PwC - an international network of firms offering consulting and auditing services. Brand exists on
“One expert is not able to build all the information security processes”
- How much has the demand for cybersecurity services increased in recent years?
- The cybersecurity practice at PwC in Russia was formed in early 2010. Over the past five years, the business has grown more than five times in financial terms and more than three times in the number of projects; we are now running about 30 unique projects per year. I have been working in the company since 2014, and during that time we have gone from a small team of five people involved in basic services like compliance auditing to a team of 30 specialized experts plus over 50 specialists in related areas, with whom we work as a single team on complex, strategically important projects for our clients. We are developing cybersecurity strategies and creating cybersecurity operations centers for large companies, including international ones, from various fields.
Compliance (from the English "compliance", meaning "consent, conformity"): action in accordance with a request or instruction; conformity with any internal or external requirements or standards.
In banking, compliance is a system for controlling and managing the risks that arise from non-compliance with legislation, the regulations of regulators and supervisory organizations, the rules of self-regulating organizations and other forms of business association, and internal documents.
- Do IT businesses have a greater understanding of the dangers of cyber threats compared to industry?
- They understand more, but their degree of attention is lower: like any other specialists, their eye is often "blurred". The risks are hidden beneath the volume of change and innovation. For production departments, each element of digitalization is a major change, so they consider it more closely, both in terms of risks and of opportunities. In our projects, IT managers are usually the stakeholders, and production departments or company management are the final recipients of the service.
Photo: Anton Karliner / Haytek
- Why do IT companies hand this function to you? Do they not have enough expertise themselves?
- This is a big problem today, both in Russia and around the world. The shortage of specialists in the field of cybersecurity is enormous; it is measured in millions of people. In addition, instead of the universal cybersecurity expert, separate experts are now distinguished in cloud technologies, in process control systems and technological processes, and in other areas. Due to the complexity of technology, one employee is unable to build all the information security processes in a company. Specialists working in consulting companies have more extensive experience and practice in implementing projects in different industries and in different companies of the same industry, and accordingly have a more complete picture of the risks.
- What will happen next with such an acute shortage of specialists?
- The problem of education is obvious; a lot is written and said about it, and efforts are being made to improve or change the situation. In part, the task of ensuring information security can be solved by automation. Just as companies automate their processes to improve their business, we, for our part, are looking at where we can apply modern technologies so that information security services are provided in a shorter time and on a larger scale.
“Most cyber incidents are hidden out of fear of losing trust”
- What is the main challenge in cyber security now?
- For business, of course, this is cybercrime in all its aspects - both organized groups and hacktivists. The introduction of new technologies is constantly increasing the scale of risk, especially in the protection of intellectual property, of the so-called perimeter of the company, which is gradually being eroded, and in the protection of customers and consumers of services.
- Are there any figures confirming these risks?
- Most cyber incidents are hidden out of fear of losing customer confidence. According to our data, more than half of large Russian companies have been subjected to cyber attacks. Of these, 32% suffered real financial damage: infrastructure or production suffered downtime. According to our study, about 80% of respondents believe that cybersecurity issues and the protection of key data play a crucial role in choosing a service or service provider. In the case of a hack or other incident, consumers quickly switch to another supplier. To return, they need at least a clear explanation of what happened, and in half of the cases some kind of material compensation: paid services or something else. The lack of trust in the digital world is high: in Davos, for example, the issue of trust was highlighted as one of the key issues, and cybersecurity risks ranked among the top 5 global risks.
- And how often are plants attacked?
- According to industry statistics, even less often, because it is better hidden. In the US there is a study, I think conducted by the special services. It says that in the case of a large-scale cyber attack, more than 60 critical infrastructure companies may suffer, and the damage will be $50 billion. But the most frightening figure is the number of potential deaths in the case of a cyber attack - about 2,500. and affect people's health and lives. We all saw what happened in the summer of 2017 with the encryption viruses WannaCry and Petya: they led to a halt of railway transport, airports, and gas stations. In most cases it was the impossibility of accepting payments, but what if it is the carriage of passengers or the provision of medical care? A person may not receive test results or may not fly to some important event. Less visible attacks have become a daily reality: every day the transport industry and retail trade are attacked. Production is also attacked regularly: it is either data theft, or money theft, or disruption of activity.
- Can an attack like Petya and WannaCry be repeated?
- There is a concept in risk management theory, the "black swan": an event that no one predicted, but which, once it happened, looked quite logical. The pace of digitalization, the lack of specialists and the excess of intruders suggest that such events will be repeated in the future; with what frequency is difficult to say.
