Cyber Security key emerging risk Q3 2015

Transcription

1 Cyber Security key emerging risk Q The study is based on interviews with CIO:s, CISO:s and Head of Security in August and September November

2 Companies falling behind are more likely to face a Cyber Security attack 2 Cyber Security key emerging risk Q3 2015

3 State of Swedish Cyber Security Key observations from survey Rolf Rosenvinge One of Swedens leading experts and responsible for Cyber at PwC Sweden Number of incidents continue to increase and overall dedicated Cyber Security spend is not picking up at surveyed clients as we see among Global peers. These two facts equals increasing risk levels among clients. Are Audit Committees aware? And is this in line with the Boards Risk Appetite? Additionally, when comparing Swedish companies with European and global companies, it is clear that Swedish clients are falling behind in terms of: 1. Single responsible Executive appointed CISO with fit for purpose organization including clear mandates and management support. 2. Lack of mature Cyber Security Governance mechanisms policies, procedures, mandates, forums and Board level reporting. 3. Clear understanding of Crown Jewels. What are they, where are they and who has access? Resilience Martin Allen Internationally experienced Cyber Security expert, PwC Sweden Cyber Security Risk Management Cyber Security - Sweden Is the lack of a large scale/high impact attack in Sweden with significant media coverage the reason why we still see relatively low maturity levels in a European/global comparison? Privacy Cyber Security key emerging risk Q

4 Cyber Security Strategy 36% Only 36% of surveyed clients have a fully or partially implemented Management system for Information Security. How much risk are the organizations (unknowingly) carrying due to lack of Management oversight and only partially defined standards, procedures and control environments? 55% of the Boards of surveyed clients are not continuously engaged in Cyber Security discussions (Strategy, status and funding etc). 55% More robust Cyber Security Governance mechanisms are needed among surveyed clients. Getting to a Board level risk appetite statement is the first step to a successful Cyber Security Strategy. And designing a set of non-technical KPI:s/KRI:s supporting the risk appetite statement would allow for continuous Board level monitoring of this key emerging risk. 37% Only 37% of surveyed clients have classified their data. And only 27% are actively monitoring their technology landscape for data loss. Defining the Crown Jewels (CJ) should be one of the immediate starting points for a effective Cyber Security program. Designing and implementing a fit for purpose monitoring of the CJs to avoid critical data being ex-filtrated would be a logic next step. 4 Cyber Security key emerging risk Q3 2015

5 Cyber Security Operations 0% 0% of surveyed clients have full Forensics capabilities in-house. Most clients (55%) rely on external vendors for Forensic services. Focusing in-house resources on daily Cyber Security operations and relying on vendors for external expertise makes sense if it is a conscious decision. Only 10% of surveyed clients have fully integrated response capabilities. 10% 63% have limited response capabilities to counter an active ongoing attack. Do we fully understand that taking the Compliance -approach to Cyber Security will not be sufficient tomorrow? Are clients integrating Threat Intelligence into their Cyber Security operating model? 27% Only 27% of surveyed clients are actively monitoring their technology landscape for data loss. Many clients have partial monitoring in place but since Crown Jewels are not designated in many organizations (see previous page) the effectiveness of the monitoring in place could be inadequate. Are sufficient efforts in place to monitor data exfiltration attempts? Or are too many (relatively) efforts placed on only identifying incoming malicious threats? Cyber Security key emerging risk Q

6 The Cyber Security Roadmap - 8 steps to fix the problem 1. Cyber Risk Assessment 2. Roles & Responsibilities CISO etc 3. Information Security Program funded and resourced, fit for purpose design 4. Critical data crown jewels: What are they? Where are they? Who owns them? 5. Fix the basics policies, standards, vulnerabilities, access etc 6. Detection and response capabilities 7. 3rd party risk vendors, outsourcing partners, JVs etc 8. People matter company culture, awareness training, insider threats etc 6 Cyber Security key emerging risk Q3 2015

7 Cyber Security key emerging risk Q

8 Contact information Rolf Rosenvinge +46 (0) Martin Allen + 46 (0) PwC Sweden is the market leader within auditing, accounting, tax and advisory services, with 3,600 people with operations at 100 locations throughout the country. Using our experience and unique business knowledge, we enhance value for our 60,000 clients, who are comprised of global companies, major Swedish companies and organisations, smaller and medium-sized companies, primarily local, and the public sector. PwC Sweden is a separate and independent legal entity. We are the Swedish member firm of the PwC global network. Close to 208,000 people in 157 countries across our network share their thinking, experience and solutions to develop fresh perspectives and practical advice.