CYBER SECURITY Nick Kervin – Partner, IT Advisory August 2017 Page 1
CYBER SECURITY Overview 1. What is at risk? 2. Global industry trends 3. BDO/AusCERT survey 4. Recent cyber case studies 5. Cyber risk mitigation strategies Page 2
WHAT IS AT RISK Page 3
WHAT IS AT RISK 2017 World Economic Forum Source: The Global Risk Report 2017 – World Economic Forum Page 4
WHAT IS AT RISK Who are the adversaries and what are their motives?
Adversary: Hacktivists
• Motives: Influence political and / or social change; Pressure business to change their practices
• Targets: Corporate secrets; Sensitive business information; Information related to key executives, employees, customers & business partners
• Impact: Disruption of business activities; Brand and reputation; Loss of consumer confidence
Adversary: Cyber criminals
• Motives: Immediate financial gain; Collect information for future financial gains
• Targets: Financial / payment systems; Personally identifiable information; Payment card information; Protected health information
• Impact: Costly regulatory inquiries and penalties; Consumer and shareholder lawsuits; Loss of consumer confidence
Adversary: Nation state
• Motives: Economic, political, and/or military advantage
• Targets: Trade secrets; Sensitive business information; Emerging technologies; Critical infrastructure
• Impact: Loss of competitive advantage; Disruption to critical infrastructure
Adversary: Insiders
• Motives: Personal advantage, monetary gain; Professional revenge; Patriotism
• Targets: Sales, deals, market strategies; Corporate secrets, IP, R&D; Business operations; Personnel information
• Impact: Trade secret disclosure; Operational disruption; Brand and reputation; National security impact
Page 5
WHAT IS AT RISK The actors and the information they target
Adversary: Hacktivists; Cyber criminals; Nation state; Insiders
What’s most at risk:
• Industrial Control Systems (SCADA)
• Emerging technologies
• Payment card and related information / financial markets
• Advanced materials and manufacturing techniques
• R&D and / or product design data
• Energy data
• Healthcare, pharmaceuticals, and related technologies
• Business deals information
• Health records and other personal data
• Information and communication technology and data
Motives and tactics evolve, and what adversaries target varies depending on the organisation and the products and services they provide.
Page 6
GLOBAL INDUSTRY TRENDS Page 7
INDUSTRY TRENDS Cyber attacks on user devices & persons are rising Source: Verizon 2016 Data Breach Investigations Report Page 8
INDUSTRY TRENDS Breach discovery methods are changing Source: Verizon 2016 Data Breach Investigations Report Page 9
INDUSTRY TRENDS Breaches are on the rise but industry spend has not kept track
Cyber attacks are on the rise
• $500 billion: The estimated annual cost of cyber-attacks to the global economy was more than $500 billion in 2015, with $230 billion in APAC
World Economic Forum recognise cyber breaches as one of the top threats to stability of global economy
• $2.1 trillion: Data breaches and malware infections will cost the global economy $2.1 trillion by 2019
Cyber threats are Boards’ fastest-growing concern, but investments are not keeping track with breach costs
• $75 billion: $75 billion spend on cyber security in 2015
Estimated spend on Cyber Security by 2020 will be $175 billion
• $175 billion: Cyber spend will more than double over the next five years, with Cyber insurance expected to grow to $2.5 billion by 2020
Source: Forbes Page 10
INDUSTRY TRENDS Cyber security skills are in high demand
Solid growth in cyber security job market
• 1 million: 1 million unfilled cyber security jobs globally in 2015 which is a 75% increase in the last five years
Cyber security jobs in demand as investments increase
• 6 million: There will be shortage in cyber security skills as the market is expected to grow to 6 million jobs by 2019 with a shortage of 2 million jobs
Cyber job market in ANZ region is growing
• 21%: The demand for cyber security skills in ANZ market will grow 21% over the next five years with expected shortage of 10,000 people by 2019
Source: Forbes Page 11
BDO / AusCERT CYBER SECURITY SURVEY Page 12
BDO / AUSCERT CYBER SURVEY Australian Respondents • Over 400 respondents • 43% of Australian respondents from Queensland NZ Respondents by region Australian Respondents by state Page 13
BDO / AUSCERT CYBER SURVEY Primary industry of all respondents coloured by type
[Bar chart. Industries: Wholesale trade; Transport, postal and warehousing; Retail trade; Rental, hiring and real estate services; Public administration and safety; Professional, scientific and technical services; Other; Mining; Manufacturing; Information media and telecommunications; Health care and social assistance; Financial and insurance services; Electricity, gas, water and waste services; Education and training; Construction; Arts and recreation services; Agriculture, forestry and fishing; Administrative and support services; Accommodation and food services. Organisation types: State Government; Federal Government; Local/regional Government; Not-for-profit; Private limited company; Public listed company; Sole trader / Partnership.]
