Working in partnership to help your business innovate and grow
in a secure and resilient way
Cyber security and privacy
2 CYBER SECURITY AND PRIVACY
About us
Dynamic organisations know they need to
apply both reason and instinct to decision
making. At Grant Thornton, this is how we
advise our clients every day. We combine
award-winning technical expertise with the
intuition, insight and confidence gained from
our extensive sector experience and a deeper
understanding of our clients.
Through empowered client service teams, approachable partners and
shorter decision making chains, we provide a wider point of view and
operate in a way that enables our clients to be fast and agile. The real
benefit for dynamic organisations is more meaningful and forward-
looking advice that can help to unlock their potential for growth.
Grant Thornton’s cyber security and privacy team has significant
experience of assessing, improving and embedding controls to better
align exposure to risk appetite. We have worked with organisations of
all sizes across all industries and can tailor our services to meet specific
client needs across a wide range of topics, including cyber security,
cyber crime, digital security, vendor assurance and data privacy.
Grant Thornton UK LLP is the UK member firm of
Grant Thornton International Ltd, one of the world’s leading
organisations of independent assurance, tax and advisory firms. Over
40,000 Grant Thornton people, across 130 countries, are focused on
making a difference to clients, colleagues and the communities in which
we live and work.
Cyber security governance
Grant Thornton has been helping
organisations define and implement
cyber security governance to
manage cyber security risk. We have
benchmarked the maturity of key
controls to guard against cyber security
risk, such as:
•	 governance committees and
reporting
•	 roles and responsibilities
•	 risk appetite
•	 key risk indicators
•	 risk assessments and controls
assurance
•	 incident management and
reporting
•	 policies and procedures
•	 training and awareness.
This has reinforced to board
members the importance of being
involved in governing and overseeing
cyber security decisions and
investments.
Cyber security and privacy
To protect its reputation, innovate and grow, an
organisation needs to protect its intellectual property,
customer information and other critical information assets.
As the business community continues to find new and
innovative approaches to embrace the world wide web
through emerging solutions such as cloud computing, the
security threat increases in complexity. Recent security
breaches, such as the theft of intellectual property and
disclosure of customer sensitive information, have
highlighted how such events can undermine or even close
an organisation. Cybereconomics is a key differentiator
for organisations that are able to provide a secure business
environment for customers.
This realisation has raised the topic of cyber security and
privacy to board level, with executives seeking assurances
that such events could not affect their organisation. Robust
cyber security measures are critical to protecting your
organisation’s reputation, and meeting legal and regulatory
requirements.
Who is responsible for the governance of cyber
security risks in your organisation?
Since the board is ultimately responsible for managing an
organisation’s risks, they should be regularly briefed on
the effectiveness of cyber security controls and exposures
outside of the organisation’s risk appetite.
Our cyber security and privacy team consists of highly
specialised professionals with extensive experience of
key areas, including:
•	 Governance, risk and compliance
•	 Cyber crime
•	 Digital security
•	 Business resilience
•	 Third party assurance
•	 Data privacy
•	 Payment security
•	 Technology security
•	 Identity and access management
Information is now seen as one of the most valuable
assets that any organisation holds
Cyber crime
Are you protected against cyber attacks?
Cyber crime’s footprint is increasing significantly in the
frequency and size of its operations. It is evident that
technological defences alone are not sufficient to protect a
business from attacks. Cyber crime has evolved from being
the act of individuals to one of many tools used by organised
crime syndicates, where highly specialised professionals are
putting data, information and assets at a high risk of misuse.
No industry is safe from the
possibility of a cyber attack, and
being prepared is the best
defence.
At Grant Thornton
we can work with your
organisation to prevent
security vulnerabilities
that could be exploited
by cyber criminals to
access your intellectual
property and disrupt
your business.
Case studies
•	 A recently reported attack on
banks resulted in $1 billion being
stolen during the last two years
using trojan software installed
from the internet onto internal
workstations. The attack was
successful, not because of the
technology used, but because the
attackers behaved like bank staff
and learned the bank procedures
to steal funds without detection
•	 Targeted cyber attacks have
revealed confidential company
and customer information from
the biggest names in the film and
gaming industry, large retailers and
internet service providers
•	 A publisher’s products were stolen
and copies made freely available
online. As well as the loss of
revenue, the cost of updating the
systems and policies was more
than £50,000
The estimated cost of cyber crime to the UK is
£27 billion per year, of which the main loser – at a total
