Balancing digital opportunity with cybersecurity risk
Private Company Services / Tenth annual Business Insights® Survey of Canadian private companies
Cyber resilience / Balancing digital opportunity with cybersecurity risk
www.pwc.com/ca/private

Cybersecurity is an important issue for private companies (share of respondents):
Strongly agree: 55%
Agree: 33%
Neutral: 8%
Disagree: 4%

Balancing digital strategy with cybersecurity risk: In today’s connected world, companies need to first understand what they’re trying to protect and determine how to apply the most appropriate controls.

Visit www.pwc.com/ca/businessinsights for videos and more information.

© 2015 PricewaterhouseCoopers LLP

Cybercriminals are increasingly targeting private companies and startups, often as a gateway to other organizations, or in hope of easy access to sensitive data. The cost to a business can be high, ranging from customer defection to financial loss to reputational damage. With heightened awareness, private companies can be better prepared for the inevitable.

The headlines keep coming: Foreign hackers attack government. Hackers steal bank’s valuable data. Big box store says millions of credit card records may have been snatched. Cyber breaches make big news, and have massive reputational impact. The fallout? Financial loss, disrupted business systems, increased regulation and penalties, and the erosion of customer confidence. Corporate reputations suffer. Products are pirated. Research and development information is diverted. Designs and prototypes are stolen, as is sensitive information about M&A plans and corporate strategy. Cyberattacks have been rattling the C-suite across the country, making executives and IT managers wonder how vulnerable their own environments might be.
In our recent Business Insights Survey of Canadian private companies, 88% of senior private company executives say that cybersecurity is an important issue for their organization. Cyber is only going to have an increasing presence in the business landscape, so it needs to be a top-of-mind issue for all organizations—regardless of size or complexity. The challenge is even more pronounced for private companies, who may think they’re secure because they’re obscure, but the opposite is often the case. Complacency is not a winning strategy today.

“I regularly hear from clients, ‘we’re not a target,’ when the reality is, they are,” observes Jason Green, a director in PwC’s Cyber Resilience team. “Today’s cybercriminals often target private companies that have been slower to invest in security as a platform to launch an attack on other organizations.”

Most organizations may not see themselves as a target because they don’t accept credit cards or store personal information. In reality, private companies usually have confidential data that could be at risk, such as intellectual property or staff records. If this is compromised, it can have a monumental impact, including loss of competitive edge and reputational damage, and it could jeopardize the future success of the business.

“If a private company is used as a gateway to access another organization’s critical assets, it can lead to major financial and legal impacts,” notes David Craig, leader of PwC’s Risk Assurance Services Cybersecurity and Privacy practice. “Investing in cybersecurity will pale in comparison to the costs associated with being in the middle of a large scale breach.”

So what should you do? Well, for starters, don’t believe you’re not a target. It’s not enough just to worry about security breaches anymore.
To thrive in today’s rapidly changing risk environment, you need a well-thought-out cybersecurity and privacy strategy, along with the right skills and resources to implement and support it.

Why cybersecurity is viewed as an important issue (percentage of respondents who agree cybersecurity is important):
Potential liability/exposure: 61%
Reduction of security risks: 43%
Reputation: 41%
Client requirement: 38%
Potential revenue impact: 26%
Legal/regulatory requirement: 26%

In your opinion, which of the following would be the most likely sources of cyberattacks?
Hackers: 66%
Former employees: 41%
Competitors: 32%
Organized crime: 22%
Information brokers: 19%

Who are the sources of cyberattacks?

Cybercriminals have grown more sophisticated in their attacks and are highly targeted in what they’re going after. They’re motivated by a variety of reasons, often financial, but other times not—and they’re patient. It’s well known that credit card data has been a historical target, but now things like personal health information and employee lists are more valuable in the black market for information brokers.

An important part of being prepared is knowing who your biggest threats may be. In our study, respondents cited hackers (66%), former employees (41%) and competitors (32%) as their most likely sources of cyberattacks.

Hackers

Hackers are more frequently targeting private companies, who may have lower security thresholds, in order to attack larger companies within their supply chain.
This deflection of responsibility leaves private companies at risk of significant legal, financial and reputational issues. “Should a hacker route an attack through your organization, it’s up to you to explain or prove otherwise,” says Milos Petrovic, a director with PwC’s Cyber Resilience team. “This can be the difference between survival and failure due to the costs of forensics and litigation.”

