20+ At risk and unready in an interconnected world

Size: px
Start display at page:

Download "20+ At risk and unready in an interconnected world"

Transcription

1 At risk and unready in an interconnected world Key findings from The Global State of Information Security Survey 2015 Cyber attacks against power and utilities organizations have transitioned from theoretical to indisputable. Over the past year, sophisticated cyber adversaries have infected the industrial control systems of hundreds of energy companies in the US and Europe; others successfully infiltrated a public utility via the Internet and compromised its control system network. The volume of incidents increased dramatically in the past year. respondents to The Global State of Information Security Survey (GSISS) 2015, report the average number of detected incidents skyrocketed to 7,391, a six-fold increase over the year before. (We define a incident as any adverse incident that threatens some aspect of computer.) Yet as attempts to compromise supervisory control and data acquisition (SCADA), industrial control, and information technology systems have soared, information spending has not kept pace. respondents say spending in increased by a comparatively modest 9%. In, by contrast, survey respondents reported a significant 25% boost in investments, which very well may account for a portion of this year s increase in detected incidents. After all, organizations that spend more on typically discover more incidents. 20+ Detected incidents soared to more than 20 per day, per organization // 1

2 Even though businesses have invested more heavily in ious years, spending has been stalled at 4% or less of the total IT budget for the past five years. GSISS 2015: results at a glance Click or tap each title to view data Incidents Sources of incidents Security spending This lack of investment in has very likely contributed to attrition of key capabilities, including fundamental strategies, processes, technologies, and awareness programs. We also found some noteworthy improvements in practices, but it s worth pointing out that these advances were fewer and comparatively incremental. 8K 7,391 6K 3M $ 2.4M 4K 2M All things considered, many power and utilities companies seem to be unready for the increasing risks of today s interconnected world. 1,179 $ 1.2M 1M Average number of detected incidents Estimated total financial losses // 2

3 Even though businesses have invested more heavily in ious years, spending has been stalled at 4% or less of the total IT budget for the past five years. GSISS 2015: results at a glance Click or tap each title to view data Incidents Sources of incidents Security spending This lack of investment in has very likely contributed to attrition of key capabilities, including fundamental strategies, processes, technologies, and awareness programs. We also found some noteworthy improvements in practices, but it s worth pointing out that these advances were fewer and comparatively incremental. 40% 37% 38% 31% 30% 29% 30% All things considered, many power and utilities companies seem to be unready for the increasing risks of today s interconnected world. 20% 17% 20% 14% Current employees Former employees Hackers Current service providers/ consultants/contractors // 3

4 Even though businesses have invested more heavily in ious years, spending has been stalled at 4% or less of the total IT budget for the past five years. GSISS 2015: results at a glance Click or tap each title to view data Incidents Sources of incidents Security spending This lack of investment in has very likely contributed to attrition of key capabilities, including fundamental strategies, processes, technologies, and awareness programs. We also found some noteworthy improvements in practices, but it s worth pointing out that these advances were fewer and comparatively incremental. 4M $ 3.4M $ 3.7M 3M 6% 4.0% 3.9% 2M 4% All things considered, many power and utilities companies seem to be unready for the increasing risks of today s interconnected world. 2% Average annual IS budget IS spend as percentage of IT budget // 4

5 The primary threat actors those who perpetrate incidents remained relatively constant in the past year. Current and former employees are once again the most-frequent culprits of incidents, cited by 38% and 30%, respectively, of respondents. While incidents caused by employees often fly under the radar of the media, those committed by organized crime groups, activists, and nation-states typically do not. Attacks by these threat actors remain among the least frequent, but they are also among the fastest-growing incidents. 10% 14% Often these groups employ powerful distributed denial of service (DDoS) attacks in an attempt to embarrass organizations for social or political ends, rather than to exfiltrate data or intellectual property. Similarly, the number of respondents who cited organized criminals as the source of attacks increased 31% over last year. Cyber incidents attributed to nation-states continue to garner the lion s share of attention. This year, 14% of respondents attributed incidents to activists and hacktivists, a 40% jump over. They are keenly interested in energy, and they often target critical infrastructure providers and suppliers to steal IP and trade secrets as a means to advance their own political and economic advantage. This year, incidents attributed to nation-states more than doubled over. Given the ability of nation-state adversaries to carry out attacks without detection, we believe the volume of compromises is very likely under-reported. // 5

6 The fastest-growing sources of incidents Increase over 118% 48% 40% 31% Foreign nation-states Information brokers Activists/activist organizations/hacktivists Organized crime Security executives of power and utilities companies have told us that they also see -incident patterns in which criminals seem to be indiscriminately exploring the network to find any data of any value. Once they find data, they quickly siphon it off and try to sell it. That, in part, may account for the 43% rise in respondents who report that data was exploited as a result of incidents, the most cited impact. // 6