estimated cost of £21 billion – is UK business, which suffers
from high levels of intellectual property theft and
espionage [1]. Over the last year the average cost of the worst
breach suffered has gone up significantly to £0.6 - £1.15
million for large organisations [2].
[1] Detica, Office of Cyber Security and Information Assurance
in the Cabinet Office “The Cost of Cyber Crime” (2011)
[2] Information Security Breaches Survey by Department for
Business Innovation and Skills (2014)
Digital security
Does your organisation know where cyber security
threats will first appear?
A company’s information infrastructure consists of many
different facets, each of which may be a path through which
attackers attempt to breach your defences to obtain access
to or corrupt critical information.
An effective digital security stance requires an
organisation to know both the location and value of
its critical information, and the means by which that
information might be accessed.
The creation and
maintenance of an
information asset register
is a key step to identifying
critical systems to
prioritise for protection.
Even for small organisations
this is a significant effort.
Data leakage
One major avenue for the loss of intellectual property
from your organisation is through data leakage.
There are a wide range of routes that can be used
to steal information from your organisation, from
walking out the door with a hardcopy document to
using complex software to copy and extract data by
transferring it over the web.
Grant Thornton can help you understand the data
leakage methods to which your organisation may be
exposed, the skills and experience required to exploit
them and what preventative or detective controls
could be deployed to reduce risk.
Some of the possible digital pathways used to gain access to
critical information include:
•	 e-Commerce gateways and interfaces
•	 Online service portals
•	 Internal hardware and software
•	 Internal networks (wired and wireless)
•	 Third party service providers
•	 Non-standard and mobile devices
Each of these requires appropriate controls to ensure it
cannot be leveraged to gain access to your organisation’s
critical information assets.
We can assist your organisation by providing assurance
to management on the maturity of digital security controls,
highlighting high risk exposures and developing a roadmap to
protect your digital assets.
Business resilience
Does your organisation have the resilience to stand up
to a high profile cyber security incident?
Business resilience is the ability of an organisation to
minimise disruption and be able to function during an
incident. It covers all aspects of business continuity,
technology disaster recovery, incident management and
financial resilience.
Business resilience is pivotal to maintaining business
activities in the modern age of inter-connected global
operations, just in time production and complex
operational relationships. Maintaining your reputation
and delivering on time are fundamental to all professional
relationships.
Organisations need to anticipate and have proven
strategies to effectively respond to disruptive events,
maintain critical operations and learn from events to better
prepare for future challenges.
By partnering with us and using our wealth of
experience, we can better prepare organisations to face the
challenges that these disruptive events create.
Grant Thornton can assist to assess the readiness of
your organisation to handle, recover from and respond to a
cyber security incident, including both the public relations
and business resilience aspects.
•	 Crisis management
•	 Incident management
•	 Cyber resilience
•	 Business continuity
•	 Disaster recovery
Industry guidance
Our business resilience services are based on the guidance
contained in relevant British and international standards,
including:
•	 Crisis management: guidance to good practice (BS 11200)
•	 Organisational resilience: guidance (BS 65000)
•	 Business continuity management systems: requirements (ISO 22301)
•	 Business continuity management systems: guidance (ISO 22313)
Case study
Grant Thornton was requested to provide support to a large
construction and support services firm to assess their level of
resilience and provide recommendations for improvement.
Using a hybrid approach of interviews, document review and on-site
inspections, conclusions were benchmarked against industry good
practice. The review established that although controls were in a
reasonable position, improvements and efficiencies could be delivered.
Quick win insights were provided during the review so urgent issues
could be swiftly addressed. Longer term recommendations were
delivered to improve their strategic approach to resilience and provide
a standardised approach across the organisation.
Operationally, a number of gaps and overlaps were identified along
with opportunities for efficiencies, combined with improvements to
the risk management processes. By closing out the items highlighted,
management confidence significantly increased in the resilience
framework across the entire organisation.
How secure is your cloud?
Grant Thornton has performed third party
sourcing reviews to assess relevant
controls, such as:
•	 the maturity of security controls
embedded into the supplier
management framework
•	 whether the business could procure
cloud based services directly without
involving sourcing
•	 whether services purchased from cloud
based providers were on the list of
approved vendors.
Some reviews have identified that
business staff could procure cloud based
