Cyber Security


The heart of the matter

We live in an increasingly data rich society where information is more accessible and shared than ever before. However, at the same time, the need for this information to be protected from misappropriation is vital.

Advances in technology mean that organisations are increasingly dependent on information to meet the needs of customers and citizens. The ways of securing and protecting this information, however, have not kept pace, nor recognised the critical importance of non-IT related aspects of effective Information Security. 


We find the following common key issues in many organisations we work with.

A lack of management priority and clear commitment

Information Security is often regarded as solely an IT issue

An inconsistent approach to information risk management

A lack of control over information in the ‘extended enterprise’

Information Security is uncoordinated with the rest of the organisation

A myriad of IT applications, databases and spreadsheets

Cyber Crime... Cyber Defences

Hardly a day goes by without some news item about a data breach or about new types of cyber-attacks. Criminals and terrorists are targeting the cyber-world as a new market and organised crime is known to be investing in cyber capabilities with malicious intent. Local companies have not been spared. There have been several cases involving substantial financial losses as a result of various incidents, primarily involving the following causes:

Lack of an incident response mechanism

Lack of training on how to behave and operate during an incident

Lack of experience in handling an incident

Lack of analytical resources involving digital forensic technologies and expertise

Our service offerings

Our core strength in delivering pragmatic enterprise security for our clients comes from a combination of:

  • The ability to bring together a diverse range of skills and experiences from across our firm.
  • The ability to provide truly independent trusted advice.
  • The ability to leverage our global skill base to deploy consistent capabilities in 120 countries.

 

Our team delivers solutions that generate real business benefit by addressing legal and regulatory issues, mitigating business and technology risks and improving business performance through automation and simplification of security related business processes.


Information Risk Management

Information risk assessment services

We can help our clients carry out an information risk assessment using proven methodologies to identify critical assets and business processes, evaluate the risk exposure and assist our clients to align their processes to their risk appetite.

 

Information risk assessment review and design

An information risk assessment is a continual process, and we can help our clients to implement a programme to assess the risks on a periodic basis and take the necessary measures to reduce the risks to an acceptable level.

 

Data leakage review

The leakage of critical business data can lead to a disaster for our clients. We can assist our clients either by reviewing their current approach to preventing data leakage and protecting their critical assets, or by helping them to investigate a data leakage incident.

 

Business Continuity Plan

Our clients often need assistance in designing a Business Continuity Plan to respond to an emergency, deploy backup operations and carry out a post-disaster recovery to ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation after a reasonable period of time.

 


Security Management

Security strategy development

We can assist our clients by assessing their primary Information Security functions, identifying root causes of common pain points, developing a future state vision and strategic objectives, creating a services maturity roadmap needed to achieve the client’s desired future state, and providing tactical recommendations based on services interdependencies, key issues and the risk appetite of the organisation.

 

Organisational review

PwC assists clients in addressing common issues by establishing the right management structure for security, taking into consideration size, complexity, maturity, existing culture and relationships with external organisations.

 

Security metrics design

In addition to ensuring that our clients’ security objectives are aligned with their business objectives, we can assist our clients in identifying the security metrics that would permit them to measure their security effectiveness.

 

Physical and environment security review

Critical systems are often hosted by our clients in data centres and managed remotely. Yet, the physical and environmental security of these facilities is of utmost importance. We can assist our clients by reviewing the physical and environmental security controls implemented at these facilities and assessing them against best practices and industry standards.

 

Management reporting design

Through our client experience, we know that management needs timely, accurate and concise reporting. We can advise our clients during the design of manual and/or automated reporting capabilities that would provide management with the right tools and information to effectively manage their business. 

 

Managing the outsourcing

We have found that businesses’ outsourcing expectations are often not met because the organisation and the outsourcing service provider each have different needs and goals. During the transition to a managed security services provider, we provide strong business process knowledge to help organisations achieve a cost-effective transformation in both processes and technology.

 

Return on investment review

A return on investment review states the non-financial benefits, financial benefits and costs of Information Security or a security initiative to an organisation.  Our clients request this service to justify the budget set for security projects, to assist in project appraisal and selection, and to provide general input for the management of Information Security.

