Companies are under attack. Are they getting cybersecurity right?
As companies pivot toward a digital business model, exponentially more data is generated and shared among organizations, partners and customers. This digital information has become the lifeblood of the interconnected business ecosystem and is increasingly valuable to organizations—and to skilled threat actors. Business digitization also has exposed companies to new digital vulnerabilities, making effective cybersecurity and privacy more important than ever.
PwC offers services that address the challenges organizations face from cybersecurity and privacy threats, organizational change, and regulatory requirements.
As organizations digitize their information, the digital landscape becomes a new attack vector for crime, activism, and terrorism. Critical information that passes through the cyber landscape offers malicious actors a trove of valuable data that they can obtain illegally and use for their own purposes.
Because organizations widely use web and mobile applications to spread information and promote themselves, these applications have become an attack vector for malicious actors focused on defacement, man-in-the-middle attacks, or theft of customer information, any of which may cause reputational damage to the organization.
As cybersecurity incidents become more common, they pose a real threat to organizations and have gained the attention of board-level management and audit committees, pushing them to strengthen cybersecurity defenses to prevent irreversible damage such as data breaches and data leakage that would harm the organization’s reputation.
The interconnection of devices and the internet has made it easy for organizations to reach their customers and employees, but this setup introduces security concerns in the organization’s network. Malicious actors can use vulnerabilities in these areas to gain unauthorized access and obtain company and customer information.
An increasing number of organizations now use cloud services to host their data and applications because of the efficiency and cost-effectiveness this setup provides. With this in mind, organizations have to ensure that data and transactions processed through the cloud service meet the organization’s cybersecurity standards to protect customer data and other critical information.
As cyber attacks become more complex, fewer skilled people and resources are able to keep up with these newer threats. Organizations put constant effort into strengthening their cybersecurity defenses, policies, and practices by relying on knowledgeable personnel who understand how cyber attacks work.
Governments impose regulatory requirements on organizations and levy heavy fines and penalties on those who do not comply. Organizations are required to protect customer information not only for their own resilience, but also because the law demands it.
Organizations need to address both the resilience of the business to cyber attacks and the regulatory requirements that governments place on them. Doing so covers both the operational and the compliance aspects of cybersecurity resilience.
Perform a review and assessment of the policies currently in place in the organization and identify gaps when compared with a selected baseline standard such as ISO/IEC 27000 or the NIST Cybersecurity Framework (CSF). Assess whether policies and their implementing procedures are non-compliant, partially compliant, or fully compliant with the baseline standard.
Perform black-box to gray-box Vulnerability Assessments on the client network, web applications, mobile applications, wireless LAN connections, VoIP devices, servers and workstations, whichever covers the organization’s requirements, to identify weaknesses. Subsequently perform Penetration Testing to check whether publicly available and advanced exploits can be used against these vulnerabilities to gain access, perform unauthorized transactions, or exfiltrate critical data from the organization. Report these weaknesses and exploits to client management and work with the IT department to remediate and retest the observations.
Perform campaigns or simulations that assess the social engineering awareness of an organization’s employees by testing how they react when a social engineering attack is directed at them. This scope also includes assessing the security hygiene implemented in the organization, testing tolerance to unauthorized physical intrusion, and conducting security awareness training for employees as required or requested by the organization.
Eugene Jerome V. Tan
Risk Assurance Senior Manager, PwC Philippines
Tel: +63 (2) 8845 2728