1 Cyber Security in Switzerland Finding the balance between hype and complacency Key points While the term cyber security means different things to different companies in Switzerland, sophisticated and targeted attacks pose a significant threat to most of them. Compared to Swiss companies operating internationally, companies that are primarily focused on the Swiss market tend to underestimate cyber threats. Businesses with immature cyber defences are often unable to quantify attacks and incidents. This can lead to a false sense of security and underinvestment in cyber security measures. Businesses need to assess the maturity of their cyber defences and take a strategic view of what measures are needed, rather than simply reacting to incidents or regulations. Cyber security is too systemic an issue to be the sole responsibility of the IT department. Businesses need an integrated cross-organisational strategy and operating model. Contacts Mark Carter Partner Deloitte AG +41 (0) Dr. Klaus Julisch Senior Manager Deloitte AG +41 (0) Audit. Tax. Consulting. Corporate Finance.
2 2 Cyber Security in Switzerland Finding the balance between hype and complacency Contents What is cyber security? 3 Threat awareness 5 Cyber maturity 8 Strategic importance 10 Recommendations 13 Endnotes 14 About the study Deloitte interviewed 17 Chief Information Security Officers (CISOs) and Heads of Security Engineering or Operations from a cross-section of industries to understand how Swiss-based companies prepare for and respond to cyber threats. The interviews were conducted between October 2013 and January The key findings of our analysis are summarised in this report. Acknowledgement We would like to thank all the executives who were interviewed for participating in this report. Additional contributors Dr. Michael Grampp, Head of Research, Deloitte AG Dennis Brandes, Research Manager, Deloitte AG
3 Cyber Security in Switzerland Finding the balance between hype and complacency 3 What is cyber security? Since Operation Aurora was publicly disclosed in early 2010, reports on cyber security and Advanced Persistent Threats (APTs) have increasingly dominated the media. Recent revelations about government surveillance programmes have further fuelled concerns about security in a hyper-connected world. Understanding the issue Senior IT and business leaders across all industries have frequently voiced the view that they have no clear definition for the term cyber security. Rather, the term is seen as new words for old ideas. For decades, companies have been deploying firewalls, anti-virus scanners, intrusion detection systems and other security controls to keep hackers out. Therefore, some participants questioned the new sense of urgency regarding cyber security. Among companies that embrace the term cyber security, definitions vary. A common definition is that cyber security provides defences against targeted attacks from external actors against a company s digital and online assets. Others take cyber security to mean attacks against the embedded IT systems in power plants, public transport systems or other critical infrastructure. Yet another definition is that cyber security is the defence against attacks using incident detection and response rather than preventative means such as firewalls or access controls. The 2013 ENISA Threat Landscape clearly shows how serious cyber threats are. Past defences are no longer sufficient, today. 4 CISO, Swiss Insurance Company Deloitte practitioners observe the same ambiguity among our clients world-wide. However, sophisticated and targeted attacks are a significant threat to companies information assets, brands and financial accounts. Consider the following: More and more assets are going digital, including personal identities, money, intellectual property, books, movies, and health records. Most of these assets are vulnerable to cyber attacks and expose their owners and custodians to risks. Government agencies, organised cyber crime rings (e.g. the Elderwood hackers) and hackers-for-hire (e.g. Hidden Lynx), have all made the news because of their sophistication and technical prowess. Targeted attacks grew by an estimated 42% in 2012 following 6% growth in Deloitte practitioner experience suggests that the majority of companies have experienced security breaches in the previous 12 months. Officials globally have taken notice and are introducing new cyber security laws and regulations. 2,3 This increasingly forces companies to take action.
