Page 1 EY’s 19th Global Information Security Survey 2016-17 GCAA – Risk Management Seminar 11 th December, 2017 Mohamed Nayaz, Partner, EY Path to cyber resilience: Sense, Resist, React
Page 1
EY’s 19th Global Information Security Survey 2016-17
GCAA – Risk Management Seminar
11th December, 2017
Mohamed Nayaz, Partner, EY
Path to cyber resilience:Sense, Resist, React
The better the question. The better the answer.
The better the world works.
Would you be ready for a cyber attack this morning?
Page 3 25 December, 2017 Cyber resilience for aviation sector
Some statistics…
How prepared is your company to handle a cyber attack?
25%
69%
3%
2%
Fully prepared
Somewhat prepared
Not where we need to be
Unsure
Page 4 25 December, 2017
Evolution of Threats
Cyber resilience for aviation sector
Page 5 25 December, 2017
The EY GISS 2017 in a nutshell.Executive Summary
Cyber resilience for aviation sector
► EY’s 19th Global Information Security Survey:
“Path to cyber resilience: Sense, resist, react”
► Responses were received from 72 countries
and across nearly all industries
► 1735 responses from C-suite leaders,
Information Security and IT executives/managers
Full EY GISS 2017 report can be
found online at ey.com/giss2017
Page 6
Top security breach incidents in the aviation sector
Cybercrime is big business. Today’s attackers:
► Are more organized – they are not just opportunists
► Are patient and sophisticated – they will often gain access and wait until the right moment to pounce
Cyber resilience for aviation sector
Page 7
British Airways, May 2017: Cancelled all flights from Heathrow
and Gatwick following a massive global IT failure.1
Delta Airlines, 8 August 2016: Global computer system outage
caused grounding of airlines for 6 hours, causing large scale
cancellations2
Southwest Airlines, 20 July 2016:Router failure causing large
scale disruptions including system crash, back up failures resulting
in flight delays and cancellations 4
5
LOT, 21 June 2015: Cyber attack caused the grounding of more
than 1,400 passengers in the Warsaw Frederic Chopin Airport6
Vietnam Airlines, 29 July 2016: Website security breach of the
airlines resulted in the loss of confidential data like name, address,
dates of birth of frequent flyers. 3
Top security breach incidents in the Aviation sector (Contd..)
United Airlines, 8 July 2015: Failed computer network router
caused disruptions in airline reservation systems resulting in flight
cancellations and delays
British Airways, 27 March 2015: A cyber attack was carried out
on the airways club executive account and reward points were
redeemed7
Cyber resilience for aviation sector
Page 8
Sector Trends Emerging themes
Nation State and APT Focus
Advanced networks blend OT with IT
on latest aircraft
► A single exploitable routing device may be all that
separates an airliners operational systems from those of
entertainment devices, potentially allowing flight and other
systems to be feasible
► Data management and subsequent data security is a
growing concern in the aerospace sector. Lateral
movement from entertainment networks to those
which control critical plane components
► Cloud-based applications and outsourced software
management can decrease your data management
requirements, but also exposes data to a third party
vendor and their security controls that you don’t
manage
► Nation States are increasingly targeting aerospace
companies (intellectual property, research and
development, business processes)
► Information gained through targeting aerospace companies
could be used for foreign military purposes or to aid another
governments competitive advantage for future targeting
efforts
Data Processing
► Airfields must now respond to incidents of private and
commercial drones affecting controlled airspace
► Nation state actors actively seek to manipulate remotely
piloted aircraft and sensors operated by the defense sector
for political and competitive gains
Drones
Digital Technology Innovation
► Increased investment into automation and information
technology
► Maintenance technologies are allowing less downtime
for maintenance conducted in between flight cycles,
allowing systems to predict, order and ship
components nearing the end of their shelf life
► Growing use of collaboration platforms for more
efficient supply chain planning, HR and admin
functions, which create additional attack vectors for
cyber actors to leverage
Cyber resilience for aviation sector
Page 9
Some statistics on cybersecurity for aviation sector
91%
63%
94%
► Plans to invest in cybersecurity programs over the next three years
► of airlines say cybersecurity is a board-level responsibility
► of airports are investing in cybersecurity incident response management
Source: SITA survey 2016
Cyber resilience for aviation sector
Page 10
Cyber Resilience
Sense► Ability of organizations to predict
and detect cyber threats.
