What, when and how – are you prepared? Cyber security What, when and how – are you prepared? Leon Fouche 24 November 2016 Introduction The guidance notes included in this template are intended to assist you in creating successful PowerPoint slide presentations. In order to reduce the amount of time it takes to create a presentation, colours, fonts, the position of the locator graphic device and various graphic elements have been programmed into the templates. This means that the creation of most slides is automated. When printing to ‘black and white’, all colour elements will be converted to grayscale. You can preview how your presentation will print ‘black and white’ by choosing the preview option under the ‘view’ menu in PowerPoint. Title slide (Slide layout option: Title Slide) The title slide is preset in style by the ‘title master’. Graphic elements are fixed in position on the typographic grid. Text, which is also fixed in size and position, can be edited but should not be resized or the colour changed. The title slide master includes the BDO Teal colour as a background. This can be changed to any of the colours from the template’s colour palette except BDO Grey. BDO Blue, BDO Teal, BDO Burgundy, BDO Copper and BDO Fuchsia are all acceptable. Text should always be white. See also image title slide option (next slide) Instil – 24 November 2016

Cyber security Overview What is Cyber security? What is at risk? Industry trends BDO Cyber security survey – Australian perspective Cyber risk mitigation strategies Instil – 24 November 2016

What is cyber security Instil – 24 November 2016

Cyber Security Traditional boundaries have shifted and are interconnected The “IT ecosystem” is built around a model of open collaboration and trust —the attributes are being exploited by an increasing number of global adversaries Data is distributed and disbursed throughout the “IT ecosystem” — expanding the domain requiring protection Cyber criminals are actively targeting critical assets throughout the “IT ecosystem” — significantly increasing the exposure and impact to businesses. Instil – 24 November 2016

It is no longer just an IT challenge – it is a business imperative! Cyber Security What is cyber security? Cyber security represents many things to many different people – more than just IT security Key characteristics and attributes of cyber- security: Organisations are becoming increasingly vulnerable due to technology connectivity and dependency Broader than just IT and extends beyond the organisation and people An ‘outside-in view’ of the threats and business impact facing an organisation Shared responsibility that requires cross- functional disciplines in order to identify, protect, detect, respond and recover. It is no longer just an IT challenge – it is a business imperative! Instil – 24 November 2016

Source: The Global Risk Report 2016 – World Economic Forum Cyber security 2016 World Economic Forum Instil – 24 November 2016 Source: The Global Risk Report 2016 – World Economic Forum

What is at risk Instil – 24 November 2016

What is at risk Who are the adversaries and what are their motives? Adversary Motives Targets Impact Hacktivists Influence political and /or social change Pressure business to change their practices Corporate secrets Sensitive business information Information related to key executives, employees, customers & business partners Disruption of business activities Brand and reputation Loss of consumer confidence Cyber criminals Immediate financial gain Collect information for future financial gains Financial / payment systems Personally identifiable information Payment card information Protected health information Costly regulatory inquiries and penalties Consumer and shareholder lawsuits Nation state Economic, political, and/or military advantage Trade secrets Emerging technologies Critical infrastructure Loss of competitive advantage Disruption to critical infrastructure Insiders Personal advantage, monetary gain Professional revenge Patriotism Sales, deals, market strategies Corporate secrets, IP, R&D Business operations Personnel information Trade secret disclosure Operational disruption National security impact Instil – 24 November 2016

What is at risk The actors and the information they target Adversary What’s most at risk Hacktivists Industrial Control Systems (SCADA) Emerging technologies Cyber criminals Payment card and related information / financial markets Advanced materials and manufacturing techniques R&D and / or product design data Energy data Nation state Healthcare, pharmaceuticals, and related technologies Business deals information Insiders Health records and other personal data Information and communication technology and data Motives and tactics evolve and what adversaries target vary depending on the organization and the products and services they provide. Instil – 24 November 2016

Industry trends Instil – 24 November 2016

Source: Verizon 2016 Data Breach Investigations Report Industry trends Sharp increase in targeted cyber attacks Instil – 24 November 2016 Source: Verizon 2016 Data Breach Investigations Report

Source: Verizon 2016 Data Breach Investigations Report Industry trends Cyber attacks on user devices & persons are rising Instil – 24 November 2016 Source: Verizon 2016 Data Breach Investigations Report

