Continuous Cyber Attacks: Engaging Business Leaders for the New Normal

Similar documents
Cyber Security: Confronting the Threat

Address C-level Cybersecurity issues to enable and secure Digital transformation

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Security Technology Vision 2016: Empowering Your Cyber Defenders to Enable Digital Trust Executive Summary

The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

How To Protect Your Network From Attack From A Network Security Threat

Addressing the Full Attack Continuum: Before, During, and After an Attack. It s Time for a New Security Model

Managing cyber risks with insurance

RETHINKING CYBER SECURITY

Cyber threat intelligence and the lessons from law enforcement. kpmg.com/cybersecurity

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Cyber ROI. A practical approach to quantifying the financial benefits of cybersecurity

HP Fortify Software Security Center

Solving the Security Puzzle

How to Evaluate DDoS Mitigation Providers:

WRITTEN TESTIMONY OF

Cybersecurity and Privacy Hot Topics 2015

PCI Compliance for Healthcare

THE CYBER SECURITY PLAYBOOK WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW BEFORE, DURING, AND AFTER AN ATTACK SECURITY REIMAGINED

Beyond the Hype: Advanced Persistent Threats

Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.bm

Leveraging Network and Vulnerability metrics Using RedSeal

THE SECURITY EXECUTIVE S GUIDE TO A SECURE INBOX. How to create a thriving business through trust

Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA. Cyber: The Catalyst to Transform the Security Program

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges

Gaining the upper hand in today s cyber security battle

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Access is power. Access management may be an untapped element in a hospital s cybersecurity plan. January kpmg.com

CYBERSECURITY IN HEALTHCARE: A TIME TO ACT

Cyberprivacy and Cybersecurity for Health Data

ENISA s Study on the Evolving Threat Landscape. European Network and Information Security Agency

How To Create An Insight Analysis For Cyber Security

Understanding the NIST Cybersecurity Framework September 30, 2014

SURVEY REPORT SPON. Identifying Critical Gaps in Database Security. Published April An Osterman Research Survey Report.

Cybersecurity: Mission integration to protect your assets

A NEW APPROACH TO CYBER SECURITY

Why should I care about PDF application security?

Cyber security Building confidence in your digital future

Security and Privacy Trends 2014

Middle Class Economics: Cybersecurity Updated August 7, 2015

Data Security: Fight Insider Threats & Protect Your Sensitive Data

Cyber security: Are consumer companies up to the challenge?

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES

Microsoft s cybersecurity commitment

Accenture Technology Consulting. Clearing the Path for Business Growth

The Path Ahead for Security Leaders

Be the Disruptor, not the Disrupted: Accenture 2015 Compliance Risk Study

Business resilience in the face of cyber risk. By Roger Ostvold and Brian Walker

Financial Implications of Cybercrime Meeting the Information Security Management Challenge in the Cyber-Age

Leveraging a Maturity Model to Achieve Proactive Compliance

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

The Growing Need for Real-time and Actionable Security Intelligence Date: February 2014 Author: Jon Oltsik, Senior Principal Analyst

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape

Into the cybersecurity breach

Cybersecurity The role of Internal Audit

Surviving Contact with Reality Crisis exercises as a key element of cyber incident and crisis management response.

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years

Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy

Perspectives on Cybersecurity in Healthcare June 2015

Can Your Organization Brave The New World of Advanced Cyber Attacks?

Utilizing Security Ratings for Enterprise IT Risk Mitigation Date: June 2014 Author: Jon Oltsik, Senior Principal Analyst

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

CFO reality check: Good intentions in cost management are not good enough. By David A.J. Axson and Aneel Delawalla

Information Technology Risk Management

Cybersecurity Strategic Consulting

Privilege Gone Wild: The State of Privileged Account Management in 2015

Cybersecurity report As technology evolves, new risks drive innovation in cybersecurity

Building a Roadmap to Robust Identity and Access Management

Cyber Warfare. Global Economic Crime Survey. Causes of Cyber Attacks. David Childers, CEO Compli Vivek Krishnamurthy, Foley Hoag LLP. Why Cybercrime?