4 4 Cyber Security in Switzerland Finding the balance between hype and complacency Are you prepared? While the term might be controversial, the issue is not: cyber security is a real and growing threat. Security leaders must therefore ask: Does my company have the right cyber capabilities to prevent, detect, and respond to targeted and sophisticated attacks against our digital and online assets? When discussing this question, interviewees had different views on three important aspects: Threat awareness the assessment of the severity of cyber threats. Cyber maturity the assessment of existing capabilities and defences. Strategic importance the importance assigned to cyber security versus other priorities and how much risk to tolerate. Businesses with mostly Swiss operations ranked these aspects differently from their internationally operating peers (see Chart 1). Domestically oriented companies rank cyber threats as low, their maturity as medium-to-high and the strategic importance as medium-to-low. International companies lean towards a high-medium-high ranking. While outliers exist, this model provides a concise view of the differences and raises interesting questions for companies regardless of their size or where they are located. The following sections explore the three aspects of threat awareness, cyber maturity and strategic importance in more detail. CHART 1. VIEWS ON CYBER SECURITY DIFFER BETWEEN DOMESTICALLY AND INTERNATIONALLY OPERATING COMPANIES High International companies Low RANKING Medium Domestic companies Threat awareness Cyber maturity ASPECT Strategic importance
5 Cyber Security in Switzerland Finding the balance between hype and complacency 5 Threat awareness While the majority of internationally oriented companies assess cyber threats as high, domestically oriented businesses generally rate these threats as medium-tolow (see Chart 1). Clearly, all companies operate in the same cyber space and the dichotomy can be traced back to differences in threat awareness. Interviewees with medium or low threat awareness frequently used arguments such as: We have nothing of value that would motivate cyber criminals to attack us. Our audit reports show that we are ok. We have not experienced any severe cyber incidents in the recent past. Other interviewees experiences as well as our own project work with clients globally show that these arguments may not hold up to closer scrutiny. As such, they can create a dangerous and false sense of security. Nothing of value versus the motives of hackers Few, if any, businesses are so commoditised that they have no data, intellectual property, brand name, or financial resources that attackers might find attractive. However, even if there was nothing to be stolen, several CISOs pointed out that organisations get hacked by opportunistic attackers, just because they are vulnerable. Companies can get targeted, not because of their assets, but because they are a stepping stone to the ultimate target. Some companies are attacked because hackers want to control their computing resources, e.g. to turn the organisations networks into botnets. Hacktivists compromise companies to inflict reputational damage for political rather than economic motives. Foreign governmental agencies may seek control over other nations critical infrastructure for military advantage. The same weapons that are used against global and multinational companies are also being used against small or regional companies. Head of Security, ICT Company Accidental failures and human errors can also result in cyber incidents. For example, web crawlers regularly find and retrieve sensitive data on misconfigured web servers. This type of error has been so common that an entire methodology, known as search engine hacking, was developed to take advantage of it. 5 Rogue clouds are another case in point. 6 It is important to factor in these aspects when assessing the cyber threats a company faces. Some interviewees could convincingly argue that their cyber controls were strong enough that the cost of overcoming them exceeded the value of what could be gained. This is a valid argument and the above objection merely addresses the notion that a company had nothing of value to attackers, which is hardly ever true.
6 6 Cyber Security in Switzerland Finding the balance between hype and complacency What we see depends mainly on what we look for. John Lubbock Banker, politician and scientist from the 19th century Using audit reports as a yardstick Some interviewees relied on their financial or regulatory audits as assurance that cyber threats were under control. We caution companies to examine their audit reports carefully before drawing such conclusions. Financial and regulatory audits are risk-based and cover certain applications and IT infrastructure controls in the areas of access security, IT change management and IT operations. In particular external audits generally exclude large parts of IT as well as many pertinent security controls such as intrusion detection systems and vulnerability management. As a result, external audit reports are generally not the right yardstick for measuring cyber security. Seeing is believing Companies that have experienced few security incidents should be careful not to draw the wrong conclusions. Companies are notoriously bad at detecting security incidents as demonstrated by the fact that approximately 70% of incidents are detected by external parties rather than the companies themselves and the majority of incidents take months to discover. 7 Moreover, a self-reinforcing cycle of blindness can set in when a state of not seeing any incidents leads to not looking (a classic case of confirmation bias). Chart 2 shows what occurs in many companies. Those that are not aware of a cyber incident may tend to belittle such threats. Lacking a business case, they do not invest in the kind of capabilities that would make them more aware of their true exposures. This creates a self-reinforcing cycle, which continues until it is broken. Experience shows that this only happens through a catalyst such as a major cyber incident, regulatory pressure or a devastating security assessment that attracts the attention of senior management.
