Lessons from 2018 BDO/AusCERT Survey: It's Dangerous To Go Alone

Leon Fouche and Mike Holm

30 MAY 2019


Page 1

Lessons from 2018 BDO/AusCERT Survey: It's Dangerous To Go Alone

Leon Fouche and Mike Holm

30 MAY 2019

Page 2

AGENDA

1. Global risk landscape
2. Australian threat landscape
3. Impacts from increased security investments
4. Impacts from legislative changes
5. Final thoughts

Page 3

WEF GLOBAL RISK LANDSCAPE 2019

Page 4

AUSTRALIAN THREAT LANDSCAPE

Page 5

SOURCES OF INCIDENTS – 2016 TO 2019

Respondents anticipate an increase in incidents at third party providers in 2019

[Chart: Most likely sources of incidents - 2018 vs 2019. Series: Most likely in 2018, Most likely in 2017, Most likely in 2016, Expected for 2019. Y axis: 0% to 70%.]

Cyber criminals were the most likely source of incidents last year, but respondents are much less concerned about them over the coming year

Page 6

INCIDENTS EXPERIENCED – 2018 VS 2019

Phishing remains a concern for industry: 2018 saw a 200% increase in phishing incidents compared to what was expected

Concern about unauthorised external access: respondents expect a 110% increase this year

Increased concern about data loss and theft of confidential information: respondents expect a 260% increase this year

[Chart legend: Expecting in 2019, Experienced in 2018]

Page 7

DATA BREACHES - 2018

2018 saw a 79% year-on-year increase in data loss and theft of confidential information

[Chart: Types of information breached - 2018. Categories: Contact information; Identity information; Financial information; Other; Health and medical records; Protected, confidential or security classified information. Y axis: 0% to 50%.]

Over 1 in 4 data breaches disclosed information that directly facilitates identity theft

Over 1 in 10 data breaches disclosed information that directly enables financial fraud

Page 8

DATA BREACH IMPACTS – 2017 VS 2018

[Chart: Data breach impacts experienced - 2017 vs 2018. Categories: A ransom had to be paid; Fined for non-compliance; Legal exposure / lawsuit; Intellectual property / trade secrets stolen; Customer records compromised; Employee records compromised; Notification of breaches to the privacy commissioner made; Websites taken off line; Brand / business reputation damaged; Access to information / systems lost for several days; A data recovery exercise was required; Access to information / systems lost for less than a day. Series: 2017, 2018. X axis: 0% to 30%.]

Breaches of employee and customer records increased significantly in 2018

Reputational damage increased significantly as a result of data breaches in 2018

Page 9

IMPACTS FROM INCREASED SECURITY INVESTMENTS

Page 10

CONTROL INVESTMENTS: GOVERNANCE – VISIBILITY OF RISK

12% year-on-year increase in both 3rd party risk assessments and cloud security standards

Increased focus on procedural and governance controls

Cyber security awareness programs have been adopted nearly 20% more often compared to 2017

[Chart: Implementation of processes and standards - 2016 to 2018. Controls: IT / cyber security policy; IT / cyber security standards / baselines for third parties; Cloud security standards; Regular cyber security risk assessments; Third party / vendor risk assessment; Patch management processes; Cyber security risk reporting to the Board / Executives; Chief Information Security Officer (CISO); Cyber security awareness program. Series: Already or currently being adopted, Plan to implement within next 24 months, Never or do not know, Implemented in 2017, Implemented in 2016. Y axis: 0% to 100%.]

Page 11

CONTROL INVESTMENTS: PREVENTION - REDUCING LIKELIHOOD

[Chart: Implementation of technical controls - 2016 to 2018. Series: Already or currently being adopted, Plan to implement within next 24 months, Never or do not know, Implemented in 2017, Implemented in 2016. Y axis: 0% to 100%.]

Securing email systems (AV and email filtering) is the most mature control, but it is not stopping phishing

Adoption of privileged account management and identity and access management fell in 2018

Page 12

CONTROL INVESTMENTS: RESPONSE – REDUCING IMPACT

Organisations need to focus more on planning and preparing for incidents

[Chart: Implementation of incident response capabilities - 2016 to 2018. Capabilities: Security operations centre; Cyber security incident response plan; Cyber security incident response team / capability; Business continuity plan; Disaster recovery plan. Series: Already or currently being adopted, Plan to implement within next 24 months, Never or do not know, Implemented in 2017, Implemented in 2016. Y axis: 0% to 100%.]

Page 13

IMPACTS FROM LEGISLATIVE CHANGES

Page 14

REGULATORY LANDSCAPE – CONFIDENCE

Most organisations required to comply with the NDB Scheme are completely confident in their ability to meet their reporting obligations

[Chart: Confidence in meeting NDB Obligations - 2017 vs 2018. Categories: Completely, Mostly, Almost, Mostly not, Absolutely not. Series: 2017, 2018. Y axis: 0% to 60%.]

Almost 1 in 10 organisations required to comply with the NDB scheme have made a breach notification to the OAIC

Page 15

REGULATORY LANDSCAPE – INCREASED MATURITY

Organisations required to comply with the NDB or GDPR adopt controls at a significantly higher rate than organisations that do not have to comply

[Chart: How Data Breach Compliance Requirements Affect Adoption Of Security Controls - 2018. Controls: Patch management processes; IT / cyber security standards / baselines for third parties; Third party / vendor risk assessment; Security information and event management system (SIEM); Cloud security standards; Cyber insurance; Security operations centre; Chief Information Security Officer (CISO). Series: Required to comply, Not required to comply. Y axis: 0% to 100%.]

With a 74% rise in data breaches through 3rd parties, NDB-bound organisations are focussing on third party standards, policies, plans and processes

Page 16

REGULATORY LANDSCAPE – PREPAREDNESS

[Chart: NDB preparation activities in 2017 vs 2018. Activities: Tested the organisation's Data Breach Response Plan; Developed a process to determine how to manage the different steps of a data breach notification; Created a Data Breach Response Plan; Developed a process to determine who needs to be notified (i.e. Office of the Australian Information Commissioner, affected individuals, etc.); Developed a process to determine when a data breach notification needs to be made. Series: Already implemented in 2018, Already implemented 2017, Planned to implement in the next 12 months 2017. X axis: 0% to 70%.]

Despite developing plans, less than half of organisations have ever tested them

Most organisations required to comply with the NDB Scheme now have a data breach response plan

Page 17

FINAL THOUGHTS

Page 18

PREVENTION VS RESPONSE: SHIFT TO REDUCING IMPACT

[Chart: Planning & Preparation - Reduction of Incident Impacts. Impacts: A data recovery exercise was required; Access to information / systems lost for several days; Brand / business reputation damaged; Websites taken off line. Series: With IR Plan & Capability, Without IR Plan or Capability. Y axis: 0% to 100%.]

Without prior Planning and Preparation, organisations are significantly less likely to detect data breaches

Organisations with an IR plan and capability in place detected over 3.5x as many data breach incidents as organisations

Planning & Preparation reduces downtime and reputational impact and shortens incident durations

Page 19

QUESTIONS?

Survey results: www.bdo.com.au/en-au/cyber-security/2018-2019-cyber-security-survey-results