Working in partnership to help your business innovate and grow in a secure and resilient way
Cyber security and privacy
CYBER SECURITY AND PRIVACY
About us
Dynamic organisations know they need to apply both reason and instinct to decision making. At Grant Thornton, this is how we advise our clients every day. We combine award-winning technical expertise with the intuition, insight and confidence gained from our extensive sector experience and a deeper understanding of our clients.
Through empowered client service teams, approachable partners and shorter decision making chains, we provide a wider point of view and operate in a way that enables our clients to be fast and agile. The real benefit for dynamic organisations is more meaningful and forward-looking advice that can help to unlock their potential for growth.
Grant Thornton’s cyber security and privacy team has significant experience of assessing, improving and embedding controls to better align exposure to risk appetite. We have worked with organisations of all sizes across all industries and can tailor our services to meet specific client needs across a wide range of topics, including cyber security, cyber crime, digital security, vendor assurance and data privacy.
Grant Thornton UK LLP is the UK member firm of Grant Thornton International Ltd, one of the world’s leading organisations of independent assurance, tax and advisory firms. Over 40,000 Grant Thornton people, across 130 countries, are focused on making a difference to clients, colleagues and the communities in which we live and work.
Cyber security governance
Grant Thornton has been helping organisations define and implement cyber security governance to manage cyber security risk. We have benchmarked the maturity of key controls that guard against cyber security risk, such as:
• governance committees and reporting
• roles and responsibilities
• risk appetite
• key risk indicators
• risk assessments and controls assurance
• incident management and reporting
• policies and procedures
• training and awareness.
This has reinforced to board members the importance of being involved in governing and overseeing cyber security decisions and investments.
Cyber security and privacy
To protect its reputation, innovate and grow, an organisation needs to protect its intellectual property, customer information and other critical information assets. As the business community continues to find new and innovative approaches to embrace the world wide web through emerging solutions such as cloud computing, the security threat increases in complexity. Recent security breaches, such as the theft of intellectual property and disclosure of customer sensitive information, have highlighted how such events can undermine or even close an organisation. Cybereconomics is a key differentiator for organisations that are able to provide a secure business environment for customers.
This realisation has raised the topic of cyber security and privacy to board level, with executives seeking assurances that such events could not affect their organisation. Robust cyber security measures are critical to protecting your organisation’s reputation, and meeting legal and regulatory requirements.
Who is responsible for the governance of cyber security risks in your organisation?
Since the board is ultimately responsible for managing an organisation’s risks, it should be regularly briefed on the effectiveness of cyber security controls and on exposures outside of the organisation’s risk appetite.
Our cyber security and privacy team consists of highly specialised professionals with extensive experience of key areas, including:
• Governance, risk and compliance
• Cyber crime
• Digital security
• Business resilience
• Third party assurance
• Data privacy
• Payment security
• Technology security
• Identity and access management
Information is now seen as one of the most valuable assets that any organisation holds.
Cyber crime
Are you protected against cyber attacks?
Cyber crime’s footprint is increasing significantly in the frequency and size of its operations. It is evident that technological defences alone are not sufficient to protect a business from attacks. Cyber crime has evolved from being the act of individuals to one of many tools used by organised crime syndicates, where highly specialised professionals are putting data, information and assets at a high risk of misuse.
No industry is safe from the possibility of a cyber attack, and being prepared is the best defence.
At Grant Thornton we can work with your organisation to prevent security vulnerabilities that could be exploited by cyber criminals to access your intellectual property and disrupt your business.
Case studies
• A recently reported attack on banks resulted in $1 billion being stolen during the last two years using trojan software installed from the internet onto internal workstations. The attack was successful, not because of the technology used, but because the attackers behaved like bank staff and learned the bank procedures to steal funds without detection.
• Targeted cyber attacks have revealed confidential company and customer information from the biggest names in the film and gaming industry, large retailers and internet service providers.
• A publisher’s products were stolen and copies made freely available online. As well as the loss of revenue, the cost of updating the systems and policies was more than £50,000.
The estimated cost of cyber crime to the UK is £27 billion per year, of which the main loser – at a total estimated cost of £21 billion – is UK business, which suffers from high levels of intellectual property theft and espionage [1]. Over the last year the average cost of the worst breach suffered has gone up significantly to £0.6 - £1.15 million for large organisations [2].
[1] Detica, Office of Cyber Security and Information Assurance in the Cabinet Office, “The Cost of Cyber Crime” (2011)
[2] Information Security Breaches Survey by Department for Business Innovation and Skills (2014)
Digital security
Does your organisation know where cyber security threats will first appear?
A company’s information infrastructure consists of many different facets, each of which may be a path through which attackers attempt to breach your defences to obtain access to or corrupt critical information.
An effective digital security stance requires an organisation to know both the location and value of its critical information, and the means by which that information might be accessed.
Some of the possible digital pathways used to gain access to critical information include:
• e-Commerce gateways and interfaces
• Online service portals
• Internal hardware and software
• Internal networks (wired and wireless)
• Third party service providers
• Non-standard and mobile devices
Each of these requires appropriate controls to ensure it cannot be leveraged to gain access to your organisation’s critical information assets.
We can assist your organisation by providing assurance to management on the maturity of digital security controls, highlighting high risk exposures and developing a roadmap to protect your digital assets.
The creation and maintenance of an information asset register is a key step to identifying critical systems to prioritise for protection. Even for small organisations this is a significant effort.
Data leakage
One major avenue for the loss of intellectual property from your organisation is through data leakage. There is a wide range of routes that can be used to steal information from your organisation, from walking out the door with a hardcopy document to using complex software to copy and extract data by transferring it over the web.
Grant Thornton can help you understand the data leakage methods to which your organisation may be exposed, the skills and experience required to exploit them and what preventative or detective controls could be deployed to reduce risk.
Business resilience
Does your organisation have the resilience to stand up to a high profile cyber security incident?
Business resilience is the ability of an organisation to minimise disruption and be able to function during an incident. It covers all aspects of business continuity, technology disaster recovery, incident management and financial resilience.
Business resilience is pivotal to maintaining business activities in the modern age of inter-connected global operations, just in time production and complex operational relationships. Maintaining your reputation and delivering on time are fundamental to all professional relationships.
Organisations need to anticipate and have proven strategies to effectively respond to disruptive events, maintain critical operations and learn from events to better prepare for future challenges.
By partnering with us and using our wealth of experience, we can better prepare organisations to face the challenges that these disruptive events create.
Grant Thornton can assist in assessing the readiness of your organisation to handle, recover from and respond to a cyber security incident, including both the public relations and business resilience aspects.
Our business resilience services cover crisis management, incident management, cyber resilience, business continuity and disaster recovery.
Industry guidance
Our business resilience services are based on the guidance contained in relevant British and international standards, including:
• BS 11200 – Crisis management: guidance to good practice
• BS 65000 – Organisational resilience: guidance
• ISO 22301 – Business continuity management systems: requirements
• ISO 22313 – Business continuity management systems: guidance
Case study
Grant Thornton was requested to provide support to a large construction and support services firm to assess their level of resilience and provide recommendations for improvement.
Using a hybrid approach of interviews, document review and on-site inspections, conclusions were benchmarked against industry good practice. The review established that although controls were in a reasonable position, improvements and efficiencies could be delivered. Quick win insights were provided during the review so urgent issues could be swiftly addressed. Longer term recommendations were delivered to improve their strategic approach to resilience and provide a standardised approach across the organisation.
Operationally, a number of gaps and overlaps were identified along with opportunities for efficiencies, combined with improvements to the risk management processes. By closing out the items highlighted, management confidence significantly increased in the resilience framework across the entire organisation.
Third party assurance
How do you gain assurance that the third parties you’ve outsourced operations to are secure?
Over the past decade there has been a paradigm shift in the way organisations operate, and many now recognise the clear value and benefits to be gained from leveraging business process outsourcing and third party services. Consequently, many operational activities that were once perceived as core are now outsourced, such as activities performed by technology, operations and human resources departments. There has also been an explosion in the use of cloud based services.
These new ways of doing business present wonderful opportunities for cost efficiencies, but also create complex challenges and risks that need to be assessed and appropriately managed.
At Grant Thornton we leverage our experience to report to the board on the maturity of controls operated by key third parties, in particular through assurance and contractual reviews.
Our third party assurance services cover third party security, third party contracts, third party assurance and third party exit management.
How secure is your cloud?
Grant Thornton has performed third party sourcing reviews to assess relevant controls, such as:
• the maturity of security controls embedded into the supplier management framework
• whether the business could procure cloud based services directly without involving sourcing
• whether services purchased from cloud based providers were on the list of approved vendors.
Some reviews have identified that business staff could procure cloud based services directly, without going through controlled sourcing channels.
Recent research has found that the use of third party internet based services without formal approval is widespread – 76% of CIOs are aware of the commissioning and use of third party cloud based products with no input from the technology department [1].
[1] British Telecom’s ‘Creativity and the Modern CIO’ – December 2014
Data privacy
How will the proposed EU data protection regulation affect your organisation?
While the draft general data protection regulation still has some way to go before becoming law, there are a number of changes likely to impact your organisation. Beyond the headline that organisations in breach of the rules could face penalties of up to €100 million or up to 5% of their worldwide turnover, other anticipated changes include:
• data breaches will need to be reported to impacted individuals without undue delay
• businesses will be required to complete privacy impact assessments at least annually
• the scope will be expanded to include non-European companies that trade in the EU.
Many of these changes are already being adopted by organisations as best practice, especially disclosure of breaches and conducting privacy impact assessments.
At Grant Thornton we can leverage our experience to help organisations prepare for and adhere to forthcoming regulatory changes.
Privacy and security online
Grant Thornton has performed privacy and security reviews to provide assurance over high profile internet-based services by:
• assessing cloud-based services against privacy and security best practice
• reviewing third party privacy and security contractual obligations
• performing assurance testing of key controls.
Some reviews have highlighted where key controls were inconsistent with risk appetite, resulting in follow-on activity to address risk exposures.
Payment security
Are your payment systems secure?
In 2013, payments businesses handled $425 trillion in non-cash transactions, more than five times global GDP. By 2023 the value of non-cash transactions is expected to reach $780 trillion [1]. In developing economies the growth will be significantly higher.
At the same time, regulatory challenges to the payments industry are increasing as regulators extend their remit to include payment institutions. There is also increased competition and market disruption by new entrants, including the rise of mobile payments, digital wallets and the use of Bitcoin.
Given the volumes of funds moved on a daily basis, the risks associated with the payments industry include:
• reputational and financial costs of system failure
• fraud committed by criminal hackers
• increased volatility in the payments landscape caused by customers changing their mobile payment habits
• difficulties funding projects for continuous improvement and innovation in a competitive and rapidly changing market
• regulatory censure and subsequent loss of reputation arising from abuse of the service, eg money laundering
• payment market disrupters proposing alternate payment services.
At Grant Thornton we can leverage the in-depth expertise of our payment specialists to help ensure major wholesale and consumer facing payment systems remain available and are secure.
Case studies
Grant Thornton has reviewed the development and implementation of a mobile payment system project. Our team:
• reflected the current status of the project to executive management
• assessed implementation roadblocks holding back delivery of the project, including commercial, technical security and legal risks
• suggested improvements to the project’s governance and risk management.
Our portfolio of payment system review work includes the following:
• organisations clearing transactions on behalf of third parties with highly developed and resilient payment infrastructures
• payment system compliance reviews for organisations, such as large retail banks.
[1] Source: Boston Consulting Group Global Payments Review 2014
Technology security
Your organisation’s systems are only as secure as the weakest link – where’s yours?
In today’s complex and ever changing world, systems used to help your organisation innovate and grow are updated or changed on a regular basis. In such an environment it is essential to be assured that the hardware and software infrastructure supporting your everyday business activities is robust and secure, especially as more and more processes become automated and move online.
We can leverage our experience to perform penetration tests to assess the security and maturity of controls over your infrastructure, networks and applications, and identify vulnerabilities and angles of attack that could be exploited and how these should be mitigated.
Our technology security services cover application security, database security, operating system security, network security and perimeter security.
Penetration testing
• red team/penetration testing (infrastructure, web application, wireless networks)
• mobile application assessment
• wireless LAN security
• cyber security architects
• security configuration review
Infrastructure security assessments
Grant Thornton has performed deep technical security reviews of complex infrastructure environments, including a variety of banking mainframes. Such reviews cover many layers of control that contribute to the security of critical systems, such as processing the bank accounts of a large national customer base.
Some reviews have identified material risks resulting in recommendations to strengthen the environment and improve the security oversight and monitoring processes.
Recent events have reinforced the direct correlation between successful attacks, brand reputation and share price.
Some of the challenges faced by organisations include:
• constantly evolving cyber threats, with new security vulnerabilities being discovered on a regular basis
• organisations have to be on the front foot in respect to patching, upgrades and security event monitoring.
Identity and access management
Could your organisation be exposed to financial crime by staff with excessive system access?
Even though the topic of unauthorised access is an auditor’s favourite, dating back many decades, many organisations today still face challenges ensuring they have robust controls over system access and segregation of duties.
Some of the more common challenges still faced by organisations today include:
• access recertification becoming the detective control of choice, without preventative controls to remove access when individuals move role
• cost reduction programmes – such as offshoring and outsourcing – making it more complex to govern access permissions
• defining toxic access combinations that pose a segregation of duties risk, and deploying controls to prevent (or detect) such access violations
• balancing controls that restrict privileged and developer access to production systems, with the need for high systems availability.
Our identity and access management services cover joiners, movers and leavers; access recertification; toxic combinations; privileged access; and developer access.
Access management coverage
When thinking about the maturity of your identity and access management controls, it is wise to think about the variety of systems in use across your organisation, including:
• Applications
• Databases
• Operating systems
• Network file shares
• Collaboration sites
While much attention has been given to application access controls, effort is also required to restrict privileged access to databases and operating systems, as well as end user access to network file shares and collaboration sites, such as SharePoint.
At Grant Thornton we can leverage our experience to benchmark the maturity and coverage of access management controls, and develop a roadmap to take things forward.
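As an added illustration (not Grant Thornton's own tooling) of the detective control the challenges above describe, the script below takes a constructed entitlement snapshot and HR feed and flags toxic combinations, leavers who still hold access, and movers holding entitlements that belong to a former role. All users, systems, entitlements and rules are invented sample data.

```python
"""Constructed example: check an entitlement snapshot for toxic combinations,
leavers who retain access, and movers holding entitlements from a former role."""
from collections import defaultdict

# Constructed sample entitlement snapshot: (user, system, entitlement).
ENTITLEMENTS = [
    ("alice", "payments-app", "create_payment"),
    ("alice", "payments-app", "approve_payment"),  # creates AND approves
    ("bob", "payments-app", "create_payment"),
    ("carol", "payments-app", "developer"),
    ("carol", "prod-db", "dba"),                   # developer with prod DBA
    ("dave", "fileshare", "finance-share-rw"),     # dave has left
    ("erin", "payments-app", "approve_payment"),   # erin moved to marketing
]

# Constructed HR feed: current employment status and role per user.
HR = {
    "alice": {"status": "active", "role": "finance"},
    "bob": {"status": "active", "role": "finance"},
    "carol": {"status": "active", "role": "engineering"},
    "dave": {"status": "leaver", "role": "finance"},
    "erin": {"status": "active", "role": "marketing"},
}

# Toxic combinations: entitlement sets no single person may hold together.
TOXIC = [
    frozenset({("payments-app", "create_payment"),
               ("payments-app", "approve_payment")}),
    frozenset({("payments-app", "developer"), ("prod-db", "dba")}),
]

# Entitlements each role is expected to hold; anything else is mover residue.
ROLE_ENTITLEMENTS = {
    "finance": {("payments-app", "create_payment"), ("payments-app", "approve_payment"),
                ("fileshare", "finance-share-rw")},
    "engineering": {("payments-app", "developer"), ("prod-db", "dba")},
    "marketing": set(),
}


def find_violations(entitlements, hr, toxic, role_map):
    """Return sorted findings under the keys 'toxic', 'leaver' and 'mover'."""
    held = defaultdict(set)
    for user, system, ent in entitlements:
        held[user].add((system, ent))
    findings = {"toxic": [], "leaver": [], "mover": []}
    for user, ents in held.items():
        # Segregation of duties: a toxic set fully contained in what is held.
        for combo in toxic:
            if combo <= ents:
                findings["toxic"].append((user, tuple(sorted(combo))))
        record = hr.get(user, {"status": "unknown", "role": None})
        # Leavers (or users unknown to HR) should hold nothing at all.
        if record["status"] != "active":
            findings["leaver"].append((user, record["status"], len(ents)))
            continue
        # Movers: entitlements outside the current role's expected set.
        for ent in sorted(ents - role_map.get(record["role"], set())):
            findings["mover"].append((user, record["role"], ent))
    return {key: sorted(value) for key, value in findings.items()}
```

Note that carol's two entitlements are each legitimate for an engineer, so only the toxic-combination rule catches her: role-based entitlement design on its own does not enforce segregation of duties.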