Safeguarding company from cyber-crimes and other technology scams

www.pwc.com Safeguarding company from cyber-crimes and other technology scams ASSOCHAM Rahul Aggarwal - Director


Post on 26-Sep-2020


Page 1

www.pwc.com

Safeguarding company from cyber-crimes and other technology scams

ASSOCHAM

Rahul Aggarwal - Director

Page 2

PwC

The new ‘digital’ business ecosystem is complex and highly interconnected

The new business ecosystem: Enterprise, Service providers, Suppliers, Industry, Customer, Consumer, JV/Partners

1. An always on, always connected world
2. Data explosion
3. Infrastructure revolution
4. Future finance
5. Tougher regulations and standards
6. New identity and trust models

Together, these will define future security models

Page 3

Evolving business ecosystem

Advancements in technology – Adoption of cloud-enabled services; Internet of Things (“IoT”) security implications; BYOD usage

Value chain collaboration and information sharing – Persistent ‘third party’ integration; tiered partner access requirements; usage and storage of critical assets throughout ecosystem

Operational fragility – Real-time operations; product manufacturing; service delivery; customer experience

Business objectives and initiatives – M&A transactions; emerging market expansion; sensitive activities of interest to adversaries

Historical headlines have primarily been driven by compliance and disclosure requirements

However, the real impact is often not recognized, appreciated, or reported

Unmanaged risks with potential long-term, strategic implications

Cybersecurity must be viewed as a strategic business imperative in order to protect brand, competitive advantage, and shareholder value

Page 4

Information Security Incidents rising Globally…

Red October, BlackEnergy, Regin, Shamoon

Page 5

Cyber crime ranks as one of the top economic crimes perceived by businesses across the world

Cyber crime the second most important crime across the world

[Figure: Types of Economic Crime Experienced, 2014 and 2016, as a percentage of respondents, by category: Asset Misappropriation, Cybercrime, Bribery & Corruption, Procurement Fraud, Accounting Fraud, Human Resources Fraud, Money Laundering]

PwC global economic crime survey

Page 6

Security incidents have increased multi-fold in the last couple of years

Source: Security Incidents handled by CERT-In, CERT-In Annual Report 2014, http://www.cert-in.org.in/

# Security Incidents in 2014 No. of incidents

1. Phishing 1,122

2. Network Scanning/ Probing 3,317

3. Virus/ Malicious Code 4,307

4. Website defacements 25,037

5. Spam 85,659

6. Website intrusion and malware propagation 7,286

7. Others 3,610

Total 1,30,338

Security incidents handled, by year: 2010: 10315; 2011: 13301; 2012: 22060; 2013: 71780; 2014: 130338

Page 7

The number of cyber crime cases registered under the IT Act in India is increasing at an alarming rate

Cyber crime has been increasing at an alarming rate in India. The number of cybercrime cases registered under the IT Act in 2011 was 1791, an 85% increase since 2010. This has increased to 2876 in 2012, 4356 in 2013 and 7201 in 2014.

Significant increase in the number of registered cases

Number of cyber crime cases registered under the IT Act

‘Crime in India’ report 2011-2014, (National Crime Record Bureau), PwC Analysis

Cyber crime cases in India, by year: 2008: 288; 2009: 420; 2010: 966; 2011: 1791; 2012: 2876; 2013: 4356; 2014: 7201

Page 8

Financial losses increase two-fold: Losses increased by 135% over the previous year

[Figure: Impact of security incidents on business and data, as a percentage of respondents. Business: Financial losses; Theft of 'soft' intellectual property; Theft of 'hard' intellectual property; Brand/reputation compromised; Loss of customers; Legal exposure/lawsuit; Other; Unknown. Data: Loss or damage of internal records; Customer records compromised; Employee records compromised]

PwC global state of information security survey

Page 9

Security incidents caused by insiders have dominated those caused by external actors.

Ratio of security incidents caused by insiders as compared to external actors: 2012: 2.2; 2013: 1.1; 2014: 0.9; 2015: 1.5

PwC global state of information security survey

Page 10

Third party security focus should be top priority

In today’s interconnected ecosystem, the compliance of third parties with relevant security policies and procedures is important to maintain the overall security posture of the organization

24% of respondents cited former business partners and suppliers as causes of incidents.

Surprisingly, we noted that 50% of companies do not ensure that third parties comply with their privacy policies, and around 40% of total organisations do not have established baseline standards for third parties.

