Cyber Security
Cyber security: How to keep ahead of the threats………
Warren Dunn, Partner, Forensic Technology (FIDS)

There has never been a more exciting time to be……

What's in a name
► Anonymous
► Computer Chaos Club (CCC)
► Energetic Bear
► Wannacry
► globalHell
► ILOVEYOU
► LulzSec
► Code Red
► Lizard Squad
► Melissa
► Magic Kitten
► Sasser
► Network Crack Program Hacker
► Zeus Group
► Conficker
► Numbered Panda
► Stuxnet
► OurMine
► Mydoom
► Syrian Electronic Army
► CryptoLocker
► The Level Seven Crew
► Flashback
► TeaMp0isoN

Copyright © 2017 Ernst & Young Australia. All Rights Reserved. Liability limited by a scheme approved under Professional Standards Legislation

EY's Global Information Security Survey: It is no longer possible to prevent attacks or breaches
► Cybercrime is growing and damages an organisation and its brands.
► The interconnectivity of people, devices and organisations opens up new vulnerabilities.
► New technologies, regulatory pressure and changing business requirements call for more security measures.
► What companies used to know and do to protect their information is no longer enough.
► No longer just "an IT problem": cybersecurity is a genuine business issue that has ramifications for the C-suite, Board and Directors.
► The wrong question to ask is "Are we secure?" (because the answer is "No").
► Mature organisations ask "Are we doing enough to protect ourselves from cybercrime?" How good is good enough?
► What data do you collect, store or generate that a cybercriminal would be most interested in?
► When and how would you identify a sophisticated attack, and how would you respond?

Today's attackers are not opportunists
► They have significant funding, are patient and sophisticated.
► They target vulnerabilities in people and processes, as well as technology.
► They are constantly inventing new tools and techniques to get to the information they want.
► They are getting better at identifying gaps and unknown vulnerabilities.

8 yrs: Length of time a hacking ring targeted banks, payment processors and chain stores, stealing more than 160m credit and debit card numbers and accessing 800k bank accounts (informationisbeautiful.net).
$1Bn: The amount of financial loss allegedly suffered by a group of banks in the money-stealing campaign known as Carbanak APT (Kaspersky Labs, February 2015).

How confident are you that your organisation is not currently compromised? How do you know?

Industry vulnerability
Your key concerns include….
► Financial sustainability and stability
► Threats to your infrastructure
► Governments at all levels are perceived as "easy" targets for hackers
► State and local governments are especially vulnerable
► Valuable community/citizen data
► Aging infrastructure
► Constrained budgets
► Under-investment in IT consolidation and security initiatives
► War on talent - hard to attract necessary security skills

Costs of a data breach
These can be significant.
$2.64 million: Average total cost of a data breach for an Australian company in 2016, a slight drop from 2015 ($2.82 million). Research indicates data breaches are a "permanent cost" organisations need to be prepared to deal with.
$142 (US$355): Average cost per lost or stolen record. $62 is direct costs incurred to resolve the data breach; the larger part, $80, is indirect costs, including the extrapolated value of customer loss.

How are the attacks carried out?
Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or into giving them access to your computer so they can secretly install malicious software that will give them access to your passwords and bank information as well as control over your computer.

Do you have a complete view of what constitutes your 'high value' assets, where these are and how well they are protected given the risks you face?

What should you be asking?
► What is our risk appetite for technology and cyber risk?
► How will we respond to a cyber incident?
► How will we know when we are attacked?
► What threats are our peers seeing?
► What is our current state of maturity for information security controls?
► How do we give access to our data?
► Do our people know their role in cyber risk mitigation?
► Are we proactively looking for attacks on our organisation?
► Who is accountable for cyber?

An effective approach to manage cyber risk
This sounds like a simple process, but given the complexities of the systems, data and vendor landscape and the increasing threats and risks, it can be difficult to achieve in practice.

Limit the damage when cyber incidents occur
Poor handling of cyber incidents (internally and externally) has led to harsh impacts on many companies.
► A centralised, enterprise-wide cyber breach response plan is vital
► Be confident that everyone knows exactly what to do if an attack takes place
► Be ready to set in motion the appropriate handling mechanisms for a breach
► Forensic handling of data and systems
► Consider stakeholders, customers, employees, PR, regulators, etc.
► Being in a state of readiness requires that the organisation will have already rehearsed many different attack scenarios
► Introduce board-level cybersecurity simulations and war gaming
► Regularly undertake cybercrime diagnostic assessments/reviews

The basics…..
1. Ensure vulnerability and patch management policies and procedures are up to date
2. An incident response and business continuity plan that is tested
3. A security awareness training program in place
4. Regular, tested backups in place
5. Seek assurance from third parties who connect to your network
6. Implement endpoint monitoring
7. Identify critical systems and data and confirm these are connected to the Internet only when necessary
8. Test the security program with frequent penetration tests

"It is going to be a continual and likely never-ending battle to stay ahead of [cybercrime] - and, unfortunately, not every battle will be won."
Jamie Dimon, after JP Morgan Chase's breach

EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organisation, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organisation, please visit ey.com.

© 2017 Ernst & Young, Australia. All Rights Reserved.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.