A PwC survey into cyber security breaches earlier this year reported 15 per cent of businesses surveyed suffered hundreds of attempted breaches of their network every day. More worryingly, over half of the respondents had suffered multiple successful breaches within the last year.
Although technological advances have helped many businesses accelerate their growth, they've also introduced a range of security risks that never used to exist. Businesses now need to pay close attention to everything from their technology infrastructure to their network resilience in order to ensure there are no weaknesses for people to exploit.
To help protect against the constantly evolving dangers from online attackers, a global telecommunications business consulted PwC's Cyber Security team for assistance. To learn more about one particular solution PwC developed in response to their client's requirements, we spoke to Swetha Balla, one of the Cyber Security managers.
Overwhelmed by large amounts of raw security data, Swetha's client wanted to create a security reporting framework capable of providing real-time information about the security of their systems that could be easily understood by people at various levels within the organisation. Without such an overview, the client was finding it difficult to tell where their security investment should be targeted, leaving the board reluctant to sanction further investment into cyber security.
Swetha: "What we're trying to do is improve the visibility of what the different teams are doing and give the board an understandable picture of how their security functions are operating so they can easily see if what they've invested in is working."
To better understand the client's needs, Swetha and her team spoke to the heads of the various departments that would use the reporting framework, to find out what each of them required from it.
Swetha: "When we first go into a business, we're unlikely to be an expert in their field. We need to see how everything works. By shadowing and interviewing people, we learnt that at each step down through the business, the data they needed was different. Knowing this, we came up with a three-level hierarchy for our framework, going from a very detailed level of information at the bottom to a general overview at the top level."
Building a solution
Having settled on this structure for their reporting framework, Swetha's team began working out the particulars. Their solution would initially offer a summary report outlining the business's susceptibility to an attack. Those requiring more detailed information would be able to move down levels to increasingly specific reports, allowing them to accurately target a potential problem.
Swetha: "This system is purely for reporting problems - it can't analyse or resolve them. So an individual personally signs off the reports at each level of the hierarchy, confirming they make sense and following up any inconsistencies or red flags."
The project's benefits for the client
- Greater understanding of the value of their investment in information security.
- Increased knowledge of emerging risks and the business's current level of security protection against them.
- Greater understanding of security processes.
- Ability to predict impending problems and respond proactively to significant threats.