Cyber threats and risks for companies Managing cyber risks in an interconnected world

Roman Chaplygin
Cyber risks: A severe and present danger
every day brings cyber security news
Public company in Poland
• Organized cyber attack related to electronic commerce
• Ineffective procedures for attack detection and incident response
PwC
Cyber risks: A severe and present danger
everything is under attack
• Government agency
• Media
• Energy
• Retail
• Power & utilities
• Agriculture
• Metal & mining
• Banking & finance
• Insurance
• Private equity
• Oil & gas
• Telecommunications
• Manufacturing
Cyber risks become Business risks
because they directly impact the business
TOP-10 threat for business growing
PwC Banking CEO Survey 2014
TOP-5 unlikely issue
WEF Global Risks 2014 Report
Incidents and financial impacts continue to soar
and this is just the tip of the iceberg
Some companies don't disclose their incidents, and many others don't know about them
Incidents and financial impacts continue to grow
Larger companies detect more incidents, and they are more interesting to attack
Small companies have fewer resources to detect attacks; large companies are more attractive
Incidents and financial impacts continue to grow
Incidents are more costly to large organizations
The annual cost of cybercrime to the global economy ranges from $375 billion to as much as $575 billion
Incidents and financial impacts continue to grow
large companies have to spend more on defense
While big corporations may have the expertise and resources to build a sophisticated cybersecurity fusion center that enables sharing of threat intelligence and response techniques, that is not practical for smaller firms. But they can obtain the same benefits through managed security services. Another option to address risks might be the purchase of cyber insurance.
Nation-states, hackers, and organized crime groups are
the cybersecurity villains that everybody loves to hate
Employees are the most-cited culprits of incidents
That’s not to say that all employees exhibit malicious behavior. In many cases, they may unwittingly compromise data through loss of mobile devices or targeted phishing schemes.
The percentage of incidents attributed to current and former service providers, consultants, and contractors increased to 18% and 15%, respectively, in 2014.
… it is easier, cheaper, and quicker to steal IP and trade secrets than to develop capabilities themselves.
Organized crime groups are typically motivated by financial gain. A successful cyber attack can net millions of payment card records that can be quickly monetized.
In addition to credit and debit card data, these criminals increasingly target patient health care data or other personally identifiable information that has considerable value in the underworld of information resellers.
59% of respondents say their organizations’ executives are worried about government surveillance
As incidents rise, security spending falls
many organizations struggle to understand how much to spend on security and how to determine the return on investment
The average information security budget dipped to $4.1 million, down 4% over last year. Security spending remains stalled at only 3.8% of the overall IT budget.
As incidents rise, security spending falls
at the same time, few organizations are aware of the value of their risks and have counted them
As incidents rise, security spending falls
so how should the available budget be spent?
Prevent
Protect
Detect
Respond
Security practices must keep pace with constantly
evolving threats and security requirements
Security tools are not enough, often the proper organization of cyber security processes is also very important:
• correlation of business and cyber security goals and objectives
• proper security management with business involvement
• vendor management and third-party assurance
Only 49% of respondents say their organization has a cross-organizational team that regularly convenes to discuss, coordinate, and communicate information security issues. It also will require that the C-suite and Board be directly involved.
Only 50% perform risk assessments on third-party vendors, and just 50% have conducted an inventory of all third parties that handle personal data of employees and customers. Just over half (54%) of respondents say they have a formal policy requiring third parties to comply with their privacy policies.
At most organizations, the Board of Directors does not participate in key information security activities
Gains in select security initiatives
survey respondents are starting to see the value of working with others
Gains in select security initiatives
evolving from security to cyber risk management
How PwC helps clients manage modern cyber risks
wide range of services adaptable for your business
Industry and sector aligned solutions
We combine our industry specific experience and perspectives to address relevant trends, challenges and opportunities our clients face in their industry and the markets they serve.
Business led approach – diverse capabilities
We leverage and integrate our business, technical, regulatory, analytical, and investigative knowledge and know-how to deliver actionable and sustainable solutions.
[Diagram of service areas, including: Strategy, Governance & Management; Security Architecture & Services; Threat, Intelligence & Vulnerability Management; Identity & Access Management; Incident & Crisis Management; Information & Privacy Protection; Strategy through Execution; Attest & Assure]
Align with the business
Prioritize investments, allocate resources, and align security capabilities with the strategic imperatives and initiatives of the organization.
Manage risk and regulations
Efficiently and effectively identify, evaluate and manage risk to the business while addressing the evolving regulatory requirements.
Secure by design
Create sustainable security solutions to provide foundational capabilities and operational discipline.
Adapt to the future
Assess the opportunities and security related risks of new technology adoption and dynamically changing business models.
Address threats and weaknesses
Anticipate changes in the risk landscape through situational awareness of the internal and external factors impacting the business ecosystem.
Enable secure access
Provide integrated and secure processes, services, and infrastructure to enable appropriate controls over access to critical systems and assets.
Anticipate and respond to security crises
Plan, detect, investigate, and react timely and thoroughly to security incidents, breaches and compromises.
Safeguard critical assets
Identify, prioritize, and protect sensitive or high value business assets.
How PwC helps clients manage modern cyber risks
high quality and professionalism
180,000 PwC staff worldwide
38,000 PwC consultants worldwide
9,600 PwC IT consultants worldwide
2,000 PwC Cyber security consultants worldwide
PwC applies its local and global experience and resources equally to create value for clients when carrying out diverse projects, ranging from strategy development to implementation.
Our global network of firms includes 776 offices in 158 countries worldwide
PwC has broad experience in providing consulting services to universities and higher educational institutions
Leader in IT-enabled business transformation (Forrester, 3Q 2012)
Leader in business consulting (IDC Marketscape, 2012)
PwC CEE has a highly talented pool of certified Cyber security consulting staff with a full range of skills:
CISA – 39 people
CISM – 7 people
CRISC – 5 people
CISSP – 4 people
ISO 27001 – 12 people
and others
Thank you for your attention!
Roman Chaplygin
Director, Risk Assurance, Information Security Services, PwC
Tel: +7 (495) 967 6056
Mob: +7 (903) 272 1620
E-mail: [email protected]
www.pwc.ru/cybersecurity
© 2014 PricewaterhouseCoopers Russia B.V. All rights reserved.