7 While the number of detected incidents increased dramatically, organizations say the financial impact of these compromises lessened. respondents say total financial losses resulting from incidents declined to an average of $1.2 million, a 51% drop over. This finding seems counter-intuitive, given the huge upsurge in detected compromises. In part, the discrepancy may be attributed to the 25% rise in spending in, which may have enabled organizations to more quickly detect and mitigate incidents before they caused real financial harm. Another explanation may be that, while adversaries have been able to gain access to power and utilities companies networks, they are typically stopped before they can wreak havoc on operational and SCADA systems. And unlike the retail sector, which has been hit by a barrage of breaches, power and utilities companies hold comparatively few payment card records and therefore are not liable for costly mitigation of card theft and customer data. We also looked into how power and utilities respondents calculate the financial consequences of incidents, and found that many do not consider a full range of possible impacts, including costs associated with legal defense fees, court settlements, forensics, and reputational damage. // 7

8 As risks to IT, operational, and connected-field assets continue to rise, some power and utilities companies may need to take a more strategic approach to information. At the core of this initiative should be a riskbased cyber program that enhances the ability to identify, manage, and respond to privacy and threats. It all starts with an information strategy or at least it should. However, we found the number of organizations that have an overall information strategy dropped to 70% this year, down from 79% in. Moreover, those that have a strategy that is aligned with the specific needs of the business declined to 45%, from 65% last year. An effective strategy will allocate spending to the assets that are most valuable to the business. respondents show a more solid, if incomplete, commitment in this area: 62% say their investments are allocated to the organization s most profitable lines of business. companies seem to be falling short of the fundamentals: Only 54% say they have a unified and controls framework and/or enterprise riskmanagement framework to address cyber risks. Last year that number was 61%. A basic tenet of an effective information strategy is that it should be founded on risk management. A strategic approach is lacking // 8

9 70% 79% 57% 65% 59% 56% Many key safeguards weaken Have information strategy Secure access-control measures Patch-management tools 55% Intrusion-detection tools 50% 54% 66% Privileged user access 55% 49% 68% 63% 63% 55% Vulnerability scanning tools 39% 48% Before resources can be allocated, however, it will be necessary to first identify the organization s most valuable assets and determine who owns responsibility for them. This is an area in which we found great potential for improvement: Only 54% of respondents have a program to identify sensitive assets, and the same number (54%) have an inventory of all third parties that handle personal data of customers and employees. Inventory of all third parties that handle personal data of employees and customers 47% 57% Active monitoring/analysis of information intelligence 50% 44% Risk assessments of third-party vendors 58% 43% Cyber and privacy should be embedded into an organization s core, with a top-down commitment to and ongoing employee training programs. Employee awareness and training program 43% 56% Security-event correlation tools Established standards for external partners, suppliers, vendors and customers Require employees to complete privacy training The number of organizations that have employee -awareness training programs (47%) actually declined over last year, as did those that require personnel to complete training on privacy practices and policies (43%). Considering that employees are the leading source of incidents, we believe that training should be universal and that accountability should cascade from the C-suite to every employee and thirdparty vendor and supplier. A strategic approach is lacking // 9

10 Strategic processes are often lacking 45% 61% 65% 65% 54% 52% 54% 54% 45% 46% 36% 33% Program to identify sensitive assets Have a unified and controls framework for cyber risks Information strategy is aligned with specific business needs A senior executive communicates importance of to entire enterprise Collaborate with others to improve Have cyber insurance An effective program will require top-down commitment and communication. Yet fewer than half (46%) of organizations have a senior executive who communicates the importance of information to the entire enterprise. That s a substantial drop from last year (65%) and demonstrates that the executive team may not be taking adequate ownership of cyber risks. To do so, senior executives should proactively ensure that the Board of Directors understands how the organization will detect, defend against, and respond to cyber threats. Despite all the discussion following high-profile retailer breaches, many power and utilities companies have not elevated to a Board-level discussion. Consider, for instance, that only 26% of respondents say their Board of Directors participates in the overall strategy. Fewer (23%) say their Board is involved in reviews of current and privacy risks a crucial component of any effective program. The area in which Boards are most likely to participate is the budget (40%). Finally, cyber threats, technologies, and vulnerabilities are evolving at lightning speed, and sharing information among public and private entities has become central to a strong cyber program. More than half (55%) of overall survey respondents across industries say they collaborate with others to share intelligence and tactics. Among power and utilities sector, however, the number of organizations that collaborate sank to 36% this year, a sharp drop over. A strategic approach is lacking // 10

11 This year s survey indicates that power and utilities organizations are falling behind in key practices. For many, it may be necessary to reposition the strategy by more closely linking technologies, processes, and tools with the organization s broader risk-management activities. International standards provide a good measure to gauge preparedness and build a strong cyber program. Some of the most widely used include ISO/IEC 27001, COBIT 5, and ISA A new set of guidelines from the US National Institute of Standards and Technology (NIST) compiles these global standards into one framework, providing an up-to-date model for implementing and improving risk-based. The voluntary NIST Cyber Framework, which targets critical infrastructure providers and suppliers, has been adopted by 11% of US power and utilities respondents; an additional 22% say adoption is a future priority. This comparatively low implementation rate is not necessarily discouraging; it s a matter of timing. The Framework was released in February, and our survey was conducted from March 27, to May 25,, giving organizations little time to embrace the Framework. 22% 11% Among those that have, most (54%) say they have leveraged the Framework to determine their risk based on Implementation Tiers, which are designed to help companies understand the maturity of their current cyber risk-management capabilities. It seems very likely that organizations with mature practices may have adopted some of the Framework s controls and standards, while not formally implementing the entire set of guidelines. No matter whether companies have adopted the Framework fully or partially, it seems to be elevating the discussion on cyber. We believe that organizations across industries and even geographies can gain significant benefits by adopting the guidelines at the highest possible risk-tolerance level. As the world s sophisticated organized criminals and nation-states devise new ways to compromise systems and steal intellectual property of power and utilities companies, the Framework provides the right foundation for proactive, risk-based cyber. // 11

