Managing your cyber risks and ensuring digital resiliency
We live in an increasingly data-rich society in which information is more accessible and more widely shared than ever before. At the same time, protecting that information from misappropriation is vital. Cyber security has become an integral component of running a business, and a proactive approach is necessary to keep on top of emerging threats.
At PwC Malta, our team of cyber security experts can help you build resilient operations and protect your organisation by identifying and managing cyber risks. We provide the clarity your business needs to confidently adapt to new challenges and opportunities while ensuring your organisation can withstand adverse cyber events and disruptions.
Because we believe that cyber security is a business enabler, we can help you build a secure digital strategy through a combination of both offensive and defensive cyber security services from within our four main pillars: Assessments, Training and Awareness, Auditing and Compliance, and Consultancy.
With the ever-increasing news coverage of data breaches, cyber-attacks and hacking, boards of directors wonder whether they are doing enough to mitigate these emerging risks. Many IT departments have to juggle budgets, resources and skills between delivering business solutions and investing in defences that are often unpopular because they slow things down or get in the way. It is difficult to judge internally whether the balance is right and where the weak spots are.
PwC Malta offers a solution for such cases: a Cyber Security Health Check that follows internally developed methodologies and practices as well as established ones such as ISO 27002. This assessment provides a broad but comprehensive overview of a client's cyber security posture and a measurable Cyber Maturity Rating, highlighting the areas that require improvement as well as those that are well developed. We also provide recommendations that clients should consider on their path to better cyber resiliency.
Malicious actors are constantly probing for weaknesses in your organisation's security perimeter: the exploitable gap that lets them into a network and allows them to compromise sensitive data or critical systems. Today, packaged attack tools make any connection to the Internet an attractive target, and it is no longer only the big brands that receive this unwanted attention.
We can assist clients in finding known security weaknesses within the Internet-facing perimeter, such as web, email and file transfer services, as well as vulnerabilities within the internal network. The latter are equally important, since they may be leveraged by a malicious insider or by an external attacker who has gained a foothold inside the network, for example following a social engineering attack.
While a vulnerability assessment is a good place to start if no prior security testing has been done, a penetration test takes security testing to the next level by checking whether the identified vulnerabilities are actually exploitable and assessing the potential damage of a successful attack.
Our PwC cyber security team includes specialised and certified penetration testers who can simulate an intrusion attempt against your network or critical systems by following established methodologies, posing either as an external attacker or as a malicious insider. Such an assessment is key to giving clients a thorough understanding of the business risk arising from exploitable security weaknesses, translating technical vulnerabilities into measurable business loss.
The web has become a critical aspect of modern IT-driven businesses. Traditional desktop software has largely been replaced by web applications, or web apps for short, which customers and employees alike access through an Internet browser. The increasing dependency on sophisticated web apps has not gone unnoticed by malicious attackers, and neither has the massive increase in e-Commerce sites accelerated by the COVID-19 pandemic.
Our team can assist you in securing internal or external web apps by performing vulnerability assessments or penetration testing, prioritising web-based threats and attacks, such as those in the OWASP Top 10, over traditional network- and infrastructure-oriented attacks. Such an assessment may uncover serious risks such as data exfiltration through SQL injection, or unauthorised actions performed on behalf of a logged-in user through cross-site request forgery.
Wi-Fi is a technology used by everyone, but not everyone truly understands its underlying risks. Organisations rely on wireless connections to give employees access to the corporate network, or to provide Internet access for visitors. Although Wi-Fi provides convenience, it carries various inherent risks that are very often underestimated. For instance, in certain Wi-Fi configurations, such as an enterprise network whose clients do not validate the authentication server's certificate, attackers may be able to capture valid enterprise credentials and leverage them to gain access to your corporate network.
By performing a tailored assessment of the client's Wi-Fi setup, our experts test for wireless vulnerabilities by attempting to exploit weaknesses, and provide you with recommendations on how best to secure both the wireless coverage and the authentication system.
Compliance with standards or regulatory frameworks is quite often a driver of cyber security initiatives and investment. Organisations just starting out on the road to compliance with a set of requirements or control objectives face a challenging task that requires a good understanding of both the business operations and cyber security.
Our experience and expertise make us ideally placed to make this journey easier. By taking a snapshot of your organisation's operations and processes as they stand, we can provide you with a roadmap of the steps needed to bridge the existing gaps and reach the desired compliance-ready state.
Cyber security has become embedded in regulatory frameworks, and organisations are required to have a mature cyber security function that gives external parties such as customers peace of mind. Ensuring that cyber security processes and controls are effective is an ongoing task that usually requires an independent set of eyes from outside the organisation.
PwC's IT security auditing expertise, together with constantly updated knowledge of the regulations in various industries, allows us to provide clients with auditing services that demonstrate compliance from a cyber security perspective. This includes requirements and guidelines issued by the MFSA and the EBA, regulations and directives such as the GDPR and PSD2, and the MDIA's requirements for blockchain-enabled platforms.
In addition to regulatory-driven security audits, we can assist clients with the internal auditing of security programmes and controls against international standards such as ISO 27001, PCI DSS and the NIST CSF. Clients that undergo a yearly re-certification process know that business requirements can easily change from one year to the next, and that the effectiveness of the implemented security controls may be affected as a result. This puts them at risk if the resulting non-conformities are left unchecked before a certification audit.
With expertise in these established standards and pragmatic experience of effective cyber security practices, we help ensure that a client's certification process runs smoothly by identifying any non-conformities beforehand, while providing the recommendations and guidance needed to turn compliance into a value-adding part of the security programme.
SWIFT requires organisations such as banks that operate a SWIFT environment, also referred to as SWIFT users, to attest compliance with all mandatory controls on an annual basis. As of 2021, users must support this attestation with an independent assessment that verifies whether the implemented controls mitigate the relevant cyber security risks. When choosing who will carry out this independent assessment, it is important to ensure that your assessor has the expertise to determine that you have the right controls in place and can guard against the potential damage of a cyber-attack. We recommend an independent cyber security provider that is listed by SWIFT, such as PwC, that is familiar with SWIFT and your industry and can help you understand how you compare with your peers, as well as give you additional insight into security best practices in this space.
Advisory Partner, PwC Malta
Tel: +356 2564 7091