Balancing digital opportunity with cybersecurity risk
Private Company Services / Tenth annual Business Insights® Survey of Canadian private companies
Cyber resilience / Balancing digital opportunity with cybersecurity risk
www.pwc.com/ca/private
Cybersecurity is an important issue for private companies
Strongly agree: 55%
Agree: 33%
Neutral: 8%
Disagree: 4%
Balancing digital strategy with cybersecurity risk
In today’s connected world, companies need to first understand what they’re trying to protect and determine how to apply the most appropriate controls.
Visit www.pwc.com/ca/businessinsights for videos and more information.
© 2015 PricewaterhouseCoopers LLP
Cybercriminals are increasingly targeting private companies
and startups, often as a gateway to other organizations, or in
hope of easy access to sensitive data. The cost to a business
can be high, ranging from customer defection to financial
loss to reputational damage. With heightened awareness,
private companies can be better prepared for the inevitable.
The headlines keep coming: Foreign hackers attack government.
Hackers steal bank’s valuable data. Big box store says millions of credit
card records may have been snatched. Cyber breaches make big news,
and have massive reputational impact.
The fallout? Financial loss, disrupted business systems, increased
regulation and penalties, and the erosion of customer confidence.
Corporate reputations suffer. Products are pirated. Research and
development information is diverted. Designs and prototypes are
stolen, as is sensitive information about M&A plans and corporate
strategy.
Cyberattacks have been rattling C-suite across the country, making
executives and IT managers wonder how vulnerable their own
environments might be. In our recent Business Insights Survey of
Canadian private companies, 88% of senior private company executives
say that cybersecurity is an important issue for their organization.
Cyber is only going to have an increasing presence in the business
landscape, so it needs to be a top-of-mind issue for all organizations—
regardless of size or complexity.
The challenge is even more pronounced for private companies, who
may think they’re secure because they’re obscure, but the opposite is
often the case. Complacency is not a winning strategy today.
“I regularly hear from clients, ‘we’re not a target,’ when the reality is,
they are,” observes Jason Green, a director in PwC’s Cyber Resilience
team. “Today’s cybercriminals often target private companies that have
been slower to invest in security as a platform to launch an attack on
other organizations.” Most organizations may not see themselves as a
target because they don’t accept credit cards or store personal
information. In reality, private companies usually have confidential
data that could be at risk, such as intellectual property or staff records.
If this is compromised, it can have a monumental impact, including loss
of competitive edge, reputational damage and could jeopardize the
future success of the business.
“If a private company is used as a gateway to access another
organization’s critical assets, it can lead to major financial and legal
impacts,” notes David Craig, leader of PwC’s Risk Assurance Services
Cybersecurity and Privacy practice. “Investing in cybersecurity will
pale in comparison to the costs associated with being in the middle of a
large scale breach.”
So what should you do? Well, for starters, don’t believe you’re not a
target. It’s not enough just to worry about security breaches anymore.
To thrive in today’s rapidly changing risk environment, you need a well
thought-out cybersecurity and privacy strategy, along with the right
skills and resources to implement and support it.
Why cybersecurity is viewed as an important issue
Percentage of respondents who agree cybersecurity is important:
Potential liability/exposure: 61%
Reduction of security risks: 43%
Reputation: 41%
Client requirement: 38%
Potential revenue impact: 26%
Legal/regulatory requirement: 26%
In your opinion, which of the following would be the most likely sources of cyberattacks?
1. Hackers: 66%
2. Former employees: 41%
3. Competitors: 32%
Organized crime: 22%
Information brokers: 19%
Who are the sources of cyberattacks?
Cybercriminals have grown more sophisticated in their attacks and are
highly targeted in what they’re going after. They’re motivated by a variety
of reasons, often financial, but other times not—and they’re patient. It’s
well known that credit card data has been a historical target, but now
things like personal health information and employee lists are more
valuable in the black market for information brokers.
42% of respondents told us they’ve never conducted formal cybersecurity employee training.
An important part of being prepared is knowing who your biggest threats
may be. In our study, respondents cited hackers (66%), former employees
(41%) and competitors (32%) as their most likely sources of cyberattacks.
