Ivan dragas get ahead of cybercrime

Get ahead of cybercrime
EY’s Global Information Security Survey

Agenda
► The cyber threat landscape
► The journey to cybersecurity maturity
► Activate
► Adapt
► Anticipate
► Summary
Get ahead of cybercrime — EY’s Global Information Security Survey 2014

The cyber threat landscape

Cyber attacks are headline news
► It is no longer possible to prevent attacks or breaches
► With organizations increasingly relying on vast amounts of
digital data to do business, cybercrime is growing ever more
damaging to an organization and its brands.
► The interconnectivity of people, devices and organizations
opens up new vulnerabilities.
► New technologies, regulatory pressure and changing business
requirements call for more security measures.
► What companies used to know and do to protect their most
valued information is no longer enough.
What everyone wants to know is “what can companies do about
cybercrime?”

The growing attacking power of cyber criminals
Cybercrime is big business. Today’s attackers:
► Are more organized – they are not just opportunists
► Have significant funding
► Are patient and sophisticated – they will often gain access and
wait until the right moment to pounce
Cybercrime is an organization-wide issue
► Attackers take advantage of vulnerabilities in the whole operating
environment – including people and process.
► Due to the relative ease of access via IP-addresses, operational
technology systems are often targets for cyber criminals

GISS 2014 results: “Who or what do you consider the most likely
source of an attack?”
41%
46%
27%
53%
14%
12%
10%
35%
57%
Lone wolf hacker
Hacktivists
State sponsored attacker
Criminal syndicates
Other business partner
Supplier
Customer
External contractor working on our site
Employee
Respondents were asked to choose all that apply.

The roadblocks facing today’s organizations
► Roadblock 1 — Lack of agility
► Organizations admit there are still known vulnerabilities in their cyber
defences and they are not moving fast enough to mitigate these. They
are therefore lagging behind in establishing foundational cybersecurity.
► 65% tell us that they lack real-time insight on cyber risks
► Roadblock 2 — Lack of budget
► For the first time, we see more organizations reporting that their
information security budgets will not increase. There is a need for
more money and resources to face the growing threats effectively.
► Roadblock 3 — Lack of cybersecurity skills
► The lack of specialists is a constant and growing issue. Organizations
also need to build skills in non-technical disciplines (like analytics) to
integrate cybersecurity into the core business.

GISS 2014 results: Roadblocks
43%of respondents say that their
organization’s total information
security budget will stay approximately
the same in the coming 12 months
and a further 5% said that their budget
will actually decrease.
53%of organizations say that lack of
skilled resources is one of the main
obstacles that challenge their
information security.

The journey to cybersecurity maturity -
Activate > Adapt > Anticipate

How do you get ahead of cybercrime?
Focus on the three As.

A 3-stage improvement process
To get ahead of cybercrime we suggest that organizations adopt a
3-stage improvement process:
► Activate (a foundational approach)
► Organizations need to establish and improve the solid foundations of
their cybersecurity
► Adapt (a dynamic approach)
► Because organizations are constantly changing and cyber threats are
evolving, cybersecurity needs to be able to adapt to changing
requirements
► Anticipate (a proactive approach)
► Organizations need to make efforts to predict what is coming so they
can be better prepared for the inevitable cyber attacks

Activate

Activate: the need to establish
foundations
Organizations in this level can only deal with threats in a world
without change. They will typically have these capability shortfalls:
► Bolt-on cybersecurity
► Cybersecurity has been added on to current business processes and
activities, but it has not yet been integrated into the business.
► A focus on safeguarding the current environment
► Cybersecurity starts with looking at the risks the organization is
already aware of based on prior experience; the focus is on risk
assessments, controls efficiency and risk mitigation
► A static approach
► Cybersecurity aims to enable the business to carry out its known and
regular day-to-day functions securely. It will be rule-based and
compliance-driven, relying on metric-driven reporting.

GISS 2014 results: improvement needed
Across almost every cybersecurity
process, between 35% and 45% of
respondents rated themselves “still a
lot to improve.”
Nearly two thirds of organizations do
not have well-defined and automated
Identity and Access Management
programs.

GISS 2014 results: lack of real time insight on
cyber risk
37%say that real time insight on
cyber risk is not available.
42%of organizations do not
have a SOC.

GISS 2014 results: How long on average does it take for
your SOC to initiate an investigation on discovered/
alerted incidents?
33%
4%
13%
13%
25%
12%
Unknown
Longer than 1 day
Within 1 day
Within 4 hours
Within 1 hour
Within 10 minutes
Respondents were asked to choose one.