12 The convergence of information, operational, and consumer technologies will very likely introduce tremendous benefits for businesses and significant conveniences for their customers. It also will create a new world of risks, a possibility that power and utilities respondents are beginning to address. In fact, 25% of respondents say they have already implemented a strategy for the convergence of information, operational, and consumer technologies, most often referred to as the Internet of Things. An additional 27% say they are working on a strategy. When asked to name primary drivers for spending, this year 17% of respondents cited modernization of field assets such as IP-connected process control systems, compared with 6% last year. This increased focus on connected field assets suggests that power and utilities respondents are gearing up for the Internet of Things. // 12

13 To have a deeper conversation about cyber, please contact: United States Brad Bauch Principal Darren Highfill Director // PwC helps organisations and individuals create the value they re looking for. We re a network of firms in 157 countries with more than 184,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PwC does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see for further details. The Global State of Information Security is a registered trademark of International Data Group, Inc. // 13

Driving cybersecurity advances in an interconnected world Key findings from The Global State of Information Security Survey 2015

Driving cybersecurity advances in an interconnected world Key findings from The Global State of Information Security Survey 2015 Driving cybersecurity advances in an interconnected world Key findings from The Global State of Information Security Survey 2015 Technology advances like telematics, networked manufacturing tools, and

More information

Security deficits in an interconnected world Key findings from The Global State of Information Security Survey 2015

Security deficits in an interconnected world Key findings from The Global State of Information Security Survey 2015 Security deficits in an interconnected world Key findings from The Global State of Information Security Survey 2015 It will come as no surprise to most financial services executives that information security

More information

Cybersecurity challenges in an interconnected world Key findings from The Global State of Information Security Survey 2015

Cybersecurity challenges in an interconnected world Key findings from The Global State of Information Security Survey 2015 Cybersecurity challenges in an interconnected world Key findings from The Global State of Information Security Survey 2015 If the recent string of high-profile cyber attacks has proved anything, it s that

More information

Improving cyber readiness in an interconnected world Key findings from The Global State of Information Security Survey 2015

Improving cyber readiness in an interconnected world Key findings from The Global State of Information Security Survey 2015 Improving cyber readiness in an interconnected world Key findings from The Global State of Information Security Survey 2015 organizations tend to have comparatively robust and mature cybersecurity programs.

More information

Healthcare cybersecurity challenges in an interconnected world Key findings from The Global State of Information Security Survey 2015

Healthcare cybersecurity challenges in an interconnected world Key findings from The Global State of Information Security Survey 2015 Healthcare cybersecurity challenges in an interconnected world Key findings from The Global State of Information Security Survey 2015 Healthcare payers Technology is not the only agent of change. Innovations

More information

Cybersecurity challenges in an interconnected world Key findings from The Global State of Information Security Survey 2015

Cybersecurity challenges in an interconnected world Key findings from The Global State of Information Security Survey 2015 Cybersecurity challenges in an interconnected world Key findings from The Global State of Information Security Survey 2015 Over the past year, the phrase data breach has become closely associated with

More information

Defending yesterday. Financial Services. Key findings from The Global State of Information Security Survey 2014

Defending yesterday. Financial Services. Key findings from The Global State of Information Security Survey 2014 www.pwc.com/security Defending yesterday While organizations have made significant security improvements, they have not kept pace with today s determined adversaries. As a result, many rely on yesterday

More information

Managing cyber risks with insurance

Managing cyber risks with insurance www.pwc.com.tr/cybersecurity Managing cyber risks with insurance Key factors to consider when evaluating how cyber insurance can enhance your security program June 2014 Managing cyber risks to sensitive

More information

Global State of Information Security Survey 2015

Global State of Information Security Survey 2015 www.pwc.ch/cybersecurity Global State of Information Security Survey 2015 The risks and repercussions of security incidents continue to rise as preparedness falls. Agenda Methodology Key findings Focus

More information

Defending yesterday. Power & Utilities. Key findings from The Global State of Information Security Survey 2014

Defending yesterday. Power & Utilities. Key findings from The Global State of Information Security Survey 2014 www.pwc.com/security Defending yesterday While organizations have made significant security improvements, they have not kept pace with today s determined adversaries. As a result, many rely on yesterday

More information

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director January IIA / ISACA Joint Meeting Pre-meeting Cybersecurity Update for Internal Auditors Matt Wilson, Risk Assurance Director Introduction and agenda Themes from The Global State of Information Security