Hackers
Hackers are more frequently targeting private
companies, who may have lower security
thresholds, in order to attack larger
companies within their supply chain. This deflection of
responsibility leaves private companies at risk of significant
legal, financial and reputational issues. “Should a hacker route
an attack through your organization, it’s up to you to explain
or prove otherwise,” says Milos Petrovic, a director with PwC’s
Cyber Resilience team. “This can be the difference between
survival and failure due to the costs of forensics and
litigation.”
Insiders
It’s known that 75% of breaches are driven by
insiders, yet 42% of respondents told us they’ve
never conducted formal cybersecurity
employee training. Consider all of the people involved in your
organization—current and former employees, contractors and
those involved in your supply chain. These players move data
around your business on remote devices, online, through
databases and even manually, all of which present access
points you need to protect. Developing strong policies,
educating staff and doing your due diligence regarding
vendors and suppliers can be one of the most effective and
least expensive initiatives you can take on.
Competitors
Although competitors are often viewed as a
likely source of cyberattacks—just the opposite
may be true. An important part of incident
response is actually to collaborate with others, either within
the same industry or geography. The reality is that
cybercriminals are very well organized. They work with one
another and support one another. “If you try to tackle the issue
of cybersecurity alone, it’s really difficult,” says Craig. “I know
that many private companies will say, ‘I don’t want to share
competitive information,’ but at a certain point, they’re all
likely to be victims of a cybersecurity breach.” If
communication channels are opened and companies learn
from other incidents, collectively they’re better prepared.
Cybersecurity shouldn’t be treated as a competitive weapon.
“I think that’s one of the things that companies of all sizes
need to consider,” says Craig. “Who can you work with? Or
who can your security teams collaborate with? As cybercrime
continues to evolve and become more complex, the more
collective knowledge that can be leveraged to protect your
company, the better.”
Are competitors a threat,
or an untapped opportunity?
A number of industries have looked within to address their shared concerns with
cybersecurity threats. Credit unions, for example, have been known to pool resources
together to address challenges. This is also an area where we see collaboration
flourish for the better good of all. Collaboration leads to stronger solutions and more
effective investments in the things that matter.
While 61% of private companies surveyed say they’re not formally collaborating with others in the
industry, primarily because they don’t see anyone considerably more advanced than others, there’s
concern that a competitor would use the information to market against them, or because they don’t
trust their competitors.
All valid concerns, but we believe it’s an opportunity worth exploring in some instances. Pooling
resources, experiences and sharing leading practices not only strengthens the industry as a whole,
allowing more time to focus on moving business forward, but also keeps organizations from falling
victim to widespread security breaches.
Hear no evil, see no evil:
The cost of not defending yourself
“Private companies need to assume a stronger security posture,” says Green.
“When clients hire us to conduct security testing, we can bypass their technical
security controls nearly every time.” The costs can be considerable—not just in
the loss of data or stolen intellectual property, but also the interruption to
business operations and the hit your company’s reputation can take.
To avoid these losses, companies need to take a hard look at their defences up
front. A big reason companies often fail to invest in cybersecurity is that they see
it as discretionary spending, not a business imperative. “With profitability being
top of mind, businesses tend to be more inclined to invest in growth activities
than defensive measures,” says Adriana Gliga-Belavic, director of Cybersecurity
and Privacy at PwC. “A company may in fact be hampering its growth by
underinvesting in cybersecurity. That’s because, increasingly, strong
cybersecurity is viewed as a business enabler rather than a cost.” Indeed, 38% of
private company leaders we surveyed believe that today, cybersecurity is a client
requirement.
Business partners, too, want evidence that they’re protected. More and more,
strong information and system security has become a requirement for companies
that seek to collaborate on, or outsource work, either within Canada or in other
markets. “We’re seeing this trend in the Financial Sector and the US,” says Craig.
“It’s only a matter of time before all Canadian companies will be following suit.
Because insider threats are the most common gateway for incidents to occur,
companies need to prove they have appropriate systems and policies in place
when it comes to cybersecurity.”
Acquisition can force a review as well. When a business performs due diligence on
a target company, a security component is often part of the assessment, says
Craig: “Looking at a target company, the buyer asks: What risk am I taking on,
what would be the cost if there were a data or privacy breach?”