Foundational activities all
organizations need to “activate”
1. Conduct a cyber threat assessment and design an implementation
roadmap
2. Get Board-level support for a security transformation
3. Review and update security policies, procedures and supporting
standards
► Implement an information security management system
4. Establish a Security Operations Center (SOC)
► Develop monitoring and incident response procedures
5. Design and implement cybersecurity controls
► Assess the effectiveness of data loss prevention and identity and
access management processes.
► Harden the security of IT assets.
6. Test business continuity plans and incident response procedures

Adapt

Adapt: a dynamic approach
If an organization doesn’t adapt, its cybersecurity foundation will
quickly be obsolete. The Adapt stage adds:
► Built-in security
► Cybersecurity is considered and involved in everything the
organization does and cybersecurity requirements are built in to all
business processes
► A focus on the changing environment
► Cybersecurity continuously adapts to ongoing changes in the business
and its environment. Increased situational awareness enables the
organization to react to expected changes in the threat landscape.
► A dynamic approach
► Cybersecurity is flexible, agile and under constant revision. It
continually adapts to better protect the business.

The need to be adaptable
Organizations are undergoing constant change:
► The necessity to integrate new technologies into business
processes
► Mobile devices blurring the lines between the business and
personal world
► The growth in managed services and remote hosting
► The integration of process control infrastructure with the back
office and the outside world
► Rapidly changing regulatory environment and requirements
As a result, organizations have to cope with a never-ending cycle
of new threats and challenges requiring the adoption of a never-
ending cycle of improvement and re-evaluation of the changing
cybersecurity capabilities.

Cybersecurity not aligned to the
business
In order to get ahead of cybercrime, it is essential to keep your
cybersecurity measures 100% aligned with your business.
Organizations are
continuing to improve
their cybersecurity, but
the changes in the
threat are travelling at
an even faster rate,
meaning they are
effectively going
backwards. 2013 2104
Instead of an expected increase
in the number of organizations
reporting that their Information
Security function fully meets the
needs of their organization, our
survey found a decrease.
2013 2104
Instead of an increase in the number
of organizations reporting that their
Information Security function
partially meets their needs and that
improvements are under way, there
has been a decrease of 5%.

GISS 2014 results: Cybersecurity not meeting the
needs of many organizations
GISS 2014 explored why cybersecurity measures are not meeting the
needs of so many organizations, for example in breach detection:
Respondents were asked to choose one.
9%
20%
24%
31%
16%
We have a formal and advanced detection function that brings together each
category of modern technology (host-based malware detection, antivirus, network-
based malware detection, DLP, IDS, next-gen firewalls, log aggregation) and uses
sophisticated data analytics to identify anomalies, trends and correlations. We have
formal processes for threat collection, dissemination, integration, response,
escalation and prediction of attacks
We have a formal detection program that leverages modern technologies (host-
based and network-based malware detection, behavioral anomaly detection, etc.) to
monitor both internal and external traffic. We use ad hoc processes for threat
collection, integration, response and escalation
We utilize a security information and event management (SIEM) solution to actively
monitor network, IDS/IPS and system logs. We have an informal response and
escalation processes in place
We have perimeter network security devices (i.e., IDS). We do not have formal
processes in place for response and escalation
We do not have a detection program

GISS 2014 results: How do you ensure that your
external partners, vendors or contractors are
protecting your organization’s information?
13%
8%
24%
34%
27%
27%
27%
56%
No reviews or assessments performed
Fourth parties (also known as sub-service organizations) are identified and assessments
performed (e.g., questionnaires issued, reliance placed on your vendor's assessment
processes)
Only critical or high-risk third parties are assessed
Self-assessments or other certifications performed by partners, vendors or contractors
Independent external assessments of partners, vendors or contractors (e.g., SSAE 16,
ISAE-3402)
Accurate inventory of all third-party providers, network connections and data transfers is
maintained and regularly updated
All third parties are risk-rated and appropriate diligence is applied
Assessments performed by your organization’s information security, IT risk, procurement
or internal audit function (e.g., questionnaires, site visits, security testing)
Respondents were asked to choose all that apply.

