Seamus Reilly Director EY Information Security Cyber Security

Transcription

1 Seamus Reilly Director EY Information Security Cyber Security An Internal Audit perspective on the threats and responses within the Retail Sector 15 th May 2014

2 Agenda Introductions Cyber Security What is Cybercrime and Cyber Security? What are the threats? Organisational challenges Key considerations for prevention and response The role of internal audit in helping to protect the organisation Group discussion Page 1

3 2013 EYGM Limited All Rights Reserved The question is when, not if, a Cyber Security breach will happen, and therefore ensuring a business is prepared in its response planning is key. Cyber Security threats now mean a business has to sprint to stand still in managing the cyber threat.

4 Cyber Security Cyber crime spectrum What do the terms Cybercrime and Cyber Security mean to your business? Page 3

5 Cyber Security is now a boardroom agenda but is there enough training & knowledge? A Serious Issue 64% of Chairs think that their Board colleagues take cyber risk VERY seriously Changing Ownership & Accountability When asked who is the ultimate owner of Cyber risk for their company, Audit Committee Chairs responded with a variety of roles, but with a trend towards the Board, where 2 years ago 75% of companies viewed this wholly as a CIO responsibility Now a Business Risk 56% of respondents said that their strategic risk register includes a cyber risk category 20% 28% 25% CEO CFO CIO Cyber Savvy Boards Most Chairs think that their Board colleagues are qualified, to some extent, to manage innovation and risk in a digital age but more Cyber Training is required 75% of respondents had not undertaken any cyber or information security training in the past 12 months and 80% of respondents said none of their Board colleagues had undertaken any either Page 4

6 Businesses lack knowledge of data asset value, but understands need to find out more! Know your Data Assets Only a third of Chairs said the main Board has a very clear understanding of what the companies key information and data assets are two thirds need to understand more Who has your key data assets? 25% of respondents said the main Board has a poor understanding of where the company s key information or data assets are shared with 3 rd parties (e.g. suppliers, advisors, customers & outsourcing partners), Understand the Threat 40% of Chairs said the main Board does not received regular threat intelligence from their CIO or CISO Poor Very Clear Basic Don t Know/N/A The impact of a Cyber Attack Less than 50% of FTSE 350 Chairs think that their Board has a clear understanding of the potential impact of information and data asset losses Information Sharing on Threats Nearly half of respondents said their CIO and CISO teams are encouraged to share information with other companies in order to combat cyber threats SHARE PRICE FINANCIAL PERFORMANCE OPERATIONAL PERFORMANCE CUSTOMER LOYALTY COMPETITIVE ADVANTAGE Page 5

7 The reality for business today Perfect storm of factors at play Breaches occurring and will continue to do so Increased erosion of perimeter from third parties, social media and personal devices Extended supply chain includes smaller businesses with less resources Rising persistence and sophistication of external threats Growing regulatory and government focus Page 6

8 Improve Awareness of cyber threats propels improvement Knowing that an attack will inevitably occur sparks improvements 2013 EYGM Limited All Rights Reserved

9 Expand Leading practices to combat cyber threats Organisations must send clear signals from the top that they need to be proactive and ready for the unknown. Those that are satisfied with merely being reactive may not survive the next attack EYGM Limited All Rights Reserved EY s Global Information Security Survey

10 Innovate To survive, innovation in response must power cyber transformation Innovative Cyber security solutions can protect organisations against known cyber risks and prepare them for a great unknown the future EYGM Limited All Rights Reserved

11 Establish a cyber resilience framework Vision of organisational resilience that can be established to deal with cyber threats Builds on current information security arrangements A The organisation should have a process for gathering, analysing and sharing of cyber intelligence. Cyber governance and partnering The organisation should have an effective governance framework for monitoring cyber activities, including partnering collaboration, and the risks and obligations in cyberspace. Cyber situational Cyber resilience B C D awareness assessment The wider organisation should have a process for reassessing and adjusting their cyber resilience to the impacts of the past, present and future cyberspace activity. Cyber responses The organisation should effectively prevent, detect and respond to cyber incidents and minimise their impacts. Page 10

12 The role of internal audit functions within Cyber Security

13 Combating cyber attacks requires leadership and accountability The rapid-fire pace of technology (r)evolution that we have seen in recent years will only accelerate in the years to come as will the cyber risks. Not considering them until they arise gives cyber attackers the advantage. In fact, chances are, they re already in! 2013 EYGM Limited All Rights Reserved

14 Establish a cyber resilience group to enable efficient response Cyber Champion Strategic leadership at C-Suite level representation with access to senior management, and therefore resources and funds Day-to-day leadership possessing strategic business and communications skills Risk Managers Cyber Resilience Leader (CIO) Cyber Security Leader (CISO) Business Relationships Business Continuity Forensics Incident Management Legal Intelligence Technical Partners Human Capital Marketing Public relations Corporate Affairs In-depth advice and guidance on cyber security, with extensive experience across breadth of organisation Collaboration between all business functions with Cyber Champions appointed to ensure business relationship management between IT and the business is effective, proactive and aligned to organisational strategy. The LOB representatives should have access to other parts of the organisation and be well versed in organisational culture IT LOBs running cyberspace initiatives IT Operations & IT Security Functions In-depth advice and guidance on IT systems operations and IT security, with experience across the IT organisation Page 13

15 Key considerations for Internal Audit What should you be doing? How do you identify Cyber risks and attacks on your organisation? Has your business defined its Cyber Risk Universe? When did you last undertake an independent review of Cyber Security? What should your organisations response be? and Internal Audit s role? Awareness? How seriously does your organisation take Cyber Security? What is the business doing to raise user awareness of Cyber risks? Who is driving the awareness agenda and are the business supportive? Planning? When did the business last undertake a Cyber Crisis Management exercise? How frequently does your business review its risks, policies and controls management? Can we prevent Cybercrime? Page 14

16 Questions for your organisations CEO CFO CIO/CTO CRO Do you know what business information you need to protect and where it is, and do you trust your business partners with it? Is the information security function meeting your current and future business needs? How do you include information security in major business changes such as new channels to market, e.g., social media? Who is responsible for securing your critical business information? How often do you discuss information security risk at the Board and Audit Committee? How confident are you that your information and systems are protected from catastrophic loss? How do you assess investment priorities and effectiveness of spend for information security? Are you getting value for your information security spend? Do you know how much information security breaches and other data losses cost your organisation? Do you understand new and increasing information security risks? Do you know what business information you need to protect and where it is? Are you confident you have sufficient cyber insurance? How is information security addressed in business and IT plans, e.g., strategy, sourcing, new delivery models, third parties? How are the increasing risks from internal and external sources impacting your IT plans and activities? How effectively is information security built into design and requirements of new systems? Does IT have visibility of, and involvement in, information security issues and priorities? Do you know what business information you need to protect and where it is? How well is information security and risk integrated with your other risk activities? How often do you discuss information security risk at the Board and Audit Committee? How confident are you about third party related risks? What are the top information security risks and how are they being addressed? How do you identify and manage new and emerging information security risks? Do you know what business information you need to protect and where it is? Are you prepared for a security crisis? Page 15

17 Page Thank you