More information

www.pwc.co.uk Cyber security Building confidence in your digital future

www.pwc.co.uk Cyber security Building confidence in your digital future www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in

More information

www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14

www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14 www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit (4:30-5:30) Draft v8 2-25-14 Common Myths 1. You have not been hacked. 2. Cyber security is about keeping the

More information

Defending yesterday. Retail & Consumer. Key findings from The Global State of Information Security Survey 2014

Defending yesterday. Retail & Consumer. Key findings from The Global State of Information Security Survey 2014 www.pwc.com/security Defending yesterday While organizations have made significant security improvements, they have not kept pace with today s determined adversaries. As a result, many rely on yesterday

More information

The promise and pitfalls of cyber insurance January 2016

The promise and pitfalls of cyber insurance January 2016 www.pwc.com/us/insurance The promise and pitfalls of cyber insurance January 2016 2 top issues The promise and pitfalls of cyber insurance Cyber insurance is a potentially huge but still largely untapped

More information

Information Technology in the Automotive Aftermarket

Information Technology in the Automotive Aftermarket Information Technology in the Automotive Aftermarket March 2015 AASA Thought Leadership: The following white paper consists of key takeaways from three AASA surveys conducted in 2014, which focused on

More information

Getting real about cyber threats: where are you headed?

Getting real about cyber threats: where are you headed? Getting real about cyber threats: where are you headed? Energy, utilities and power generation companies that understand today s cyber threats will be in the best position to defeat them June 2011 At a

More information

www.pwc.com Cybersecurity and Privacy Hot Topics 2015

www.pwc.com Cybersecurity and Privacy Hot Topics 2015 www.pwc.com Cybersecurity and Privacy Hot Topics 2015 Table of Contents Cybersecurity and Privacy Incidents are on the rise Executives and Boards are focused on Emerging Risks Banking & Capital Markets

More information

Defending yesterday. Telecommunications. Key findings from The Global State of Information Security Survey 2014

Defending yesterday. Telecommunications. Key findings from The Global State of Information Security Survey 2014 www.pwc.com/security Defending yesterday While organizations have made significant security improvements, they have not kept pace with today s determined adversaries. As a result, many rely on yesterday

More information

Defending yesterday. Technology. Key findings from The Global State of Information Security Survey 2014

Defending yesterday. Technology. Key findings from The Global State of Information Security Survey 2014 www.pwc.com/security Defending yesterday While organizations have made significant security improvements, they have not kept pace with today s determined adversaries. As a result, many rely on yesterday

More information

Cybersecurity Awareness. Part 1

Cybersecurity Awareness. Part 1 Part 1 Objectives Discuss the Evolution of Data Security Define and Discuss Cybersecurity Review Threat Environment Part 1 Discuss Information Security Programs s Enhancements for Cybersecurity Risks Threat

More information

Assessing the strength of your security operating model

Assessing the strength of your security operating model www.pwc.com Assessing the strength of your security operating model May 2014 Assessing the strength of your security operating model Retail stores, software companies, the U.S. Federal Reserve it seems

More information

Into the cybersecurity breach

Into the cybersecurity breach Into the cybersecurity breach Tim Sanouvong State Sector Cyber Risk Services Deloitte & Touche LLP April 3, 2015 Agenda Setting the stage Cyber risks in state governments Cyber attack vectors Preparing

More information

WRITTEN TESTIMONY OF

WRITTEN TESTIMONY OF WRITTEN TESTIMONY OF KEVIN MANDIA CHIEF EXECUTIVE OFFICER MANDIANT CORPORATION BEFORE THE SUBCOMMITTEE ON CRIME AND TERRORISM JUDICIARY COMMITTEE UNITED STATES SENATE May 8, 2013 Introduction Thank you

More information

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to

More information

Nine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity

Nine recommendations for alternative funds battling cyber crime. kpmg.ca/cybersecurity Nine recommendations for alternative funds battling cyber crime kpmg.ca/cybersecurity Cyber criminals steal user names and passwords and use it to conduct financial trading activity illicitly. Hackers

More information

Cyber security Time for a new paradigm. Stéphane Hurtaud Partner Information & Technology Risk Deloitte

Cyber security Time for a new paradigm. Stéphane Hurtaud Partner Information & Technology Risk Deloitte Cyber security Time for a new paradigm Stéphane Hurtaud Partner Information & Technology Risk Deloitte 90 More than ever, cyberspace is a land of opportunity but also a dangerous world. As public and private

More information

Compliance & Internal Audit Collaboration

Compliance & Internal Audit Collaboration www.pwc.com Compliance & Internal Collaboration Developing a compliance third line of October 2015 The Society of Corporate Compliance & Ethics 14 th Annual Compliance & Ethics Institute Conference Introductions

More information

Gaining the upper hand in today s cyber security battle

Gaining the upper hand in today s cyber security battle IBM Global Technology Services Managed Security Services Gaining the upper hand in today s cyber security battle How threat intelligence can help you stop attackers in their tracks 2 Gaining the upper

More information

Cyber security the facts

Cyber security the facts Cyber security the facts By Dr Carolyn Patteson, Executive Manager, CERT Australia The cyber threat is real and ever present and every business is at risk. Australia s security and intelligence agencies

More information

Defending yesterday. Key findings from The Global State of Information Security Survey 2014

Defending yesterday. Key findings from The Global State of Information Security Survey 2014 www.pwc.com/security Defending yesterday While organizations have made significant security improvements, they have not kept pace with today s determined adversaries. As a result, many rely on yesterday

More information

Top 5 Global Bank Selects Resolution1 for Cyber Incident Response.