Adapt - take action to improve and
transform
1. Design and implement a transformation program
► Get external help in designing the program, and providing program
management.
2. Decide what to keep in-house and what to outsource
3. Define a RACI matrix for cybersecurity
4. Define the organization’s ecosystem
► Make moves to eliminate or lessen potential security gaps in your
interaction with third parties
5. Introduce cybersecurity awareness training for employees

Anticipate

Anticipate: a proactive state of
readiness
‘Anticipate’ means embracing cybersecurity as a core aspect of
the business and being in a proactive state of readiness:
► Built-beyond security
► Cybersecurity capabilities are part of a dynamic decision process
► Prioritize your “crown jewels” - understand the impact of a breach
► A focus on the future environment
► Understand the wider threat landscape and how it relates to the
organization – use cyber threat intelligence
► Continually learn and evolve in a cycle of continual improvement
► A proactive approach
► Be confident in your incident response and crisis response
mechanisms
► Regularly rehearse your incident response capabilities

GISS 2014 results: Organizations are not planning
for the future
58%of organizations do not have a
role or department focused on
emerging technologies and their
impact on information security.
36%of respondents do not have a threat
intelligence program.

Company
one
Company
two
Collaboration
Climate
Collaboration within the ecosystem

Share knowledge and skills with
your ecosystem
All organizations face the same challenges and are learning that
collaboration bears fruit, especially if done in a targeted fashion.
► Collaboration provides the organization with greater awareness
of its partners and supply chain, and the ability to influence and
learn from the whole ecosystem.
► Larger organizations’ security capabilities are often far more mature
than those of some of their suppliers, so knowledge-sharing around
cybersecurity, or coordinating cybersecurity activities with suppliers
can be much more effective than going it alone.
► A shared solution tightens the protective layers in and around your
ecosystem.
► Any incident response exercises should include third parties
and other players in your wider ecosystem.

Anticipate: take action - and get ahead
1. Design and implement a cyber threat intelligence strategy
► Use threat intelligence to support strategic business decisions
2. Define and encompass the organization’s extended cybersecurity
ecosystem
► Define RACI and trust models and enact cooperation, sharing capabilities
where advantageous
3. Take a cyber economic approach
► Understand the value of your most vital cyber assets
4. Use forensics and analytics
► Use the latest technical tools to analyse where the likely threats are coming
from and when
5. Ensure everyone understands what’s happening
► Strong governance, user controls and regular communications

Summary

Anticipate
Adapt
Activate
Cybersecurity system building blocks - the 3A’s
What it is Cybersecurity system building blocks Status
Anticipate is about looking into
the unknown. Based on cyber
threat intelligence, potential
hacks are identified; measures
are taken before any damage
is done.
Anticipate is an emerging level.
More and more organizations
are using cyber threat
intelligence to get ahead of
cybercrime. It is an innovative
addition to the below.
Adapt is about change. The
cybersecurity system is
changing when the environment
is changing. It is focused on
protecting the business of
tomorrow.
Adapt is not broadly
implemented yet. It is not
common practice to assess the
cybersecurity implications every
time an organization makes
changes in the business.
Activate sets the stage. It is a
complex set of cybersecurity
measures focused on protecting
the business as it is today.
Activate is part of the
cybersecurity system of every
organization. Not all necessary
measures are taken yet; there is
still a lot to do.

Want to learn more?
Achieving resilience in the
cyber ecosystem
www.ey.com/cyberecosystem
Reducing risk with Cyber Threat
Intelligence
www.ey.com/CTI
Security Operations Centers:
- helping you get ahead of
cybercrime
www.ey.com/SOC
Privacy trends 2014: privacy
protection in the age of technology
www.ey.com/privacy2014
Identity and access
management:
beyond compliance
www.ey.com/IAM
Building trust in the cloud:
creating confidence in your cloud
ecosystem
www.ey.com/cloudtrust
Big data: changing the way
businesses compete and operate
www.ey.com/bigdatachange
Please visit our Insights on governance, risk and compliance series at www.ey.com/GRCinsights
Cyber program management:
identifying ways to get ahead of
cybercrime
www.ey.com/CPM

Further information
See the full report: Get ahead of cybercrime –
EY’s Global Information Security Survey 2014:
www.ey.com/giss2014
View more of EY’s insights on cybersecurity on:
www.ey.com/cybersecurity
For further GRC thought leadership, please refer
to our Insights on governance, risk and
compliance series on:
www.ey.com/GRCinsights
To discuss your cybersecurity issues further,
please contact your EY representative:
Ivan Dragaš, CISA
ivan.dragas@rs.ey.com

Thank you for your attention!

Ivan dragas get ahead of cybercrime

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Ivan dragas get ahead of cybercrime

Ähnlich wie Ivan dragas get ahead of cybercrime (20)

Mehr von Dejan Jeremic

Mehr von Dejan Jeremic (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Ivan dragas get ahead of cybercrime

Hinweis der Redaktion