The demands of all of these stakeholders—consumers, partners, employees and
purchasers—are reinforcing the importance of having a cybersecurity strategy.
Reality check: Learn where your blind spots are
Nearly half of survey respondents (49%) said that if a cyberattack happened to their organization
tomorrow, they either wouldn’t or don’t know if they’d be able to respond effectively—largely
because they’re not sure which resources or safeguards are necessary.
There’s a common misconception that you’ll need the equivalent of a large corporation’s
full-time security team to assess and address your company’s cybersecurity and privacy
weaknesses. Assessment is essential; without one, it’s hard to forge a strategy to safeguard
your assets. We’ve developed a baseline for companies of any size to consider when assessing
threat vulnerability.
Understand your cyber ecosystem
It used to be that if you protected your “four walls” (i.e. the perimeter), you
could keep the bad guys out. But in today’s world of social, mobile, analytics,
and cloud—more commonly known as SMAC—your ecosystem of information
sharing has expanded exponentially. To make smart use of your cybersecurity investment,
companies should think about it up front, rather than treat it as a bolt-on feature. Too often,
though, cybersecurity ends up being an afterthought.
Embedding security in your cyber ecosystem before you incorporate further elements simply
makes good business sense, says Green, pointing out that “you wouldn’t design a new vehicle,
but fail to include basic anti-theft measures such as locks. If you tried to install these as an
afterthought, it would be more expensive, and the vehicle’s overall design would be impacted.
You need to embed the security considerations requirements at the outset. The same principle
applies to any business.”
Learn where your blind spots are and how to protect critical assets
Identify your most valuable data
Know where your prized information lives and who has access to it
Tackling information security begins with a
simple question: What’s our most sensitive
data? As it turns out, many companies aren’t
sure how to begin answering that question. While certainly
there are the company’s crown jewels to guard, the most
valuable data to a cyber thief might not be yours exclusively.
Once you’ve zeroed in on what that is (including the
information you have a fiduciary responsibility to
safeguard), then you can start to devise a strategy to protect
that material.
Your most valuable data won’t all be in one
place. So it’s important to ask yourself, ‘Where
has the information been? Where’s it going? How’s it getting
there? And who has access to it?’ For instance, is the
information living in the organization, or is it stored
elsewhere (e.g., in the cloud)? Is it coming from an outside
source and then being modified? When does it become
special? Who’s using it? How are they using it? Are they
sending it to third parties? How are they sending it (via
email, a mobile device)? Is it being sent securely (does the
company use email encryption)? Knowing the answers to
these questions is essential if you’re going to do an effective
job of protecting your critical assets.
Apply focused controls
Apply controls that are suitable for your business environment.
Simply put, you can’t protect everything. But
by identifying your most important data,
understanding who might be after it, the next
thing is to put applicable controls in place. “The trick is to
apply controls that are suitable for your business
environment, what you’re trying to protect, and that meet
your risk appetite,” says Green. And they don’t have to be a
big investment, notes Craig: “The right control could be
minor, and cost nothing. It could be a process that says a
manager should sign off something once a week—just review
it and sign off on it. That might catch a potential breach.” But
finding that sweet spot is really the challenge, notes Green:
“A lot of the time people will pull something off the shelf as a
controls framework and think to themselves, ‘Let’s just apply
all these controls.’ But in this case, they might actually be
over-engineering, spending money on things they don’t
actually need because it’s not really suitable. It’s a matter of
sizing correctly, that’s how you get it right.”
As cyber threats evolve and your maturity level increases,
costs required to effectively combat threats can add up.
“Another option may be to look at outsourcing select, non-core competencies to relieve that burden,” says Petrovic.
“This can provide you with advanced security services, such
as cyber assessments, advanced analytics and cyber threat
management on demand.”
“Cybersecurity is not a technology issue—it’s a business issue.”
Fight back: Four defence tactics every
company should employ
So what’s the best way to go about protecting your company’s information? It’s
important to set the tone at the top, making sure it resonates throughout all
aspects of the organization. And then someone has to lead the charge—rally
company employees and regularly update leadership. Easier said than done, but
it’s time and effort well spent if you want to reduce your risk of being the next
cyberattack casualty.
