PWC - Cyber Security and Business Continuity Management

The document discusses cyber security and business continuity management. It introduces the PwC team working in this area and provides their interpretation of cyber security. It then discusses common cyber attacks seen in Vancouver and recent global cyber incidents. It also outlines the main cyber adversaries and shares insights from PwC's Global State of Information Security Survey in 2016 related to Canada.


www.pwc.com/ca

EPICC

Cyber Security and Business Continuity Management
October 2016
Meet the team

Cyber security is top of mind for many organizations, and we're seeing a large number undertaking initiatives to address risk. For some, these initiatives lead to tailor-made processes and controls to address that risk.

Ed Matley, Director, Risk Assurance
Edward is a Director in PwC's Risk Assurance practice, based in Vancouver. He leads our Business Resilience practice in Western Canada.

Marie Lavoie Dufort, Associate, Risk Assurance
Marie is an Associate in Vancouver's Risk Assurance practice. She focuses on Business Resilience projects, with a particular focus on crisis management and communication.

Cybersecurity and Business Continuity Management October 2016


Our interpretation of Cybersecurity

Definition:
Cyber security is not just about technology and computers. It involves people, information systems, processes, culture and physical surroundings as well as technology. It aims to create a secure environment where businesses can remain resilient in the event of a cyber breach.

Cybersecurity and IT security are synonymous. They both relate to securing an organization's IT systems.

True / False

Cybersecurity is achieved by securing digital assets with the use of robust firewalls to prevent potential attacks.

True / False

Cybersecurity is the responsibility of the CIO or Head of IT in an organization.

True / False

Cyber attacks are caused by individual hackers who want to steal valuable information.

True / False

What incidents are we seeing in Vancouver?

E-mail Phishing / Spear Phishing
Email phishing attacks regarding payment requests have impacted numerous clients in recent months, resulting in millions of dollars of financial fraud.

Malicious Software
Laptops, desktops and handheld devices are being compromised using malicious software, resulting in exfiltration of sensitive and confidential corporate documents and intellectual property.

Internal Attacks
Disgruntled employees sabotaging information systems, impacting the company's business operations.

Recent global incidents

- JP Morgan: about 76 million households affected
- Home Depot: about 56 million customers' debit and credit card information compromised
- eBay: 233 million users' information compromised

"Russians behind JPMorgan cyber attack: 'It scared the pants off many people'" (Washington Times, October 2014)

Organizations today face four main types of cyber adversaries

Nation State
  Motives: Economic, political, and/or military advantage
  Targets: Trade secrets; Sensitive business information; M&A information; Critical financial systems
  Impact: Loss of competitive advantage; Regulatory inquiry/penalty; Disruption to critical infrastructure

Organized Crime
  Motives: Immediate financial gain; Collect information for future financial gains
  Targets: Financial / payment systems; Personally identifiable information; Payment card information; Protected health information
  Impact: Regulatory inquiry/penalty; Consumer and shareholder lawsuits; Brand and reputation; Loss of consumer confidence

Hacktivists
  Motives: Influence political and/or social change; Pressure business to change their practices
  Targets: Corporate secrets; Sensitive business information; Critical financial systems
  Impact: Disruption of business activities; Brand and reputation; Loss of consumer confidence

Insiders
  Motives: Personal advantage, monetary gain; Professional revenge; Patriotism; Bribery or coercion
  Targets: Sales, deals, market strategies; Corporate secrets; Business operations; Personnel information; Administrative credentials
  Impact: Trade secret disclosure; Operational disruption; Brand and reputation; Loss of consumer confidence

The Global State of Information Security Survey 2016

Respondents: 10,000 (18% increase compared to 2014)
- 51% C-suite level
- 15% Director level
- 34% Other (e.g. Manager, Analyst, etc.)
- 39% Business and 61% IT

Industries represented: 17. Top 5:
- 22% Technology
- 10% Financial Services
- 8% Consulting / Prof. Services
- 7% Engineering / Construction
- 7% Consumer Products & Retail

Reported annual revenues:
- 34% at least US$1B
- 48% US$25 to $999M
- 26% less than US$100M
- 3% non-profit

The Global State of Information Security Survey 2016
2016 Canadian insights at a glance

- 160% increase in detected incidents in Canada (over 2014)
- Incidents attributed to foreign nation-states increased the most (up 67% over 2014), while employees continue to be the most cited source of incidents (66%)
- Customer records continue to be the most targeted data (36%)
- Attacks on IoT devices and systems are on the rise
- Security spending increased by 82% over 2014, currently at 5% of IT spend
- Average financial loss due to detected incidents is $1M (18% decrease from 2014)

The Global State of Information Security Survey 2016

- Have an overall information security strategy: 65% / 58%
- Have a CISO in charge of security: 50% / 54%
- Employee training and awareness programs: 57% / 53%
- Conduct threat assessments: 50% / 49%
- Have security baselines / standards for third parties: 55% / 52%
- Active monitoring / analysis of security intelligence: 54% / 48%

Risk-based frameworks can help organizations design, measure and monitor progress towards an improved cyber program

- NIST Cybersecurity Framework: 41% / 35%
- ISO 27001: 29% / 40%
- SANS Critical Controls: 24% / 28%
- ISF Standard of Good Practice: 22% / 26%
- Other: 17% / 18%
- None: 8% / 8%
- Do not know: 13% / 11%

Risk-based frameworks can help organizations design, measure and monitor progress towards an improved cyber program

NIST Cybersecurity Framework
A voluntary framework based on existing standards, guidelines, and practices, for reducing cyber risks to critical infrastructure.