7 Cyber Security in Switzerland Finding the balance between hype and complacency 7 A catalyst by itself, however, is seldom enough to break the cycle. It also takes a strong executive leader who can mobilise the company, secure funding, deliver results and articulate the value of these results to maintain momentum. Maintaining momentum is crucial because major cyber security transformations can take two to three years. Once companies start investing, they are better able to see threats and their true state of security improves. However, this can reveal disturbing facts. For example, one interviewee noted that security incidents detected have been increasing by 40 per cent per year over the last several years mostly, as a result of investments in security monitoring capabilities. This experience is not uncommon and helps establish a virtuous cycle of continuous learning and improvement. CHART 2. MOVING FROM BLINDNESS TO AWARENESS Not seeing Seeing VICIOUS CYCLE OF BLINDNESS CATALYST & LEADERSHIP VIRTUOUS CYCLE OF AWARENESS Not investing Not believing Investing Believing Action Points Revisit your threat assessment and make sure to factor in all adversaries (opportunists, cyber criminals, corporate spies, hacktivists, nation states) as well as non-malicious accidents. Avoid getting stuck in the cycle of blindness. As a security professional you cannot defend your company unless you are aware of the threats, attacks and incidents the company faces. Ask yourself: If our IT systems were compromised, how would we know? How can we be certain that intellectual property is not being sent to competitors? How would we learn about fraudsters that steal our brand to establish a fake Internet presence? What don t we know that could hurt us?
8 8 Cyber Security in Switzerland Finding the balance between hype and complacency Cyber maturity When asked whether companies are doing enough to protect their assets against cyber attacks more than 80 per cent of interviewees answered not yet. The list of gaps included everything from relatively basic capabilities (e.g. configuring firewalls, basic network monitoring, detection of unauthorised devices, patching software) to more advanced cyber capabilities such as cyber intelligence, zero-day protection 8 or cyber incident response. The following sections summarise the four key points that stood out from the conversations. Difficulty measuring cyber maturity Many companies find it difficult to assess how good their cyber security is and find it even more difficult to decide how good their cyber security should be. Consequently, they do not have a strategic view of where they stand and where they want to go. In such companies, security priorities are generally based on audit issues, compliance requirements, past security incidents or an effort to salvage sunk costs. Based on our project work, we would recommend a more strategic approach, which is also embraced by some of the companies interviewed for this study. In this approach, a scoping step is used to identify the key capabilities the company wants to focus on. Subsequently, each capability is ranked on a 1-to-5 maturity scale and a target state is defined to document the aspired maturity (see Charts 3 and 4). CHART 3. MEASURING CYBER MATURITY EXAMPLE FROM A DELOITTE PROJECT Cyber capabilities (Defined based on project scope) 1 Initial 2 Repeatable 3 Refined 4 Managed 5 Optimised Cyber threat intelligence Logging, monitoring and scanning Secure development lifecycle Malware protection Vulnerability & patch management Firewalls (incl. application firewalls) Cyber incident response User training and awareness Current state as assessed during the project Target state as defined by the client Tools are not capabilities Many companies have a tendency to deploy new tools faster than they are able to integrate them into their processes and organisational structures. This leads to situations where, for example, intrusion detection systems are deployed without having provided the processes to configure, maintain and monitor them. While companies realise that tools are not capabilities, they struggle to drive the necessary organisational transformations. Moreover, to build mature cyber capabilities, companies must take a holistic approach that advances the maturity of people, processes and technology (see Chart 4).
