When, not if – Strategies on guarding
against cyber risk
Nick Galletto
Marc MacKinnon
Agenda…
Canada’s Best Managed Companies
The evolving cyber threat landscape
Anatomy of an attack
Cyber myths and realities for private companies
Transforming your defenses: Secure. Vigilant. Resilient
Closing thoughts
The evolving cyber threat landscape
The landscape is changing…
• Cyber risks are reputational and operational risks to information and assets
• External forces are transforming cyber from what has historically been a technology-driven issue into a multi-faceted business risk issue:
– Customer expectations
– Third-party obligations
– Legislation
– Regulatory action
– Media attention
Examples of cyber risks:
• IP/confidential information theft
• Business disruption and outages
• Data and software loss
• Cyber crime/cyber fraud
• Breach of personally identifiable information (PII)
• Physical asset loss
• Regulatory investigations and fines
• Reputational impact
Cyber crime is evolving in volume, sophistication, and impact
Global cost of cyber crime*: $445B
Impact on technology and business innovation**: $3T
*McAfee http://www.telegraph.co.uk/technology/internet-security/10886640/Cyber-crime-costs-global-economy-445-bn-annually.html
**WEF Risk and Responsibility in Hyperconnected world
Digital revolution = Business innovation and growth + new
and emerging cyber threats
In the World Economic Forum’s Global Risks 2016 report, cyber risk is firmly positioned as a major risk.
The cyber criminal may not be who you envision
“Today, the average age of a cyber criminal is 35, and 80% of them are affiliated with organized crime…. Leading to the creation of increasingly sophisticated criminal organizations …”
Business and technology trends trigger cyber risks
New business models:
• Mobile workforce
• Innovative economy
• Peer-to-peer models
• Extended enterprise
• Commoditized data / intelligence
Technology forces:
• Analytics
• Cloud
• Big data
• Mobile
• Social
• IoT
It starts with asking the right questions…
Who might attack?
• Cyber criminals
• Hacktivists (agenda driven)
• Nation states
• Malicious insiders
• Rogue suppliers
• Competitors
• Skilled individual hackers
What tactics might they use?
• Spear phishing, drive-by download, etc.
• Software or hardware vulnerabilities
• Third-party compromise
• Stolen credentials
• Control systems compromise
• Integrity attacks
• Ransomware
What are they after, and what key business risks must we mitigate?
• Sensitive data
• Financial fraud (e.g., wire transfer, payments)
• Business disruption (building systems, etc.)
• Threats to health and safety
Cyber security trends 2016
• Scarcity and high cost of qualified talent in mature geographies
• Attacks are more frequent, targeted, and sophisticated
• The increasing number of connected systems and devices continues to expand an organization’s attack surface
• Ransomware and data integrity attacks will increase in sophistication and frequency
• Supply chain or business partner poisoning and lateral entry are on the rise
• Poor security hygiene continues to plague organizations
• Asymmetrical warfare capabilities through crime-as-a-service platforms
• Rising costs of prevention and remediation
• Attack patterns increasingly look like normal behavior
Anatomy of
an attack
Canada’s Best Managed Companies
Fulfill objective
Pre-compromise
Compromise
Exploit
TargetVulnerability
Strategic assets,
financial assets,
data and
intelligence
Your business
What How
Anatomy of an attack
Cyber myths and realities for private companies
Demystifying the myths
Myth: Breaches only happen to large and publicly traded organizations
While breaches of name-brand organizations grab the headlines, cyber attackers are increasingly targeting small and mid-sized businesses as well. Given the lack of security and privacy regulations, the majority of breaches go unreported.
Myth: We are just too small to be of interest to cyber criminals
While one small organization in isolation may not seem like a worthwhile target, collectively they are a goldmine. You may also be a lateral way into a much more strategic target, or be used to launch an attack against another target. As many as 30,000 websites are infected every day, and 80% of those belong to legitimate small businesses.
Myth: Our company’s data is just not that valuable
Your company’s data is more valuable than you think, and the cost of a data breach can be devastating. Between 2014 and 2015, the average cost of data breaches due to malicious or criminal attacks increased from $159 to $174 per record. These costs do not include potential liability or intangible damage such as brand and reputation.
Myth: We haven’t been breached to date, so we feel we are secure
Are you so sure? Have you had someone validate that assumption? You need to continually manage, update and fine-tune your security systems, and keep your employees aware. An attacker only has to be right once; as an enterprise, you need to defend 100 percent of the time. Advanced attacks and malware typically reside in infected systems for long periods of time (low and slow) before being detected, if they are detected at all.
Top 5 cyber challenges for private companies
1. Still a major lack of enterprise risk awareness/culture (e.g., the CFO ‘money scam’)
2. Operating without formality or centralized security policies and standards
3. Insider threats are often ignored or not considered
4. Primary focus on locking down the perimeter, at the expense of defense in depth
5. Cyber incident response capabilities are basic or non-existent
Transforming your defenses: Secure. Vigilant. Resilient.
Secure. Vigilant. Resilient.™
Being SECURE means having risk-prioritized controls to defend critical assets against known and emerging threats.
Being VIGILANT means having threat intelligence and situational awareness to anticipate and identify harmful behavior.
Being RESILIENT means being prepared and having the ability to recover from cyber incidents and minimize their impact.
Through an ongoing program to become secure, vigilant and resilient, an organization can become more confident in its ability to realize the value of its strategic investments.
…Building a robust cyber risk program
…recommendations for private companies
SECURE: Fortify your organization and establish risk-prioritized controls to protect against threats
• Patch holes and manage patches
• Develop software securely
• Manage physical security
• Focus on what matters: crown jewels and relationships
• Proactively assess your cyber risk
VIGILANT: Know what to look for and how to detect threats (incidents and anomalies), both conventional and emerging
• Focus on awareness to build a multilayered defense
• Develop a program that encompasses your organization, employees, customers and partners
RESILIENT: Prepare for the inevitable
• Establish the ability to handle critical incidents, quickly return to normal operations, and repair damage to the business and brand
Closing thoughts
Reality: Adversaries have motives, funding and means
Strategy: Protect the things that matter
Reality: Traditional cyber defenses are not enough
Strategy: Cyber intelligence and advanced security monitoring expand your view into threats and your response capabilities
Reality: Your organization is a target
Strategy: Be proactive: align, assess, educate, monitor, and practice
Reality: Focusing on “secure” only provides a false sense of security
Strategy: Be secure, vigilant, and resilient
Reality: You can’t go at it alone
Strategy: Understand where you need help and engage a managed security service provider
Questions
Marc MacKinnon, Toronto Cyber Risk Services Leader, Deloitte
Thank you