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS

Achieving Control: The Four Critical Success Factors of Change Management. Technology Concepts & Business Considerations

Navigating the NIST Cybersecurity Framework

OECD PROJECT ON CYBER RISK INSURANCE

Risk and responsibility in a hyperconnected world: Implications for enterprises

The Impact of Cybercrime on Business

CONSULTING IMAGE PLACEHOLDER

Defending against modern cyber threats

Transcription:

Continuous Cyber Attacks: Engaging Business Leaders for the New Normal

Business theft and fraud have morphed into significant new threats as companies battle well-funded, highly motivated digital adversaries. Cyber defense rules have clearly changed. Executive leaders must recognize how exposed their organizations are today and take steps to establish a holistic, end-to-end security strategy capable of protecting their most valuable assets and business operations. This starts with aligning the strategic agenda and business priorities with security. Organizations face a cybercrime wave Unexpected losses. Disrupted strategies. Damaged brands. Cyber-attacks can rapidly derail an enterprise s ability to create value and frequency, reach and levels of sophistication continue to grow. Last year, the number of cyber-attacks against large companies increased 40 percent, targeting five out of six enterprises with over 2,500 employees. 1 Attackers currently occupy the high ground in the battle for company data. The barriers to entry are low; with little investment and minimal risk, it s never been easier or more lucrative for adversaries to cash in on their efforts. What s more, cyber thieves that operate across borders rarely face prosecution. Attackers continued to evolve, their targets continued to expand, and their techniques continued to change. But the central narrative stayed the same: Far too many organizations were unprepared for the inevitable breach, allowing attackers to linger far too long in compromised environments. 2 Organizations cyber defense strategies aren t keeping pace with the new technology landscape In today s 24/7 world, global connectivity enables organizations to shrink geographic distances, bridge borders and forge real-time links. But every revolution has its casualties, and one victim of the connected age is the peace of mind companies once had regarding the security of their critical assets. Where a locked door and an onsite security team were once the frontlines of protection, today s attackers can target the company s core technology infrastructure. They can take advantage of company initiatives centered on emerging technology including cloud, analytics, mobile communications and the Internet of Things (IoT), to enter and peruse the most sensitive parts of a business all undetected. Leaders unfamiliar with the specific details of how pervasive cyber defense is becoming may fail to recognize the gaps that exist in their digital security strategies. It s easy to do: Regulators and other government bodies demand compliance with specific regulations focused on meeting baseline security standards, which can drown out other voices supporting dynamic approaches to cyber risk management. Cybersecurity was once a part of the business where meeting the lowest common denominator was an acceptable management practice. Companies soon learned that passing compliance assessments doesn t equal data security. Likewise, a strategy focused on acquiring the latest security products and add-on applications can quickly drain a security budget, while not appreciably improving the organization s defensive posture. The reality is that no organization can defend itself from everything, even if the resources existed to support such an endeavor. Leaders need to embrace a new approach. @AccentureSecure 2

To thrive, business leaders should follow these three approaches to bring risk down to a manageable level: 1 2 3 Actively engage to make the business a better security customer Strengthen the partnership between the business and security Continuously exercise organizational defenses 3 www.accenture.com/cyberdefense

1 Actively engage to make the business a better security customer A solid cyber defense requires that companies interlock an organization s business stakeholders, its risk management office and the security team and develop a true relationship that asks every employee to own responsibility for security. Much like lean and total quality management drive efficiencies and cost savings in the product lifecycle, securing the enterprise requires a similar pivot organizationally to prioritize this challenge. Some organizations are inadvertently and unknowingly bad security customers, especially when they fail to understand the broader responsibilities and role the enterprise has in protecting itself. The likelihood of cyber threat detection and elimination significantly drops if the business side fails to fully interlock with the security team. Some typical challenges include: Security lacks sufficient top management access. Most companies recognize that digital security is an important agenda item, but in many cases, the chief information security officer (CISO) does not have toplevel access. More than half (54 percent) of security decision makers say security and risk at their company is still mainly technology-focused, and a similar percentage report that their CISO continues to report into IT (55 percent). 3 Consequently, most CISOs focus on technology instead of concentrating on security from a business-centered, holistic perspective. The front lines remain unengaged in security issues. Another study found that 62 percent of information security professionals say employees do not care enough about security to change their behavior. 4 Articulating the importance of security and doing it in an engaging manner starts at the top. One effective method for creating user engagement is through gamification that provides employee incentives and rewards. This can be an effective tool if the organization also creates and enforces robust accountability policies, and develops easily captured reporting measures. Ambiguity regarding who owns the systems under attack. Business teams are trying to meet customer demands; they re agile and entrepreneurial and continually create new applications and data stores. When these systems are under attack, the security team needs to know who owns the compromised system and its criticality to the business in order to coordinate an effective response. Many firms do not have this asset information immediately available due to lack of collaboration between security and the business, which can impede action and reduce the effectiveness of the response. @AccentureSecure 4