9 Cyber Security in Switzerland Finding the balance between hype and complacency 9 CHART 4. CYBER MATURITY SCALE 1 Initial 2 Repeatable 3 Refined 4 Managed 5 Optimised People Basic knowledge, undefined roles and responsibilities, reactive. Fragmented expertise, roles and responsibilities defined in silos. Trained security staff, enterprisewide roles and responsibilities exist. Broad and deep expertise, use of threat intelligence to act proactively. Highly skilled staff, holistic and systematic work approach using KPIs. Processes Ad hoc and mostly manual, inconsistent execution, little documentation. Processes exist in silos, but inconsistent design and execution. Defined processes, some automation, documentation. Strong focus on automation, KPIs used to improve effectiveness. Continuous improvement and integration with enterprise risk management. Technology Basic security technologies managed in a piecemeal manner. Foundational security technology managed in silos. Centralised technologies in line with enterprise policies. Best of breed technology aligned with policies. Extensive automation using technologies. Cyber intelligence is a focus area The majority of interviewees are investing to improve their companies cyber intelligence. In general, these efforts focus on implementing classic security logging and monitoring capabilities including Security Information and Event Management (SIEM). These are important steps towards breaking the cycle of blindness previously discussed. Only a small number of interviewees are investing in more advanced cyber intelligence such as malware forensics, commercial intelligence feeds, big data analytics or low-interaction honeypots. 9 Cyber incident response is in its infancy Most companies have historically underinvested in incident response. Even today, few have started to invest in this area to build teams that are capable of responding to attacks in a coordinated manner that integrates all affected parties and captures forensic evidence to support law enforcement and continuous improvement efforts. This makes cyber response the orphan child among cyber capabilities and an important area of improvement because it literally is the last line of defence when all other controls have failed. Moreover, professional incident response capabilities are indispensable when cleaning up incidents caused by Advanced Persistent Threats. 10 Action Points Form a strategic view of your cyber capabilities current and target states. Take people, processes and technology into account when assessing the maturity of cyber capabilities. If available, factor empirical evidence into the assessment. Specifically assess if you need to invest in specialised incident response capabilities or if you should contract with an external provider who can provide these skills on demand in the event of incidents.
10 10 Cyber Security in Switzerland Finding the balance between hype and complacency Strategic importance Lack of strategic support and funding Only a third of interviewees responded that in their companies, cyber security is considered a must have of strategic importance that cannot be traded off against other priorities. The remaining respondents did not single out cyber security as a category of its own, but rather managed it as part of their general information security budgets. These companies reported varying degrees of difficulty in obtaining executive support and funding to strengthen cyber security. The root cause for this difficulty was partially attributed to the vicious cycle of blindness described previously: When empirical evidence is lacking, it is difficult to create a compelling business case and gain executive sponsorship for cyber security investments. However, the situation is exacerbated by a widespread bias among C-level executives who tend to view security as a second-tier priority. Three main factors are seen as contributing to this bias: Security in general, and cyber security in particular, are seen as highly technical IT problems that are preferably delegated to IT specialists. Cyber incidents are rarely made public, which creates a shortage of recent, vivid and memorable examples. Psychological studies have shown that without such examples, risks are perceived as more benign. 11 C-level executives are highly focused on managing financials and leading change and innovation. These predispositions can be at odds with the values of security, stability, and operational continuity. Thus, what could be described as a bias for action puts the priority of security projects under pressure.
11 Cyber Security in Switzerland Finding the balance between hype and complacency 11 Changing priorities In the words of one CISO, the lynchpin is getting executives to understand that cyber security is their responsibility. This is because rather than being an IT problem, cyber security is a systemic problem that has its roots in IT and affects all parts of a company. Consider the following examples: In general, IT departments do not monitor blogs and online communities to detect when a company s brand is belittled on the Internet. Nor do IT departments prepare press releases when such Internet chatter is picked up by mainstream media. Attacks that abuse corporate brands such as cyber squatting or brandjacking 12 are generally not addressed by IT departments. While security breaches at third parties are a significant security threat to many companies, most IT departments do not own the topic of third party security. 13 Businesses must maintain relationships with industry peers, customers, suppliers, regulators and governmental agencies to exchange threat intelligence and respond to incidents in an effective manner. The bottom line is that C-suite leadership is essential to manage all facets of cyber security holistically and across organisational silos. The majority of interviewees confirmed this point, but less than half of all companies have established the necessary executive support. Action Points Continue to brief senior management on cyber security to win strong and broad sponsorship among C-level executives. Take an enterprise-wide view of cyber security: Identify all internal and external parties that have a stake in cyber security. Define their roles and responsibilities, and establish end-to-end processes for incident detection, incident response, and other cyber capabilities. Appoint a single C-level executive or a management board who is accountable for all aspects of cyber security across the company.
