Cyber & Privacy - how cyber-safe are we in a COVID-19 world?

Cyber & Privacy - how cyber-safe are we in a COVID-19 world? 2020 Deloitte Shared Services Virtual Conference | 18 June 2020


Page 1:

Cyber & Privacy - how cyber-safe are we in a COVID-19 world?

2020 Deloitte Shared Services Virtual Conference | 18 June 2020

Page 2:

Cyber as a business competitor: Tangibly eroding business value and confidence, today

Global: Workforce

Global resources available in every continent and jurisdiction. Government employees, full-time professionals, contractors for hire, zero-hours, hacking-as-a-service. Working in any language, 24x7.

Flexible: Business models

Responsive to market opportunities and demands, diversified revenue sources. Blackmail, theft of intellectual property to order, collecting sensitive information for re-sale. Ancillary services: money laundering, false IDs, foreign exchange, managed services (platforms, tools).

Innovative: Cutting edge tools

Cloud, collaboration, social-media, and machine-learning platforms. Sophisticated, zero-cost commodity tools, low-cost licensed tool-kits and platforms for hire, and bespoke development for well-funded sponsors.

Integrated: Vertical industry

Complete chain of independent specialist services. Research and development, productisation, sales, marketing, delivery and implementation. Managed services, franchising, licensing, and customer support; providing platforms, tools and services to buy or lease.

Embedded: Relationships in every client

Every industry is now subject to frequent attacks by sophisticated ‘bad actors’. Almost certainly every major organisation is currently compromised, whether or not they are aware of it. Bad actors often deliberately delay or hide visible impacts. Remaining undetected, to find more weaknesses to exploit or information to steal.

Profitable: Low regulation and taxes

High volume or high value illegal goods in efficient and liquid market-places. Online markets join buyers and sellers to trade stolen assets for cash or cryptocurrency. Limited risk of identification or prosecution. The only significant ‘tax’ is the effort and cost of laundering profits.

Page 3:

The underground markets: Commodity prices, expensive impacts

Examples: Accessible, affordable & polished – to rival any business

$500 Reveal your business emails: One-off fee to provide total access to a business email address

$200 Cripple your digital services: Weekly fee to disrupt business website services

40% Profit-share for successful attacks: You nominate the business to attack, they provide the tools. 60:40 split of profits

Reputably disreputable: How hacking-as-a-service promotes itself

“We are trustworthy and professional.”

Professionalism. We are working only with the best technologies and developments. Experience. We are constantly improving our technology in this area and are adopting new advanced solutions. Quality. Our expertise allows us to exploit various vulnerabilities on the target servers, making our attacks the most effective. Power. With the continuous improvement of our technology, we have huge abilities. Anonymity. You can be sure that any information regarding your order will not be shared with a third party. Honesty. We provide conditions for repayment of funds, if you are not entirely satisfied. Provide free-trial attacks on web servers.

Sources: SecureWorks 2016, 2018

Page 4:

Cyber Climate Change: Deterrence and avoidance once offered some shelter

Two friends are hiking in the forest, when suddenly they hear a bear approaching.

One starts to run immediately, while the other kneels down to tie his shoe-laces.

“What are you doing, you can’t out-run a bear!”

“I don’t have to out-run the bear, only out-run you!”

Page 5:

Causes & Effects: Profit and politics motivate determined and sophisticated actors

Attackers

Nation States: Sophisticated, dedicated cyber teams. Focus on defensive and increasingly offensive campaigns. Some states engage in industrial espionage for strategic goals, and cyber crime to raise funds.

Employees: Constantly targeted as a weak spot. Being inside the business often means fewer protective measures apply, impacts are greater. Also includes disgruntled employees, or accidents by employees.

Third-Parties

Org. Crime: Sophisticated capabilities, ongoing investment and advancement. Blend cyber with fraud, money laundering, identity theft, drugs and human trafficking to maximise profits. Evade prosecution by leveraging trans-jurisdictional operations.

Terrorists

Contagion: Like third-party risk, on a larger scale. Where the attack doesn’t stop at the target; it spreads indiscriminately between organisations; with no direct link between the origin and ultimate victims.

Page 6:

Causes & Effects: Business extinction is now a credible scenario

Impacts

Erode Reputation & Trust: Clients’ fears about sensitive data you hold on their behalf. Regulators’ fears over market confidence, or contagion. Suppliers’ fears of collateral damage.

Deplete Assets: Recovery time and costs to return business to normal. Delayed or lost sales, penalties, regulatory / legal fines. Stolen assets (cash, tradable commodities, intellectual property).

Disrupt Operations: Direct loss of productivity (employees, platforms unable to function). Indirect loss (people and systems diverted to recover from the incident).

Destroy Value: Services without sufficient resilience can be destroyed without hope of recovery; eradicating past investment and future returns.

Extinguish Presence: Attacks* with sufficient ferocity and speed can overwhelm organisations to a point where recovery is not possible, causing business collapse.

* Accidental, or deliberate.

Page 7:

Making an impact that matters | 2020 Deloitte Shared Services Virtual Conference 7

Governance

Diligent & Proportional

Page 8:

Governance: Diligent & Proportional

“Both optimists and pessimists contribute to society. The optimist invents the aeroplane, the pessimist the parachute.”

George Bernard Shaw

Page 9:

Governance: Key factors for the Board to challenge and support

Culture: How well are behaviours and mind-set aligned with security? Are we supporting difficult conversations on risk?

Attention: How well do we monitor and understand our cyber landscape? What do we do differently as a result?

Targeting: Is our investment proportionate, and focussed appropriately? Have we sufficient balance between people, skills and technology?

First Principles: Have we nailed basic cyber hygiene? Do we have clear agreement on what our absolute essential platforms are? Are they sufficiently resilient and capable of timely recovery?

Trojan Horse: How confident are we the risk from third-parties is controlled sufficiently? Are we providing them with sufficient guidance, and monitoring their behaviour?

Action: How prepared are we at all levels to respond? Do we understand our roles and responsibilities? Have we tested ourselves sufficiently to be confident?

Page 10:

Governance: Key roles to adopt to generate and maintain trusted partnerships

Champion: Give your teams consistent messaging and support; foster positive behaviours and give them the confidence to act in the best interests rather than self interest.

Custodian: Regulators, suppliers, clients observe our behaviours and attitudes. Well-managed cyber responses provide reassurance and maintain confidence in an uncertain world.

Investor: Build and sustain skilled teams, empowered to act, with the right tools. Earn confidence in return on investment from aligning priorities with regular horizon scans for the Board.

Vanguard: Take regular briefings on changes in the cyber landscape, and what the implications are. Adapt your strategy accordingly, lead from the front in responding.

Page 11:

Mind-Set & Resilience: Preparing people and business for better outcomes

“Everyone has a plan… …‘till they get punched in the mouth.”

Mike Tyson

Page 12:


Cyber, Privacy & COVID-19

Page 13:

COVID-19 Impacts on Cyber landscape: Cyber threats are increasing

Page 14:

Privacy considerations: A fine balance

Page 15:


Summary & Takeaways

Page 16:

Cyber & Privacy: The threats are increasing

• Cyber is not just an IT issue

• Threats are increasingly sophisticated and impacts are getting bigger

• The regulatory landscape is getting tougher

• COVID-19 is having an impact

• Privacy will more than ever polarise opinion

• The Laws are there to protect us when properly enforced but need proactive attention

• Data ethics is increasingly important as society demands more