services directly, without going through
controlled sourcing channels.
Third party assurance
How do you gain assurance that the third parties you’ve
outsourced operations to are secure?
Over the past decade there has been a paradigm shift in the
way organisations operate, and many now recognise the
clear value and benefits to be gained from leveraging business
process outsourcing and third party services.
Consequently, many operational activities that were once
perceived as core are now outsourced, such as activities
performed by technology, operations and human resources
departments. There has also been an explosion in the use of
cloud based services.
These new ways of doing business present wonderful
opportunities for cost efficiencies, but also create
complex challenges and risks
that need to be assessed and
appropriately managed.
At Grant Thornton
we leverage our
experience to report
to the board on
the maturity of
controls operated
by key third
parties, in particular
through assurance and
contractual reviews.
•	 Third party security
•	 Third party contracts
•	 Third party assurance
•	 Third party exit management
Recent research has found that the use of third party internet
based services without formal approval is widespread – 76% of
CIOs are aware of the commission and use of third party cloud
based products with no input from the technology department [1].
[1] British Telecom’s ‘Creativity and the Modern CIO’ –
December 2014
Data privacy
How will the proposed EU data protection regulation affect
your organisation?
While the draft general data protection regulation still has
some way to go before becoming law, there are a number
of changes likely to impact your organisation. Beyond the
headline that organisations in breach of the rules could
face penalties of up to €100 million or up to 5% of their
worldwide turnover, other anticipated changes include:
•	 data breaches will need to be reported to impacted
individuals without undue delay
•	 businesses will be required to complete privacy impact
assessments at least annually
•	 the scope will be expanded to include non-European
companies that trade in the EU.
Many of these changes are already being adopted by
organisations as best practice, especially disclosure of
breaches and conducting privacy impact assessments.
At Grant Thornton we can leverage our experience to
help organisations prepare for and adhere to forthcoming
regulatory changes.
Privacy and security online
Grant Thornton has performed privacy and
security reviews to provide assurance over high
profile internet-based services by:
•	 assessing cloud-based services against
privacy and security best practice
•	 reviewing third party privacy and security
contractual obligations
•	 performing assurance testing of key controls.
Some reviews have highlighted where key
controls were inconsistent with risk appetite,
resulting in follow-on activity to address risk
exposures.
Payment security
Are your payment systems secure?
In 2013, payments businesses handled $425 trillion in non-cash
transactions, more than five times global GDP. By
2023 the value of non-cash transactions is expected to reach
$780 trillion [1]. In developing economies the growth will be
significantly higher.
At the same time, regulatory challenges to the payments
industry are increasing as regulators extend their remit
to include payment institutions. There is also increased
competition and market disruption by new entrants,
including the rise of mobile payments, digital wallets and the
use of Bitcoin.
Given the volumes of funds moved on a daily basis, the
risks associated with the payments industry include:
•	 reputational and financial costs of system failure
•	 fraud committed by criminal hackers
•	 increased volatility in the payments landscape caused by
customers changing their mobile payment habits
•	 difficulties funding projects for continuous improvement
and innovation in a competitive and rapidly changing
market
•	 regulatory censure and subsequent loss of reputation
arising from abuse of the service, eg money laundering
•	 payment market disrupters proposing alternate payment
services.
At Grant Thornton we can leverage the expertise of our in
depth payment specialists to help ensure major wholesale and
consumer facing payment systems remain available and are
secure.
Case studies
Grant Thornton has reviewed the development
and implementation of a mobile payment system
project. Our team:
•	 reflected the current status of the project to
executive management
•	 assessed implementation roadblocks holding
back delivery of the project, including
commercial, technical security and legal risks
•	 suggested improvements to the project’s
governance and risk management.
Our portfolio of payment system review work
includes the following:
•	 organisations clearing transactions on behalf
of third parties with highly developed and
resilient payment infrastructures
•	 payment system compliance reviews for
organisations, such as large retail banks.
[1] Source: Boston Consulting Group Global Payments Review 2014
Penetration testing
•	 red team/penetration
testing (infrastructure, web
application, wireless networks)
•	 mobile application assessment
•	 wireless LAN security
•	 cyber security architects
•	 security configuration review
Technology security
Your organisation’s systems are only as secure as the
weakest link – where’s yours?
In today’s complex and ever changing world, systems used
to help your organisation innovate and grow are updated
or changed on a regular basis. In such an environment it
