Seamus Reilly Director EY Information Security sreilly@uk.ey.com 0207 951 3179 Cyber Security




Cyber Security: An Internal Audit perspective on the threats and responses within the Retail Sector. 15th May 2014.

Agenda
- Introductions
- Cyber Security: what is Cybercrime and Cyber Security?
- What are the threats?
- Organisational challenges
- Key considerations for prevention and response
- The role of internal audit in helping to protect the organisation
- Group discussion

2013 EYGM Limited. All Rights Reserved.

The question is when, not if, a Cyber Security breach will happen, and therefore ensuring a business is prepared in its response planning is key. Cyber Security threats now mean a business has to sprint to stand still in managing the cyber threat.

Cyber Security: the cyber crime spectrum. What do the terms Cybercrime and Cyber Security mean to your business?

Cyber Security is now a boardroom agenda, but is there enough training and knowledge?
- A serious issue: 64% of Chairs think that their Board colleagues take cyber risk very seriously.
- Changing ownership and accountability: when asked who is the ultimate owner of cyber risk for their company, Audit Committee Chairs named a variety of roles, with a trend towards the Board; two years ago 75% of companies viewed this wholly as a CIO responsibility. [Chart: share of respondents naming the CEO, CFO and CIO as ultimate owner; values shown 20%, 28% and 25%.]
- Now a business risk: 56% of respondents said that their strategic risk register includes a cyber risk category.
- Cyber-savvy Boards: most Chairs think that their Board colleagues are qualified, to some extent, to manage innovation and risk in a digital age, but more cyber training is required. 75% of respondents had not undertaken any cyber or information security training in the past 12 months, and 80% of respondents said none of their Board colleagues had undertaken any either.

Businesses lack knowledge of data asset value, but understand the need to find out more.
- Know your data assets: only a third of Chairs said the main Board has a very clear understanding of what the company's key information and data assets are; two thirds need to understand more. [Chart: responses ranged over Very Clear, Basic, Poor and Don't Know/N/A.]
- Who has your key data assets? 25% of respondents said the main Board has a poor understanding of where the company's key information or data assets are shared with third parties (e.g. suppliers, advisors, customers and outsourcing partners).
- Understand the threat: 40% of Chairs said the main Board does not receive regular threat intelligence from their CIO or CISO.
- The impact of a cyber attack: less than 50% of FTSE 350 Chairs think that their Board has a clear understanding of the potential impact of information and data asset losses, across share price, financial performance, operational performance, customer loyalty and competitive advantage.
- Information sharing on threats: nearly half of respondents said their CIO and CISO teams are encouraged to share information with other companies in order to combat cyber threats.

The reality for business today: a perfect storm of factors at play
- Breaches are occurring and will continue to do so
- Increased erosion of the perimeter from third parties, social media and personal devices
- The extended supply chain includes smaller businesses with fewer resources
- Rising persistence and sophistication of external threats
- Growing regulatory and government focus

Improve: awareness of cyber threats propels improvement. Knowing that an attack will inevitably occur sparks improvements.

Expand: leading practices to combat cyber threats. Organisations must send clear signals from the top that they need to be proactive and ready for the unknown. Those that are satisfied with merely being reactive may not survive the next attack. (Source: EY's Global Information Security Survey 2013.)

Innovate: to survive, innovation in response must power cyber transformation. Innovative cyber security solutions can protect organisations against known cyber risks and prepare them for a great unknown, the future.

Establish a cyber resilience framework: a vision of organisational resilience that can be established to deal with cyber threats, building on current information security arrangements.
A. Cyber situational awareness: the organisation should have a process for gathering, analysing and sharing cyber intelligence.
B. Cyber governance and partnering: the organisation should have an effective governance framework for monitoring cyber activities, including partnering and collaboration, and the risks and obligations in cyberspace.
C. Cyber resilience assessment: the wider organisation should have a process for reassessing and adjusting its cyber resilience to the impacts of past, present and future cyberspace activity.
D. Cyber responses: the organisation should effectively prevent, detect and respond to cyber incidents and minimise their impacts.

The role of internal audit functions within Cyber Security

Combating cyber attacks requires leadership and accountability. The rapid-fire pace of technology (r)evolution that we have seen in recent years will only accelerate in the years to come, as will the cyber risks. Not considering them until they arise gives cyber attackers the advantage. In fact, chances are, they're already in!

Establish a cyber resilience group to enable efficient response
- Cyber Champion: strategic leadership at C-suite level, with access to senior management and therefore to resources and funds.
- Cyber Resilience Leader (CIO): day-to-day leadership, possessing strategic business and communications skills.
- Cyber Security Leader (CISO): in-depth advice and guidance on cyber security, with extensive experience across the breadth of the organisation.
- Risk Managers.
- Business Relationships (Business Continuity, Forensics, Incident Management, Legal, Intelligence, Technical Partners, Human Capital, Marketing, Public Relations, Corporate Affairs): collaboration between all business functions, with Cyber Champions appointed to ensure that business relationship management between IT and the business is effective, proactive and aligned to organisational strategy. The LOB representatives should have access to other parts of the organisation and be well versed in organisational culture.
- IT LOBs running cyberspace initiatives.
- IT Operations and IT Security functions: in-depth advice and guidance on IT systems operations and IT security, with experience across the IT organisation.

Key considerations for Internal Audit
What should you be doing?
- How do you identify cyber risks and attacks on your organisation?
- Has your business defined its Cyber Risk Universe?
- When did you last undertake an independent review of Cyber Security?
- What should your organisation's response be, and what is Internal Audit's role?
Awareness?
- How seriously does your organisation take Cyber Security?
- What is the business doing to raise user awareness of cyber risks?
- Who is driving the awareness agenda, and is the business supportive?
Planning?
- When did the business last undertake a Cyber Crisis Management exercise?
- How frequently does your business review its risks, policies and controls management?
- Can we prevent Cybercrime?

Questions for your organisation's CEO, CFO, CIO/CTO and CRO

CEO
- Do you know what business information you need to protect and where it is, and do you trust your business partners with it?
- Is the information security function meeting your current and future business needs?
- How do you include information security in major business changes such as new channels to market, e.g. social media?
- Who is responsible for securing your critical business information?
- How often do you discuss information security risk at the Board and Audit Committee?
- How confident are you that your information and systems are protected from catastrophic loss?

CFO
- How do you assess investment priorities and the effectiveness of spend for information security?
- Are you getting value for your information security spend?
- Do you know how much information security breaches and other data losses cost your organisation?
- Do you understand new and increasing information security risks?
- Do you know what business information you need to protect and where it is?
- Are you confident you have sufficient cyber insurance?

CIO/CTO
- How is information security addressed in business and IT plans, e.g. strategy, sourcing, new delivery models, third parties?
- How are the increasing risks from internal and external sources impacting your IT plans and activities?
- How effectively is information security built into the design and requirements of new systems?
- Does IT have visibility of, and involvement in, information security issues and priorities?
- Do you know what business information you need to protect and where it is?

CRO
- How well is information security and risk integrated with your other risk activities?
- How often do you discuss information security risk at the Board and Audit Committee?
- How confident are you about third-party related risks?
- What are the top information security risks, and how are they being addressed?
- How do you identify and manage new and emerging information security risks?
- Do you know what business information you need to protect and where it is?
- Are you prepared for a security crisis?

Thank you