Page 14
BDO / AUSCERT CYBER SURVEY Cyber security incidents experienced in 2016
• Ransomware
• Phishing
• Malware
• DDoS
[Bar chart, Healthcare vs All Respondents. Incident types: Website defacement; Unauthorised modification of information; Unauthorised access to information by internal user; Unauthorised access to information by external user; Theft of laptops or mobile devices; Ransomware; Phishing / targeted malicious e-mails; Malware / trojan infections; Email addresses or website(s) blacklisted; Brute force attack; Denial of service attack; Data loss / theft of confidential information; Data breach and third party provider / supplier.]
Page 15
BDO / AUSCERT CYBER SURVEY Cyber security incidents expected in 2017
[Bar chart, Healthcare vs All Respondents. Incident types: Website defacement; Unauthorised modification of information; Unauthorised access to information by internal user; Unauthorised access to information by external user; Theft of laptops or mobile devices; Ransomware; Phishing / targeted malicious e-mails; Malware / trojan infections; Email addresses or website(s) blacklisted; Brute force attack; Denial of service attack; Data loss / theft of confidential information; Data breach and third party provider / supplier.]
Page 16
BDO / AUSCERT CYBER SURVEY Likely source of Cyber security Incidents
• Cyber criminals
• Insiders / current employees
• Activists
• Third party hosting providers
[Pie chart: Cyber criminals / organised crime 33%; Insiders / current employees 13%; Activists 12%; Third party hosting provider 10%; Foreign Governments / Nation States 10%; Former employees 8%; Competitors 6%; Suppliers / business partners 4%; Customers 4%.]
Page 17
BDO / AUSCERT CYBER SURVEY Likely source of cyber security incidents
[Bar chart, All Respondents vs Healthcare. Sources: Third party hosting provider; Suppliers / business partners; Insiders / current employees; Former employees; Foreign Governments / Nation States; Cyber criminals / organised crime; Customers; Competitors; Activists.]
Page 18
BDO / AUSCERT CYBER SURVEY Cyber security awareness programs reduce incidents overall [Bar chart, All Respondents. Categories: Ransomware; Phishing; Malware/Trojan; All Other.] Page 19
BDO / AUSCERT CYBER SURVEY Security Operations Centres reduce incidents by 79% [Bar chart, All Respondents. Categories: Ransomware; Phishing; Malware/Trojan; All Other.] Page 20
BDO CYBER SURVEY Does your organisation utilise intelligence sharing networks
• Yes - we gain a great deal of value from doing so: 23%
• Yes - but its usefulness is limited: 18%
• Yes - but the process is overly expensive/time consuming: 5%
• No - we don't know if such a network exists: 39%
• No - we feel we don't need to: 11%
• No - it doesn’t provide us value: 4%
Page 21
BDO / AUSCERT CYBER SURVEY Only 28% of respondents have cyber insurance cover
[Pie chart. Response options: Yes - we have this cover as an extension to another insurance policy; Yes - we have a standalone cyber policy; Yes - but do not know how the policy was arranged; Not yet - we are considering it; No - we were not aware of this type of insurance; No - we self-insure; No - we don't feel we need it. Segment values as shown: 8%, 14%, 12%, 9%, 9%, 5%, 18%, 25%.]
Page 22
ASX 100 CYBER HEALTH CHECK REPORT Page 23
ASX 100 CYBER HEALTH CHECK REPORT What is it?
• The ASX 100 Cyber Health Check is the first attempt to gauge how the boards of Australia’s largest publicly listed companies view and manage their exposure to the rapidly evolving cyber world
• 76% of the ASX 100 responded to the survey
• Currently, only 11% of companies proactively reassure customers and investors about their approach to cyber security
• Survey is available at: www.asx.com.au/ASX100-Cyber
Page 24