Insiders

It’s known that 75% of breaches are driven by insiders, yet 42% of respondents told us they’ve never conducted formal cybersecurity employee training. Consider all of the people involved in your organization—current and former employees, contractors and those involved in your supply chain. These players move data around your business on remote devices, online, through databases and even manually, all of which present access points you need to protect. Developing strong policies, educating staff and doing your due diligence regarding vendors and suppliers can be one of the most effective and least expensive initiatives you can take on.

Competitors

Although competitors are often viewed as a likely source of cyberattacks, just the opposite may be true. An important part of incident response is actually to collaborate with others, either within the same industry or geography. The reality is that cybercriminals are very well organized. They work with one another and support one another. “If you try to tackle the issue of cybersecurity alone, it’s really difficult,” says Craig. “I know that many private companies will say, ‘I don’t want to share competitive information,’ but at a certain point, they’re all likely to be victims of a cybersecurity breach.” If communication channels are opened and companies learn from other incidents, collectively they’re better prepared. Cybersecurity shouldn’t be treated as a competitive weapon. “I think that’s one of the things that companies of all sizes need to consider,” says Craig.
“Who can you work with? Or who can your security teams collaborate with? As cybercrime continues to evolve and become more complex, the more collective knowledge that can be leveraged to protect your company, the better.”

Are competitors a threat, or an untapped opportunity?

A number of industries have looked within to address their shared concerns with cybersecurity threats. Credit unions, for example, have been known to pool resources together to address challenges. This is also an area where we see collaboration flourish for the greater good of all. Collaboration leads to stronger solutions and more effective investments in the things that matter.

Some 61% of private companies surveyed say they’re not formally collaborating with others in the industry, primarily because they don’t see anyone considerably more advanced than others, because there’s concern that a competitor would use the information to market against them, or because they don’t trust their competitors. All valid concerns, but we believe it’s an opportunity worth exploring in some instances. Pooling resources, experiences and sharing leading practices not only strengthens the industry as a whole, allowing more time to focus on moving business forward, but also keeps organizations from falling victim to widespread security breaches.

Hear no evil, see no evil: The cost of not defending yourself

“Private companies need to assume a stronger security posture,” says Green.
“When clients hire us to conduct security testing, we can bypass their technical security controls nearly every time.” The costs can be considerable—not just in the loss of data or stolen intellectual property, but also the interruption to business operations and the hit your company’s reputation can take. To avoid these losses, companies need to take a hard look at their defences up front.

A big reason companies often fail to invest in cybersecurity is that they see it as discretionary spending, not a business imperative. “With profitability being top of mind, businesses tend to be more inclined to invest in growth activities than defensive measures,” says Adriana Gliga-Belavic, director of Cybersecurity and Privacy at PwC. “A company may in fact be hampering its growth by underinvesting in cybersecurity. That’s because, increasingly, strong cybersecurity is viewed as a business enabler rather than a cost.”

Indeed, 38% of private company leaders we surveyed believe that today, cybersecurity is a client requirement. Business partners, too, want evidence that they’re protected. More and more, strong information and system security has become a requirement for companies that seek to collaborate on, or outsource work, either within Canada or in other markets. “We’re seeing this trend in the Financial Sector and the US,” says Craig. “It’s only a matter of time before all Canadian companies will be following suit. Because insider threats are the most common gateway for incidents to occur, companies need to prove they have appropriate systems and policies in place when it comes to cybersecurity.”

Acquisition can force a review as well.
When a business performs due diligence on a target company, a security component is often part of the assessment, says Craig: “Looking at a target company, the buyer asks: What risk am I taking on, what would be the cost if there were a data or privacy breach?” The demands of all of these stakeholders—consumers, partners, employees and purchasers—are reinforcing the importance of having a cybersecurity strategy.

Reality check: Learn where your blind spots are

Nearly half of survey respondents (49%) said that if a cyberattack happened to their organization tomorrow, they either wouldn’t or don’t know if they’d be able to respond effectively—largely because they’re not sure which resources or safeguards are necessary. There’s a common misconception that you’ll need the equivalent of a large corporation’s full-time security team to assess and address your company’s cybersecurity and privacy weaknesses. Assessment is essential; without one, it’s hard to forge a strategy to safeguard your assets. We’ve developed a baseline for companies of any size to consider when assessing threat vulnerability.

