CYBER SECURITY Nick Kervin – Partner, IT Advisory Page 1 August 2017

Post on 04-Aug-2020




CYBER SECURITY

1. What is at risk?

2. Global industry trends

3. BDO/AusCERT survey

4. Recent cyber case studies

5. Cyber risk mitigation strategies

Page 2

Overview


WHAT IS AT RISK

Page 3


Page 4

2017 World Economic Forum

Source: The Global Risk Report 2017 – World Economic Forum

WHAT IS AT RISK


WHAT IS AT RISK

Adversary / Motives / Targets / Impact

Hacktivists

Motives:

• Influence political and/or social change

• Pressure business to change their practices

Targets:

• Corporate secrets

• Sensitive business information

• Information related to key executives, employees, customers & business partners

Impact:

• Disruption of business activities

• Brand and reputation

• Loss of consumer confidence

Cyber criminals

Motives:

• Immediate financial gain

• Collect information for future financial gains

Targets:

• Financial / payment systems

• Personally identifiable information

• Payment card information

• Protected health information

Impact:

• Costly regulatory inquiries and penalties

• Consumer and shareholder lawsuits

• Loss of consumer confidence

Nation state

Motives:

• Economic, political, and/or military advantage

Targets:

• Trade secrets

• Sensitive business information

• Emerging technologies

• Critical infrastructure

Impact:

• Loss of competitive advantage

• Disruption to critical infrastructure

Insiders

Motives:

• Personal advantage, monetary gain

• Professional revenge

• Patriotism

Targets:

• Sales, deals, market strategies

• Corporate secrets, IP, R&D

• Business operations

• Personnel information

Impact:

• Trade secret disclosure

• Operational disruption

• Brand and reputation

• National security impact

Page 5

Who are the adversaries and what are their motives?


WHAT IS AT RISK

Page 6

The actors and the information they target

Adversaries: Cyber criminals, Hacktivists, Nation state, Insiders

Motives and tactics evolve, and what adversaries target varies depending on the organisation and the products and services it provides.

What’s most at risk:

• Emerging technologies

• Energy data

• Advanced materials and manufacturing techniques

• Healthcare, pharmaceuticals, and related technologies

• Business deals information

• Health records and other personal data

• Industrial Control Systems (SCADA)

• R&D and / or product design data

• Payment card and related information / financial markets

• Information and communication technology and data


GLOBAL INDUSTRY TRENDS

Page 7


INDUSTRY TRENDS

Page 8

Cyber attacks on user devices & persons are rising

Source: Verizon 2016 Data Breach Investigations Report


INDUSTRY TRENDS

Page 9

Breach discovery methods are changing

Source: Verizon 2016 Data Breach Investigations Report


INDUSTRY TRENDS

Cyber attacks are on the rise

• The estimated annual cost of cyber-attacks to the global economy was more than $500 billion in 2015, with $230 billion in APAC

• The World Economic Forum recognises cyber breaches as one of the top threats to the stability of the global economy

• Data breaches and malware infections will cost the global economy $2.1 trillion by 2019

Cyber threats are Boards’ fastest-growing concern, but investment is not keeping pace with breach costs

• $75 billion was spent on cyber security in 2015

• Estimated spend on cyber security by 2020 will be $175 billion

• Cyber spend will more than double over the next five years, with cyber insurance expected to grow to $2.5 billion by 2020

Page 10

Breaches are on the rise but industry spend has not kept pace


Source: Forbes


INDUSTRY TRENDS

Solid growth in the cyber security job market

• 1 million unfilled cyber security jobs globally in 2015, a 75% increase over the last five years

Cyber security jobs in demand as investments increase

• There will be a shortage of cyber security skills as the market is expected to grow to 6 million jobs by 2019, with a shortfall of 2 million jobs

Cyber job market in the ANZ region is growing

• Demand for cyber security skills in the ANZ market will grow 21% over the next five years, with an expected shortage of 10,000 people by 2019