2 Strengthen the partnership between the business and security Leaders should take steps to ensure the organization can preempt, detect and respond to current and future threats. Instead of relying on the security team to play clean up after a breach, organizations need to factor potential cyber threats into today s business decisions. Many cyber defense veterans feel their teams are catching frequent Hail Mary passes from the business; but as sports fans know, hope is not a strategy. Instead, leading cybersecurity players take proactive steps to align the business side s commercial needs and the security team s cyber defense requirements by forging an effective business-security-risk management partnership. Four elements of such a partnership are: Keep security on the agenda. If organizations can operate under a concept called presumption of breach, acknowledging that a hacker will get into their networks, perspective on the right security strategy becomes laser focused. Having the right security strategy and cyber defense capabilities are core elements of business resilience and brand trust. Accenture recently collaborated with the Ponemon Institute, an independent research center specializing in security trends and best practices, in a study to understand key characteristics to improving security effectiveness. The study suggests that a focus on cyber defense innovation and strategy separates leading organizations from the laggards. 5 These organizations embrace and implement new ideas, develop officially sanctioned security strategies, make information security a business priority and do a better job of making employees fully aware of the business security requirements. Recognize the complexity of the challenge. The best organizations view risk management in dynamic terms, prioritizing the protection of critical information and recognizing that future costs could rise significantly. It s important to determine where to set the bar regarding loss tolerance. Part of the challenge is recognizing the complexity of roles; the organization has revenue goals and other business targets, and the security team has its own set of objectives. While the aims may differ, each group should align fundamentally in its dedication to the company s success. Work together to identify the organization s critical data. While all risk can t be mitigated, it can become manageable by applying a level of triage. Most organizations can pinpoint their most consequential risk in a small percentage of their networks giving them a greater level of protection. By triaging and prioritizing what is truly critical, an organization can reduce the bulk of its risk and mitigate the line of the attacker. In addition, from a data management perspective, as part of a continuous cycle, organizations should industrialize processes to delete, rationalize or encrypt dated and non-critical information with regular cadence. Volume matters; to cash in on PII [personally identifiable information], cybercriminals want to steal as many customer records as possible. Hackers pick their victim organization carefully, learn its business, understand its partner relationships, and test for weaknesses and vulnerabilities. 6 Evolve the organizational culture to attract and retain top-tier security talent. Given the intense focus on digital security, the war for top talent has reached new levels, triggering bidding wars for the elite cyber defense talent. More organizations are evaluating traditional hiring guidelines to attract and retain Millennials with in-demand skills. Today s security talent want challenging roles with opportunities to continuously develop technology skills. Organizations that fail to deliver face increased attrition and recruiting cost. Think proactively about talent pools, working with universities to develop key cyber defense recruits, and looking for expertise outside of normal channels. 5 www.accenture.com/cyberdefense

