Institute of Internal Auditors Cyber Security. Birmingham Event 15 th May 2014 Jason Alexander

Transcription

1 Institute of Internal Auditors Cyber Security Birmingham Event 15 th May 2014 Jason Alexander

2 Introduction

3 Boards growing concern with Cyber Risk Cyber risk is not new, but incidents have increased in frequency and severity. Protecting key information assets is of critical strategic importance to the sustainability and competitiveness of businesses today. Organisations may traditionally have been well prepared for organised crime but new sources of threat such as economic espionage and hacktivism have different capabilities and targets. Organised crime has embraced electronic attacks, but finding organisation systems generally robust they are targeting customer systems. Nation-state-sponsored attacks, historically focused on diplomatic and military targets, are gathering information such as investment strategies and M&A pricing as a source of strategic advantage and in order to enhance economic well-being'. Hacktivists, motivated by ideological and political goals rather than money, are aiming to disrupt financial services organisations. Disgruntled and disaffected insiders are stealing information when they leave, and in extreme cases sabotaging data and systems. Journalists are hacking corporate systems to gain access to information to allow them to scoop stories. Although technical controls are important, they are insufficient if addressed in isolation. Managing cyber risk effectively requires protection based upon better awareness, recognition and willingness to change processes and behaviour reinforced by mature detection and response systems and processes. Readiness of systems to prevent, detect and react to incidents is vital but cyber extends more widely than just technology. People must be aware and be trained to be robust in the face of attacks, i.e. know how to recognise incidents, and how to how to respond and report them. It is not cost effective to completely eliminate cyber risk, how organisations respond during an incident is key to managing reputational harm and reducing cost. Board members need to ask the right questions to gain assurance that cyber risk is being managed within appetite. Investors, governments and regulators are increasingly challenging board members to actively demonstrate diligence in this area. Regulators expect personal information to be protected, reductions in financial crime, and systems to be resilient to accidents and deliberate attacks. 2

4 Boards growing concern with Cyber Risk Board members globally report Cyber risk has risen from 12 th to 3 rd in the last two years in their priorities. Given financial services reliance on information and systems this is representative of the focus across these boards as well. A series of high profile incidents, coupled with increased customer, media and regulatory attention has driven this change in awareness at a board level. Loss of customers/cancelled orders Talent and skills shortage Reputational risk Currency fluctuation Changing legislation Cost and availability of credit Price of material inputs Inflation Corporate liability High taxation Loss of customers/cancelled orders Cyber risk Price of material inputs Excessively strict regulation Changing legislation Inflation Cost and availability of credit Rapid technological changes Excessively strict regulation Currency fluctuation Rapid technological changes Interest rate changes Cyber risk (malicious) Talent and skills shortage Source: Lloyd s board risk index 3

5 Threat landscape each threat has their own motivations, capabilities and targets Typical assets they target Relevance Organised Crime global, difficult to trace and prosecute Financial assets Personal data, including financial records Financial services have long been the target and are generally well prepared Banks have invested heavily in this area and their success is displacing activities to other FS organisations and beyond Nation States cyber espionage and warfare Intellectual Property Strategic/Operational Plans M&A activity Critical Infrastructure (for cyber warfare) Extending attacks beyond diplomatic and military targets to gain economic advantage Particular focus on M&A pricing data with Board members a particular target Disruptive attacks at times of heightened tension Hacktivists hacking inspired by ideology Reputation public and media perception Publications websites Services disruption Targeting those providing services to or investments in oil and natural resource extraction, animal experimentation or other controversial areas Anti-capitalist attacks against FS organisations The Insider disgruntled by change and uncertainty Customer and client lists Processes and plans Services disruption Increased staff turnover and economic uncertainty results in leavers taking data Cost savings programmes with headcount reduction can drive disgruntled staff to sabotage Journalist Investigative reporting Confidential information through leaks and hacking Newspapers targeting voice mail accounts of not only celebrities and politicians but also business leaders Undercover journalists investigating customer treatment 4

6 Cyber attacks use a range of techniques exploiting both technical and human weaknesses Hacking/malware Flaws in software, systems with default or easily guessed passwords or confidential information sent or stored unencrypted allow hackers to gain access to steal or corrupt business information and systems. Weaknesses in the supply chain or unauthorised installations of software can add malicious code to existing applications to grant attackers remote control Social engineering/phishing Customers and staff can be conned into providing information or assistance through different psychological techniques: Authority posing as law enforcement, regulator or senior management Helpful offering help to resolve a problem they have caused Urgency posing as a fellow employee (often a new joiner) under pressure needing assistance Flattery appealing to the targets ego or offering a prize Threats highlighting negative consequences for non-compliance Convincing fake s or web sites can collect login credentials and other confidential information Entire false personas can be created to befriend and then defraud senior staff Distributed Denial of Service (DDoS) Online protests use floods of requests to overwhelm web servers, delivery and call centre switchboards to disrupt business, provide distractions for other crimes and extort protection money Defacement/squatting Leaking Taking over existing or generating fake customer communication channels on website or social media and using them to harm reputation or target customers for fraud Publishing internal information publically (up to entire boxes) or detailed files on senior staff to embarrass, or encourage others to harass organisations 5

