“The shortage of specialists in the field of cybersecurity is estimated in the millions”: Roman Chaplygin, PwC in Russia

PwC is an international network of firms offering consulting and audit services. The brand has existed for more than 160 years, and it is one of the so-called Big Four audit companies. The network is headquartered in London.

“One expert is not able to build all the information security processes”

- How much has the demand for cybersecurity services increased in recent years?

- The cybersecurity practice at PwC in Russia was formed in early 2010. Over the past five years, the business has grown more than five times in financial terms and more than three times in the number of projects; we are now running about 30 unique projects a year. I have been working in the company since 2014, and during that time we have gone from a small team of five people handling basic services like compliance auditing to a team of 30 specialists plus more than 50 specialists in related areas with whom we work as a single team on complex, strategically important projects for our clients. We are developing cybersecurity strategies and creating cybersecurity operations centers for large companies, including international ones, from various fields.

Compliance is action in accordance with a request or instruction: adherence to any internal or external requirements or norms.

In banking, compliance is a system for controlling and managing the risks that arise from non-compliance with legislation, the regulations of regulators and controlling organizations, the rules of self-regulating organizations and other forms of business association, and internal documents.

- Do IT businesses have a greater understanding of the dangers of cyber threats than industry does?

- They understand more, but their degree of attention is lower: like any other specialists, their eyes often get “blurred”. The risks are hidden under the volume of change and innovation. For production departments, each element of digitalization is a major change, and they consider it more closely both in terms of risks and opportunities. In our projects the IT managers are usually the stakeholders, and the production departments or company management are the final recipients of the service.

Photo: Anton Karliner / Haytek

- Why do IT companies hand this function to you? Do they not have enough expertise themselves?

- This is a big problem today, both in Russia and around the world. The shortage of specialists in the field of cybersecurity is enormous; it is measured in millions of people. In addition, instead of the universal cybersecurity expert, separate experts are now distinguished: in cloud technologies, in process control systems and industrial processes, and in other areas. Because of the complexity of the technology, one employee is unable to build all the information security processes in a company. Specialists working in consulting companies have more extensive experience and practice in implementing projects in different industries and in different companies within the same industry, and accordingly have a more complete picture of the risks.

- What will happen next with such an acute shortage of specialists?

- The problem of education is obvious: a lot is written and said about it, and effort is being applied to it. Part of the task of ensuring information security can be automated. In the same way that companies automate their processes to improve their business, we, for our part, are looking at where we can apply modern technologies so that information security services are delivered in a shorter time and on a larger scale.

“Most cyber incidents are hidden out of fear of losing trust”

- What is the main challenge in cyber security now?

- For business it is, of course, cybercrime in all its aspects, both organized groups and hacktivists. The introduction of new technologies is constantly increasing the scale of risks, especially in the area of intellectual property protection, in the so-called company perimeter, which is gradually being eroded, and in the protection of customers, the consumers of services.

- Are there any figures confirming these risks?

- Most cyber incidents are hidden out of fear of losing customer confidence. According to our data, more than half of large Russian companies have been subjected to cyber attacks. Of these, 32% suffered real financial damage: infrastructure or production suffered downtime. According to our study, about 80% of respondents believe that cybersecurity and the protection of key data play a crucial role in choosing a service or service provider. In the case of a hack or other incident, consumers quickly switch to another supplier. To return, they need at least a clear explanation of what happened, and in half of the cases some kind of material compensation: paid services or something else. The lack of trust in the digital world is high: in Davos, for example, the issue of trust was highlighted as one of the key ones, and cybersecurity risks ranked among the top 5 global risks.


- And how often are plants attacked?

- There are even fewer statistics on industry, because it hides attacks better. In the United States there is a study, I think conducted by intelligence agencies, which says that in the event of a large-scale cyberattack more than 60 critical infrastructure companies would be affected and the damage would amount to $50 billion. But the most frightening figure is the number of potential deaths in the event of a cyberattack: about 2,500. That is, threats in the digital world can materialize in the real world and affect people's health and lives. We all saw what happened in the summer of 2017 with the WannaCry and Petya ransomware, which led to the shutdown of railway transport, airports and gas stations. In most cases it was the inability to accept payments, but what if it were the transportation of passengers or the provision of medical care? A person might not receive test results or might not fly to some important event. Less visible attacks have become an everyday reality: the transport industry and retail are attacked every day. Production is also attacked regularly: it is either data theft, theft of money, or disruption of operations.

- Can an attack like Petya or WannaCry be repeated?

- In the theory of risk management there is the concept of a "black swan": an event that no one predicted, but which, once it happened, looked quite logical. The pace of digitalization, the shortage of specialists and the surplus of attackers suggest that such events will happen; it is difficult to say how often they will be repeated in the future.