Top 5 Global Bank Selects Resolution1 for Cyber Incident Response. MAJOR FINANCIAL SERVICES LEADER Top 5 Global Bank Selects Resolution1 for Cyber Incident Response. Automation and remote endpoint remediation reduce incident response (IR) times from 10 days to 5 hours.

More information

Answering your cybersecurity questions The need for continued action

Answering your cybersecurity questions The need for continued action www.pwc.com/cybersecurity Answering your cybersecurity questions The need for continued action January 2014 Boards and executives keeping a sustained focus on cybersecurity do more than protect the business:

More information

Why you should adopt the NIST Cybersecurity Framework

Why you should adopt the NIST Cybersecurity Framework www.pwc.com/cybersecurity Why you should adopt the NIST Cybersecurity Framework May 2014 The National Institute of Standards and Technology Cybersecurity Framework may be voluntary, but it offers potential

More information

www.pwc.nl/cybersecurity Cyber security Building confidence in your digital future

www.pwc.nl/cybersecurity Cyber security Building confidence in your digital future www.pwc.nl/cybersecurity Cyber security Building confidence in your digital future 2015 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence

More information

Energy Industry Cybersecurity Report. July 2015

Energy Industry Cybersecurity Report. July 2015 Energy Industry Cybersecurity Report July 2015 Energy Industry Cybersecurity Report INTRODUCTION Due to information sharing concerns, energy industry cybersecurity information is not readily available.

More information

Do you know your privacy risks? How new technologies, changing business models, and emerging regulations are changing the data-protection landscape

Do you know your privacy risks? How new technologies, changing business models, and emerging regulations are changing the data-protection landscape January 2013 Do you know your privacy risks? How new technologies, changing business models, and emerging regulations are changing the data-protection landscape At a glance Threats to data security both

More information

cyberr by e-management The Leader in Cybersecurity Risk Intelligence (RI) Cybersecurity Risk: What You Don t Know CAN Hurt You!

cyberr by e-management The Leader in Cybersecurity Risk Intelligence (RI) Cybersecurity Risk: What You Don t Know CAN Hurt You! cyberr by e-management The Leader in Cybersecurity Risk Intelligence (RI) Cybersecurity Risk: What You Don t Know CAN Hurt You! Cybersecurity is all over the news. Target, University of Maryland, Neiman

More information

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015 Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity

More information

White Paper on Financial Industry Regulatory Climate

White Paper on Financial Industry Regulatory Climate White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during

More information

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES This special report examines the cyber risk disclosures made by the retail sector of the Fortune 1000.

More information

10Minutes. on the stark realities of cybersecurity. The Cyber Savvy CEO. A changed business environment demands a new approach:

10Minutes. on the stark realities of cybersecurity. The Cyber Savvy CEO. A changed business environment demands a new approach: 10Minutes on the stark realities of cybersecurity The Cyber Savvy CEO Highlights Business leaders must recognise the exposure and business impact that comes from operating within an interconnected global

More information

Italy. EY s Global Information Security Survey 2013

Italy. EY s Global Information Security Survey 2013 Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information

More information

PROMOTION // TECHNOLOGY. The Economics Of Cyber Security

PROMOTION // TECHNOLOGY. The Economics Of Cyber Security PROMOTION // TECHNOLOGY The Economics Of Cyber Security Written by Peter Mills Malicious cyber activity, from hacking and identity fraud to intellectual property theft, is a growing problem within the

More information

EY Cyber Security Hacktics Center of Excellence

EY Cyber Security Hacktics Center of Excellence EY Cyber Security Hacktics Center of Excellence The Cyber Crime Underground Page 2 The Darknet Page 3 What can we find there? Hit men Page 4 What can we find there? Drug dealers Page 5 What can we find

More information

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

defending against advanced persistent threats: strategies for a new era of attacks agility made possible defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been

More information

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES POINT OF VIEW CYBERSECURITY IN FINANCIAL SERVICES Financial services institutions are globally challenged to keep pace with changing and covert cybersecurity threats while relying on traditional response

More information

Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients

Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients Executive Overview Within the legal sector, IT system security and compliance have changed dramatically

More information

Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy

Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy House Committee on Homeland Security Subcommittee on Cybersecurity, Infrastructure

More information

Cloud Security Primer MALICIOUS NETWORK COMMUNICATIONS: WHAT ARE YOU OVERLOOKING?