Industry trends Breaches are on the rise but industry spend has not keep track Cyber attacks are on the rise The estimated annual cost of cyber-attacks to the global economy was more than $500 billion in 2015 with $230 billion in APAC World Economic Forum recognise cyber breaches as one of the top threats to stability of global economy Cost of data breaches and malware infections will cost the global economy $2.1 trillion by 2019 Cyber threats are Boards’ fastest-growing concern, but investments are not keeping track with breach costs $75 billion spend on cyber security in 2015 Estimated spend on Cyber Security by 2020 will be $175 billion Cyber spend will more than double over the next five years with Cyber insurance expect to grow to $2.5 billion by 2020 $500 billion $2.1 trillion $75 billion $175 billion Source: Forbes Instil – 24 November 2016

Industry trends Cyber security skills are in high demand Solid growth in cyber security job market 1 million unfilled cyber security job globally in 2015 which is a 75% increase in the last five years Cyber security jobs in demand as investments increase There will be shortage in cyber security skills as the market is expected to grow to 6 million jobs by 2019 with a shortage of 2 million jobs Cyber job market in ANZ region is growing The demand for cyber security skills in ANZ market will grow 21% over the next five years with expected shortage of 10,000 people by 2019 1 million 6 million 21% Source: Forbes Instil – 24 November 2016

BDO Cyber security survey Instil – 24 November 2016

NZ Respondents by region Australian Respondents by state BDO cyber survey Respondents by country 400+ responses 65.9% Australian respondents 34.1% New Zealand respondents NZ Respondents by region Australian Respondents by state Instil – 24 November 2016

BDO cyber survey Primary industry of respondents coloured by type Organisation type Primary industry Instil – 24 November 2016

BDO cyber survey Cyber security incidents experienced last financial year Ransomware Phishing Malware DDoS Instil – 24 November 2016

BDO cyber survey Cyber security incidents experienced last financial year Instil – 24 November 2016

BDO cyber survey Cyber security incidents experienced last financial year Instil – 24 November 2016

BDO cyber survey Cyber security incidents expected next financial year Instil – 24 November 2016

BDO cyber survey Cyber security incidents comparison Instil – 24 November 2016

BDO cyber survey Cyber security incidents comparison Cyber security incident experienced last year Cyber security incident of concern for coming year Instil – 24 November 2016

BDO cyber survey Likely source of Cyber security Incidents Cyber criminals Insiders / current employees Activists Third party hosting providers Instil – 24 November 2016

BDO cyber survey Implementation of security controls – tone at the top Instil – 24 November 2016

BDO cyber survey Implementation of security controls – visibility of risk Instil – 24 November 2016

BDO cyber survey Implementation of security controls – detection capability Instil – 24 November 2016

BDO cyber survey Implementation of security controls – response capability Instil – 24 November 2016

BDO cyber survey Only 28% of respondents have cyber insurance cover Instil – 24 November 2016

Cyber insurance - FINANCIAL EXPOSURE Security Spend vs Insurance Cover Conduct an insurance review across all of your insurance policies to ensure that the organisation has the appropriate insurance cover in place in line with the your risk profile and exposure Create a matrix of risk against exposure based on current coverage Review the current policy wordings to ensure that your insurance policy will respond in the event of a data incident Measure required security spend to meet insurance offset benefits Instil – 24 November 2016

Cyber risk mitigation strategies Instil – 24 November 2016

Cyber Risk mitigation strategies Changing landscape - businesses need to adapt the new reality Historical IT Security Perspectives Today’s Leading Cyber security Insights Scope of the challenge Limited to your “four walls” and the extended enterprise Spans your interconnected global business ecosystem Ownership and accountability IT led and operated Business-aligned and owned; CEO and board accountable Adversaries’ characteristics One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain Organised, funded and targeted; motivated by economic, monetary and political gain Information asset protection One-size-fits-all approach Prioritise and protect your “crown jewels” Defense posture Protect the perimeter; respond if attacked Plan, monitor, and rapidly respond when attacked Security intelligence and information sharing Keep to yourself Public/private partnerships; collaboration with industry working groups Instil – 24 November 2016

Cyber Risk mitigation strategies How you can become more cyber resilient Know the value of your data / assets Know where your data / assets are Know who has access to it Know who is responsible for protecting it Know how well it is protected Know if the level of protection is within your risk appetite Know what to do when you are breached Instil – 24 November 2016

questions Leon Fouche E: leon.fouche@bdo.com.au T: +61 (0)7 3237 5688 www.bdo.com.au/en-au/services/advisory/cyber-security Instil – 24 November 2016