- In general, the degree of nervousness in the public is very high.

- Yes, total paranoia is increasing, taking into account geopolitical factors and the heating up of this topic in the media. The most difficult thing is that no one knows in which industry, on what scale and with what technology the next attack will happen.

“Leading sectors of the Russian economy are organizing communities for knowledge sharing”

- How do you get insider information? Do you attend any conferences of white-hat or black-hat hackers?

- Opportunities for sharing knowledge are growing. Yes, there are foreign conferences of white-hat and black-hat hackers. But industry and specialized communities are also being created in Russia, which actively share best practices in protection against cyber attacks. In my experience the most vibrant is in the banking sector. Our company is a member of the Association of Banks of Russia: it hosts meetings at least once a month, where heads of bank security services exchange experience and work together on challenges in the area of cybersecurity legislation. In the metal mining and refining industry and in the oil and gas industry, such knowledge sharing is also gaining popularity.

Leading industries of the Russian economy, without waiting for a special invitation, organize communities to share knowledge. The state has issued a law on critical information infrastructure and is creating a system to which companies related to the objects of this infrastructure should be connected: in fact, all large industrial, technological and financial companies. The system is designed to ensure rapid collection of data on emerging cyber attacks and to prepare business to repel them quickly.


- And at what stage is this system?

- Companies are aligning themselves with the requirements of the law: they are connecting to the centers of the state system, building their own systems for monitoring and detecting cyber attacks, and setting up cybersecurity information centers. Everyone is trying to solve it in different ways: some with a greater focus on organizational issues and building interaction, others on the technological component and preparing for the fight at the digital level.

- From what size does a business need to think about its security in cyberspace?

- As soon as it begins to earn and bring the owner money. More precisely, from the moment the business begins to comply with tax and other legislation. If you do not do this, you can lose it in a second at some point because of a tiny slip-up in cybersecurity.

- Now it can happen with any business.

- Especially with modern small business, which actively uses cloud products and technologies and analytical data, builds online communications and keeps the history of its activities in the digital space. Any leak can ruin a business.

- And how well, in your opinion, are state structures and facilities in Russia protected?

- The state at all levels pays significant attention to cybersecurity issues. This is reflected in the everyday life of citizens: security events are held for schoolchildren, students, consumers of government services and pensioners, among others. Companies with a social impact, such as Sberbank, for example, also invest in community education. Our landmark events, the Olympics and the World Cup, took place without tragic stories related to cybersecurity. This gives us confidence that the state is not only aware, but is also taking the necessary measures to protect. At the same time, as a cybersecurity specialist, I would like more transparency in government actions. I would like more elaboration and more active use of international experience when introducing new initiatives. What is just beginning in Russia, the protection of critical infrastructure and personal data, already exists in one form or another in other countries; they already have experience and practice in applying this legislation.

“Protect me”: a study conducted by PwC in 2018 in 12 major Russian cities

  • 97% of respondents do not trust companies in the protection of their personal information;
  • 93% of respondents believe that companies are vulnerable to hacker attacks;
  • 88% of respondents are sure that they do not control the amount of personal data that companies collect about them;
  • 60% of respondents will no longer deal with a company if their confidential information is stolen as a result of a leak.

- How does this process take place in other countries?

- Now regulators practice active involvement of the industry in the development of new laws and in solving practical problems in the field of cybersecurity. They proceed progressively: from a clear verification of the problem, through the development of a coherent approach to solutions, and only then do fixed recommendations appear. The rule is born only in the third stage. In Russia it seems to be the opposite: first a rule appears, then we get feedback from industry and business, we learn lessons, perhaps then we correct something, but not quickly and transparently enough.

- Isn't all this heading toward the creation of an international cybersecurity committee?

- There is definitely such a movement. In open events, and while exchanging knowledge in more private circles, representatives of different industries, companies and countries are trying to build counteraction to international cyberterrorism. At the same time, the geopolitical situation and mistrust, both between different companies and between states, make this process very slow and insufficiently effective. Today, companies that help build cybersecurity and investigate cyberattacks play an important connecting role between business and governments.

- What new tools have cybercriminals acquired?

- Over the past year, the main trend has been the use of the human factor, of people's weaknesses and errors, to carry out cyber attacks. A large number of complex attacks are implemented through social engineering, affecting users first and only then the company's information infrastructure. There is a high risk of attackers using modern technologies, such as artificial intelligence, machine learning and big data, to create complex attacks. Zero-day vulnerabilities (previously unexploited vulnerabilities) continue to be used, and exploits and attack tools for these vulnerabilities are being developed.