ISO 27001
The ISO 27000 family of standards helps organizations keep information assets secure.

SANS Critical Controls
The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive and dangerous attacks. A principal benefit of the Controls is that they prioritize and focus a smaller number of actions with high pay-off results.

ISF Standard of Good Practice
The ISF describes its Standard of Good Practice for Information Security as the most comprehensive information security standard in the world, providing more coverage of topics than ISO.
Risk-based frameworks and controls

NIST Cybersecurity Framework
- Response plans (Incident Response and Business Continuity)
- Recovery plans (Incident Recovery and Disaster Recovery)

ISO 27001
- Information security aspects of business continuity management
- Information security continuity

SANS Critical Controls
- Incident response and management

ISF Standard of Good Practice
- Business continuity strategy
- Business Continuity Program
- Resilience
- Crisis Management
- Risk Assessment
- Business Continuity Planning
- Business Continuity Arrangements
- Business Continuity Testing
Integrating Cybersecurity and BCM

What is BCM?

A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

The Business Continuity Management Lifecycle

Shows the stages of activity that an organization moves through and repeats, with the overall aim of improving organizational resilience (the hub of the lifecycle diagram).

Current developments in BCM

WEF Global Risks Report: respondents were asked to select the three global risks that they believe are the most likely to occur in North America.

Cyber attacks are top of mind.

Current developments in BCM

Pros and cons

Pros (+):
- Clarity
- Efficiency
- Risk Management

Cons (-):
- Level of detail
- Organizational silos

Analysis

Objective:

1. Business impact analysis: identify and prioritize the most time-sensitive business activities.
2. Continuity requirements: what resources does our organization need?
3. Risk assessment: limit the impact of disruptions on an organization's key services.

Analysis
Integrating cybersecurity and BCM

1 Analysis
- Identification of "crown jewels" information assets
- Engaging IT resources early
- Performing an explicit cyber risk assessment
- Identification of operational control gaps

Design

Objective:
Identifies and selects appropriate tactics to determine how
continuity and recovery from disruptions will be achieved.

Design
Integrating cybersecurity and BCM

1 Design
- Is the BCP program team a cyber security threat?
- Are appropriate security resources included in the BCP program?
- Is there appropriate physical security for facilities and logical security over data?
- Consider security in IT recovery strategy selection
- Cyber considerations for third party selection
- Integration of incident management team / escalation

Implementation

Objective:
Executes the agreed strategies and tactics through the process of
developing the Business Continuity Plan.

Implementation
Integrating cybersecurity and BCM

1 Implementation
- Do you need more than one incident management process?
- Consider controls required to protect Personally Identifiable Information (PII)
- Consider requirements to control where/how information is posted during a crisis
- Ensure that leadership and IT response teams have regular touchpoints
- Ensure that crisis communications for cyber incidents are aligned with the overall program
- Recording of activities

Validation

Objective:
Confirms that the BCM programme meets the objectives set in the BC policy and that the organization's BCP is fit for purpose.

Validation
Integrating cybersecurity and BCM

1 Validation
Use cybersecurity incident as an exercise scenario
Integrate audit / reviews / post incident reviews
Consider impact on maintenance update frequency

Policy and programme management

Objective:
The start of the BCM lifecycle. It is the professional practice that defines the organizational policy relating to BC and how that policy will be implemented, controlled, and validated through a BCM programme.

Policy and programme management
Integrating cybersecurity and BCM

1 Policy and programme management

Policy alignment
Integration
Use of cyber resources on program team

Embedding business continuity

Objective:
Ongoing activity resulting from the BCM policy and programme
management stage of the BCM lifecycle. It seeks to integrate BC into
day-to-day business activities and organizational culture.

Embedding business continuity
Integrating cybersecurity and BCM

1 Embedding Business Continuity
- Senior management posture
- Awareness: bang for your buck
- Develop the organisation's intuition

Questions?

Thank you!

Marie Lavoie Dufort
Associate, Risk Assurance Services
Tel: 604 806 4195
Email: Marie.Lavoie.dufort@ca.pwc.com

Edward Matley
Director, Risk Assurance Services
Tel: 604 806 7634
Email: edward.matley@ca.pwc.com

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the
information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the
accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members,
employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to
act, in reliance on the information contained in this publication or for any decision based on it.

2014 PricewaterhouseCoopers LLP. All rights reserved. In this document, PwC refers to PricewaterhouseCoopers LLP which is a member firm of
PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.