Cloud Security Primer MALICIOUS NETWORK COMMUNICATIONS: WHAT ARE YOU OVERLOOKING? A Cloud Security Primer : WHAT ARE YOU OVERLOOKING? LEGAL DISCLAIMER The information provided herein is for general information and educational purposes only. It is not intended and should not be construed

More information

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave

More information

As threat actors target various types of networks, companies with improperly configured network infrastructures risk the following repercussions:

As threat actors target various types of networks, companies with improperly configured network infrastructures risk the following repercussions: TrendLabs Targeted attacks often employ tools and routines that can bypass traditional security and allow threat actors to move deeper into the enterprise network. Threat actors do this to access data

More information

Remarks by. Thomas J. Curry Comptroller of the Currency. Before a Meeting of CES Government. Washington, DC April 16, 2014

Remarks by. Thomas J. Curry Comptroller of the Currency. Before a Meeting of CES Government. Washington, DC April 16, 2014 Remarks by Thomas J. Curry Comptroller of the Currency Before a Meeting of CES Government Washington, DC April 16, 2014 Good afternoon. It s a pleasure to finally be here with you. I had very much hoped

More information

Cybersecurity: Learn Critical Strategies to Protecting Your Enterprise November 6, 2013 1:00PM EST

Cybersecurity: Learn Critical Strategies to Protecting Your Enterprise November 6, 2013 1:00PM EST Cybersecurity: Learn Critical Strategies to Protecting Your Enterprise November 6, 2013 1:00PM EST November 6, 2013 Copyright 2013 Trusted Computing Group 1 November 6, 2013 Copyright 2013 Trusted Computing

More information

Continuous Network Monitoring

Continuous Network Monitoring Continuous Network Monitoring Eliminate periodic assessment processes that expose security and compliance programs to failure Continuous Network Monitoring Continuous network monitoring and assessment

More information

SECURITY, CYBER AND NETWORK INSURANCE SECURING YOUR FUTURE

SECURITY, CYBER AND NETWORK INSURANCE SECURING YOUR FUTURE SECURITY, CYBER AND NETWORK INSURANCE SECURING YOUR FUTURE Businesses today rely heavily on computer networks. Using computers, and logging on to public and private networks has become second nature to

More information

The Dow Chemical Company. statement for the record. David E. Kepler. before

The Dow Chemical Company. statement for the record. David E. Kepler. before The Dow Chemical Company statement for the record of David E. Kepler Chief Sustainability Officer, Chief Information Officer, Business Services and Executive Vice President before The Senate Committee

More information

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Clone Systems Business Security Intelligence Properly Secure Every Business Network Executive Summary

More information

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS 1 As regulators around the world move to tighten compliance requirements for financial institutions, improvement in cyber security controls will become

More information

Rogers Insurance Client Presentation

Rogers Insurance Client Presentation Rogers Insurance Client Presentation Network Security and Privacy Breach Insurance Presented by Matthew Davies Director Professional, Media & Cyber Liability Chubb Insurance Company of Canada mdavies@chubb.com

More information

A Layperson s Guide To DoS Attacks

A Layperson s Guide To DoS Attacks A Layperson s Guide To DoS Attacks A Rackspace Whitepaper A Layperson s Guide to DoS Attacks Cover Table of Contents 1. Introduction 2 2. Background on DoS and DDoS Attacks 3 3. Types of DoS Attacks 4

More information

CFIR - Finance IT 2015 Cyber security September 2015

CFIR - Finance IT 2015 Cyber security September 2015 www.pwc.dk Cyber security Audit. Tax. Consulting. Our global team and credentials Our team helps organisations understand dynamic cyber challenges, adapt and respond to risks inherent to their business

More information

HEALTH CARE AND CYBER SECURITY:

HEALTH CARE AND CYBER SECURITY: HEALTH CARE AND CYBER SECURITY: Increasing Threats Require Increased Capabilities kpmg.com 1 HEALTH CARE AND CYBER SECURITY EXECUTIVE SUMMARY Four-fifths of executives at healthcare providers and payers

More information

SPEAR PHISHING UNDERSTANDING THE THREAT

SPEAR PHISHING UNDERSTANDING THE THREAT SPEAR PHISHING UNDERSTANDING THE THREAT SEPTEMBER 2013 Due to an organisation s reliance on email and internet connectivity, there is no guaranteed way to stop a determined intruder from accessing a business

More information

HP Fortify Software Security Center

HP Fortify Software Security Center HP Fortify Software Security Center Proactively Eliminate Risk in Software Trust Your Software 92% of exploitable vulnerabilities are in software National Institute for Standards and Technology (NIST)

More information

Remarks by Thomas J. Curry Comptroller of the Currency Before the New England Council Boston, Massachusetts May 16, 2014

Remarks by Thomas J. Curry Comptroller of the Currency Before the New England Council Boston, Massachusetts May 16, 2014 Remarks by Thomas J. Curry Comptroller of the Currency Before the New England Council Boston, Massachusetts May 16, 2014 It s a pleasure to be with you back home in Boston. I was here just six weeks ago

More information

Cybersecurity: What CFO s Need to Know

Cybersecurity: What CFO s Need to Know Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction

More information

Cyber Risks in the Boardroom

Cyber Risks in the Boardroom Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing

More information

Data Security: Fight Insider Threats & Protect Your Sensitive Data

Data Security: Fight Insider Threats & Protect Your Sensitive Data Data Security: Fight Insider Threats & Protect Your Sensitive Data Marco Ercolani Agenda Data is challenging to secure A look at security incidents Cost of a Data Breach Data Governance and Security Understand