is essential to be assured that the hardware and software
infrastructure supporting your everyday business activities
is robust and secure, especially as more and more processes
become automated and move online.
We can leverage our experience to perform
penetration tests to assess the security
and maturity of controls over your
infrastructure, networks and
applications, and identify
vulnerabilities and angles of
attack that could be exploited
and how these should be
mitigated.
•	 Application security
•	 Database security
•	 Operating system security
•	 Network security
•	 Perimeter security
Infrastructure security assessments
Grant Thornton has performed deep
technical security reviews of complex
infrastructure environments, including
a variety of banking mainframes.
Such reviews cover many layers of
control that contribute to the security
of critical systems, such as processing
the bank accounts of a large national
customer base.
Some reviews have identified
material risks resulting in
recommendations to strengthen
the environment and improve
the security oversight and
monitoring processes.
Recent events
have reinforced the direct
correlation between successful
attacks, brand reputation and share price.
Some of the challenges faced by organisations
include:
• constantly evolving cyber threats, with new
security vulnerabilities being discovered on a
regular basis
• organisations have to be on the front
foot in respect to patching, upgrades
and security event
monitoring.
Identity and access management
•	 Joiners, movers and leavers
•	 Access recertification
•	 Toxic combinations
•	 Privileged access
•	 Developer access
Could your organisation be exposed to financial crime by
staff with excessive system access?
Even though the topic of unauthorised access is an auditor’s
favourite, dating back many decades, many organisations
today still face challenges ensuring they have robust controls
over system access and segregation of duties.
Some of the more common challenges still faced by
organisations today include:
•	 Access recertification becoming the detective
control of choice, without preventative controls to
remove access when individuals move role
•	 Cost reduction programmes – such as offshoring
and outsourcing – making it more complex to
govern access permissions
•	 Defining toxic access combinations that pose a
segregation of duties risk, and deploying controls to
prevent (or detect) such access violations
•	 Balancing controls that restrict privileged and
developer access to production systems, with the
need for high systems availability
Access management coverage
When thinking about the maturity of your identity
and access management controls, it is wise to think
about the variety of systems in use across your
organisation, including:
•	 Applications
•	 Databases
•	 Operating systems
•	 Network file shares
•	 Collaboration sites
While much attention has been given to application
access controls, effort is also required to restrict
privileged access to databases and operating
systems, as well as end user access to network file
shares and collaboration sites, such as SharePoint.
At Grant Thornton we can leverage our experience to
benchmark the maturity and coverage of access management
controls, and develop a roadmap to take things forward.
How Grant Thornton can help
Our team of experts bring a wealth of experience from across all industry
sectors and can help your organisation to:
•	 assess the effectiveness of your current systems, controls and processes,
identifying key risks and creating a roadmap that puts you on the path to
achieving strong assurance for all key stakeholders
•	 identify key systems at risk of attack or exploitation and help you
implement changes to minimise the disruption to your business in the
event of an attack, through reduced detection time and effective response
•	 review third party and key partners’ security arrangements and provide an
accurate representation of the assurance that can be placed on them – as
well as providing pre-selection reviews before any engagement with new
suppliers/providers
•	 ensure that your systems and services comply with industry, regulatory
and legal standards - including preparing non-European companies for
entry into the EU marketplace
•	 design multi-year on-going programmes that will not only maintain but
develop the maturity and effectiveness of your cyber security and privacy
systems.
Contact us
Sandy Kumar
Partner
Head of Business Risk Services
T +44 (0) 20 7728 3248
E sandy.kumar@uk.gt.com
Manu Sharma
Director
Head of Cyber Security and Privacy
T +44 (0) 20 7865 2406
E manu.sharma@uk.gt.com
© 2015 Grant Thornton UK LLP. All rights reserved.
‘Grant Thornton’ refers to the brand under which the Grant Thornton
member firms provide assurance, tax and advisory services to their
clients and/or refers to one or more member firms, as the context requires.
Grant Thornton UK LLP is a member firm of Grant Thornton International Ltd (GTIL).
GTIL and the member firms are not a worldwide partnership. GTIL and each
member firm is a separate legal entity. Services are delivered by the member
firms. GTIL does not provide services to clients. GTIL and its member firms
are not agents of, and do not obligate, one another and are not liable for one
another’s acts or omissions.
This publication has been prepared only as a guide. No responsibility can be
accepted by us for loss occasioned to any person acting or refraining from
acting as a result of any material in this publication.
grant-thornton.co.uk V24930

