
Page 1

© Lloyd’s 2013

Cyber risk prioritization and preparedness: A global risk perspective

22 October 2013

Page 2

"Take calculated risks. That is quite different from being rash." General George Patton

Page 3

2009: Global Risk Chart (1)

Rank  Risk                                    Priority  Preparedness
1     Cost and availability of credit         6.25      5.25
2     Currency fluctuation                    6.10      5.50
3     Insolvency risk                         5.80      5.10
4     Loss of customers                       5.75      5.10
5     Major asset price volatility            5.40      5.30
6     Cancelled orders                        5.30      4.75
7     Risk of excessively strict regulation   5.25      4.75
8     Corporate liability                     5.15      5.75
9     Reputational risk                       5.12      5.80
10    Project delivery risk                   5.05      5.45

Source: Lloyd’s 360 Risk Insight: Risk Priorities and Preparedness

Page 4

2009: Global Risk Chart (2)

Rank  Risk                                    Priority  Preparedness
11    Abrupt interest change                  4.98      5.30
12    Risk of poor/incomplete regulation      4.90      4.90
13    Increasing protectionism                4.81      4.70
14    Failed investment                       4.80      4.90
15    Fraud and corruption                    4.77      5.40
16    Information security breach             4.75      5.37
17    Price of material inputs                4.65      5.27
18    Theft of assets/intellectual property   4.50      5.23
19    Rapid technological change              4.45      5.70
20    Cyber attacks                           4.30      5.13

Source: Lloyd’s 360 Risk Insight: Risk Priorities and Preparedness

Page 5

2011: Global Risk Chart (1)

Rank  Risk                                    Priority  Preparedness
1     Loss of Customers / Cancelled Orders    6.2       6.3
2     Talent and Skills Shortage              6.2       5.9
3     Reputational Risk                       5.8       6.6
4     Currency Fluctuation                    5.6       5.9
5     Changing Legislation                    5.6       5.4
6     Cost and Availability of Credit         5.5       6.4
7     Price of Material Inputs                5.4       5.7
8     Inflation                               5.4       5.5
9     Corporate Liability                     5.4       6.6
10    Excessively Strict Regulation           5.4       5.6

Source: Lloyd’s Risk Index 2011

Page 6

2011: Global Risk Chart (2)

Rank  Risk                                    Priority  Preparedness
11    Rapid Technological Changes             5.3       6.1
12    Cyber Attacks (malicious)               5.3       6.0
13    High Taxation                           5.2       5.5
14    Failed Investment                       5.2       6.1
15    Major Asset Price Volatility            5.2       5.7
16    Theft of Assets/Intellectual Property   5.2       6.1
17    Fraud and Corruption                    5.2       6.3
18    Interest Rate Change                    5.1       6.0
19    Cyber Risks (non-malicious)             5.1       6.4
20    Poor/Incomplete Regulation              5.0       5.4
21    Critical Infrastructure Failure         4.9       5.9

Source: Lloyd’s Risk Index 2011

Page 7

2013: Global Risk Chart (1)

Rank  Risk                                    Priority  Preparedness
1     High Taxation                           6.2       5.3
2     Loss of Customers/Cancelled Orders      6.1       5.7
3     Cyber Risk                              5.7       5.9
4     Price of Material Inputs                5.6       5.8
5=    Excessively Strict Regulation           5.6       5.4
5=    Changing Legislation                    5.6       5.4
7     Inflation                               5.5       5.6
8     Cost and Availability of Credit         5.5       5.9
9     Rapid Technological Changes             5.3       5.9
10    Currency Fluctuation                    5.2       5.5

Source: Lloyd’s Risk Index 2013 (http://www.lloyds.com/~/media/files/news%20and%20insight/risk%20insight/risk%20index%202013/report/lloyds%20risk%20index%202013report100713.pdf)

Page 8

2013: Global Risk Chart (2)

Rank  Risk                                        Priority  Preparedness
11=   Interest Rate Change                        5.2       5.7
11=   Talent and Skills Shortage                  5.2       5.7
13    Reputational Risk                           5.2       6.2
14    Corporate Liability                         5.1       6.0
15=   Major Asset Price Volatility                5.1       5.4
15=   Theft of Assets/Intellectual Property       5.1       5.4
17    Fraud and Corruption                        5.1       5.3
18    Government Spending Cuts                    5.1       5.7
19    Theft of Assets or Intellectual Property    5.0       5.7
20    Failed Investment                           4.9       5.7
22    Critical Infrastructure Failure             4.8       5.7