Page 11

Cyber security skills are in high demand


Source: Forbes


BDO / AusCERT CYBER SECURITY SURVEY

Page 12


Australian Respondents by state

NZ Respondents by region

Page 13

BDO / AUSCERT CYBER SURVEY

• Over 400 respondents

• 43% of Australian respondents from Queensland


BDO / AUSCERT CYBER SURVEY

Page 14

Primary industry of all respondents coloured by type

[Bar chart, 0% to 20% axis. Industries: Accommodation and food services; Administrative and support services; Agriculture, forestry and fishing; Arts and recreation services; Construction; Education and training; Electricity, gas, water and waste services; Financial and insurance services; Health care and social assistance; Information media and telecommunications; Manufacturing; Mining; Other; Professional, scientific and technical services; Public administration and safety; Rental, hiring and real estate services; Retail trade; Transport, postal and warehousing; Wholesale trade. Organisation types: State Government; Federal Government; Local/regional Government; Not-for-profit; Private limited company; Public listed company; Sole trader / Partnership]

BDO / AUSCERT CYBER SURVEY

Cyber security incidents experienced in 2016

[Bar chart, 0% to 35% axis, Healthcare vs All Respondents, for: Data breach and third party provider / supplier; Data loss / theft of confidential information; Denial of service attack; Brute force attack; Email addresses or website(s) blacklisted; Malware / trojan infections; Phishing / targeted malicious e-mails; Ransomware; Theft of laptops or mobile devices; Unauthorised access to information by external user; Unauthorised access to information by internal user; Unauthorised modification of information; Website defacement]

• Ransomware

• Phishing

• Malware

• DDoS

Page 15

BDO / AUSCERT CYBER SURVEY

Cyber security incidents expected in 2017

[Bar chart, 0% to 25% axis, Healthcare vs All Respondents, covering the same thirteen incident categories as the 2016 chart]

Page 16

BDO / AUSCERT CYBER SURVEY

Likely source of cyber security incidents

• Cyber criminals / organised crime: 33%

• Insiders / current employees: 13%

• Activists: 12%

• Third party hosting provider: 10%

• Foreign Governments / Nation States: 10%

• Former employees: 8%

• Competitors: 6%

• Customers: 4%

• Suppliers / business partners: 4%

Page 17

Page 18

BDO / AUSCERT CYBER SURVEY

Likely source of cyber security incidents

[Bar chart, 0% to 35% axis, All Respondents vs Healthcare, for: Activists; Competitors; Customers; Cyber criminals / organised crime; Foreign Governments / Nation States; Former employees; Insiders / current employees; Suppliers / business partners; Third party hosting provider]


Cyber security awareness programs reduce incidents overall

Page 19

BDO / AUSCERT CYBER SURVEY

[Bar chart, 0% to 50% axis, All Respondents: Ransomware, Phishing, Malware/Trojan, All Other]


Security Operations Centres reduce incidents by 79%

Page 20

BDO / AUSCERT CYBER SURVEY

[Bar chart, 0% to 40% axis, All Respondents: Ransomware, Phishing, Malware/Trojan, All Other]

Does your organisation utilise intelligence sharing networks?

Page 21

BDO CYBER SURVEY

• No - we feel we don't need to: 11%

• No - we don't know if such a network exists: 39%

• No - it doesn’t provide us value: 4%

• Yes - but its usefulness is limited: 18%

• Yes - but the process is overly expensive/time consuming: 5%

• Yes - we gain a great deal of value from doing so: 23%


Only 28% of respondents have cyber insurance cover

Page 22

BDO / AUSCERT CYBER SURVEY

[Pie chart; values as extracted: 14%, 9%, 5%, 25%, 18%, 9%, 12%, 8%]

• Yes - we have this cover as an extension to another insurance policy

• Yes - we have a standalone cyber policy

• Yes - but do not know how the policy was arranged

• Not yet - we are considering it

• No - we were not aware of this type of insurance

• No - we self-insure

• No - we don't feel we need it


ASX 100 CYBER HEALTH CHECK REPORT

Page 23


ASX 100 CYBER HEALTH CHECK REPORT

Page 24

What is it?

• The ASX 100 Cyber Health Check is the first attempt to gauge how the boards of Australia’s largest publicly listed companies view and manage their exposure to the rapidly evolving cyber world

• 76% of the ASX 100 responded to the survey

• Currently, only 11% of companies proactively reassure customers and investors about their approach to cyber security

• Survey is available at: www.asx.com.au/ASX100-Cyber


DETECT, RESPOND AND MANAGE

Page 25

Are you prepared?