Understand your cyber ecosystem

It used to be that if you protected your “four walls” (i.e. the perimeter), you could keep the bad guys out. But in today’s world of social, mobile, analytics, and cloud—more commonly known as SMAC—your ecosystem of information sharing has expanded exponentially. To make smart use of a cybersecurity investment, companies should think about it up front, rather than treat it as a bolt-on feature. Too often, though, cybersecurity ends up being an afterthought. Embedding security in your cyber ecosystem before you incorporate further elements simply makes good business sense, says Green, pointing out that “you wouldn’t design a new vehicle, but fail to include basic anti-theft measures such as locks.
If you tried to install these as an afterthought, it would be more expensive, and the vehicle’s overall design would be impacted. You need to embed the security considerations requirements at the outset. The same principle applies to any business.”

Identify your most valuable data

Know where your prized information lives and who has access to it. Your most valuable data won’t all be in one place. So it’s important to ask yourself, ‘Where has the information been? Where’s it going? How’s it getting there? And who has access to it?’ For instance, is the information living in the organization, or is it stored elsewhere (e.g., in the cloud)? Is it coming from an outside source and then being modified? When does it become special? Who’s using it? How are they using it? Are they sending it to third parties? How are they sending it (via email, a mobile device)? Is it being sent securely (does the company use email encryption)? Knowing the answers to these questions is essential if you’re going to do an effective job of protecting your critical assets.

Simply put, you can’t protect everything. But once you have identified your most important data and understood who might be after it, the next thing is to put applicable controls in place. “The trick is to apply controls that are suitable for your business environment, what you’re trying to protect, and that meet your risk appetite,” says Green. And they don’t have to be a big investment, notes Craig: “The right control could be minor, and cost nothing. It could be a process that says a manager should sign off something once a week—just review it and sign off on it.
That might catch a potential breach.” But finding that sweet spot is really the challenge, notes Green: “A lot of the time people will pull something off the shelf as a controls framework and think to themselves, ‘Let’s just apply all these controls.’ But in this case, they might actually be over-engineering, spending money on things they don’t actually need because it’s not really suitable. It’s a matter of sizing correctly, that’s how you get it right.”

As cyber threats evolve and your maturity level increases, costs required to effectively combat threats can add up. “Another option may be to look at outsourcing select, noncore competencies to relieve that burden,” says Petrovic. “This can provide you with advanced security services, such as cyber assessments, advanced analytics and cyber threat management on demand.”

Tackling information security begins with a simple question: What’s our most sensitive data? As it turns out, many companies aren’t sure how to begin answering that question. While certainly there are the company’s crown jewels to guard, the most valuable data to a cyber thief might not be yours exclusively. Once you’ve zeroed in on what that is (including the information you have a fiduciary responsibility to safeguard), then you can start to devise a strategy to protect that material.

Apply focused controls: apply controls that are suitable for your business environment.

Cybersecurity is not a technology issue—it’s a business issue.

Fight back: Four defence tactics every company should employ

So what’s the best way to go about protecting your company’s information? It’s important to set the tone at the top, making sure it resonates throughout all aspects of the organization. And then someone has to lead the charge—rally company employees and regularly update leadership.
Easier said than done, but it’s time and effort well spent if you want to reduce your risk of being the next cyberattack casualty.

Set the tone at the top

Many private companies run lean IT departments, with security being just one among a number of responsibilities falling to the group. In fact, 45% of our survey respondents report that it’s their IT director in charge of cybersecurity, which can be short-sighted in that it will be treated as a technology issue rather than a business issue. Having a top executive responsible for overseeing IT activities, or appointing members of senior management to an IT or security committee, means you won’t let cybersecurity slip through the cracks. “When a company has been negatively impacted by a cyber incident, it’s the CEO who has to fall on the sword, so to speak. It’s absolutely critical they’re involved in their security strategy,” says Craig.