 


Compliance and Awareness

Data Classification, Policy and standards review and development

A sound set of policies, standards, procedures and security baselines is an important component in the client’s security strategy to ensure that their operations are aligned to their objectives. We can assist our clients either by supporting the development of the policy set or by reviewing existing policies and recommending improvements.

 


Threat and Vulnerability Assessment

Vulnerability scanning

Externally facing systems need to be adequately protected against malicious attacks. Clients may be required to prove or may want to gain assurance that their systems are not susceptible to known vulnerabilities.

 

Penetration testing

Traditionally, security penetration testing has been a technically focused assessment technique that tests systems in isolation. We can assist our clients using a structured security penetration testing methodology. 

 

Web application security assessment

Organisations are re-using their web-based environments for the deployment of internal and external (client-facing) applications. This paradigm shift resulted in a parallel shift in security. Whereas past attacks targeted networks, today’s attacks are targeting the applications that run on top of them. The increasing use of intranet and internet deployment of web-based applications exposes these companies to different risks that need to be carefully assessed and addressed.

 

PwC’s threat and vulnerability management practice is dedicated to the critical task of protecting the enterprise. The activities in this area range from traditional firewall and host security mechanisms to dealing with the increased security risks that are an outgrowth of ever-expanding network infrastructures.

 


Architecture, Applications and Network Security

When it comes to the core technology security challenges, our Architecture, Applications and Network Security team really knows how to deliver. Encompassing experience across all the layers of the security environment, our team is able to provide advice that addresses the detailed technical and industry sector challenges and helps our clients to align security to their broader technology and business control environment.

 


Incident Response and Forensic Investigation

PwC draws on specialised forensic experts with deep technical and security backgrounds who are experienced in complex investigations.  

The diagram below depicts typical services and expertise available to clients. 

 

 

PwC is the trusted partner you can turn to for assistance in preventing an incident or to deal with an incident and to recover effectively and minimise damage.

 

01. Cyber Investigations

PwC is equipped with the resources and expertise needed to assist a client during a cyber-incident. Thanks to what we call the Internet of Things (IoT), we are constantly exposed to threats that can severely affect our operational capabilities.

 

02. Insider Investigations

Research consistently shows that insider threats are the most common as well as the most damaging of all the digital threats analysed. Organisations need to continuously apply controls to make sure that no internal staff member can use the organisation's digital and physical assets to undermine it. The most common situations involve the copying or manipulation of data and fraud.

 

03. Malware Attacks

Malware is a lethal tool that cyber criminals resort to in order to deliver widespread automated attacks on their victims. Using malicious software, criminals and terrorists have been able to hit out at a wide range of victims.

 

04. Social Engineering Methods

Social Engineering is the art of psychologically manipulating human activity. Technology today allows for an attack without the need for physical presence or physical action.

 

05. Evidence Preservation

Procedures used during disaster recovery and business continuity plans usually change or erase evidence pertaining to the incident. This presents a critical problem of accuracy and consistency of data during analysis and undermines its use in court prosecutions. 

 

06. Expert Witnessing at Courts

We want to make sure that we are there to assist our clients at all phases of an incident, including during court hearings. Should our client opt to proceed to a court prosecution, our experience and reporting techniques can assist to present the findings of the incident analysis in such a way that is scientifically and forensically sound. We can also provide court testimony during court hearings should it be necessary.

 

07. Incident Response Training

As a proactive measure to minimise damage and preserve evidence if or when an incident happens, PwC offers internal staff training on how to behave during an incident as well as how to preserve the original evidence present at that critical time.

 

08. Consultancy

Corporate cybersecurity incidents are by definition unpleasant, disruptive and stressful for many areas within an organisation: management, IT and operations, as well as anyone who may have been the “weak link” that was exploited.


Contact us

George Sammut
Advisory Partner, PwC Malta
Tel: +356 2564 7091

Keith Cutajar
Advisory, PwC Malta
Tel: +356 2564 4238