Cyber Security. Evolved. Building Resilience. 29th May 2013. James Nunn-Price, Partner and UK Cyber Security Lead, Deloitte. © 2013 Deloitte LLP. Private and confidential.
Bio: James Nunn-Price. James is Deloitte’s UK lead partner for Cyber Security. He is also the Partner responsible for Deloitte’s information security and cyber advisory services to UK Government and is currently advising regulators on the UK and EU Cyber initiatives. He has over 15 years' security experience assisting clients with a number of high-profile and complex challenges and, prior to this, a deep technology background.
New technology, new opportunities, new threats. Exciting technological innovations bring opportunities to enter new markets, alternative business models, increase integration and drive efficiencies. But this opportunity brings security risk. Organisations are more exposed to cyber attacks than ever before. Assets that were once physically protected are accessible online; customer channels are vulnerable to disruption; criminals have new opportunities for theft and fraud. [Figure: "Your Business" surrounded by the labels Cloud, Nation states, Espionage, Criminal gangs, Patch failure, Hacktivists, Insiders, Shared services, Analytics, Virtualisation, Social, Mobile]
Companies like yours
The cost to UK Business, £27 billion and growing... In our latest global industry security survey 50 per cent* of companies had knowingly experienced an attack in the last 12 months. The frequency is increasing and it only takes a single weakness for an attack to be successful. Governments and regulators at national and international levels are looking to enhance the security of nation states, companies and their citizens to enhance cyber resilience, reduce cyber-crime and protect opportunities for future economic growth. (*Deloitte’s 2012 Report, Blurring the Lines)
From hype to reality. Our 2013 security survey reveals the true impact of cyber attacks on UK citizens*. Receive phishing emails / Were victims of cybersquatting / Had their computer affected with malware: 65% / 32% / 26%. (*Deloitte’s 2013 Report, A Secure Consumer)
The threat is real and growing. More targeted and sophisticated. Global exposure. Commoditisation of exploitation. Relentless/persistent attacks. Low stake high rewards. [Figure: threats plotted against the axes "Increasing sophistication" and "Increasing determination": Accidental discovery, Malware, Cyber squatting, Phishing, Insider threats, Competitor risk, Nation state cyber warfare, Hacktivism, Script kiddy, Botnet]
The threat intelligence – key terms 101
Cyber Campaigns: Planned, in progress or executed attacks by individuals or organisations of cyber criminals. Examples include Anonymous, 3xp1r3 Cyber Army, & Iran Security Team.
Phishing: Artificial websites linked from forged emails with the express intent to defraud customers, either for money or sensitive information, e.g. usernames and passwords.
Malware: Malicious software, generally concealing its presence, that contains references to a company's domain name or IP addresses.
Vulnerabilities: Information which describes systems, databases, networks, devices, applications and their corresponding websites that are vulnerable to attack.
Social Media: Detection of unauthorised social profiles, compromised social media user accounts as well as adverse / negative mentions.
Information Leakage: Sensitive and non-sensitive information belonging to the companies being posted online.
Cyber-Squatting: Domains that are not owned by the likely / related company, but registered to be used by cyber criminals for the purposes of defrauding customers or extorting companies.
Advanced Persistent Threat (APT) is a term for highly skilled targeted attacks that use all of the above over a sustained period of time.
So, what does an attack look like? Initial stages are slow and quiet as attackers try to compromise your defences. It only takes a single weakness to get in... From then it takes: seconds to enter your organisation; minutes to start extracting your data; days, weeks or even months until discovery; response and containment, until the next time?
The devastating impact of an attack. Depending on how an organisation responds, the business impact can severely dent the reputation and performance of even the most established firm. Intense and prolific media coverage exposing breach. Loss of consumer confidence, loss of sales. Brand reputation and market confidence damaged. Lost IP reducing commercial advantage. Operating margin down and assets devalued. Reduced stakeholder confidence.
Painful questions for business. Cyber attacks bring an organisation under the spotlight with stakeholders probing for answers: Where was the defence? Was there no intelligence? Did the execs understand the risk? Was there no priority at board level to protect the firm? Why was the response so slow?
The future of security – are you evolving? “Ignorance more frequently begets confidence than does knowledge;” Charles Darwin. Activities are still largely reactive and compliance-driven: largely compliance focused; developing policies; meeting industry baselines; audit; often limited visibility or interest to the business, unless something goes wrong; touching some change programmes; limited future watching; low operational agility. [Figure: the Organisation surrounded by Social forces, Technological forces, Political forces, Environmental forces, Legislative forces, Economic forces]
Striving for cyber resilience. To succeed, companies need to take control of their cyber risks, building cyber resilience. Companies need to be aware of the latest risks; prepare their organisations to be robust; and respond quickly and effectively to mitigate new risks. By getting this right, organisations can evolve to cyber resilience, enabling them to focus on core business rather than reactively managing and responding to security incidents. Board and Audit Committee owned risk – don’t over delegate to IT! Cyber Security. Evolved.
Questions?