Cyber Security. Evolved.
Building Resilience
29th May 2013
James Nunn-Price
Partner and UK Cyber Security Lead, Deloitte
© 2013 Deloitte LLP. Private and confidential.
Bio
James Nunn-Price
• James is Deloitte’s UK lead partner for Cyber Security.
• He is also the Partner responsible for Deloitte’s information security and cyber advisory services to UK Government, and is currently advising regulators on the UK and EU cyber initiatives.
• He has over 15 years’ security experience assisting clients with a number of high-profile and complex challenges, and prior to this a deep technology background.
New technology, new opportunities, new threats
Exciting technological innovations bring opportunities to enter new markets, adopt alternative business models, increase integration and drive efficiencies.
But this opportunity brings security risk. Organisations are more exposed to cyber attacks than ever before.
Assets that were once physically protected are accessible online; customer channels are vulnerable to disruption; criminals have new opportunities for theft and fraud.
Companies like yours
www.cybersecurityevolved.com
The cost to UK business: £27 billion and growing...
In our latest global industry security survey, 50 per cent* of companies had knowingly experienced an attack in the last 12 months.
The frequency is increasing, and it only takes a single weakness for an attack to be successful.
Governments and regulators at national and international levels are looking to enhance the security of nation states, companies and their citizens, to enhance cyber resilience, reduce cyber-crime and protect opportunities for future economic growth.
*Deloitte’s 2012 Report, Blurring the Lines
From hype to reality
Our 2013 security survey reveals the true impact of cyber attacks on UK citizens*:
• 65% receive phishing emails
• 32% were victims of cybersquatting
• 26% had their computer affected with malware
*Deloitte’s 2013 Report, A Secure Consumer
The threat is real and growing
• More targeted and sophisticated
• Global exposure
• Commoditisation of exploitation
• Relentless/persistent attacks
• Low stake, high rewards
Threat sources and attack types: nation state cyber warfare, competitor risk, hacktivism, script kiddies, botnets, insider threats, accidental discovery, cyber squatting, phishing, malware.
The threat intelligence – key terms 101
Phishing: Artificial websites linked from forged e-mails with the express intent to defraud customers, either for money or for sensitive information, e.g. usernames and passwords.
Malware: Malicious software, generally concealing its presence, that contains references to a company's domain name or IP addresses.
Cyber Campaigns: Planned, in-progress or executed attacks by individuals or organisations of cyber criminals. Examples include Anonymous, 3xp1r3 Cyber Army, & Iran Security Team.
Social Media: Detection of unauthorised social profiles and compromised social media user accounts, as well as adverse / negative mentions.
Information Leakage: Sensitive and non-sensitive information belonging to the company being posted online.
Vulnerabilities: Information which describes systems, databases, networks, devices, applications and their corresponding websites that are vulnerable to attack.
CyberSquatting: Domains that are not owned by the likely / related company, but registered to be used by cyber criminals for the purpose of defrauding customers or extorting companies.
Advanced Persistent Threat (APT) is a term for highly skilled targeted attacks that use all of the above over a sustained period of time.
So, what does an attack look like?
Initial stages are slow and quiet as attackers try to compromise your defences.
It only takes a single weakness to get in... From then it takes:
• Seconds to enter your organisation
• Minutes to start extracting your data
• Days, weeks or even months until discovery
• Response and containment – until the next time?
The devastating impact of an attack
Depending on how an organisation responds, the business impact can severely dent the reputation and performance of even the most established firm:
• Lost IP reducing commercial advantage
• Intense and prolific media coverage exposing the breach
• Loss of consumer confidence, loss of sales
• Brand reputation and market confidence damaged
• Operating margin down and assets devalued
• Reduced stakeholder confidence
Painful questions for business
Cyber attacks bring an organisation under the spotlight, with stakeholders probing for answers:
• Where was the defence?
• Was there no intelligence?
• Did the execs understand the risk?
• Was there no priority at board level to protect the firm?
• Why was the response so slow?
The future of security – are you evolving?
“Ignorance more frequently begets confidence than does knowledge.”
Charles Darwin
Activities are still largely reactive and compliance-driven:
• Largely compliance focused
• Developing policies
• Meeting industry baselines
• Audit
• Often limited visibility or interest to the business – unless something goes wrong
• Touching some change programmes
• Limited future watching
• Low operational agility
External forces acting on the organisation: social, political, legislative, economic, environmental and technological.
Striving for cyber resilience
Cyber Security. Evolved.
To succeed, companies need to take control of their cyber risks, building cyber resilience:
• Companies need to be aware of the latest risks;
• prepare their organisations to be robust; and
• respond quickly and effectively to mitigate new risks.
By getting this right, organisations can evolve to cyber resilience, enabling them to focus on core business rather than reactively managing and responding to security incidents.
Board and Audit Committee owned risk – don’t over-delegate to IT!
Questions?
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, and its network of
member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the
legal structure of DTTL and its member firms.
Deloitte LLP is the United Kingdom member firm of DTTL.
This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out
will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from
acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this
publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining
from action as a result of any material in this publication.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New
Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198.
© 2013 Deloitte LLP. All rights reserved.