Set the tone at the top
Many private companies run lean IT departments, with security being just
one among a number of responsibilities falling to the group. In fact, 45% of
our survey respondents report that it’s their IT director in charge of
cybersecurity, which can be short-sighted in that it will be treated as a technology issue
rather than a business issue. Having a top executive responsible for overseeing IT
activities, or appointing members of senior management to an IT or security committee, means
you won’t let cybersecurity slip through the cracks. “When a company has been negatively
impacted by a cyber incident, it’s the CEO who has to fall on the sword, so to speak. It’s
absolutely critical they’re involved in their security strategy,” says Craig.
Secure against most likely scenarios
While cyberattacks are growing increasingly sophisticated, the main reason
for security breaches remains quite simple: lax security awareness among
employees. The problems can be as basic as employees leaving their passwords
visible (e.g., on a sticky note tacked to the wall of their cubicle) or failing to turn off their
computers before going home—oversights that could be addressed with adequate education.
Employees are your first line of defence, yet over half (52%) say employee training related to
cybersecurity is not a priority for their business. “Raising security awareness doesn’t need to
be a costly or logistically difficult undertaking,” observes Petrovic. “Effective use of office
bulletin boards, for instance, and weekly emails to remind employees of basic security
precautions can go far toward improving information protection across a company.”
Do your due diligence on third-party security providers
Every question that you or a business partner would raise within your own
company regarding security standards should also be raised with your
third-party providers. Establish your standards up front so that you don’t have
to recreate a security questionnaire for each new arrangement. Spell out the
security you want, make sure it’s specified in the provider’s fine print, and then check that
it’s actually being done. “If you’re a third party, expect that you’ll be doing things differently
in a very short time,” says Gliga-Belavic. “The US has brought in standards that we only
expect to see soon on this side of the border.”
Be predictive, be prepared
Every company should devise a plan for how to take immediate action if a
security breach were to happen. Once a plan has been created, you should run
an incident response exercise with key members of your executive team. Ask
yourselves: What actions should specific staff members take to pinpoint and then mitigate
the damage? Who should you contact in law enforcement? How should you go about
informing all the stakeholders? Who should speak to the media, and what should they
divulge? Companies that don’t scenario plan for eventualities like these may end up looking
like deer in the headlights, making a bad situation worse. “Most organizations run regular
fire drills to develop an almost automatic response to an emergency,” says Green. “Preparing
for a cyberattack should be no different. Running incident response scenarios helps
organizations build muscle memory to be prepared for the worst.” Incident preparedness can
help minimize the impact should the worst happen.
The good news
While tackling cyber threats might seem daunting to many
private companies, it’s hardly a doom-and-gloom scenario.
There are several encouraging things to bear in mind as you
brace yourself for the battle with cybercriminals.
You’re nimble. You might not have the budget and staffing of
larger corporations to fight cybercrime, but you can be agile in
implementing a strategy (having less bureaucratic red tape to
cut through)—key to battling a fast-evolving adversary. The
cost doesn’t need to be overwhelming. New, affordable
technologies are offering stronger protections so that you can
detect intruders sooner—at the gate as they come in, rather
than as they slip out (the difference between realizing there’s
been a breach and actually preventing one). Even basic
cybersecurity controls may deter attackers.
Key takeaway
Leading private companies recognize that investing in
cybersecurity is about more than just protecting the
business.
While that’s admittedly the most important objective,
strong cybersecurity can also better position an
organization with its business partners and customers—
not to mention let the company take safe advantage of
newer technologies—to help grow the business.
Cybersecurity is a business issue, not a technology issue.
So if you don’t have a cybersecurity strategy, now’s the
time to start thinking about one. Being prepared for the
inevitable is a forward thinking plan—and a business
imperative in today’s hyper-connected world.
Private-sector efforts are underway to identify and circumvent
zero-day threats (unknown and unpatched code flaws) before
hackers can exploit them. This could ultimately make
cybercrime less lucrative by forcing hackers to invest more in
technology and attack process capabilities. Some hackers might
end up deciding it just isn’t worth it because they work on a
time/value equation as well.