12 12 Cyber Security in Switzerland Finding the balance between hype and complacency Security is the last remaining IT Risk. Former CIO Global Fortune 10 Company
13 Cyber Security in Switzerland Finding the balance between hype and complacency 13 Recommendations The threat from sophisticated and targeted attacks against digital and online assets is real and growing. To respond to this situation, security leaders should consider the following steps: 1. Reassess cyber threats. Make sure to consider all threat actors (opportunists, cyber criminals, corporate spies, hacktivists, nation states, etc.) and their motivations (financial gain, publicity, inflicting damage, access to computer resources, theft of knowledge). Given these motivations, what threat do your digital and online assets face from potential attackers? 2. Gain visibility. Companies often underestimate threats because they do not observe them. Companies that lack the technical capabilities to monitor attacks and detect incidents should prioritise investments in these areas. 3. Take a strategic view. Take a strategic view of the cyber capabilities your company needs, their current maturity and the target maturity that is required. Then invest in achieving those capabilities target maturities. Doing so will ensure that scarce resources are allocated wisely, rather than being lost in tactical battles. 4. Build company-wide governance. Cyber security is a systemic issue that requires a coordinated approach involving IT, legal & compliance, public relations, fraud investigations, external regulators, customers, partners and the broader public. Companies should therefore build a holistic cyber governance approach that manages these stakeholders end-to-end. 5. Maintain communication with senior management. C-level executives are biased to focus on change initiatives and financial performance while delegating cyber security to IT departments. Security leaders must counter this bias by maintaining continuous communication with senior management to gain their support and sponsorship.
14 14 Cyber Security in Switzerland Finding the balance between hype and complacency Endnotes and 2013 Internet Security Threat Report, Symantec 2012 and 2013, see also: 2 Digital Agenda for Europe Cybersecurity; European Commission, see also: 3 National Cyber Security Strategies in the World; ENISA, see also: In particular, regulators take a keen interest in the cyber resilience of the banking system, as evidenced by the 2013 cyber simulations Waking Shark II in the United Kingdom and Quantum Dawn II in the United States ENISA Threat Landscape; ENISA, 2013, see also: enisa-threat-landscape-2013-overview-of-current-and-emerging-cyber-threats 5 Understanding the Web: A Guide to Internet Research, National Security Agency, See also: 6 Navigating Social Media Legal Risks: Safeguarding Your Business, Robert McHale, Que Publishing, The 2013 Data Breach Investigations Report, Verizon, 2013, see also: 8 Zero-day attacks are attacks that exploit previously unknown software vulnerabilities. 9 Virtual Honeypots: From Botnet Tracking to Intrusion Detection, Niels Provos and Thorsten Holz, Addison-Wesley Professional, Security Incident Response in the Age of APT, Anton Chuvakin, Gartner, September 25, The Psychology of Security, Bruce Schneier, Africacrypt 2008, LNCS 5023, Springer-Verlag, 2008, pp Navigating Social Media Legal Risks: Safeguarding Your Business, Robert McHale, Que Publishing, Blurring the lines, 2013 TMT Global Security Study, Deloitte; 2013, see also: https://www.deloitte.com/view/en_gu/gu/industries/tech-media-telecommunications/57 72cd015031f310VgnVCM f70aRCRD.htm
15 Cyber Security in Switzerland Finding the balance between hype and complacency 15 About Deloitte in Switzerland Deloitte is a leading accounting and consulting company in Switzerland and provides industry-specific services in the areas of audit, tax, consulting and corporate finance. With approximately 1,100 employees at six locations in Basel, Berne, Geneva, Lausanne, Lugano and Zurich (headquarters), Deloitte serves companies and institutions of all legal forms and sizes in all industry sectors. Deloitte AG is a subsidiary of Deloitte LLP, the UK member firm of Deloitte Touche Tohmatsu Limited (DTTL). DTTL member firms comprise of approximately 200,000 employees in more than 150 countries around the world. Basel Zurich Berne Lausanne Geneva Lugano