Cyber Security for the Small Business ExperienceNational Retail Federation
 
Cybersecurity- What Retailers Need To Know
Cybersecurity- What Retailers Need To KnowCybersecurity- What Retailers Need To Know
Cybersecurity- What Retailers Need To KnowShantam Goel
 
Intelligence-Driven Fraud Prevention
Intelligence-Driven Fraud PreventionIntelligence-Driven Fraud Prevention
Intelligence-Driven Fraud PreventionEMC
 
Cyber security cdg.io
Cyber security   cdg.ioCyber security   cdg.io
Cyber security cdg.ioCyberGroup
 
Security Breach: It's not if, it's not when, it's will you know
Security Breach: It's not if, it's not when, it's will you knowSecurity Breach: It's not if, it's not when, it's will you know
Security Breach: It's not if, it's not when, it's will you knowqmatheson
 
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdfWhat Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdfSecureCurve
 
Cybersecurity through the Deloitte lens
Cybersecurity through the Deloitte lensCybersecurity through the Deloitte lens
Cybersecurity through the Deloitte lensaakash malhotra
 
Cybersecurity – a critical business issue
Cybersecurity – a critical business issueCybersecurity – a critical business issue
Cybersecurity – a critical business issueSonaliG6
 
Information Security
Information SecurityInformation Security
Information SecurityBrian Hacker
 
Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals  Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals Richard Brzakala
 
What is Importance of Cyber Security
What is Importance of Cyber Security What is Importance of Cyber Security
What is Importance of Cyber Security Wee Tang
 

Similaire à Cyber Security Privacy Brochure 2015 (20)

How to Start a Cyber Security Business.pdf
How to Start a Cyber Security Business.pdfHow to Start a Cyber Security Business.pdf
How to Start a Cyber Security Business.pdf
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Importance of Cyber Security for Company.pdf
Importance of Cyber Security for Company.pdfImportance of Cyber Security for Company.pdf
Importance of Cyber Security for Company.pdf
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
 
Awareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdfAwareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdf
 
Cyber Security for the Small Business Experience
Cyber Security for the Small Business ExperienceCyber Security for the Small Business Experience
Cyber Security for the Small Business Experience
 
Cybersecurity- What Retailers Need To Know
Cybersecurity- What Retailers Need To KnowCybersecurity- What Retailers Need To Know
Cybersecurity- What Retailers Need To Know
 
Cybersecurity Landscape for Canadian Business
Cybersecurity Landscape for Canadian BusinessCybersecurity Landscape for Canadian Business
Cybersecurity Landscape for Canadian Business
 
Intelligence-Driven Fraud Prevention
Intelligence-Driven Fraud PreventionIntelligence-Driven Fraud Prevention
Intelligence-Driven Fraud Prevention
 
Cyber security cdg.io
Cyber security   cdg.ioCyber security   cdg.io
Cyber security cdg.io
 
Maritime Cyber Security
Maritime Cyber SecurityMaritime Cyber Security
Maritime Cyber Security
 
Security Breach: It's not if, it's not when, it's will you know
Security Breach: It's not if, it's not when, it's will you knowSecurity Breach: It's not if, it's not when, it's will you know
Security Breach: It's not if, it's not when, it's will you know
 
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdfWhat Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
 
Cybersecurity through the Deloitte lens
Cybersecurity through the Deloitte lensCybersecurity through the Deloitte lens
Cybersecurity through the Deloitte lens
 
Cybersecurity – a critical business issue
Cybersecurity – a critical business issueCybersecurity – a critical business issue
Cybersecurity – a critical business issue
 
Information Security
Information SecurityInformation Security
Information Security
 
Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals  Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals
 
What is Importance of Cyber Security
What is Importance of Cyber Security What is Importance of Cyber Security
What is Importance of Cyber Security
 

