Cyber Security and Privacy Services

Working in partnership with you to protect your organisation from cyber security threats and data theft
What drives your security strategy?

In this document we highlight some of the security challenges your organisation may be facing and explain how our Cyber Security and Privacy Services can be applied to help organisations surmount these obstacles.

Economic and market forces have driven organisations through major transformations over the past decade. The importance of securing sensitive customer and corporate data is now widely accepted. Information is one of the most valuable assets that any organisation holds. As the business community continues to explore new and innovative approaches such as Cloud Computing, the security threat increases in complexity. Targeted persistent attacks by professional hackers and hacktivists have added to the volume of daily threats an organisation has to face.

The regulators and authorities are increasingly aware of the threats to business and the impact this may have on the economy. As a result, new directives and legislation, aimed at ensuring critical businesses have robust defences, are emerging. The old defence mechanisms are no longer reliable and businesses need to adopt up to date security practices and develop a mature organisation-wide security culture to protect their interests and reputation.

Organisations are expected to actively manage their exposure to cyber security risks and put frameworks in place to implement industry good practices and benchmarks.

Recent regulatory developments

A new European Union Cyber Security Strategy was proposed in February 2013. The strategy requires organisations to report significant cyber incidents to a competent national authority. The European Union has also drafted General Data Protection Regulations which will replace the current Data Privacy Directive. These require tighter controls and will change how organisations manage personal information.
The UK government is increasingly focused on cyber security and, through various Cabinet Office initiatives, government and intelligence agencies are directly targeting the most senior levels in the UK's largest companies and providing them with advice and guidance on cyber security threats.

The FSA's attention on information risk has increased recently, following a number of recent IT incidents where systems within major banks became unavailable. As a result, high street banks were required to identify weaknesses in their infrastructures and report how any future outages would be prevented. They were also required to nominate a member of the board accountable for future failures in critical information technology systems.

Cyber Security and Privacy Services (CSPS): what are they?

CSPS offer an innovative solution to tackling emerging security threats by focussing on changing the way organisations deal with them. As an independent advisory practice at Grant Thornton, we help our clients evolve their approach to tackling current and emerging security issues. Creating a more proactive security approach involves transitioning away from outdated reactive methods to ones that are designed to ensure all aspects of the organisation become part of the security solution, provide more effective protection and improve return on security investment.

CSPS can provide focus on maintaining a current and pragmatic view of the cyber security threat landscape, and periodically assess the effectiveness of the measures used to mitigate the risk to an organisation's services and information that could result from such an incident.
Is security an IT problem?

Security is no longer the sole responsibility of IT. Recent changes to regulatory frameworks, together with significant revisions to Corporate Governance and UK data protection law, mean that information risk now affects many functions across an enterprise, including finance, legal, compliance, technology, security, infrastructure and the executive office. Organisations must therefore re-assess the specialist skills they need, develop risk frameworks that incorporate information risk and ensure that security awareness is embedded as a key aspect of the organisation's culture.

The world of cyber crime thanks you for your private and confidential information!

Business and corporate executives are becoming increasingly aware that failure to comply with regulations has real consequences, which could include large fines and litigation. Without effective security policies and procedures, companies can suffer financial loss, productivity losses, customer defections and, importantly, reputational damage at a personal and organisational level. There could also be a significant and unwelcome increase in the financial burden of addressing security issues after a breach has taken place.

Regulations affecting how organisations manage their information risks include:
- Sarbanes-Oxley (SOx)
- Payment Card Industry Data Security Standards (PCI DSS)
- Data Protection Act 1998
- EU General Data Protection Regulation (EU GDPR)
Current challenges and requirements

Data protection legislators impose new high penalty burdens

The proposed revamp of the EU's Data Protection Rules gives individuals more control over the use of their personal information and imposes a new set of tighter regulations on all companies that hold and process personal information. Organisations that hold the personal data of EU citizens will be required to:
- appoint a data protection officer to supervise the protection of personal data stored, managed and processed by individual businesses
- comply with users' requests to delete everything they have ever published about users online.

It also means that consumers are able to force companies that hold data about them, such as financial institutions, marketing companies and also online services such as Facebook and LinkedIn, to remove all personal data held relating to them. Users providing information over the internet must be informed of the purposes their data will be used for internally, how long it will be stored for and if it is to be used by third parties. Organisations across Europe must gain explicit consent from their customers for processing personal data and provide those customers with a right to be forgotten - this means that all data stored on a customer requesting this right must be removed from corporate databases and data stores.

Consent to process and a right to be forgotten

Businesses will have to gain explicit consent from their customers for processing personal data and must also provide those customers with a right to be forgotten. Legislative changes include new Europe-wide powers to impose punitive fines of up to 2 per cent of an organisation's global turnover should they breach the Data Protection Rules.
The 24 hour rule

Under the proposed Data Protection regulations, organisations must swiftly inform individuals when their personal data is lost, stolen or hacked. Companies that suffer a data breach must inform the data protection authorities and the individuals concerned within 24 hours of the disclosure being identified. The new rules have been introduced as a comprehensive legislative package which is uniformly applicable across all EU member states, and to organisations outside the EU that hold personal data on EU citizens.