16 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited ( DTTL ), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of DTTL and its member firms. Deloitte AG is a subsidiary of Deloitte LLP, the United Kingdom member firm of DTTL. Deloitte AG is recognised as auditor by the Federal Audit Oversight Authority and the Swiss Financial Market Supervisory Authority. This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte AG would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte AG accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication Deloitte AG. All rights reserved. Designed and produced by The Creative Studio at Deloitte, Zurich A
Cyber Security Evolved Aware Cyber threats are many, varied and always evolving Being aware is knowing what is going on so you can figure out what to do. The challenge is to know which cyber threats are
Addressing Cyber Risk Building robust cyber governance Mike Maddison Partner Head of Cyber Risk Services The future of security The business environment is changing The IT environment is changing The cyber
CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to
ISO27032 Guidelines for Cyber Security Deloitte Point of View on analysing and implementing the guidelines Deloitte LLP Enterprise Risk Services Security & Resilience Contents Foreword 1 Cyber governance
Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security
Treasury Advisory Services Stability through effective financial risk and liquidity management Audit. Tax. Consulting. Financial Advisory. Treasury Health Check Identify gaps and benchmark to make informed
POINT OF VIEW CYBERSECURITY IN FINANCIAL SERVICES Financial services institutions are globally challenged to keep pace with changing and covert cybersecurity threats while relying on traditional response
Cyber: The Catalyst to Transform the Security Program Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA A Common Language? Hyper Connected World Rapid IT Evolution Agile Targeted Threat
Under control 2015 Hot topics for IT internal audit in financial services An Internal Audit viewpoint Introduction Welcome to our fourth annual review of the IT hot topics for IT internal audit in financial
January IIA / ISACA Joint Meeting Pre-meeting Cybersecurity Update for Internal Auditors Matt Wilson, Risk Assurance Director Introduction and agenda Themes from The Global State of Information Security
Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices
www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in
www.pwc.com.tr/cybersecurity Managing cyber risks with insurance Key factors to consider when evaluating how cyber insurance can enhance your security program June 2014 Managing cyber risks to sensitive
Combating a new generation of cybercriminal with in-depth security monitoring 1 st Advanced Data Analysis Security Operation Center The Challenge Don t leave your systems unmonitored. It takes an average
Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...
The enemies ashore Vulnerabilities & hackers: A relationship that works Alexandros Charvalias, Manager CISSP, CISA, ACDA Assurance & Enterprise Risk Services Cyber security maturity model How effectively
Increase insight. Reduce risk. Feel confident. Define critical goals with enhanced visibility then enable security and compliance across your complex IT infrastructure. VIRTUALIZATION + CLOUD NETWORKING
Into the cybersecurity breach Tim Sanouvong State Sector Cyber Risk Services Deloitte & Touche LLP April 3, 2015 Agenda Setting the stage Cyber risks in state governments Cyber attack vectors Preparing
Cyber security: everybody s imperative A guide for the C-suite and boards on guarding against cyber risks Secure Enhance risk-prioritized controls to protect against known and emerging threats, and comply
Cybersecurity Services Combating a new generation of cybercriminal with in-depth security monitoring 1 st Advanced Data Analysis Security Operation Center The Challenge Don t leave your systems unmonitored.