Secure against most likely scenarios

While cyberattacks are growing increasingly sophisticated, the main reason for security breaches remains quite simple: lax security awareness among employees. The problems can be as basic as employees leaving their passwords visible (e.g., on a sticky note tacked to the wall of their cubicle) or failing to turn off their computers before going home—oversights that could be addressed with adequate education. Employees are your first line of defence, yet over half (52%) say employee training related to cybersecurity is not a priority for their business. “Raising security awareness doesn’t need to be a costly or logistically difficult undertaking,” observes Petrovic.
“Effective use of office bulletin boards, for instance, and weekly emails to remind employees of basic security precautions can go far toward improving information protection across a company.”

Do your due diligence on third-party security providers

Every question that you or a business partner would raise within your own company regarding security standards should also be raised with your third-party providers. Establish your standards up front so that you don’t have to recreate a security questionnaire for each new arrangement. Spell out the security you want, make sure it’s specified in the provider’s fine print, and then check that it’s actually being done. “If you’re a third party, expect that you’ll be doing things differently in a very short time,” says Gliga-Belavic. “The US has brought in standards that we only expect to see soon on this side of the border.”

Be predictive, be prepared

Every company should devise a plan for how to take immediate action if a security breach were to happen. Once a plan has been created, you should run an incident response exercise with key members of your executive team. Ask yourselves: What actions should specific staff members take to pinpoint and then mitigate the damage? Who should you contact in law enforcement? How should you go about informing all the stakeholders? Who should speak to the media, and what should they divulge? Companies that don’t scenario plan for eventualities like these may end up looking like deer in the headlights, making a bad situation worse. “Most organizations run regular fire drills to develop an almost automatic response to an emergency,” says Green. “Preparing for a cyberattack should be no different. Running incident response scenarios helps organizations build muscle memory to be prepared for the worst.” Incident preparedness can help minimize the impact should the worst happen.
The good news

While tackling cyber threats might seem daunting to many private companies, it’s hardly a doom-and-gloom scenario. There are several encouraging things to bear in mind as you brace yourself for the battle with cybercriminals.

You’re nimble. You might not have the budget and staffing of larger corporations to fight cybercrime, but you can be agile in implementing a strategy (having less bureaucratic red tape to cut through)—key to battling a fast-evolving adversary.

The cost doesn’t need to be overwhelming. New, affordable technologies are offering stronger protections so that you can detect intruders sooner—at the gate as they come in, rather than as they slip out (the difference between realizing there’s been a breach and actually preventing one). Even basic cybersecurity controls may deter attackers.

Key takeaway

Leading private companies recognize that investing in cybersecurity is about more than just protecting the business. While that’s admittedly the most important objective, strong cybersecurity can also better position an organization with its business partners and customers—not to mention let the company take safe advantage of newer technologies—to help grow the business. Cybersecurity is a business issue, not a technology issue. So if you don’t have a cybersecurity strategy, now’s the time to start thinking about one. Being prepared for the inevitable is a forward-thinking plan—and a business imperative in today’s hyper-connected world.

Private-sector efforts are underway to identify and circumvent zero-day threats (unknown and unpatched code flaws) before hackers can exploit them. This could ultimately make cybercrime less lucrative by forcing hackers to invest more in technology and attack process capabilities. Some hackers might end up deciding it just isn’t worth it because they work on a time/value equation as well.
For more information on this subject

Saul Plener, National Leader, Private Company Services, 416 941 8299
Jason Green, Director, Cyber Resilience, 416 814 5709
David Craig, Partner, Risk Assurance Services, 416 814 5812
Milos Petrovic, Director, Cyber Resilience, 416 815 5028
Adriana Gliga-Belavic, Director, Cybersecurity and Privacy, 416 815 5148

For more information on the Business Insights Survey of Canadian private companies, please visit: www.pwc.com/ca/businessinsights

Local contacts

For more information, please contact the local Private Company Services leader in your region.

Making a difference to you and your business

Entrepreneurs and business owners face a unique set of opportunities and challenges. Our Private Company Services group understands this. We’re part of a global network of advisers who are committed to driving your success. We’ll make a difference by connecting you to affordable solutions that help you navigate the road ahead, build value in your business and achieve the return you’re looking for. www.pwc.com/ca/private

© 2015 PricewaterhouseCoopers LLP, an Ontario limited liability partnership. All rights reserved. PwC refers to the Canadian member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.