With an ever expanding, increasingly sophisticated and persistent threat landscape, which is driving wider legislation to ensure organisations are adequately protected, the need for specialist CSPS is fast becoming a business as usual (BAU) necessity.

The average cost of a data breach for a UK company has reached 1.7 million and is now 47.00 per lost customer record.

According to the Ponemon Institute, the cost of a data security breach for companies in the UK ranged from 160,000 to 4.8 million.
Combating the challenges - what CSPS offers

It is clear there are numerous security issues organisations need to consider. CSPS aim to:
- reduce the risk of data loss and security breaches
- minimise the risk of significant legislative fines
- improve the maturity level of an organisation's security culture
- provide a platform for collaboration and innovation across the security community.

The benefits CSPS can bring to your organisation are:
- knowledge that your corporate and customer data is appropriately protected against internal and external threats
- in the case of a data breach, a faster recovery process to demonstrate to shareholders, customers and legislators that lessons have been learnt and mitigating actions implemented
- a benchmark security standard set against industry best practice that will let you know your level of vulnerability and your organisation's capacity to deal with evolving local and international threats.

As auditors, advisors and consultants to industry, Grant Thornton UK LLP has conducted numerous reviews on behalf of clients to ensure that the Data Protection Rules are being applied. We also provide professional services to identify and bridge any gaps you may have in achieving compliance with legislation, and we seek to provide a platform for innovation and collaboration within the security community.
Why Grant Thornton and our approach to CSPS

Grant Thornton UK LLP has an extensive client base that spans multiple industries and countries. Our CSPS are designed to help clients protect data, assets and services at an appropriate and proportionate level to the unique or combined threats faced by individual organisations around the globe. Our team of dedicated security practitioners are experienced in advising, consulting on and leading major security initiatives for high profile organisations and are often engaged as trusted advisors on sensitive national or international initiatives. Our senior security consultants come with a range of commercial and government accreditations including: CISSP, CLAS, CISM, CREST and CHECK.

Grant Thornton has a distinctive approach to CSPS and it covers three interdependent elements:
- physical security (buildings/estates/property)
- personnel security (including staff and culture)
- information and cyber security (documents/data/systems).

In assessing an organisation's security framework, we focus on:

1: Governance
- Information Security Management Systems (ISMS)
- Alignment to Business Strategies
- Compliance Assessment and Assurance Frameworks
- Information Security Risk Assessments and Audits
- Training and Awareness

2: Regulatory Compliance and Standards
- Review and compliance assessment including:
-- European Union Cyber Security Directive (EU CSD)
-- Payment Card Industry Data Security Standards
-- Data Protection Act 1998 and EU Data Protection Directive (EU DPD)
-- FSA Data Security guidelines
-- ISO 27000 suite of standards
-- BS 25999
-- ITIL

3: Information Risk Management
- Cyber Threat Analysis Services
- Data Governance Consulting Services
- Data Protection and Records Management
- Developing a Security Culture
- Physical Security and Social Engineering Advisory
- Cloud and End-point Security
- Third Party Security Assessments

4: Technical Security Management
- Malware and Anti-Virus Management
- Encryption and Transmission Security
- Vulnerability Assessment and Penetration Testing
- Enterprise Mobility Management
- Identity and Access Management (IAM)
How we can help

Grant Thornton UK LLP can provide a range of services to meet your organisation's specific requirements. From providing additional expert resource to supplement your security team, to providing a completely outsourced service, we can deliver cyber, information, data and physical advisory and consulting services. Where an entire project is outsourced we would supply a comprehensive team of multi-skilled practitioners to provide services across agreed functions and to deliver a complete end to end solution.

Our experts can conduct a range of support activities, including:
- cyber security reviews and gap analysis
- technical reviews of current security and organisational infrastructure
- cyber security assessments, health checks and internal audit reviews
- in depth analysis and benchmarking of cultural maturity for security services across the firm
- legislative advisory services
- project and programme management
- data, physical and HR professional security services
- training of staff and change management
- forensic IT security services
- collaboration and innovation events to connect chief information security officers and the business community.

Grant Thornton can help you ensure that your corporate security and privacy standards and infrastructure are fit for purpose and up to the task of defending your organisation against current and emerging cyber security threats.

Who should I contact for assistance?

To understand more about our CSPS expertise, please contact:

Sandy Kumar
Partner, Head of Business Risk Services
T 020 7728 3248
E sandy.kumar@uk.gt.com

Manu Sharma
Associate Director, Lead for Cyber Security and Privacy Services, Business Risk Services
T 020 7865 2406
E manu.sharma@uk.gt.com

Ravi Joshi
Head of Technology Risk Services, Business Risk Services
T 020 7865 2571
E ravi.joshi@uk.gt.com

© 2013 Grant Thornton UK LLP. All rights reserved. Grant Thornton means Grant Thornton UK LLP, a limited liability partnership.
Grant Thornton is a member firm of Grant Thornton International Ltd (Grant Thornton International). References to Grant Thornton are to the brand under which the Grant Thornton member firms operate and refer to one or more member firms, as the context requires. Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered independently by member firms, which are not responsible for the services or activities of one another. Grant Thornton International does not provide services to clients. This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occasioned to any person acting or refraining from acting as a result of any material in this publication.

grant-thornton.co.uk