RETHINKING CYBER SECURITY Introduction Advanced Persistent Threats (APTs) and advanced malware have been plaguing IT professionals for over a decade. During that time, the traditional cyber security vendor
Assetbox The future of asset management out of a box Audit. Tax. Consulting. Corporate Finance. Assetbox? Driven by reality, inspired by a vision The asset management market is facing continuous change:
Cyber threat intelligence and the lessons from law enforcement kpmg.com/cybersecurity Introduction Cyber security breaches are rarely out of the media s eye. As adversary sophistication increases, many
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES Leonard Levy PricewaterhouseCoopers LLP Session ID: SEC-W03 Session Classification: Intermediate Agenda The opportunity Assuming
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
A BUSINESS CASE FOR BEHAVIORAL ANALYTICS White Paper Introduction What is Behavioral 1 In a world in which web applications and websites are becoming ever more diverse and complicated, running them effectively
I D C A N A L Y S T C O N N E C T I O N Robert Westervelt Research Manager, Security Products T h e R o l e a nd Value of Continuous Security M o nitoring August 2015 Continuous security monitoring (CSM)
Malware isn t The only Threat on Your Endpoints Key Themes The cyber-threat landscape has Overview Cybersecurity has gained a much higher profile over the changed, and so have the past few years, thanks
Vulnerability Risk Management 2.0 Best Practices for Managing Risk in the New Digital War In 2015, 17 new security vulnerabilities are identified every day. One nearly every 90 minutes. This consistent
An Executive Brief from Cisco Cybersecurity: A View from the Boardroom In the modern economy, every company runs on IT. That makes security the business of every person in the organization, from the chief
White Paper McAfee Security Architectures for the Public Sector End-User Device Security Framework Table of Contents Business Value 3 Agility 3 Assurance 3 Cost reduction 4 Trust 4 Technology Value 4 Speed
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
22 SPONSORED FEATURE COMBATTING DIGITAL FRAUD Combatting digital fraud Combatting digital fraud has become a strategic business issue for today s CIOs. The battle to contain fraud is as old as business
RETHINKING CYBER SECURITY CHANGING THE BUSINESS CONVERSATION INTRODUCTION Advanced Persistent Threats (APTs) and advanced malware have been plaguing IT professionals for over a decade. During that time,
Close the security gap with a unified approach Detect, block and remediate risks faster with end-to-end visibility of the security cycle Events are not correlated. Tools are not integrated. Teams are not
Extracting learning from operational risk loss events and root cause analysis Caroline Coombe Chief Executive, ORIC International Today s agenda An introduction to ORIC International Risk consciousness
Cyber threat intelligence and the lessons from law enforcement kpmg.com.au Introduction Cyber security breaches are rarely out of the media s eye. As adversary sophistication increases, many organisations
WHAT EVERY CEO, CIO AND CFO NEEDS TO KNOW ABOUT CYBER SECURITY. A guide for IT security from BIOS The Problem SME s, Enterprises and government agencies are under virtually constant attack today. There
Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence AIBA Quarterly Meeting September 10, 2015 The Answer 2 Everyone The relationship between the board, C-suite, IT, and compliance leaders
TOP 3 Reasons to Give Insiders a Unified Identity Although much publicity around computer security points to hackers and other outside attacks, insider threats can be particularly insidious and dangerous,
Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction
CYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY INTRODUCTION Information security has evolved. As the landscape of threats increases and cyber security 1 management becomes
Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information
Cyber- Attacks: The New Frontier for Fraudsters Daniel Wanjohi, Technology Security Specialist What is it All about The Cyber Security Agenda ; Protecting computers, networks, programs and data from unintended
Cyber security Digital Customer Experience Digital Employee Experience Digital Insight Internet of Things Payments IP Solutions Cyber Security Cloud 2015 CGI IT UK Ltd Contents... Securing organisations
www.pwc.com Developing a robust cyber security governance framework 16 April 2015 Cyber attacks are ubiquitous Anonymous hacker group declares cyber war on Hong Kong government, police - SCMP, 2 October
CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison Gary Solway* Bennett Jones LLP The August release of the purported names and other details of over 35 million customers
Home Overview Challenges Global Resource Growth Impacting Industries Address C-level Cybersecurity issues to enable and secure Digital transformation We support cybersecurity transformations with assessments,