More information

Security and Privacy

Security and Privacy Security and Privacy Matthew McCormack, CISSP, CSSLP CTO, Global Public Sector, RSA The Security Division of EMC 1 BILLIONS OF USERS MILLIONS/BILLIONS OF APPS 2010 Cloud Big Data Social Mobile Devices

More information

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS Download the entire guide and follow the conversation at SecurityRoundtable.org Investment in cyber insurance Lockton Companies

More information

Middle Class Economics: Cybersecurity Updated August 7, 2015

Middle Class Economics: Cybersecurity Updated August 7, 2015 Middle Class Economics: Cybersecurity Updated August 7, 2015 The President's 2016 Budget is designed to bring middle class economics into the 21st Century. This Budget shows what we can do if we invest

More information

OCIE Technology Controls Program

OCIE Technology Controls Program OCIE Technology Controls Program Cybersecurity Update Chris Hetner Cybersecurity Lead, OCIE/TCP 212-336-5546 Introduction (Role, Disclaimer, Background and Speech Topics) SEC Cybersecurity Program Overview

More information

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Danny Allan, strategic research analyst, IBM Software Group Contents 2 Introduction

More information

FREQUENTLY ASKED QUESTIONS

FREQUENTLY ASKED QUESTIONS FREQUENTLY ASKED QUESTIONS Continuous Monitoring 1. What is continuous monitoring? Continuous monitoring is one of six steps in the Risk Management Framework (RMF) described in NIST Special Publication

More information

CYBER SECURITY GUIDANCE

CYBER SECURITY GUIDANCE CYBER SECURITY GUIDANCE With the pervasiveness of information technology (IT) and cyber networks systems in nearly every aspect of society, effectively securing the Nation s critical infrastructure requires

More information

Executive Summary 3. Snowden and Retail Breaches Influencing Security Strategies 3. Attackers are on the Inside Protect Your Privileges 3

Executive Summary 3. Snowden and Retail Breaches Influencing Security Strategies 3. Attackers are on the Inside Protect Your Privileges 3 GLOBAL ADVANCED THREAT LANDSCAPE SURVEY 2014 TABLE OF CONTENTS Executive Summary 3 Snowden and Retail Breaches Influencing Security Strategies 3 Attackers are on the Inside Protect Your Privileges 3 Third-Party

More information

THE PERFECT STORM WEATHERING CYBER THREATS IN THE HEALTHCARE INDUSTRY

THE PERFECT STORM WEATHERING CYBER THREATS IN THE HEALTHCARE INDUSTRY THE PERFECT STORM WEATHERING CYBER THREATS IN THE HEALTHCARE INDUSTRY BY DR. BRIAN MCELYEA AND DR. EMILY DARRAJ Approved for Public Release: Case # 16-0276 NORTHROP GRUMMAN WHITE PAPER 2016 Northrop Grumman

More information

US cybersecurity: Progress stalled Key findings from the 2015 US State of Cybercrime Survey

US cybersecurity: Progress stalled Key findings from the 2015 US State of Cybercrime Survey www.pwc.com/cybersecurity US cybersecurity: Progress stalled Key findings from the 2015 US State of Cybercrime Survey July 2015 About the 2015 US State of Cybercrime Survey The 2015 US State of Cybercrime

More information

Cyber and Operational Solutions for a Connected Industrial Era

Cyber and Operational Solutions for a Connected Industrial Era Cyber and Operational Solutions for a Connected Industrial Era OPERATIONAL & SECURITY CHALLENGES IN A HYPER-CONNECTED INDUSTRIAL WORLD In face of increasing operational challenges and cyber threats, and

More information

Protecting against cyber threats and security breaches

Protecting against cyber threats and security breaches Protecting against cyber threats and security breaches IBM APT Survival Kit Alberto Benavente Martínez abenaventem@es.ibm.com IBM Security Services Jun 11, 2015 (Madrid, Spain) 12015 IBM Corporation So

More information

Defending Against Cyber Attacks with SessionLevel Network Security

Defending Against Cyber Attacks with SessionLevel Network Security Defending Against Cyber Attacks with SessionLevel Network Security May 2010 PAGE 1 PAGE 1 Executive Summary Threat actors are determinedly focused on the theft / exfiltration of protected or sensitive

More information

Cyber Threats Insights from history and current operations. Prepared by Cognitio May 5, 2015

Cyber Threats Insights from history and current operations. Prepared by Cognitio May 5, 2015 Cyber Threats Insights from history and current operations Prepared by Cognitio May 5, 2015 About Cognitio Cognitio is a strategic consulting and engineering firm led by a team of former senior technology

More information

2015 VORMETRIC INSIDER THREAT REPORT

2015 VORMETRIC INSIDER THREAT REPORT Research Conducted by 2015 VORMETRIC INSIDER THREAT REPORT Trends and Future Directions in Data Security FINANCIAL SERVICES EDITION #2015InsiderThreat RESEARCH BRIEF US FINANCIAL SERVICES SPOTLIGHT ABOUT

More information

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013 State of Minnesota Enterprise Security Strategic Plan Fiscal Years 2009 2013 Jointly Prepared By: Office of Enterprise Technology - Enterprise Security Office Members of the Information Security Council

More information

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05. Cyber Risk Management Guidance. Purpose

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05. Cyber Risk Management Guidance. Purpose FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05 Cyber Risk Management Guidance Purpose This advisory bulletin provides Federal Housing Finance Agency (FHFA) guidance on cyber risk management.