► Cyber threat intelligence
► Active defense
► Need to know what will happen,
and they need sophisticated
analytics to gain early warning
of a risk of disruption.
Resist► The corporate shield
► Starts with how much risk an
organization is prepared to take
across its ecosystem
► Followed by establishing the
three lines of defense:
► First line of defence
► Second line of defence
► Third line of defence
React• If Sense fails and there is a
breakdown in Resist organizations
need to be ready to deal with the
disruption
• Incident response capabilities
• Preserve evidence in a forensically
sound way
• Investigate the breach
• Initiate a claim against perpetrators.
• Bring the organization back to
business as usual in the fastest
possible way
• Learn from what happened, and
adapt and reshape the organization to
improve cyber resilience going
forward.
See the threats comingEstablish corporate shield through
countermeasuresRecover from disruption
Cyber resilience for aviation sector
Page 11
Overall picture
Sense(See the threats coming)
Resist(The corporate shield)
React(Recover from disruption)
Where do organizations
place their priorities?Medium High Low
Where do organizations
make their investments?Medium High Low
Board and C-level
engagementLow High Low
Quality of executive or
boardroom reportingLow Medium Low
Cyber resilience for aviation sector
Page 12
Sense
Page 13
Sense: Predict and detect cyber threats.
56% use functions of a
security operation centre
Majority of organizations improved their
sense capabilities, but some are still just
delivering the basics.
64% do not have, or only have an
informal threat intelligence program
Most organisations have a too much
focus on their own environment and do
not consider the whole cyber ecosystem.
68% would not increase their
cybersecurity spending even
if a supplier was attacked
To improve their threat intelligence,
organisations should share information
and collaborate with other companies
e.g. suppliers and customers; especially
with the rise of the internet of things.
Source: EY’s 19th Global Information Security Survey:
Cyber resilience for aviation sector
Page 14
SOC
Cyber resilience for aviation sector
Page 15
Sense
Cyber resilience for aviation sector
Page 16
Resist
Page 17
Resist: Withstand cyber attacks.
86% say their cybersecurity
function does not fully meet their needs
Most organizations need to improve resist
capabilities to better defend, mitigate and
neutralize cyber attacks.
33% say they need more than
25% additional budget
Although every year budgets increase,
the amounts being spent and required to
invest are also rising.
Meeting organization’s cybersecurity
objectives requires investments into the
right things to close the skill gap and to
create more awareness on the board level.
56% see their main obstacle in
the lack of skilled resources
Source: EY’s 19th Global Information Security Survey:
Cyber resilience for aviation sector
Page 18
Resist: Withstand cyber attacks
What are the main obstacles or reasons that challenge your Information Security
operation’s contribution and value to the organization?
Lack of skilled
resources
57% Budget
constraints
61%
Lack of executive
awareness or support
23%
Management and
governance issues
24%
Lack of quality tools
for managing
information security
24%
Fragmentation of
compliance/ regulation
20%Other 3%
Source: EY’s 19th Global Information Security Survey:
Cyber resilience for aviation sector
Page 19
React
Page 20
Where is the money spent?
Compared to the previous year, which of the following activities does your organization
plan to spend more on over the coming year?