Source: Lloyd’s Risk Index 2013 (http://www.lloyds.com/~/media/files/news%20and%20insight/risk%20insight/risk%20index%202013/report/lloyds%20risk%20index%202013report100713.pdf)

Page 9

2013: Top 10 risks for North America

Rank  Risk                                    Priority  Preparedness
1     High Taxation                           5.56      5.16
2     Cyber Risk                              5.08      5.49
3     Loss of Customers/Cancelled Orders      5.03      5.41
4     Changing Legislation                    4.90      5.23
5     Inflation                               4.80      5.41
6     Excessively Strict Regulation           4.77      5.48
7     Price of Material Inputs                4.42      5.86
8     Rapid Technological Changes             4.34      5.69
9     Cost and Availability of Credit         4.33      6.04
10    Major Asset Price Volatility            4.24      5.25

Source: Lloyd’s Risk Index 2013 (http://www.lloyds.com/~/media/files/news%20and%20insight/risk%20insight/risk%20index%202013/report/lloyds%20risk%20index%202013report100713.pdf)

Page 10

Cyber risk global analysis

Region         Priority Rating  Priority Score  Preparedness Rating  Preparedness Score
North America  2                5.08            21                   5.49
Asia Pacific   8                5.90            3                    6.03
Europe         6                5.56            5                    5.74
South Africa   6                6.33            1                    6.92
Latin America  4                6.71            19                   5.83

Source: Lloyd’s Risk Index 2013 (http://www.lloyds.com/~/media/files/news%20and%20insight/risk%20insight/risk%20index%202013/report/lloyds%20risk%20index%202013report100713.pdf)

Page 11

2013: Top 20 preparedness scores for North America

Rank  Risk                                    Preparedness
1     Reputational Risk                       6.32
2     Insolvency Risk                         6.07
3     Cost and Availability of Credit         6.04
4     Fraud and Corruption                    6.00
5     Interest Rate Change                    5.87
6     Price of Material Inputs                5.86
7     Supply Chain Failure                    5.84
8=    Corporate Liability                     5.82
8=    Flooding                                5.82
10=   Corporate Governance Failure            5.79
10=   Industrial/Workplace Accident           5.79
12=   Theft of Assets/Intellectual Prop.      5.72
12=   Energy Security                         5.72
14=   Strikes and Industrial Action           5.71
14=   Population Growth                       5.71
16    Rapid Technological Changes             5.69
17    Talent and Skills Shortage              5.66
18    Failed Investment                       5.64
19    Pollution/Environmental Liability       5.63
20    Demographic Shift                       5.58

Source: Lloyd’s Risk Index 2013 (http://www.lloyds.com/~/media/files/news%20and%20insight/risk%20insight/risk%20index%202013/report/lloyds%20risk%20index%202013report100713.pdf)

Page 12

Attacks and actors

► 52% used some form of hacking (-)

► 76% of network intrusions exploited weak or stolen credentials (-)

► 40% incorporated malware (-)

► 35% involved physical attacks (+)

► 29% leveraged social tactics (+)

► 13% resulted from privilege misuse and abuse (=)

► 2% resulted from error (+)

► 92% perpetrated by outsiders (+)

► 14% committed by insiders (+)

► 1% implicated business partners (=)

► 7% involved multiple parties (=)

► 19% attributed to state-affiliated actors (+)

Source: 2013 Data Breach Investigations Report, Verizon

Page 13

Victims and commonalities

► 37% of breaches affected financial organisations (+)

► 24% of breaches occurred in retail environments and restaurants (-)

► 20% of network intrusions involved manufacturing, transportation, and utilities (+)

► 20% of network intrusions hit information and professional services firms (+)

► 38% of breaches impacted larger organisations (+)

► 75% driven by financial motives (-)

► 71% targeted user devices (+)

► 54% compromised servers (-)

► 75% considered opportunistic attacks (-)