www.pwc.com/security Defending yesterday While organizations have made significant security improvements, they have not kept pace with today s determined adversaries. As a result, many rely on yesterday
Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice Introduction There are numerous statistics published by security vendors, Government
EMERGING CYBER SECURITY THREATS: A FUTURE OUTLOOK Leonard Ong, CISA, CISM, CRISC, CGEIT, CoBIT 5 Implementer & Assessor 14 February 2016 AGENDA 1. The present state of Cybersecurity 2. Threat horizon 2018
MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile
Threat Intelligence & Analytics Cyber Threat Intelligence and how to best understand the adversary s operations September 2015 Copyright 2015 Deloitte Development LLC. All rights reserved. This presentation
IIA South Event 16 th June 2015 Cyber, Social Media and IT Risks 1 st and 2 nd Line Perspective David Canham (BA) Hons, MIRM Agenda This evening we ll cover the following: Who, why and what? Traditional
Rethinking Information Security for Advanced Threats CEB Information Risk Leadership Council Advanced threats differ from conventional security threats along many dimensions, making them much more difficult
Fostering Incident Response and Digital Forensics Research Bruce J. Nikkel firstname.lastname@example.org September 8, 2014 Abstract This article highlights different incident response topics with a focus on digital
THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS Download the entire guide and follow the conversation at SecurityRoundtable.org Detection, analysis, and understanding of threat
CONTINUOUS MONITORING Managing the Unpredictable Human Element of Cybersecurity A WHITE PAPER PRESENTED BY: May 2014 PREPARED BY MARKET CONNECTIONS, INC. 14555 AVION PARKWAY, SUITE 125 CHANTILLY, VA 20151
AUDIT COMMITTEE INSTITUTE Cyber Security for audit committees An introduction kpmg.com/globalaci 2 Audit Committee Institute An introduction to cyber security for audit committees Audit committees have
Keeping sight of your business Hot topics facing Financial Services organisations in IT Internal Audit 2014 Welcome to our third annual review of the IT hot topics facing Internal Audit functions within
The Internal Audit fraud challenge Prevention, protection, detection Contents Introduction to survey 1 Key findings 2 What are the views of senior management? 3 Adequately resourced? 6 Current trends and
Secure by design: taking a strategic approach to cybersecurity The cybersecurity market is overly focused on auditing policy compliance and performing vulnerability testing when the level of business risk
Identity & Management The Cloud Perspective Andrea Themistou 08 October 2015 Agenda Cloud Adoption Benefits & Risks Security Evolution for Cloud Adoption Securing Cloud Applications with IAM Securing Cloud
October 24, 2014 Mitigating Legal and Business Risks of Cyber Breaches AGENDA Introductions Cyber Threat Landscape Cyber Risk Mitigation Strategies 1 Introductions 2 Introductions To Be Confirmed Title
Developments in cybercrime and cybersecurity Developments in cybercrime and cybersecurity As customers and clients increasingly go online to do their banking with convenience, privacy and security their
THE CYBER SECURITY PLAYBOOK WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW BEFORE, DURING, AND AFTER AN ATTACK SECURITY REIMAGINED THE CYBER SECURITY PLAYBOOK 2 03 Introduction 04 Changing Roles, Changing Threat
Insero & Company s Accounting & Finance Education Series Presents 7 Things All CFOs Should Know About Cyber Security September 23, 2014 Michael Montagliano Chief Technologist, IV4. Inc. CERTIFIED PUBLIC
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
Cyber security: Are Australian CEOs sleepwalking or a step ahead? kpmg.com.au Cyber attack is one of the biggest threats to Australian businesses, however many Chief Executive Officers (CEOs) admit a lack
Who s next after TalkTalk? Frequently Asked Questions on Cyber Risk Fraud threat to millions of TalkTalk customers TalkTalk cyber-attack: website hit by significant breach These are just two of the many
www.pwc.com/ca/security Trends in Cybersecurity and Privacy Insights from The Global State of Information Security Survey 2016 Ottawa, Ontario April 13, 2016 Your speakers today David Craig Anthony Dias
At risk and unready in an interconnected world Key findings from The Global State of Information Security Survey 2015 Cyber attacks against power and utilities organizations have transitioned from theoretical
Procuring Penetration Testing Services Introduction Organisations like yours have the evolving task of securing complex IT environments whilst delivering their business and brand objectives. The threat
IT ADVISORY Cyber Security: from threat to opportunity www.kpmg.com/nl/cybersecurity From threat to opportunity / Cyber security / 1 FOREWORD OPPORTUNITY-DRIVEN CYBER SECURITY Cyber security (also known
Cyber security: Are consumer companies up to the challenge? 1 Cyber security: Are consumer companies up to the challenge? A survey of webcast participants kpmg.com 1 Cyber security: Are consumer companies