For more information on this subject
Contact Saul Plener
National Leader, Private Company Services
416 941 8299
[email protected]
Contact Jason Green
Director, Cyber Resilience
416 814 5709
[email protected]
Contact David Craig
Partner, Risk Assurance Services
416 814 5812
[email protected]
Contact Milos Petrovic
Director, Cyber Resilience
416 815 5028
[email protected]
Contact Adriana Gliga-Belavic
Director, Cybersecurity and Privacy
416 815 5148
[email protected]
For more information on the Business Insights Survey
of Canadian private companies, please visit:
www.pwc.com/ca/businessinsights
Private Company Services
Local contacts
Contacts
For more information, please contact the local Private Company Services leader in your region
National Leader,
Private Company Services
Saul Plener
416 941 8299
[email protected]
North American Life Building
5700 Yonge Street, Suite 1900
Toronto, Ontario
M2M 4K7
Atlantic Canada
Brenda Belliveau
902 491 7415
[email protected]
1601 Lower Water Street, Suite 400
Halifax, Nova Scotia
B3J 3P6
44 Chipman Hill
P.O. Box 789
Saint John, New Brunswick
E2L 4B9
125 Kelsey Drive, Suite 200
St. John’s, Newfoundland
A1B 0L2
500 George St, Suite 220
Sydney, Nova Scotia
B1P 1K6
710 Prince Street
Truro, Nova Scotia
B2N 1G6
Calgary
Nadja Ibrahim
403 509 7538
[email protected]
Suncor Energy Centre
111 5th Avenue SW, Suite 3100
Calgary, Alberta
T2P 5L3
Edmonton
David Bryan
780 441 6709
[email protected]
Toronto Dominion Tower
10088 102nd Avenue NW, Suite 1501
Edmonton, Alberta
T5J 3N5
Montreal
Yves Bonin
514 205 5220
[email protected]
1250 boulevard René Lévesque Ouest, bureau 2800
Montréal, Québec
H3B 2G4
Vancouver
Brad Sakich
604 806 7730
[email protected]
PricewaterhouseCoopers Place
250 Howe Street, Suite 700
Vancouver, British Columbia
V6C 3S7
Fraser Valley
Michael Shields
604 806 7802
[email protected]
13450 102nd Avenue, Suite 1400
Surrey, British Columbia
V3T 5X3
National Capital Region
Marc Normand
613 755 8733
[email protected]
99 Bank Street, Suite 800
Ottawa, Ontario
K1P 1E4
900, boulevard de la Carriere, Bureau 101
Gatineau, Quebec
J8Y 6T5
Waterloo
Glen Dyrda
519 570 5715
[email protected]
95 King Street South, Suite 201
Waterloo, Ontario
N2J 5A2
Greater Toronto Area
Neil Manji
416 687 8130
[email protected]
North American Life Building
5700 Yonge Street, Suite 1900
Toronto, Ontario
M2M 4K7
London
Chirag Shah
519 640 7914
[email protected]
465 Richmond Street, Suite 300
London, Ontario
N6A 5P4
Quebec City
Thomas Bouchard
418 691 2448
[email protected]
Place de la Cite, Tour Cominar, Bureau 1700
2640 Boulevard Laurier
Sainte-Foy, Quebec
G1V 5C2
Windsor
Giancarlo Di Maio
519 985 8911
[email protected]
245 Ouellette Ave, Suite 300
Windsor, Ontario
N9A 7J4
Winnipeg
Danny Wright
204 926 2427
[email protected]
One Lombard Place, Suite 2300
Winnipeg, Manitoba
R3B 0X6
Saskatoon
Lee Braaten
306 668 5968
[email protected]
128 4th Avenue South, Suite 600
Saskatoon, Saskatchewan
S7K 1M8
Making a difference
to you and your business
Entrepreneurs and business owners face a unique set of opportunities
and challenges. Our Private Company Services group understands
this. We’re part of a global network of advisers who are committed to
driving your success. We’ll make a difference by connecting you to
affordable solutions that help you navigate the road ahead, build
value in your business and achieve the return you’re looking for.
www.pwc.com/ca/private
© 2015 PricewaterhouseCoopers LLP, an Ontario limited liability partnership. All rights reserved. PwC refers to the Canadian member firm, and may
sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. 4324-10 0315