Cyber Security Privacy Brochure 2015

  • 1. Working in partnership to help your business innovate and grow in a secure and resilient way Cyber security and privacy
  • 2. 2 CYBER SECURITY AND PRIVACY About us Dynamic organisations know they need to apply both reason and instinct to decision making. At Grant Thornton, this is how we advise our clients every day. We combine award-winning technical expertise with the intuition, insight and confidence gained from our extensive sector experience and a deeper understanding of our clients. Through empowered client service teams, approachable partners and shorter decision making chains, we provide a wider point of view and operate in a way that enables our clients to be fast and agile. The real benefit for dynamic organisations is more meaningful and forward-looking advice that can help to unlock their potential for growth. Grant Thornton’s cyber security and privacy team has significant experience of assessing, improving and embedding controls to better align exposure to risk appetite. We have worked with organisations of all sizes across all industries and can tailor our services to meet specific client needs across a wide range of topics, including cyber security, cyber crime, digital security, vendor assurance and data privacy. Grant Thornton UK LLP is the UK member firm of Grant Thornton International Ltd, one of the world’s leading organisations of independent assurance, tax and advisory firms. Over 40,000 Grant Thornton people, across 130 countries, are focused on making a difference to clients, colleagues and the communities in which we live and work. Cyber security governance Grant Thornton has been helping organisations define and implement cyber security governance to manage cyber security risk. We have benchmarked the maturity of key controls to guard against the risk of cyber security, such as: • governance committees and reporting • roles and responsibilities • risk appetite • key risk indicators • risk assessments and controls assurance • incident management and reporting • policies and procedures • training and awareness. 
This has reinforced to board members the importance of being involved in governing and overseeing cyber security decisions and investments.
  • 3. CYBER SECURITY AND PRIVACY 3 Cyber security and privacy To protect its reputation, innovate and grow, an organisation needs to protect its intellectual property, customer information and other critical information assets. As the business community continues to find new and innovative approaches to embrace the world wide web through emerging solutions such as cloud computing, the security threat increases in complexity. Recent security breaches, such as the theft of intellectual property and disclosure of customer sensitive information, have highlighted how such events can undermine or even close an organisation. Cybereconomics is a key differentiator for organisations that are able to provide a secure business environment for customers. This realisation has raised the topic of cyber security and privacy to board level, with executives seeking assurances that such events could not affect their organisation. Robust cyber security measures are critical to protecting your organisation’s reputation, and meeting legal and regulatory requirements. Who is responsible for the governance of cyber security risks in your organisation? Since the board is ultimately responsible for managing an organisation’s risks, they should be regularly briefed on the effectiveness of cyber security controls and exposures outside of the organisation’s risk appetite. Governance, risk and compliance Cyber crime Digital security Business resilience Third party assurance Data privacy Payment security Technology security Identity and access management Our cyber security and privacy team consists of highly specialised professionals with extensive experience of key areas, including: Information is now seen as one of the most valuable assets that any organisation holds
  • 4. 4 CYBER SECURITY AND PRIVACY Cyber crime Are you protected against cyber attacks? Cyber crime’s footprint is increasing significantly in the frequency and size of its operations. It is evident that technological defences alone are not sufficient to protect a business from attacks. Cyber crime has evolved from being the act of individuals to one of many tools used by organised crime syndicates, where highly specialised professionals are putting data, information and assets at a high risk of misuse. No industry is safe from the possibility of a cyber attack, and being prepared is the best defence. At Grant Thornton we can work with your organisation to prevent security vulnerabilities that could be exploited by cyber criminals to access your intellectual property and disrupt your business. Case studies • A recently reported attack on banks resulted in $1 billion being stolen during the last two years using trojan software installed from the internet onto internal workstations. The attack was successful, not because of the technology used, but because the attackers behaved like bank staff and learned the bank procedures to steal funds without detection • Targeted cyber attacks have revealed confidential company and customer information from the biggest names in the film and gaming industry, large retailers and internet service providers • A publisher’s products were stolen and copies made freely available online. As well as the loss of revenue, the cost of updating the systems and policies was more than £50,000 The estimated cost of cyber crime to the UK is £27 billion per year, of which the main loser – at a total estimated cost of £21 billion – is UK business, which suffers from high levels of intellectual property theft and espionage [1]. Over the last year the average cost of the worst breach suffered has gone up significantly to £0.6 - £1.15 million for large organisations [2].
[1] Detica, Office of Cyber Security and Information Assurance in the Cabinet Office “The Cost of Cyber Crime” (2011)
[2] Information Security Breaches Survey by Department for Business Innovation and Skills (2014)
  • 5. CYBER SECURITY AND PRIVACY 5 Digital security Does your organisation know where cyber security threats will first appear? A company’s information infrastructure consists of many different facets, each of which may be a path through which attackers attempt to breach your defences to obtain access to or corrupt critical information. An effective digital security stance requires an organisation to know both the location and value of its critical information, and the means by which that information might be accessed. The creation and maintenance of an information asset register is a key step to identifying critical systems to prioritise for protection. Even for small organisations this is a significant effort. Data leakage One major avenue for the loss of intellectual property from your organisation is through data leakage. There are a wide range of routes that can be used to steal information from your organisation, from walking out the door with a hardcopy document to using complex software to copy and extract data by transferring it over the web. Grant Thornton can help you understand the data leakage methods to which your organisation may be exposed, the skills and experience required to exploit them and what preventative or detective controls could be deployed to reduce risk. Each of these require appropriate controls to ensure they cannot be leveraged to gain access to your organisation’s critical information assets. We can assist your organisation by providing assurance to management on the maturity of digital security controls, highlight high risk exposures and develop a roadmap to protect your digital assets. Some of the possible digital pathways used to gain access to critical information include: e-Commerce gateways and interfaces Online service portals Internal hardware and software Internal networks (wired and wireless) Third party service providers Non-standard and mobile devices