3 Continuously exercise organizational defenses The cyber defense story is compelling, but what can leaders do to improve the enterprise s data security? Focus on developing organizational defenses: Relentlessly test cyber defenses. One way to become more resilient is to train like a professional athlete. Athletes who train exclusively with a static punching bag won t stand a chance against a real opponent. Likewise, an enterprise focused totally on conventional defenses will quickly fall prey to today s increasingly aggressive digital attackers. Individual hackers and organized criminal groups are using state-ofthe-art techniques to infect hundreds of thousands sometimes millions of computers and cause massive financial losses, all while becoming increasingly difficult to detect. 7 Organizations leading the way in cyber defense are training with third-party sparring partners equipped with the skills and technologies (but none of the malice) that attackers bring to bear. Organizations that consistently engage in sparring sessions benefit from the feedback loop such training provides, developing a real understanding of how well the enterprise detects, defends and responds to cyber-attacks. They learn from mistakes without facing the catastrophic effects of a real attack. Hunt inside the organization s defenses. When leaders assume the enterprise is already compromised, they find better methods to constantly look for intruders across the entire enterprise. Design security architectures and business processes for emerging technologies and proactively hunt across systems to better anticipate attacks and significantly reduce detection timeframes versus waiting for a static indicator of compromise, which will likely happen too late to minimize the impact of an attack. Improve response effectiveness. As the organization spars with an elite security assessment team going through the same tactics as the attacker would use over time they develop much needed muscle memory. The more time fighters spend in the ring, the more their comfort levels increase and their performance improves. Likewise, organizations that spar repetitively and consistently work more effectively to minimize an event s impact. They read their opponent more effectively and improve their abilities to actively defend their business with speed, strength and accuracy. As companies become more adroit in response to incursions, the better they become at mitigating impact. @AccentureSecure 6

Put the 100-day cyber defense plan into action Once an enterprise takes the pulse of its cyber defense strengths and weaknesses, developing an action plan is critical. That means assessing where the organization needs to invest and architecting triage procedures to handle security concerns now and in the future. By following assessments with clear-cut 100-day and 365-day plans, organizations can build the momentum needed to realize their cyber defense goals. Conclusion Fraud and theft are nothing new, but the intensity, impact and level of sophistication of current digital attacks make cybercrimes uniquely dangerous for digital businesses and governments. In this everchanging environment, business leaders need real solutions to improve resilience and that starts with aligning security to strategic imperatives. 7 www.accenture.com/cyberdefense

Contributors Bill Phelps Managing Director, Global Security Services bill.phelps@accenture.com Twitter: @waphelps Ryan LaSalle Managing Director, Security Growth & Strategy Lead ryan.m.lasalle@accenture.com Twitter: @labsguy Kevin Richards Managing Director, North America Security Practice k.richards@accenture.com Twitter: @kevin_richards Matt Devost Co-founder and CEO of FusionX matt.devost@accenture.com Twitter: @MattDevost Steve Culp Senior Managing Director, Accenture Finance & Risk Services steven.r.culp@accenture.com Twitter: @steve_culp David Smith Senior Managing Director, Talent & Organization david.y.smith@accenture.com References 1. Internet Security Threat Report, Volume 20, Symantec Corp. http://www. symantec.com/security_response/publications/threatreport.jsp 2. Mandiant, M-Trends 2015, A View from the Front Lines, 2014. https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf 3. Forrester, Evolve to Become the CISO of 2018 or Face Extinction, August 14, 2015. 4. Clearswift survey of 4,000 employees and 500 decision makers in the UK, Germany, the US and Australia. http://www.tripwire.com/ state-of-security/security-data-protection/cyber-security/one-thirdof-employees-would-sell-corporate-information-for-the-right-pricereveals-clearswift-survey/ 5. The Cyber Security Leap: From Laggard to Leader, Accenture and the Ponemon Institute 6. Forrester, The Cybercriminal s Prize: Your Customer Data and Intellectual Property, Sept. 2, 2015 7. Source: Department of Justice, ASSURING Authority for Courts to Shut down Botnets, March 11, 2015. http://www.justice.gov/opa/blog/ assuring-authority-courts-shut-down-botnets About Accenture Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions underpinned by the world s largest delivery network Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 358,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com. DISCLAIMER: This document is intended for general informational purposes only and does not take into account the reader s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this document and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals. Copyright 2015 Accenture All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Rights to trademarks referenced herein, other than Accenture trademarks, belong to their respective owners. We disclaim proprietary interest in the marks and names of others.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information