- In general, the degree of nervousness in the public is very high.
- Yes, total paranoia is increasing, taking into account geopolitical factors and the heating up of this topic in the media. The most difficult thing is that no one knows in which industry, on what scale and with what technology the next attack will happen.
“Leading sectors of the Russian economy are organizing communities for knowledge sharing”
- How do you get insider information? Do you attend any conferences of white-hat or black-hat hackers?
- Opportunities for sharing knowledge are growing. Yes, there are foreign conferences of white-hat and black-hat hackers. But industrial and specialized communities are also being created in Russia, which are actively sharing best practices in the field of protection against cyber attacks. In my experience the most vivid example is in the banking sector. Our company is a member of the Association of Banks “Russia”: it hosts meetings at least once a month, where heads of bank security services exchange experience and work together to solve challenges in the area of cybersecurity legislation. In the metal mining and refining industry and in the oil and gas industry, such knowledge sharing is also gaining popularity.
Leading industries of the Russian economy, without waiting for a special invitation, organize communities to share knowledge. The state has issued a law on critical information infrastructure and is creating a system to which companies related to the objects of this infrastructure should be connected - in fact, all large industrial, technological and financial companies. The system is designed to ensure the rapid collection of data on emerging cyber attacks and to prepare business to repel them quickly.
- And at what stage is this system?
- Companies are aligning themselves with the requirements of the law: they are connected to the centers of the State Council for the Education and Industry, and they build their own systems for monitoring and detecting cyber attacks, and cybersecurity information centers. Everyone tries to solve it in different ways: some with a greater focus on organizational issues and building interaction, others on the technological component and preparation for the fight at the digital level.
- From what size does a business need to think about its security in cyberspace?
- As soon as it starts to earn and bring money to its owner. More precisely, from the moment when the business begins to comply with tax and other legislation. If you do not do this, you can lose it in one second at some point because of a tiny slip in cybersecurity.
- Now it can happen with any business.
- Especially with modern small business, which actively uses cloud products, technologies and analytical data, builds online communications and keeps the history of its activities in the digital space. Any leak can ruin a business.
- And in your opinion, how well protected are state structures and facilities in Russia?
- The state at all levels is giving substantial attention to cybersecurity issues. This is reflected in the everyday life of citizens: security events are held for schoolchildren, students, consumers of public services and retirees as well. Socially oriented companies such as Sberbank, for example, also invest in community education. Our landmark events - the Olympics, the World Cup - were held without tragic stories related to cybersecurity. This gives us confidence that the state is not only aware of the issue, but is also taking the necessary protective measures. At the same time, as a cybersecurity expert, I would like more transparency in the actions of the state. I would like more study and more active use of international experience in the implementation of new initiatives. What is just beginning in Russia - the protection of critical infrastructure, of personal data - already exists in one form or another in other countries, which already have experience and practice in applying such legislation.
“Protect me”: a study conducted by PwC in 2018 in 12 major Russian cities
- 97% of respondents do not trust companies in the protection of their personal information;
- 93% of respondents believe that companies are vulnerable to hacker attacks;
- 88% of respondents are sure that they do not control the amount of personal data that companies collect about them;
- 60% of respondents will no longer deal with a company if their confidential information is stolen as a result of a leak.
- How does this process take place in other countries?
- Now regulators practice active involvement of the industry in the development of new laws and in the solution of practical problems in the field of cybersecurity. They proceed progressively: from a clear verification of the problem, through the development of a coherent approach to solutions, and only then do fixed recommendations appear. The rule is born only at the third stage. In Russia, it seems, the opposite is true: first a rule appears, then we get feedback from industry and business, we learn lessons, and perhaps then we correct something, but not quickly and transparently enough.
- Isn't all this heading toward the creation of an international cybersecurity committee?
- There is definitely such a movement. Within the framework of open events, and through the exchange of knowledge in narrower circles, representatives of various industries, companies and countries are trying to build resistance to international cyber-terrorism. At the same time, the geopolitical situation and the distrust both between different companies and between states make this process very slow and not effective enough. Now the companies that help build cybersecurity and investigate cyber attacks play an important connecting role between business and government.
- What are the new tools for cybercriminals?
- During the last year the main trend has been the use of human factors, weaknesses and mistakes to carry out cyber attacks. A large number of complex attacks are implemented through social engineering, an impact on users first, and only then on the information infrastructure of the company. There is a big risk of attackers using modern technologies - artificial intelligence, machine learning, big data - to create complex attacks. Zero-day vulnerabilities (previously unexploited vulnerabilities) continue to be used, and exploits and attack tools are developed for these vulnerabilities.