 4% or less
for the past five years.
PwC
Incidents attributed to insiders rises while security preparedness falls
20
Current and former employees are the most-cited
culprits of security incidents, but implementation of
key insider-threat safeguards is declining.
• 56% have privileged user-access tools (65% in
2013) as compared to 61% of respondents in APAC.
• 51% have an employee security training and
awareness program
(60% in 2013) as compared to 55.6% in APAC.
Compromises attributed to third parties with
trusted access increases while due diligence
weakens.
• In Asia Pacific, 55% of respondents require third
parties to comply with their privacy policies
(vs. 53.55% of the global average).
• Employees are the most cited culprits of incidents
PwC
21
• Putting Cyber Threats in Perspective
PwC
Putting cybersecurity into perspective
22
• Cybersecurity represents many things to many different people
• Key characteristics and attributes of cybersecurity:
─ Broader than just information technology and not limited to just the enterprise
─ Increasing attack surface due to technology connectivity and convergence
─ An ‘outside-in view’ of the threats and potential impact facing an organization
─ Shared responsibility that requires cross functional disciplines in order to plan,protect, defend and respond
PwC
HistoricalIT Security
Perspectives
Today’s LeadingCybersecurity
Insights
Scope of the challenge • Limited to your “four walls” andthe extended enterprise
• Spans your interconnected globalbusiness ecosystem
Ownership andaccountability
• IT led and operated • Business-aligned and owned; CEO andboard accountable
Adversaries’characteristics
• One-off and opportunistic;motivated by notoriety, technicalchallenge, and individual gain
• Organized, funded and targeted;motivated by economic, monetary andpolitical gain
Information assetprotection
• One-size-fits-all approach • Prioritize and protect your “crownjewels”
Defense posture • Protect the perimeter; respond ifattacked
• Plan, monitor, and rapidly respondwhen attacked
Security intelligence andinformation sharing
• Keep to yourself • Public/private partnerships;collaboration with industry workinggroups
23
Evolving perspectivesConsiderations for businesses adapting to the new reality
PwCDRAFT
PwC
Product & ServiceSecurity
PhysicalSecurity
OperationalTechnology
Security
Public/PrivateInformation
Sharing
ThreatModeling
& ScenarioPlanning
TechnologyAdoption andEnablement
Ecosystem &Supply Chain
Security
GlobalSecurity
Operations
BreachInvestigationand Response
Notificationand
Disclosure
Privileged AccessManagement
SecurityTechnology
Rationalization
Patch &ConfigurationManagement
consecteturadipiscing elit
InsiderThreat
UserAdministration
TechnologyDebt
Management
Secure Mobileand CloudComputing
Security Strategy and Roadmap
Board, Audit Committee, and Executive Leadership Engagement
Business Alignment and Enablement
Ris
ka
nd
Imp
ac
tE
va
lua
tio
nR
es
ou
rc
eP
rio
ritiz
atio
n
Security Program, Functions, Resources and Capabilities
ComplianceRemediation
Have you kept pace?
25
Questions to consider when evaluating your ability to respond to thenew challenges.
Security Cultureand Mindset
Process andTechnology
Fundamentals
ThreatIntelligence
Monitoringand Detection
Critical AssetIdentification and
Protection
Incidentand Crisis
Management
Develop a cross-functional incidentresponse plan for effective crisismanagement
• Have your business leaders undertakencyberattack scenario planning?
• Do you have a defined cross functionalstructure, process and capability to respond?
• Are you enhancing and aligning your plan toongoing business changes?
Evaluate and improve effectiveness ofexisting processes and technologies
• Have you patched and upgraded your coreplatforms and technology?
• How are you securing new technology adoptionand managing vulnerability with your legacytechnology?
• Have you evolved your security architecture andassociated processes?
Enhance situational awareness to detect andrespond to security events
• How are you gaining visibility into internal andexternal security events and activities?
• Are you applying correlation and analytics toidentify patterns or exceptions?
• How do you timely and efficiently determinewhen to take action?
Identify, prioritize, and protect the assetsmost essential to the business
• Have you identified your most critical assetsand know where they are stored andtransmitted?
• How do you evaluate their value and impact tothe business if compromised?
• Do you prioritize the protection of your crownjewels differently than other informationassets?
Establish values and behaviors to create andpromote security effectiveness
• How is leadership engaged and committed toaddressing cyber risks facing the business?
• What sustained activities are in place to improveawareness and sensitivity to cyber risks?