7 Organised Crime 6

8 Economic Spy 7

9 Hacktivists 8

10 The Insider 9

11 FTSE 350 Review UK government so concerned they launched a cyber Vulnerability review across FTSE350 companies Big 4 audit teams all involved Results published and show one thing: there s work to do! 10

12 How do you see the cyber risk to the business? 2 out of 3 Expect cyber risk to increase 1 in 6 Significantly 1 in 3 Chairman are anxious about cyber risks 11

13 Who is in charge? 4 in 5 See responsibility for cyber threats sitting with board, exec or audit committee Only 1 in 5 See the CIO as the senior risk owner most say it is the CEO or CFO 12

14 Do you understand your information assets? Most firms don t have a very clear understanding of the value of the assets Most firms don t have a very clear understanding of the impact of losing those assets 13

15 How do you manage the cyber risk? Over Half Include cyber risk in their strategic risk register A quarter rate it as high importance Less than 1 in 5 Think the description is comprehensive 14

16 What do you base your discussions on? 2 out of 5 Have never received intelligence from CIO on cyber threats Only 1 in 4 Regularly receive cyber intelligence 15

17 What about cyber incidents? 1 in 5 Unsure about trend in cyber incidents over last year, Of the rest 1 in 3 said it had increased Most were Comfortable with how they responded and that employees would report losses 16

18 Have you heard of 10 Steps to Cyber security? 2 out of 5 Had assessed themselves against 10 steps most hadn t Most weren t Aware of the standards, guidelines or certifications 17

19 What about third parties? Half of firms Basic or better understanding of info/data assets shared with third parties But chairs didn t Have a strong understanding of how they dealt with third party risk 18

20 Are you doing enough? 2 of 3 Thought their board colleagues take cyber very seriously Only 1 in 4 Chairs had IT security/ cyber training in last 12 months 19

21 It s personal... Less than 1 in 5 Fully understand their personal cyber risk 1 in 6 Admit to a poor understanding... Most are marginal 20

22 Ten steps to reduce your cyber risk Home and Mobile Working Network Security Malware Protection Secure Configuration Monitoring Removable Media Controls Managing User Privileges Incident Management User Education and Awareness Information Risk Management Regime 21

23 Section 1 Ten steps to Cyber maturity Home and Mobile Working Develop a mobile working policy & train staff to adhere to it. Apply the secure baseline build to all devices. Protect data at all times. Network Security Malware Protection Secure Configuration Monitoring Removable Media Controls Managing User Privileges Incident Management User Education and Awareness Information Risk Management Regime Protect your networks against external and internal attack. Manage the network perimeter. Filter out unauthorised access & malicious content. Monitor & test security controls. Produce relevant policy & establish anti-malware defences that are applicable & relevant to all business areas. Scan for malware across the organisation Apply security patches & ensure that the secure configuration of all ICT systems is maintained. Create a system inventory & define a baseline build for all ICT devices. Establish a monitoring strategy & produce supporting policies. Continuously monitor all ICT systems & networks. Analyse logs for unusual activity that could indicate an attack. Produce a policy to control all access to removable media. Limit media types & use. Scan all media for malware before importing onto corporate systems. Establish account management processes & limit the number of privileged accounts. Limit user privileges & monitor user activity. Control access to activity & audit logs Establish an incident response & disaster recovery capability. Produce & test incident management plans. Provide specialist training to the incident management team. Produce user security policies covering acceptable & secure use of the organisation s systems. Establish a staff training programme. Maintain user awareness of the cyber risks. Establish an effective governance structure and determine your risk appetite just like you would for any other risk. Maintain the Board s engagement with the cyber risk. Produce supporting IRM policies. Source: CESG 10 steps to Cyber Maturity 22

24 Cyber Transformation 23

25 Section 2: Key Cyber Risk questions How secure are you currently? Are you getting more or less secure? How do you set priorities and risk appetite? How are you organised to manage the issue? Are you spending at the right level? And getting value for money for that spend? How do you manage third party suppliers? What have been the most serious security and privacy incidents that you (and your peers) have faced in the past 12 months, what have you learned from those experiences, and what are you now doing differently to prevent them from re-occurring? What key indicators are on your security dashboard, how is the organisation achieving those objectives, and how does this compare to your peers? What is your organisational risk appetite for downtime, data loss and privacy incidents, how do you set your appetite level, and how are you tracking against that? What are the 'crown jewels' that require the highest levels of protection? Which business processes are critical to survival of the organisation? How is your first line and second line of defence set up? How do you report on the risk? How do you co-ordinate across multiple responsible functions? What are you spending on security over the next three years? Is it enough to appropriately respond to the threat? Where are you under-invested and where can you make savings? Can you defend your investment compared to your peers? How do you ensure your suppliers (and their suppliers in turn) do not expose you to unacceptable cyber risk? 24

26 Contact Details Jason Alexander KPMG LLP Information Protection Mob: +44 (0) Information Security Consultancy of the Year - SC Magazine Europe Awards 2011 and

27 The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International Cooperative (KPMG International).