► 78% of intrusions rated as low difficulty (=)

► 69% discovered by external parties (=)

► 66% took months or more to discover (+)

Source: 2013 Data Breach Investigations Report, Verizon

Page 14

Reported trends (1)

► Small businesses are the path of least resistance

– Information, IP and capital

– Provide the ability to leapfrog into business partners

– Compromise websites and use as watering holes

► Malware authors acting as Big Brother

– Translate information into money

– Leverage information for targeted attacks

► Mobile malware increasing: 58% increase in 2012

– Not predicated on operating system vulnerabilities

– Android: market share, openness of platform, multiple distribution methods of infected apps

► Exploitation of zero-day vulnerabilities, e.g. Stuxnet variants, Elderwood

► Attribution and motivation becoming difficult, e.g. DDoS

Source: Internet Security Threat Report 2013 (Volume 18), Symantec

Page 15

Reported trends (2)

► Top priorities: Prevention of Security Breaches and Protection of Information

► 91% of companies had at least one external security incident, 85% reported internal incidents

► Cost of a serious incident: large company an average of $649k, SME ~ $50k

► Successful targeted attack: large company $2.4m, SME approximately $92k

► Significant proportion of incidents resulting in the loss of data were internal

– Unpatched software vulnerabilities

– Intentional / negligent actions by employees

– Loss or theft of smart mobile devices

► Personal smart mobile devices remain a significant concern

► Issues

– Inadequate control framework and control implementation

– Inadequate policies, compliance, enforcement and understanding

Source: Global Corporate IT Security Risk: 2013, Kaspersky Lab

Page 16

Risk management strategy

► 81% of US organisations surveyed state that they have a significant or very significant commitment to risk-based security management

► Protection of intellectual property (88%) and minimization of regulatory and legal non-compliance (78%) are the top critical business objectives

► Actual risk-based security management deployment is growing slowly: 47% have no or only an informal security risk management strategy

► CISO or CSO has responsibility for security risk management in 67% of organizations

► 20% have business leaders responsible for risk

► 56% believed that IT complexity has a significant impact on organizational ability to perform risk-based security management

► 60% believed that risk-based security management helps align security with business objectives but

► 62% don’t believe that their organizations actually are aligning the two!


Source: The State of Risk-based Security Management: US & UK, Ponemon Institute 2013

Page 17

20 Critical Security Controls for Effective Cyber Defense

1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations (H/W and S/W) on Mobile Devices, Workstations, Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Device Control
8 Data Recovery Capability
9 Security Skills Assessment
10 Secure Configurations for Network Devices
11 Limitation and Control of Network Ports, Protocols and Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance, Monitoring and Analysis of Audit Logs
15 Controlled Access based on the Need to Know (Least Privilege)
16 Account Monitoring and Control
17 Data Loss Prevention
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises

Source: The Critical Security Controls, SANS

Page 18

2013: Global Risk Landscape

Page 19

“The Dark Side of Connectivity Constellation”

Source: World Economic Forum Global Risks 2012

Page 20

“Digital Wildfires in a Hyper-connected World Constellation”

Source: World Economic Forum Global Risks 2013

Page 21

2013: The risk interconnection map

Source: World Economic Forum Global Risks 2012

Source: World Economic Forum Global Risks 2013

Page 22

Conclusions

► Organizational disconnect between perception and reality a major concern

► Top down Senior Management understanding, involvement & support essential

► Security risk management must be strategized with effective governance

► Cyber risk is complex but understanding risk exposure is less so

► Cyber risk mitigation needs to be considered as part of the bigger risk picture

► Increased expenditure does not always mean reduced exposure: spend wisely

► Remediating fundamental weaknesses is essential, as they are the easiest to exploit

► Increased communication, co-operation and collaboration required

► Threat vectors being adapted to attack targets, directly and indirectly

► Detective and corrective controls required, preventative controls not enough

► People need their awareness raised as they’re typically the weakest link

► Government scrutiny of cyber risk management increasing: Resilience

► Regulatory & legal requirements will increase as will penalties & compensation


Page 23

Key message

Page 24

“You get what you settle for.” Thelma and Louise

Page 25

Q&A

Page 26

www.lloyds.com

[email protected]