EMERGING CYBER SECURITY THREATS: A FUTURE OUTLOOK

Transcription

1 EMERGING CYBER SECURITY THREATS: A FUTURE OUTLOOK Leonard Ong, CISA, CISM, CRISC, CGEIT, CoBIT 5 Implementer & Assessor 14 February 2016

2 AGENDA 1. The present state of Cybersecurity 2. Threat horizon Way forward 4. Key takeaways

3 THE STATE OF CYBER SECURITY

4 CYBER INCIDENTS CONTRIBUTE TO SIGNIFICANT ECONOMIC LOSSES IP Theft in United States >$ 300 Billion IP Commission Report Ponemon Institute Singapore $ 1 Billion Symantec Losses from Cybercrime $ 575 Billion McAfee

5 2015 GLOBAL CYBERSEC URITY STATUS REPORT 3,400+ RESPONDENTS WORLDWIDE

6

7 2015 GLOBAL CYBERSEC URITY STATUS REPORT 3,400+ RESPONDENTS WORLDWIDE

8 CYBERSECURITY FROM DIRECTORS POINT OF VIEW >65% of board of director respondents indicated that the cybersecurity risks were at a high level or had increased. Only 14% were actively involved while 58% said they should have been more involved.

9 THREAT HORIZON 2018 (ISF)

10 IC L PESTLE MODEL Figure 1: The P PESTLE model L PICAL ICA POLIT POL ICA LOG T EE CON O M S L IA SOC IRONMENTAL E ENV L L LEG A TEC HN O

11

12 Threat 1.1 The Internet of Things leaks sensitive information Impact: Growing regulatory fines and legal expenses as breaches occur Increased regulatory burden Reputational risk Recommendations: Prior to IoT deployment, seek consent and apply data protection principles Ensure policies, terms & conditions are transparent and compliant Look IoT holistically instead of a category of device Update policies, standards, guidelines, processes

13 Source: PerfectCloud.io

14 Threat 1.2 Opaque algorithms compromise integrity Impact: Poorly maintained algorithm lead to loss of revenue and delays Disruption to critical systems is heightened due to lack of specialised skill Reputation is questioned after an incident Recommendations: Identify exposure to algorithm controlled systems, understand liability Update code maintenance policies Identify alternative ways of treating risks from algorithm-related incidents Conduct robust business continuity and resiliency planning

15 Source: The Hacker News

16 Threat 1.3 Rogue governments use terrorist groups to launch cyber attacks Impact: Brand damage, loss of revenue or even bankruptcy Severe business disruption as SIEM systems are evaded by persistent attackers Recommendations: Adapt risk management processes to account for threats actors with new capabilities Review existing controls and focus on increasing resiliency Explore possibilities for threat intelligence collaboration with governments and organisations facing similar threats.

17 Source: Security Intelligence

18 Threat 2.1 Unmet board expectations exposed by major incidents Impact: Costly incidents due to incomplete risk assessment, Inability to deal with threats and incidents, inhibiting decision making Recommendations: Engage with the board regularly to provide credible view of cyber risks Align the board s expectation of security improvements based on current and future capability of CISO and information security function Initiate talent program to transform CISO and Information Security function from specialists to trusted business partner Learn from others

19 Source: Slash Gear

20 Threat 2.2 Researchers silenced to hide security vulnerabilities Impact: Business disruption due to insecure software that could have been fixed Lost of sales for manufacturers when their actions to suppress vulnerabilities made public Damage to manufacturers that surpress vulnerabilities resulting in loss of life Recommendations: Consider financial reward for responsible researchers Use mediation services to agree satisfactory disclosure practices Insist greater transparency during procurement process

21 Source: LinkedIn

22 Threat 2.3 Cyber Insurance safety net is pulled away Impact: Organisations are exposed as there lose access to transfer risks High cost of alternative treatment Credit ratings may slow down cyber insurance market Recommendations: Reassess risk management strategy in advance, and identify risks to be transferred through cyber insurance Examine cyber insurance for potential costly exclusions

23 Source: Business Insider

24 Threat 3.1 Disruptive companies provoke government Impact: Large fines for organisations that resist, rather than, engage with governments Companies (in technology sectors) are subjected to higher scrutiny. Recommendations: Avoid political opposition by understanding local context of product & services delivery Develop a clear strategy for political influence and engagement, focusing on principle-based system of regulation. Explore possibilities for collective influence

25 Source: Euractiv

26 Threat 3.2 Regulations fragment the cloud Impact: Disruptions to operation and production as cloud services are divided to multiple countries Additional resources to deal with cloud compliance required Organisation forced to comply with data protection requirements Recommendations: Understand current and proposed regulation will evolve. Be proactive and devise strategy before it is too late.

27 Source: Security Intelligence

28 Threat 3.3 Criminal capabilities and gaps in international policing Impact: Brand damage as organisations technical capabilities are surpassed by cyber criminals Incurred losses compounded by growing e-commerce and inadequate international law enforcement cooperation. Degraded ability to conduct business abroad Recommendations: Improve threat intelligence and increase resiliency Proactively work and influence government to cooperate and build international framework

29 WAY FORWARD

30 SECURE-BY-DESIGN AND PRIVACY-BY-DESIGN 1. Technology should have adequate security feature and configured securely before reaching the customer. 2. Personal data protection principles should be built-in with the product features and operation. 3. Customers should be able to secure any products with reasonable effort and without requiring specialised skills. 4. The burden of securing products should be less on the consumer side.

31

32 ETHICAL TECHNOLOGY DEVELOPMENT 1. Pharmaceutical, medical and legal industries have intensive testing and certification. Reduction of accidents, bad medicine, and less than desirable professionals 2. Technology development should go through proper testing from social, safety, and privacy issues. 3. Secure-by-design and Privacy-by-design should be independently tested.

33 KEY TAKE-AWAYS 1. Cost & frequency of cyber attacks will continue to increase 2. Total losses from Intellectual Property theft is far greater than the cost of cybercrime 3. Cybercrime is a tax to business and innovators 4. Disruptive technologies missing robust security and privacy protection. 5. The need to implement code of ethics in technology developments

34 DISCUSSIONS