  • 6. 6 CYBER SECURITY AND PRIVACY Business resilience Does your organisation have the resilience to stand up to a high profile cyber security incident? Business resilience is the ability of an organisation to minimise disruption and be able to function during an incident. It covers all aspects of business continuity, technology disaster recovery, incident management and financial resilience. Business resilience is pivotal to maintaining business activities in the modern age of inter-connected global operations, just in time production and complex operational relationships. Maintaining your reputation and delivering on time are fundamental to all professional relationships. Organisations need to anticipate and have proven strategies to effectively respond to disruptive events, maintain critical operations and learn from events to better prepare for future challenges. By partnering with us and using our wealth of experience, we can better prepare organisations to face the challenges that these disruptive events create. Grant Thornton can assist to assess the readiness of your organisation to handle, recover from and respond to a cyber security incident, including both the public relations and business resilience aspects. Crisis management Incident management Cyber resilience Business continuity Disaster recovery Industry guidance Our business resilience services are based on the guidance contained in relevant British and international standards, including: Crisis management: guidance to good practice BS 11200 Organisational resilience: guidance BS 65000 Business continuity management systems: requirements ISO 22301 Business continuity management systems: guidance ISO 22313 Case study Grant Thornton was requested to provide support to a large construction and support services firm to assess their level of resilience and provide recommendations for improvement. 
Using a hybrid approach of interviews, document review and on-site inspections, conclusions were benchmarked against industry good practice. The review established that although controls were in a reasonable position, improvements and efficiencies could be delivered Quick win insights were provided during the review so urgent issues could be swiftly addressed. Longer term recommendations were delivered to improve their strategic approach to resilience and provide a standardised approach across the organisation. Operationally, a number of gaps and overlaps were identified along with opportunities for efficiencies, combined with improvements to the risk management processes. By closing out the items highlighted, management confidence significantly increased in the resilience framework across the entire organisation.
  • 7. CYBER SECURITY AND PRIVACY 7 How secure is your cloud? Grant Thornton has performed third party sourcing reviews to assess relevant controls, such as: • the maturity of security controls embedded into the supplier management framework • whether the business could procure cloud based services directly without involving sourcing • whether services purchased from cloud based providers were on the list of approved vendors. Some reviews have identified that business staff could procure cloud based services directly, without going through controlled sourcing channels. Third party assurance How do you gain assurance that the third parties you’ve outsourced operations to are secure? Over the past decade there has been a paradigm shift in the way organisations operate, and many now recognise the clear value and benefits to be gained from leveraging business process outsourcing and third party services. Consequently, many operational activities that were once perceived as core are now outsourced, such as activities performed by technology, operations and human resources departments. There has also been the explosion in the use of cloud based services. These new ways of doing business present wonderful opportunities for cost efficiencies, but also create complex challenges and risks that need to be assessed and appropriately managed. At Grant Thornton we leverage our experience to report to the board on the maturity of controls operated by key third parties, in particular through assurance and contractual reviews. Third party security Third party contracts Third party assurance Third party exit management Recent research has found that the use of third party internet based services without formal approval, is widespread – 76% of CIOs are aware of the commission and use of third party cloud based products with no input from the technology department [1].
[1] British Telecom’s ‘Creativity and the Modern CIO’ – December 2014
  • 8. 8 CYBER SECURITY AND PRIVACY Data privacy How will the proposed EU data protection regulation affect your organisation? While the draft general data protection regulation still has some way to go before becoming law, there are a number of changes likely to impact your organisation. Beyond the headline that organisations in breach of the rules could face penalties of up to €100 million or up to 5% of their worldwide turnover, other anticipated changes include: • data breaches will need to be reported to impacted individuals without undue delay • businesses will be required to complete privacy impact assessments at least annually • the scope will be expanded to include non-European companies that trade in the EU. Many of these changes are already being adopted by organisations as best practice, especially disclosure of breaches and conducting privacy impact assessments. At Grant Thornton we can leverage our experience to help organisations prepare for and adhere to forthcoming regulatory changes. Privacy and security online Grant Thornton has performed privacy and security reviews to provide assurance over high profile internet-based services by: • assessing cloud-based services against privacy and security best practice • reviewing third party privacy and security contractual obligations • performing assurance testing of key controls. Some reviews have highlighted where key controls were inconsistent with risk appetite, resulting in follow-on activity to address risk exposures.