1. More needs to be done around proactive detection

2. The rise of the SOC

3. Who has an Incident Response Plan?

4. Do you know what your breach reporting obligations are?


LEADERSHIP

Page 26

Are you doing enough?

1. A very large percentage admit that there is more to do

2. Only 20% have a standalone cyber budget

3. 20% of the respondents have no plans to include a board member with cyber expertise


RECENT CYBER CASE STUDIES

Page 27


DATA BREACH CASE STUDY

Page 28

Early Sept ‘16: Donor information accessible via website

24 Oct ’16: Data set discovered by an anonymous source, who notified Troy Hunt

25 Oct ’16: Troy Hunt contacts AusCERT, who then notifies Red Cross

26 Oct ’16: Red Cross learns of the file containing donor information

28 Oct ’16: Red Cross chief executive Shelly Park makes a public statement

14 Nov ’16: Forensic investigation concludes that only one person accessed the file


DATA BREACH CASE STUDY – TARGET

Page 29

27 November - 15 December ‘13: Malware installed to infect Target’s POS system; customers’ personal information is exposed to fraud

13 December ’13: Department of Justice notifies Target of the breach

14 December ’13: Target hires Verizon to investigate the hack

15 December ’13: Target removes malware from “virtually all” registers in U.S. stores

18 December ’13: Data and security blog KrebsOnSecurity reports the data breach

19 December ’13: Target publicly acknowledges the breach

20 December ’13: Target says it believes few credit cards were compromised, and offers customers a 10% discount in store


DATA BREACH CASE STUDY – TARGET

Page 30

23 December ’13: Target’s general counsel, Tim Baer, hosts a 30-minute conference call with state attorneys general

27 December ’13: Ongoing investigation finds that encrypted debit card PIN information was accessed during the breach; Target believes the PIN numbers remain secure

10 January ’14: Target says an additional 70m customers had data stolen

22 January ’14: Target lays off 475 employees at its headquarters and leaves another 700 positions unfilled

4 February ’14: Target CFO John Mulligan testifies before the U.S. Senate Judiciary Committee

18 February ’14: Costs associated with the data breach topped $200m, according to a report from the Consumer Bankers Association and Credit Union National Association

30 April ’14: Target says it has committed $100m to update technology

5 May ’14: Bob DeRodes takes over as Target’s CIO. Target CEO Gregg Steinhafel resigns.


CYBER RISK MITIGATION STRATEGIES

Page 31


CYBER RISK MITIGATION STRATEGIES

Historical IT Security Perspectives vs Today’s Leading Cyber Security Insights

Scope of the challenge

• Historical: Limited to your “four walls” and the extended enterprise

• Today: Spans your interconnected global business ecosystem

Ownership and accountability

• Historical: IT led and operated

• Today: Business-aligned and owned; CEO and board accountable

Adversaries’ characteristics

• Historical: One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain

• Today: Organised, funded and targeted; motivated by economic, monetary and political gain

Information asset protection

• Historical: One-size-fits-all approach

• Today: Prioritise and protect your “crown jewels”

Defense posture

• Historical: Protect the perimeter; respond if attacked

• Today: Plan, monitor, and rapidly respond when attacked

Security intelligence and information sharing

• Historical: Keep to yourself

• Today: Public/private partnerships; collaboration with industry working groups

Page 32

Changing landscape - businesses need to adapt to the new reality


CYBER RISK MITIGATION STRATEGIES

Page 33

How you can become more cyber resilient

• Know the value of your data / assets

• Know where your data / assets are

• Know who has access to it

• Know who is responsible for protecting it

• Know how well it is protected

• Know if the level of protection is within your risk appetite

• Know what to do when you are breached

Source: Expanded from Telstra’s “Five Knowns of Cyber Security”


CYBER RISK MITIGATION STRATEGIES

Page 34

Educate, educate, educate!


QUESTIONS?

NEED MORE INFORMATION?

Nick Kervin: [email protected]

Download the report: http://bdoaus.co/2gJ5aQu

Page 35