More information

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability GALLAGHER CYBER LIABILITY PRACTICE Tailored Solutions for Cyber Liability and Professional Liability Are you exposed to cyber risk? Like nearly every other business, you have probably capitalized on the

More information

The Four-Step Guide to Understanding Cyber Risk

The Four-Step Guide to Understanding Cyber Risk Lifecycle Solutions & Services The Four-Step Guide to Understanding Cyber Risk Identifying Cyber Risks and Addressing the Cyber Security Gap TABLE OF CONTENTS Introduction: A Real Danger It is estimated

More information

VERISIGN DDoS PROTECTION SERVICES CUSTOMER HANDBOOK

VERISIGN DDoS PROTECTION SERVICES CUSTOMER HANDBOOK HANDBOOK VERISIGN DDoS PROTECTION SERVICES CUSTOMER HANDBOOK CONSIDERATIONS FOR SERVICE ADOPTION Version 1.0 July 2014 VerisignInc.com CONTENTS 1. WHAT IS A DDOS PROTECTION SERVICE? 3 2. HOW CAN VERISIGN

More information

Developing National Frameworks & Engaging the Private Sector

Developing National Frameworks & Engaging the Private Sector www.pwc.com Developing National Frameworks & Engaging the Private Sector Focus on Information/Cyber Security Risk Management American Red Cross Disaster Preparedness Summit Chicago, IL September 19, 2012

More information

CHAPTER 3 : INCIDENT RESPONSE THREAT INTELLIGENCE GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

CHAPTER 3 : INCIDENT RESPONSE THREAT INTELLIGENCE GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC : INCIDENT RESPONSE THREAT INTELLIGENCE 1 THREAT INTELLIGENCE How it applies to our clients, and discuss some of the key components and benefits of a comprehensive threat intelligence strategy. Threat

More information

Services. Cybersecurity. Capgemini & Sogeti. Guiding enterprises and government through digital transformation while keeping them secure

Services. Cybersecurity. Capgemini & Sogeti. Guiding enterprises and government through digital transformation while keeping them secure Home Secure digital transformation SMACT Advise, Protect & Monitor Why Capgemini & Sogeti? In safe hands Capgemini & Sogeti Cybersecurity Services Guiding enterprises and government through digital transformation

More information

Types of cyber-attacks. And how to prevent them

Types of cyber-attacks. And how to prevent them Types of cyber-attacks And how to prevent them Introduction Today s cybercriminals employ several complex techniques to avoid detection as they sneak quietly into corporate networks to steal intellectual

More information

Tackling the growing risk of cyber crime

Tackling the growing risk of cyber crime Financial Institutions Customer Industry Community Tackling the growing risk of cyber crime Discussion points for financial institutions Contents Introduction 3 The scale of cyber risk 4 Zurich survey

More information

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015 Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence AIBA Quarterly Meeting September 10, 2015 The Answer 2 Everyone The relationship between the board, C-suite, IT, and compliance leaders

More information

Internal audit of cybersecurity. Presentation to the Atlanta IIA Chapter January 2015

Internal audit of cybersecurity. Presentation to the Atlanta IIA Chapter January 2015 Internal audit of cybersecurity Presentation to the Atlanta IIA Chapter January 2015 Agenda Executive summary Why is this topic important? Cyber attacks: increasing complexity arket insights: What are

More information

Mitigating and managing cyber risk: ten issues to consider

Mitigating and managing cyber risk: ten issues to consider Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed

More information

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED The FBI Cyber Program Bauer Advising Symposium October 11, 2012 Today s Agenda What is the threat? Who are the adversaries? How are they attacking you? What can the FBI do to help? What can you do to stop

More information

Cybersecurity..Is your PE Firm Ready? October 30, 2014

Cybersecurity..Is your PE Firm Ready? October 30, 2014 Cybersecurity..Is your PE Firm Ready? October 30, 2014 The Panel Melinda Scott, Founding Partner, Scott Goldring Eric Feldman, Chief Information Officer, The Riverside Company Joe Campbell, CTO, PEF Services

More information

WHITE PAPER. Attack the Attacker HOW A MANAGED SECURITY SERVICE IMPROVES EFFICIENCY AND SAVES COST

WHITE PAPER. Attack the Attacker HOW A MANAGED SECURITY SERVICE IMPROVES EFFICIENCY AND SAVES COST WHITE PAPER Attack the Attacker HOW A MANAGED SECURITY SERVICE IMPROVES EFFICIENCY AND SAVES COST Table of Contents THE SECURITY MAZE... 3 THE CHALLENGE... 4 THE IMPORTANCE OF MONITORING.... 6 RAPID INCIDENT

More information