  • 9. CYBER SECURITY AND PRIVACY 9 Payment security Are your payment systems secure? In 2013, payments businesses handled $425 trillion in non-cash transactions, more than five times global GDP. By 2023 the value of non-cash transactions is expected to reach $780 trillion [1]. In developing economies the growth will be significantly higher. At the same time, regulatory challenges to the payments industry are increasing as regulators extend their remit to include payment institutions. There is also increased competition and market disruption by new entrants, including the rise of mobile payments, digital wallets and the use of Bitcoin. Given the volumes of funds moved on a daily basis, the risks associated with the payments industry include: • reputational and financial costs of system failure • fraud committed by criminal hackers • increased volatility in the payments landscape caused by customers changing their mobile payment habits • difficulties funding projects for continuous improvement and innovation in a competitive and rapidly changing market • regulatory censure and subsequent loss of reputation arising from abuse of the service, eg money laundering • payment market disrupters proposing alternate payment services. At Grant Thornton we can leverage the expertise of our in depth payment specialists to help ensure major wholesale and consumer facing payment systems remain available and are secure. Case studies Grant Thornton has reviewed the development and implementation of a mobile payment system project. Our team: • reflected the current status of the project to executive management • assessed implementation roadblocks holding back delivery of the project, including commercial, technical security and legal risks • suggested improvements to the project’s governance and risk management. 
Our portfolio of payment system review work includes the following: • organisations clearing transactions on behalf of third parties with highly developed and resilient payment infrastructures • payment system compliance reviews for organisations, such as large retail banks.
[1] Source: Boston Consulting Group Global Payments Review 2014
  • 10. Penetration testing • red team/penetration testing (infrastructure, web application, wireless networks) • mobile application assessment • wireless LAN security • cyber security architects • security configuration review 10 CYBER SECURITY AND PRIVACY Technology security Your organisation’s systems are only as secure as the weakest link – where’s yours? In today’s complex and ever changing world, systems used to help your organisation innovate and grow are updated or changed on a regular basis. In such an environment it is essential to be assured that the hardware and software infrastructure supporting your everyday business activities is robust and secure, especially as more and more processes become automated and move online. We can leverage our experience to perform penetration tests to assess the security and maturity of controls over your infrastructure, networks and applications, and identify vulnerabilities and angles of attack that could be exploited and how these should be mitigated. Application security Database security Operating system security Network security Perimeter security Infrastructure security assessments Grant Thornton has performed deep technical security reviews of complex infrastructure environments, including a variety of banking mainframes. Such reviews cover many layers of control that contribute to the security of critical systems, such as processing the bank accounts of a large national customer base. Some reviews have identified material risks resulting in recommendations to strengthen the environment and improve the security oversight and monitoring processes. Recent events have reinforced the direct correlation between successful attacks, brand reputation and share price. 
Some of the challenges faced by organisations include: • constantly evolving cyber threats, with new security vulnerabilities being discovered on a regular basis • organisations have to be on the front foot in respect to patching, upgrades and security event monitoring.
  • 11. CYBER SECURITY AND PRIVACY 11 Identity and access management Joiners, movers and leavers Access recertification Toxic combinations Privileged access Developer access Could your organisation be exposed to financial crime by staff with excessive system access? Even though the topic of unauthorised access is an auditor’s favourite, dating back many decades, many organisations today still face challenges ensuring they have robust controls over system access and segregation of duties. Some of the more common challenges still faced by organisations today include: Access recertification becoming the detective control of choice, without preventative controls to remove access when individuals move role Cost reduction programmes – such as offshoring and outsourcing – making it more complex to govern access permissions Defining toxic access combinations that pose a segregation of duties risk, and deploying controls to prevent (or detect) such access violations Balancing controls that restrict privileged and developer access to production systems, with the need for high systems availability Access management coverage When thinking about the maturity of your identity and access management controls, it is wise to think about the variety of systems in use across your organisation, including: • Applications • Databases • Operating systems • Network file shares • Collaboration sites While much attention has been given to application access controls, effort is also required to restrict privileged access to databases and operating systems, as well as end user access to network file shares and collaboration sites, such as SharePoint. At Grant Thornton we can leverage our experience to benchmark the maturity and coverage of access management controls, and develop a roadmap to take things forward.
  • 12. How Grant Thornton can help © 2015 Grant Thornton UK LLP. All rights reserved. ‘Grant Thornton’ refers to the brand under which the Grant Thornton member firms provide assurance, tax and advisory services to their clients and/or refers to one or more member firms, as the context requires. Grant Thornton UK LLP is a member firm of Grant Thornton International Ltd (GTIL). GTIL and the member firms are not a worldwide partnership. GTIL and each member firm is a separate legal entity. Services are delivered by the member firms. GTIL does not provide services to clients. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions. This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occasioned to any person acting or refraining from acting as a result of any material in this publication. grant-thornton.co.uk V24930 Sandy Kumar Partner Head of Business Risk Services T +44 (0) 20 7728 3248 E sandy.kumar@uk.gt.com Contact us Manu Sharma Director Head of Cyber Security and Privacy T +44 (0) 20 7865 2406 E manu.sharma@uk.gt.com Our team of experts bring a wealth of experience from across all industry sectors and can help your organisation to: • assess the effectiveness of your current systems, controls and processes, identifying key risks and creating a roadmap that puts you on the path to achieving strong assurance for all key stakeholders • identify key systems at risk of attack or exploitation and help you implement changes to minimise the disruption to your business in the event of an attack, through reduced detection time and effective response • review third party and key partners’ security arrangements and provide an accurate representation of the assurance that can be placed on them – as well as providing pre-selection reviews before any engagement with new suppliers/providers • ensure that your systems and services comply with industry, 
regulatory and legal standards - including preparing non-European companies for entry into the EU marketplace • design multi-year on-going programmes that will not only maintain but develop the maturity and effectiveness of your cyber security and privacy systems.