• How have your business practices evolved toaddress the threats to your business?
Understand the threats to your industry andyour business
• Who are your adversaries and what are theirmotivations?
• What information are they targeting and whattactics are they using?
• How are you anticipating and adapting yourstrategy and controls?
PwC
Recap of Key points to takeaway
Proprietary - Confidential - Internal Use Only
New Ecosystem - Business models have evolved into a moreinterconnected, integrated, and interdependent environment.
Q: What is the cyber risk strategy of your service provider?
Crown Jewels - identify and enhance the protection of “crown jewels”.
Q: What information assets can impact your market value?
Tone at the top - awareness and commitment from the highestexecutive levels.
Q: What is your role in cybersecurity?
OSHI - Sophisticated groups are actively exploiting cyber weaknesses;organized crime , State Sponsored, Hacktivists and Internal.
Q: Who are your enemies and what is being said about your company insocial media?
Know your ecosystem and therisk landscape
Know your Crown Jewels
Know your culture
Know youradversary – motives, means,
and methods
26
Know your business risksEmbed cyber risk into board oversight and executive-level decisionmakingQ: How has cyber risk been considered as a business issue?
PwC
For more information on Cyber Risks…
Section 1 – Appendix
United States:www.pwc.com/cybersecurity
− Results of 2014 Global State of Information Security
− 10Minutes on the stark realities of cybersecurity (available in severallanguages)
− Cybersecurity risk on the board’s agenda
− Cyber Video Series
− A response to the President’s Cybersecurity Executive Order
United Kingdom:http://www.pwc.co.uk/cyber-security/cyber-security
− Insights
− Cyber Video Series
Australia:http://www.pwc.com.au/consulting/cyber/
Others:Belgium
GermanySwitzerland
Scandinavia
27
PwC
Our global team and credentialsOur team helps organizations understand dynamic cyber challenges, adapt and respond to risksinherent to their business ecosystem, and prioritize and protect the most valuable assetsfundamental to their business strategy.
"PwC has very strong global deliverycapabilities, and the firm offers solid,comprehensive services with the abilityto address almost all of the security andrisk challenges that clients will face”2
• Focused on consulting, solutionimplementation, incident response,and forensic investigation
• Knowledge and experience acrosskey industries and sectors
• Largest professional securityconsulting provider as ranked byGartner1
• Technical security and forensicslabs located in forty countries
• Designed to conduct assessments,design and test security solutions,and conduct cyber forensic analysisand investigations
.
• Extensive library of templates,tools, and accelerators
• Cyber threat intelligence fusionand big data analysis platforms toprocess data related to cyberthreats and incidents
• Advanced degrees and certifications including
─ Certified Information System Security Professional (CISSP)
─ Encase Certified Examiner (EnCE)
─ Certified Information Security Manager (CISM)
─ Certified Ethical Hacker (CEH)
─ Oracle Diamond Partner – Identity Management Specialization
• Former federal and international law enforcementand intelligence officers
• Security clearances that allow for classifieddiscussions that often stem from cyber relatedincidents
We provide pragmatic insight and a balanced view ofhow to prioritize investments in people, processesand technology solutions needed to address thecybersecurity challenge
Knowledge & Experience1,600+ professionals
‘Leader’ ranking by
Forrester Research
60+ labs
Proprietarytools and methods
1Gartner: Competitive Landscape: Professional Security Consulting Services, Worldwide, 20132The Forrester Wave: Information Security and Risk Consulting Services, Q1 2013, Forrester Research, Ed Ferrara and Andrew Rose, February 1, 2013
28
PwC
Questions
© 2014 PricewaterhouseCoopers Consulting Hong Kong Limited. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers Consulting HongKong Limited, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.
This proposal is provided solely in connection with your Request for Proposal received 24th October 2013 - MetLife Asia Digital Direct 2.0 Project. This is a proposaland does not constitute a contract of engagement with PwC. In the event that our proposal to you is successful, we will agree formal contractual terms with youbefore we begin any substantive work. In the meantime, this document is provided on the basis that PwC accepts no liability—whether in contract, tort (includingnegligence), or otherwise—to MetLife, Inc ("MetLife") or to any other person in respect of MetLife Asia Digital Direct 2.0 Project. In addition, our acceptance of theengagement will be contingent upon the completion of all our internal engagement acceptance procedures.This proposal must not be made available or copied in whole or in part to any other person without our express written permission.
Thank you.