Compliance with privacy policies: 50%
Compliance audit to check PII safeguards: 55%
Established security baselines/standards: 62%

PwC global state of information security survey

Page 11

Technological Investments required to fight the cyber crimes

• Vulnerability scanning tools have seen an increase in adoption and are up from 57% to 62%
• Intrusion detection tools have increased from 55% to 62%
• 53% of organizations have listed implementation of newer technologies as their top priority in the next 12 months

Organizations adopting various security technologies

Biometrics: 52% (2014), 58% (2015)
Malicious code detection tools: 56% (2014), 61% (2015)
Tools to discover unauthorised devices: 53% (2014), 59% (2015)
Intrusion detection tools: 55% (2014), 62% (2015)
Vulnerability scanning tools: 57% (2014), 62% (2015)
Malware or virus protection software: 68% (2014), 71% (2015)
Use of virtual desktop interface (VDI): 53% (2014), 56% (2015)

PwC global state of information security survey

Page 12

Organizations collaborate and the involvement of executives and the board evolves

As more businesses share more data with an expanding roster of partners and customers, it makes sense for them to swap intelligence on cyber security threats and responses. Indeed, over the past three years, the number of organisations embracing external collaboration has steadily increased.

Benefits of external collaboration

Share and receive information from industry peers 63%

Improved threat intelligence and awareness 58%

Share and receive information from government 46%

Share and receive more information from law enforcement 46%

Receive more timely threat intelligence alerts 49%

Benefits of board participation

Identification and communication of key risks 51%

Encouragement of organisational culture of information security 50%

Information security programme funding 51%

Internal and external collaboration and communications 38%

PwC global state of information security survey

Page 13

Taking measures to address the risks due to emerging technologies

Internet of things (IoT)

IoT has come a long way from being a futuristic concept just a few years ago to transforming into real products, services, and applications; this offers miscreants an enlarged surface area to attack, leading to highly publicized consequences.

Going mobile with payments

With the increase in sales of smartphones and access to the Internet, m-commerce and m-payment are set to grow rapidly. However, this also brings with it cyber, privacy and compliance risks that organisations need to address.

[Figure: Steps taken to secure mobile payment services, as a percentage of respondents, by category: Risks related to malware/malicious apps; Risks related to hardware/device platforms; Verification/provisioning processes; End-user risks and vulnerabilities; Protection of customer personal information; Tokenisation and encryption; Strong authentication; Work with issuing banks]

PwC global state of information security survey

Page 14

The big impact of Big Data

In a world where data is gaining importance, and companies are leveraging big data analytics for business decisions, a growing number of organizations are also employing big data analytics to monitor security threats, quickly respond to incidents and audit and review data to understand how it is used, by whom and when.

PwC global state of information security survey

Page 15

The legal framework in India for privacy and data security . . .

Maturity: IT Act, 2000 (9th June 2000); IT Act Amendment, 2008 (23rd December 2008); IT Act Rules, 2011 (11th April 2011)

IT Act, 2000 (9th June 2000)

Overview
• Legal Recognition for E-Commerce: Digital Signatures and Regulatory Regime for Digital Signatures; Electronic Documents are now Treated at Par with Paper Document
• E-Governance: Electronic Filing of Documents
• Defines Civil wrongs, Offences, Punishments: Appellate Regime; Right of Investigation and Adjudication

Objective
• Legal recognition for transactions carried out by means of electronic data interchange
• Other means of electronic communication
• Penal actions for violations

IT Act Amendment, 2008 (23rd December 2008)

Overview
• Section 43 A – Personal Data Protection
• Section 66 – Computer related offences
• Section 69B – Cyber Security
• Section 67C – Intermediary responsibilities
• Section 70A & B – CERT-IN Powers
• Various Provisions – Inspections, interceptions and disclosures

Objective
• Specific provisions on data protection
• Provisions on cyber security, national security, encryption policy, cyber crimes
• Strengthen the data protection regime in the country.

IT Act Rules, 2011 (11th April 2011)

Overview
• Defines Sensitive personal data or information
• Body corporate to provide policy for privacy and disclosure of information
• Collection of information
• Disclosure of information
• Transfer of information
• Reasonable Security Practices and Procedures

Objective
• Strengthen the data protection regime in India thereby providing legal assurance to the clients, governments, regulators and end customers abroad that India is a secure destination for outsourcing.

Page 16

Keeping pace with the new reality – Key considerations

Security Culture and Mindset: Establish values and behaviours to create and promote security effectiveness

Process and Technology Fundamentals: Evaluate and improve effectiveness of existing processes and technologies

Threat Intelligence: Understand the threats to your industry and your business

Monitoring and Detection: Enhance situational awareness to detect and respond to security events

Critical Asset Identification and Protection: Identify, prioritize, and protect the assets most essential to the business

Incident and Crisis Management: Develop a cross-functional incident response plan for effective crisis management

Page 17

Thank you

© 2016 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited (a limited liability company in India), which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.