Multiple responses allowed
SIEM and SOC
Threat and vulnerability
management
46%
All sectors
40%
All sectors
Identity and access
management
Incident response
capabilities
43%
All sectors
39%
All sectors
Cloud computing
Business continuity
57%
All sectors
45%
All sectors
Source: EY’s 19th Global Information Security Survey:
Cyber resilience for aviation sector
Page 21
It is critical that companies develop a strong, centralized response framework as
part of their overall enterprise risk management strategy
► The CBRP provides guidance to all lines of businesses involved in the response and can
help ensure that:
► An organization’s business continuity plan is appropriately implemented
► A communication and briefing plan among all internal stakeholders is developed and enforced
► All breach-related inquiries received from external and internal groups are centrally managed
Today’s emergency services: the Cyber Breach Response Program (CBRP)
Cyber resilience for aviation sector
Page 22
Growing cyber threats and implications for Aviation companies
Recover
From cybersecurity event by
restoring normal operations and
services
► Set up recovery plan
► Consider recover infrastructure, restoring data and reconnecting services with minimum disruption
► Routine audits and testing of incident response plan.
Respond
To a potential cybersecurity
event
► Know how to respond to cybersecurity incidents
► Set up a team and internal reporting structure
► Set up incident response plans
Detect
System intrusions, data
breaches and unauthorized
access
► Detect intrusions inside and outside of networks
► Detection strategy to include real time and proactive monitoring of networks, payment systems,
communication channels etc.
Protect
Organizational systems, assets,
and data
► Aviation companies to ensure appropriate safeguards are in place
► Take protection measures like raising awareness and provide trainings
Identify
Internal and external cyber risk► Implement risk assessment including classification of critical information assets, threats,
vulnerabilities, measurement of cyber risks and communication strategy for cyber risks
Cyber resilience for aviation sector
Page 23
What leaders are asking about their cyber security readiness?
Shared
Services
Centers
Regulatory risk
Control failures
Reputation riskInformation
risk
Executive leadership should consider whether the organization’s security framework could
respond to these issues:
How will governments
and regulators respond
to the increasing threat
of information risk?
How would a cyber
attack affect our
reputation and brand?
Could gaps or
weaknesses in our IT
controls and security be
contributing factors?
How will our
organization address
the key risk areas of
security, resilience and
data leakage?
Would using third parties
or shared service
centres increase risks to
our security and IT
sourcing?
IP & data
security
Is our organization
covered against data
leakage, loss and
rogue employees?
The success of a
sophisticated, effective
security strategy lies in the
ability to look ahead to future
opportunities and threats.
Cyber resilience for aviation sector
Page 24
A holistic approach to cybersecurity planning
Enable
► business performance
►Make security everyone’s responsibility.
►Don’t restrict newer technologies; use the forces of change to enable them.
►Broaden the program to adopt enterprise-wide information risk management
concepts.
►Set security program goals and metrics that influence business performance.
Identify the real risks
►Define the organization’s overall risk appetite and how information risk fits.
►Get governance right — make security a board-level priority.
►Allow good security to drive compliance, not vice versa.
►Measure leading indicators to catch problems while they are still small.
►Accept manageable risks that improve performance.
Sustain an enterprise program
►Align all aspects of security (information, privacy, physical and business continuity) with
the business.
►Spend wisely in controls and technology —invest more in people and processes.
►Consider selectively outsourcing operational security program areas.
Optimize for business performance
Protect what matters the most
►Develop a security strategy focused on business drivers and protecting high-value data.
►Assume breaches will occur — improve processes that plan, protect, detect and
respond.
►Balance fundamentals with emerging threat management.
►Assess the threat landscape and develop predictive models highlighting your real exposures.
►Identify the most important information and applications, where they reside and who has or needs access.
Cyber resilience for aviation sector
Page 25
A holistic approach to cybersecurity planning
Threat
Management/ SOC
operations
Technology Security
Assessment
Cloud Security
ReviewData Privacy
Third party risk
assessmentPayment Security
Cyber resilience for aviation sector
Page 26
Thank You
Mohamed Nayaz
Partner
Advisory Services | Cyber & Resilience
Tel. +968 99429679
The full report with all
insights and results of the
EY’s 19th Global
Information Security Survey
2016-17 can be found online
at
ey.com/giss2016-17
Find out more about EY’s cybersecurity services and visit
ey.com/cyber.
Full EY’s 20th GISS 2017-
18 report can be found
online at ey.com/giss2017-
18
Cyber resilience for aviation sector