Revitalizing privacy and trust in a data-driven world

How businesses can better manage rising risks to data privacy and security

Massive data breaches, constant collection of personal data—it may seem like privacy is dead in the digital age. But privacy, security and trust are increasingly vital and intertwined in our data-driven society. Many organizations worldwide need stronger privacy risk management that is better integrated with cybersecurity, according to our 2018 Global State of Information Security® Survey (GSISS).

For CEOs and boards, the existential question is less about the future of privacy and more about the future of their own organization: Will the company muster the will and imagination needed to jolt stalled privacy risk management into action? Will it leverage that momentum and integrate cybersecurity, striving to become a trusted brand for responsible innovation and data usage? Or will it cede its place in the market to more committed competitors?

Drawing on key findings from the 2018 GSISS and beyond, we offer nine insights on revitalizing privacy and trust in a data-driven world, concluding with next steps for global business leaders.



Reto Haeni
Partner and Leader Cybersecurity and Privacy
+41 58 792 75 12

Strengthening digital society against cyber shocks

How businesses can build the resilience needed to withstand disruptive cyberattacks

Massive cybersecurity breaches have become almost commonplace, regularly grabbing headlines that alarm consumers and leaders. But for all of the attention such incidents have attracted in recent years, many organizations worldwide still struggle to comprehend and manage emerging cyber risks in an increasingly complex digital society. As our reliance on data and interconnectivity swells, developing resilience to withstand cyber shocks—that is, large-scale events with cascading disruptive consequences—has never been more important.

In the 2018 Global State of Information Security® Survey (GSISS), 40% of survey respondents from organizations using robotics or automation say the disruption of operations would be the most critical consequence of a cyberattack on those systems. Despite an awareness of disruptive cyber risks, companies often remain unprepared to deal with them.

Many of the key processes for uncovering cyber risks in business systems have been adopted by fewer than half of survey respondents.


China’s Cyber Security Law – technical implications

China’s top legislature adopted the country’s Cyber Security Law on 7 November 2016. After a third reading by the Standing Committee of the National People’s Congress, the law took effect on 1 June 2017. In addition to defining a wide scope of critical infrastructure, it lays the foundations for enforcing penalties on overseas organisations and individuals who attack, breach or insufficiently protect critical infrastructure and/or personal data. Reto Haeni, Leader Cybersecurity & Privacy at PwC Switzerland, explains what companies should consider, as the law has a wider impact than is usually discussed.

China’s new Cyber Security Law focuses to a greater degree on several key topics: keeping personal information secure, combating cybercrime, ensuring network products and services are secure, clarifying the obligations network operators face and addressing sovereignty issues in cyberspace. There are two main aspects to responding to the law, and the second is often overlooked. First, companies operating in China must implement the law’s requirements if they want to remain compliant. Second, organisations with information or systems not located in China must also review their technology architecture, data protection efforts and business processes if they want to minimise the potential risks stemming from the new law.


China’s Cyber Security Law is the next step in the country’s wider effort to tighten the rules governing information security and data privacy. Regulations existed before, for example the Administrative Measures for Prevention and Treatment of Computer Viruses and the Administrative Measures for Hierarchical Protection of Information Security. The new law sets out the rights and obligations of the government, network operators and users in the area of cyber security and data protection. Although the law is already in effect, its concrete implementation is not yet settled and a fair amount of interpretation is still needed to apply it in practice to operations in China. Complying with the law entails several new challenges for both government and business, such as ensuring appropriate network operations, identifying security risks and encouraging network innovation. Each of these must be addressed if the rights of all stakeholders are to be protected.


Strengthening digital society against cyber shocks

59% say digital transformation has increased information security spending



Key findings from the Global State of Information Security Survey 2018.


For more information please contact:

Reto Häni
Partner and Leader Cybersecurity and Privacy
PwC Digital Services
+41 58 792 75 12

How to keep your smartphone safe in cyberspace

You have antivirus software and a firewall on your PC, right? But what about your smartphone?

These days most of us use our phones for everything, including highly confidential stuff we would prefer to keep private. But many people still are not aware of the need to keep their smartphone secure, or how to do it.

PwC’s cybersecurity team has come up with some easy tips to keep you safe when you use your smartphone in cyberspace. You will be aware of some of them, but some are less obvious, and it is worth checking all of them out if you want to stay secure. The resources are easily available, and all it takes to protect your privacy is a little extra awareness and a few minutes of your time.

The main areas to keep an eye on are apps, wifi connections, authentication, and data and updates.


Apps:

  • Be careful about what you install.
  • Disable installation of apps from untrusted sources (the ‘unknown sources’ setting on Android).
  • Do not root or jailbreak your phone, especially if you do not know what you are doing: it removes the sandbox that keeps apps from interfering with each other and with the system.
  • Always use the official app stores run by Google, Apple, Microsoft, etc., and block apps downloaded from any other source.
  • Remember that you do not have to grant every permission an app asks for. If the app gives you the option, grant only the permissions that make sense for what the app does.
  • Do not install an app that demands permissions without giving you the option to decline. Even if it looks legitimate and has high ratings, it can still be malware, as the CopyCat campaign showed, and it could get you into a lot of trouble.
  • Uninstall apps you no longer use, or at least keep them updated. Outdated apps can carry unpatched vulnerabilities that give an attacker a way into your phone.


Wifi connections:

  • Treat every public wifi network as untrusted: anyone on the same network can observe or tamper with traffic that is not encrypted, and antivirus software on the phone does not protect against this.
  • Use a virtual private network (VPN) app. It tunnels your traffic through an encrypted connection so that others on the same network cannot listen in. VPN apps are available on the app stores for free or for a few francs a month.
  • Do not make financial transactions (e-banking, payments, etc.) over a public wifi network without such protection. It is very risky.
  • Turn wifi OFF when you have finished using the network, so that the phone does not silently reconnect to networks it has seen before.


Authentication:

  • Use a screen lock and strong passwords. Consider passphrases rather than short passwords, for example ‘iAmFromUetliberg!’ (and do not use that one, now that it has been published).
  • Use two-factor authentication wherever possible.
  • Never reuse the same password for different websites.
  • Change a password promptly if the service reports a breach or you suspect it has been exposed, rather than on a fixed schedule.
  • Consider a password manager such as LastPass, Keeper or Dashlane to remember your passwords for you. Protect the manager itself with a strong master passphrase and two-factor authentication, and use it wherever possible, especially for Facebook and e-mail.

Data and updates:

  • Do not store sensitive files on your phone.
  • Activate the ‘lost phone’/‘find phone’ function: both Apple and Google offer a ‘find my device’ service that lets you locate, lock or wipe a lost phone remotely.
  • Keep an eye on suspicious activity in the background. Apps such as LogDog alert you to events like logins from unfamiliar places, so that you can change your credentials before serious harm is done.
  • Always keep your phone’s operating system updated. Updates frequently contain security patches that close holes attackers are already exploiting.

If you are aware of the potential risks, it only takes a few minutes of your time to make your smartphone much safer to use.

If you have further questions about keeping mobile devices secure (privately or in an organisational context) or any other issues related to cybersecurity, check out PwC’s Cybersecurity website or contact Reto Häni direct.


Reto Häni
Cyber Security Partner and Leader
PwC Digital Services
+41 79 345 01 24


How to comply with the mandatory controls for SWIFT participants

In response to recent cases of major cyber-fraud exploiting weaknesses in local infrastructures run by SWIFT participants, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) has issued a set of mandatory controls designed to help participants combat the threats.

To establish a security baseline for the entire SWIFT community, all SWIFT participants are called upon to implement 16 mandatory and 11 advisory security controls based on existing SWIFT guidelines and best practice standards. The controls, part of the SWIFT Customer Security Programme (SWIFT CSP), revolve around securing the environment, knowing and limiting access, and detecting and responding to threats.

Urgent action required

The SWIFT CSP will come into force on 1 January 2018, and shortly afterwards participants will be required to demonstrate compliance, either via a self-assessment, an internal audit, or an external audit. There will also be regular spot-checks by SWIFT. Non-compliance or late submission of confirmation of compliance will be reported to local supervisory authorities or other SWIFT counterparties, so there are major implications for participants failing to implement the controls properly.

SWIFT participants should act quickly to do a self-assessment, make sure they can prove compliance annually, and take steps to understand and anticipate the cyber-threats.

PwC’s Cybersecurity and Risk Assurance services are there to help participants get an up-to-date view of the relevant threats, assess their SWIFT readiness, implement the new controls, report on compliance, and detect threats on an ongoing basis.

The team at PwC has produced a brochure with comprehensive information on the new SWIFT controls.

For more information please contact:

Reto Häni
Cyber Security Partner and Leader
PwC Digital Services
+41 79 345 01 24

Yan Borboën
Cyber Security Partner
PwC Assurance
+41 79 580 73 53

Jens Probst
Systems & Process Leader
PwC Assurance
+41 58 792 29 59

Nicolas Vernaz
Data Protection and Regulatory Compliance Leader
PwC Digital Services
+41 79 419 43 30


The ransomware that made the world cry

Over the past few days the cybersecurity community has been absorbed by a large-scale ransomware attack rippling across the world. On Friday 12 May came the first reports of victims infected with ransomware dubbed WannaCry (also known as WCry or Wanna Decryptor). It soon became clear that this wave was far bigger than usual. According to the latest estimates, the malware infected more than 250,000 systems in as many as one hundred countries. The list of victims is long and includes well-known names across all sectors. In some cases the infection had serious consequences: several hospitals in the United Kingdom had to cancel scheduled surgeries, and some students in China lost their graduation theses.

What we know

The malware encrypts every file matching a list of 176 extensions, including documents, database and backup files, and appends the extension “.WCRY” to each. The victim is asked to pay between USD 300 and 600 in Bitcoin to get the files back. So far there is no evidence that paying actually yields a key that decrypts the files. In their message the authors threaten to delete the files for good if the demand is not met within eight days. The international ambitions of the campaign are clear from the ransom note, which is translated into 28 languages.

Once the initial host has been infected, the ransomware spreads laterally through the network using the EternalBlue exploit for the SMBv1 vulnerability that Microsoft fixed in bulletin MS17-010 (CVE-2017-0144). The exploit was published by the Shadow Brokers group on 14 April 2017 in a leak of hacking tools allegedly crafted by a state actor; Microsoft had released the patch a month earlier.

Switzerland has not been spared. By Sunday evening the Swiss GovCERT had counted roughly 200 potential victims. The number could rise steeply, as more than 5,000 systems in Switzerland expose SMB directly to the Internet.

What is still unclear

Despite the flood of information, some points remain unclear. First, it is not yet known how the dropper is initially delivered to victims. One hypothesis is that a spear-phishing e-mail carried the malicious attachment, but no such e-mails have surfaced yet. In its alert, US-CERT stated that the attackers gained access to victims’ networks either through Remote Desktop Protocol or by exploiting the critical Windows SMB vulnerability mentioned above. Second, the identity of the authors is shrouded in mystery. Given the financial nature of the attack, the dominant hypothesis is that a criminal group launched it, but it should not be forgotten that state actors have been involved in spectacular heists in the past. Fresh findings suggest the malware may be linked to Lazarus, a state-sponsored group believed to be behind the SWIFT attack on Bangladesh Bank in February 2016. So far the authors have neither spent nor transferred the Bitcoin they received. At this stage it is difficult to say more about attribution.

Main takeaways

As mentioned above, the exploit used in this attack was leaked in April this year, by which time the vendor had already released a patch. Unfortunately, many organisations ignored the threat and were slow to install it. This episode should serve as a reminder that threat actors reuse leaked tools, and that without disciplined patching an incident is only a matter of time.

As reported in the media, a young IT security researcher temporarily curbed the attack by registering a “kill-switch” domain: the malware checks whether it can reach that domain and, once it could, stopped spreading. Unfortunately, new versions without this feature have already been spotted in the wild. The threat intelligence community has also generously shared indicators and advice that help organisations identify infections, prevent them and limit their impact. These joint efforts deserve praise and should continue.


If you have not done so yet, apply the MS17-010 patches immediately. As short-term actions, your IT team should:

  • block SMB at the perimeter (TCP/UDP ports 137, 139 and 445 to and from the Internet);
  • disable the SMBv1 network file sharing protocol;
  • ensure two-factor authentication is in place for all external access to systems that must remain reachable (e.g. VPN and RDP);
  • update antivirus signatures;
  • isolate any infected system from the corporate network at once to stop the infection from spreading;
  • if you have already fallen victim, keep a copy of the encrypted files in case a decryption tool becomes available.
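To find the host that must be isolated, and to confirm the perimeter exposure the first bullet addresses, a detection pass over firewall connection logs is enough. The following is an added example, not code from the original article or from PwC: it assumes a simple one-connection-per-line log format and a 10.0.0.0/8 corporate range, and the sample lines are constructed. It flags any internal host fanning out on TCP/445 to many peers within a short window, which is what a worm looks like and not what a file-sharing client does, and any Internet source that the perimeter allowed through to an SMB port.

```python
"""Spot worm-like SMB spread and Internet-exposed SMB in firewall connection logs.

Added example, not part of the original article or any PwC tool. The log format
is an assumption (one connection per line, in the shape of a generic firewall
export) and the sample lines below are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape: "<ISO timestamp> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
SMB_PORTS = {137, 139, 445}                    # the ports the list above says to block
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range


def parse(line):
    """Return one event dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    return e


def inbound_smb_from_internet(events):
    """External sources that were ALLOWED to reach SMB on internal hosts: the
    perimeter exposure the article warns about."""
    hits = set()
    for e in events:
        if e["action"] == "ALLOW" and e["dport"] in SMB_PORTS:
            src, dst = ipaddress.ip_address(e["src"]), ipaddress.ip_address(e["dst"])
            if src not in INTERNAL and dst in INTERNAL:
                hits.add((e["src"], e["dst"], e["dport"]))
    return sorted(hits)


def smb_fanout(events, threshold=10, window=timedelta(minutes=5)):
    """Internal hosts that open TCP/445 to at least `threshold` distinct internal
    peers inside a sliding `window`. A workstation doing that is scanning like a
    worm, not talking to a file server; it is the host to isolate first. Denied
    attempts count too, because the scan itself is the signal."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == 445 and ipaddress.ip_address(e["src"]) in INTERNAL:
            by_src[e["src"]].append((e["ts"], e["dst"]))
    suspects = {}
    for src, conns in by_src.items():
        conns.sort()
        start = 0
        for end in range(len(conns)):
            while conns[end][0] - conns[start][0] > window:
                start += 1
            distinct = {dst for _, dst in conns[start:end + 1]}
            if len(distinct) >= threshold:
                suspects[src] = max(suspects.get(src, 0), len(distinct))
    return suspects


# Constructed sample: one workstation sweeping 12 neighbours within seconds, one
# normal client talking to a file server, and two Internet hosts probing SMB.
SAMPLE_LOG = [
    *(f"2017-05-12T10:00:{i:02d} ALLOW TCP 10.0.1.50:{49100 + i} -> 10.0.2.{i + 1}:445" for i in range(12)),
    "2017-05-12T10:00:05 ALLOW TCP 10.0.1.7:50001 -> 10.0.3.10:445",
    "2017-05-12T10:30:05 ALLOW TCP 10.0.1.7:50002 -> 10.0.3.10:445",
    "2017-05-12T10:01:00 ALLOW TCP 203.0.113.5:40001 -> 10.0.1.9:445",
    "2017-05-12T10:01:01 DENY TCP 198.51.100.7:40002 -> 10.0.1.9:139",
]


def analyse(lines=SAMPLE_LOG, threshold=10):
    events = [e for e in map(parse, lines) if e]
    return {"fanout": smb_fanout(events, threshold), "inbound": inbound_smb_from_internet(events)}


if __name__ == "__main__":
    print(analyse())
```

On the sample data the fan-out check names 10.0.1.50 (12 peers in twelve seconds) while the client that talks to one file server twice an hour is left alone; the inbound check names the single Internet source the perimeter let through to port 445. Tune the threshold and window to your own baseline before alerting on it.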

Over the longer term, plan and exercise a business continuity programme, adopt and test an incident response strategy, run consistent patch and vulnerability management, keep a regular backup policy and hold security awareness training.

PwC can provide you with the necessary assistance and counsel to address these issues and improve your overall security posture. PwC strongly believes in a holistic approach to cyber security by offering a wide variety of services covering all the phases of the cyber lifecycle: from strategy and policy development to its implementation and review.

Why is the latest attack different and what is its relevance for boards? Read more.

In case of questions, please contact us at


Switzerland targeted in sustained global cyber campaign

PwC and BAE Systems have recently concluded an intensive investigation into an espionage network dubbed APT10. Our Advanced Cyber Defense team in Switzerland has been involved in the detection, response and remediation of the attack in multiple sectors where Swiss based clients have fallen victim to this campaign.

Over the last year we have seen sustained targeted attacks against major organisations in Switzerland. The attacks have specifically targeted managed IT service providers (MSPs) and used their networks to reach the MSPs’ customers. This potentially gave unprecedented global access to the intellectual property and sensitive data of those MSPs and their clients.
As part of the investigations carried out by our Swiss, UK and global teams, we have linked these activities to similar attacks in more than 14 countries. PwC has gone public with this because although we have already seen several companies compromised, there may be many other organisations affected. We recommend performing a cybersecurity breach assessment to detect whether your organisation has been previously compromised, and to use tailored threat intelligence to manage risk effectively.

World-wide, the campaign has targeted many Japanese state entities, and in the US, defence-related as well as telecommunication companies. The construction, retail and consumer, energy and mining, technology, professional services, metals, industrial manufacturing, and public sector were also targeted.

What is APT10?

APT10 has targeted managed IT service providers and used them as a springboard into their customers’ networks. The group has used a wide variety of malware that has evolved over time, including RedLeaves, PlugX, Poison Ivy and EvilGrab, together with the credential-dumping tool mimikatz. These tools have been around for quite some time and are passed around within criminal circles.

The campaign uses an impressive network of command-and-control servers. PwC assesses the energy and resources invested into the campaign as high and sustained.


PwC attributed the attacks to the campaign by drawing analytical conclusions from a variety of disciplines and perspectives, all pointing the same way. Reverse engineering of the malware revealed its command-and-control infrastructure as well as recognisable characteristics; folder and file naming conventions and paths further shed light on the associated tactics, techniques and procedures (TTPs). Robust intelligence corroborated similar indicators and activities across related victims. Lastly, the modus operandi, the information targeted and the timing of activity, compared with similar activity at the time and in the industry, reinforced PwC’s conclusions.

Several indicators point to the instigators being located in East Asia. Most strikingly, the timestamps of registration of domains for the important network of command-and-control servers as well as the compilation time would appear to make sense for an actor based within this region. Many of these indicators could be faked to induce investigators to draw the wrong conclusions. However, to do so consistently across several types of evidence, and without hinting at another geographical location would be rather exceptional.

Further investigations are still being carried out to try to determine more exactly who could be behind the attacks. Attribution is a lengthy investigative process, but we believe that the report needed to come out quickly to help organisations protect their networks as much as possible.

What to do

The report includes a long list of indicators of compromise (IOCs). Load them into your security tooling (SIEM, proxy, DNS and endpoint controls) to detect and block future activity, and search your historical logs for them. For organisations in targeted sectors with high-value intellectual property we also recommend a threat hunt across your network to establish whether you have already been targeted.

PwC also recommends, at a minimum, two-factor authentication for the jump hosts through which managed service providers (MSPs) enter client networks. The compromise and data exfiltration were carried out via system and MSP administrator accounts, so stronger controls around these entry points are key. Increasing visibility across the enterprise through a holistic logging policy would further help.
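As an added example of the sweep recommended above (not PwC’s tooling, and using placeholder indicators rather than the ones in the report), the following script loads a type,value IOC list, matches proxy requests against IOC domains including their subdomains and against IOC IP addresses, and checks a file-hash inventory. The log format, the 10.x client addresses, the .invalid domains, the RFC 5737 address and the dummy hash are all constructed.

```python
"""Sweep proxy logs and a file-hash inventory for indicators of compromise (IOCs).

Added example, not PwC's tooling and not the indicators from the APT10 report.
Every IOC value, log line and hash below is a constructed placeholder (RFC 5737
addresses, .invalid domains, a dummy digest); replace IOC_CSV with the real list.
"""
import csv
import io
import re

DUMMY_SHA256 = "deadbeef" * 8  # constructed placeholder, not a real malware hash
IOC_CSV = f"""type,value
domain,update.example.invalid
domain,cdn-static.example.invalid
ipv4,198.51.100.23
sha256,{DUMMY_SHA256}
"""


def load_iocs(text):
    """Parse a simple type,value CSV into sets keyed by indicator type."""
    iocs = {"domain": set(), "ipv4": set(), "sha256": set()}
    for row in csv.DictReader(io.StringIO(text)):
        iocs[row["type"].strip()].add(row["value"].strip().lower())
    return iocs


def domain_matches(host, domains):
    """True if the host or any parent domain is an IOC, so that
    sync.update.example.invalid hits an indicator of update.example.invalid,
    while notupdate.example.invalid (a different label) does not."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


# Assumed proxy line shape: "<timestamp> <client ip> <method> <url> <status>"
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<client>[\d.]+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def host_of(url):
    """Extract the host part of a URL, dropping scheme, port and path (IPv4/hostnames only)."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0].split(":")[0]


def sweep_proxy(lines, iocs):
    """Return (timestamp, client, host) for every request to an IOC domain or IP."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        host = host_of(m["url"])
        if domain_matches(host, iocs["domain"]) or host in iocs["ipv4"]:
            hits.append((m["ts"], m["client"], host))
    return hits


def sweep_hashes(inventory, iocs):
    """inventory: iterable of (hostname, path, sha256). Return entries whose hash is an IOC."""
    return [(h, p, s) for h, p, s in inventory if s.lower() in iocs["sha256"]]


# Constructed sample data.
SAMPLE_PROXY = [
    "2017-04-03T08:15:02 10.0.5.21 GET http://www.example.com/ 200",
    "2017-04-03T08:16:40 10.0.5.21 POST http://sync.update.example.invalid/api 200",
    "2017-04-03T08:17:01 10.0.5.33 GET https://198.51.100.23:8443/ 200",
    "2017-04-03T09:00:00 10.0.5.40 GET http://notupdate.example.invalid/ 404",
]
SAMPLE_INVENTORY = [
    ("ws-0421", r"C:\Users\Public\svchost.exe", DUMMY_SHA256),
    ("ws-0422", r"C:\Windows\System32\svchost.exe", "0123456789abcdef" * 4),
]


def run(iocs_text=IOC_CSV, proxy=SAMPLE_PROXY, inventory=SAMPLE_INVENTORY):
    iocs = load_iocs(iocs_text)
    return {"proxy": sweep_proxy(proxy, iocs), "files": sweep_hashes(inventory, iocs)}


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

The suffix-walk in domain_matches is the detail that matters: actors rotate hostnames under a domain they control, so an IOC of update.example.invalid must also catch sync.update.example.invalid, while a naive substring match would wrongly flag notupdate.example.invalid. Run the same sweep over retained logs from before the indicators were published, not only over live traffic.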

Should you need any help to conduct such assessment, PwC would gladly assist you in any way we can. Don’t hesitate to get in touch with us: PwC Swiss Breach Aid Team

The report and the technical indicators can be found here

Reto Häni
Cyber Security Leader
+41 79 345 01 24

Lessons from a hack

What links spies, hackers, cookies and a grey Aston Martin DBS? The answer can be found in the indictment of four suspects that the U.S. Department of Justice published last week. The four individuals are accused of breaking into the networks of a large telecommunication company in 2014 and stealing large amounts of client data. Despite the legal jargon (with only a few sparks of technical detail), reading the document reveals some interesting aspects of cyber security.

The blurring line between cyber crime and cyber espionage

Cyber security experts have repeatedly pointed out that intelligence services are keen to take advantage of the skills of cyber criminals by hiring them to penetrate their targets’ networks and siphon out sensitive data. The indictment confirms this practice. Two of the defendants are allegedly officers of a foreign intelligence service and are accused of “[directing] criminal hackers, […], to gain unauthorized access to computers of companies”.

The increasingly blurred line between cyber crime and cyber espionage makes the attribution of cyber incidents more complex. As cyber criminals sell their services and tools on underground dark-web markets, the same tool can turn up in several campaigns run by different threat actors, including intelligence agencies. Hence the approach to identifying the instigators of an attack needs to go beyond technical details (the so-called indicators of compromise [IOCs], such as malware signatures or the IP addresses of command-and-control servers). The attribution process must also take into account non-technical aspects such as the nature of the target and the type of information stolen, and interpret them within a geopolitical framework.

Tools, techniques and procedures

The indictment gives an interesting insight into the techniques used by criminals to gain unauthorised access to a system. The methods listed by the Department of Justice include spear phishing and cookie minting. In the first case, the hackers sent tailored e-mails designed to resemble messages from a trusted source, luring recipients into opening an attachment carrying malware or clicking a malicious link. In the second, the suspects forged session cookies to gain access to victims’ e-mail accounts without needing their passwords. Furthermore, to make the investigators’ task harder and to “reduce the likelihood of detection”, the criminals covered their tracks by leasing servers in different countries and using VPNs. Once inside the breached company’s systems, they also ran log cleaners to erase their traces.
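The cookie-minting technique above works only because a session cookie is trusted on the strength of its contents. The following added example (not code from the indictment or from the breached provider; the keys, key ids and user names are made up) puts an unsigned cookie design next to one whose value carries an HMAC over the user, expiry and key id, and shows what each one accepts. Note that the signed design does not stop an attacker who has obtained the signing secret itself, which is why retiring the key is part of the response.

```python
"""Session-cookie minting: an unsigned design beside an HMAC-signed one.

Added example illustrating the 'cookie minting' technique described above; it is
not code from the indictment or from the breached provider. The secret keys,
key identifiers and user names are made up.
"""
import base64
import hashlib
import hmac
import time


# Weak design: the cookie is nothing but encoded state. Anyone who knows the
# format can mint a cookie for any user, no server secret needed.
def mint_unsigned(user):
    return base64.urlsafe_b64encode(f"user={user}".encode()).decode()


def read_unsigned(cookie):
    fields = base64.urlsafe_b64decode(cookie).decode().split("&")
    return dict(kv.split("=", 1) for kv in fields)


# Hardened design: the value is bound to a server-side secret (identified by a
# key id) and an expiry, so a cookie can only be minted by whoever holds the key.
KEYS = {"k1": b"constructed-secret-key-do-not-reuse"}  # assumed key store: id -> secret


def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()


def mint_signed(user, key_id, ttl=3600, now=None):
    if "|" in user:
        raise ValueError("user name must not contain the field separator")
    now = int(time.time()) if now is None else now
    payload = f"{key_id}|{user}|{now + ttl}".encode()
    return base64.urlsafe_b64encode(payload + b"|" + _sign(KEYS[key_id], payload)).decode()


def verify_signed(cookie, now=None):
    """Return the user name, or None if the cookie is malformed, tampered with,
    expired or signed with a key that has since been retired."""
    now = int(time.time()) if now is None else now
    try:
        key_id, user, exp, sig = base64.urlsafe_b64decode(cookie).split(b"|", 3)
        expiry = int(exp)
    except ValueError:  # bad base64, wrong field count or non-numeric expiry
        return None
    key = KEYS.get(key_id.decode(errors="replace"))
    if key is None or expiry <= now:
        return None
    expected = _sign(key, b"|".join([key_id, user, exp]))
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return user.decode(errors="replace")


def retire_key(key_id):
    """Rotating the signing key invalidates every cookie minted under it: the
    response once a minting secret is known to be in attackers' hands."""
    KEYS.pop(key_id, None)


def demo(now=1_500_000_000):
    """Walk through forgery, tampering, expiry and key retirement."""
    KEYS["k2"] = b"second-constructed-key"
    forged = mint_unsigned("ceo")                 # attacker needs no secret at all
    legit = mint_signed("alice", "k2", now=now)   # an attacker holding k2 could mint this too
    raw = base64.urlsafe_b64decode(legit)
    tampered = base64.urlsafe_b64encode(raw.replace(b"alice", b"admin")).decode()
    results = {
        "unsigned_accepts_forgery": read_unsigned(forged)["user"] == "ceo",
        "signed_accepts_legit": verify_signed(legit, now=now) == "alice",
        "signed_rejects_tampered": verify_signed(tampered, now=now) is None,
        "signed_rejects_expired": verify_signed(legit, now=now + 3601) is None,
        "signed_rejects_unsigned_format": verify_signed(forged, now=now) is None,
    }
    retire_key("k2")
    results["signed_rejects_retired_key"] = verify_signed(legit, now=now) is None
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The key id inside the cookie is what makes rotation practical: the server can keep an old key valid for a grace period and then drop it, and every cookie minted under the dropped key fails verification at once. In a real deployment the secrets would live in a key store rather than in source, and the cookie would also be marked Secure and HttpOnly.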

The indictment reports neither the malware used nor any IOCs, but it does highlight the high skill and versatility of today’s cyber criminals. They are professionals able to use a large set of tools and to combine different techniques, from social engineering to malware. When defending your company’s network you have to be aware of this and implement comprehensive security controls without neglecting employee awareness training.

Collateral damage

The victim of the breach is a well-known e-mail provider with millions of users and even more e-mail accounts. By breaching the company’s network, the hackers had gained access to thousands of e-mail accounts. According to the charges, the suspects had had access to accounts of journalists, politicians, government officials, sales managers and even to the ones belonging to a Chief Technology Officer. Among the victims there were also 14 employees of a Swiss Bitcoin wallet and banking firm.

The intelligence officers were more interested in personal information about specific political targets, whereas the hackers sought financial data for their own enrichment. The business was apparently quite lucrative: the list of forfeited goods mentions a grey Aston Martin DBS.

As widely reported in the media, the breached company was in the process of being acquired. In the aftermath of this disclosure and of an earlier one, the deal price was reduced by $300 million, and the company’s CEO, taking responsibility for the breach, gave up her annual bonus. A security breach can have heavy and very real repercussions for a company and its employees.


This breach shows the danger of keeping personal and business data in a single webmail account without additional protection. We strongly recommend encrypted communication for any sensitive information. Moreover, the criminals reused stolen passwords to log into the users’ other accounts; as a basic security reflex, never reuse a password across different services.

PwC strongly believes in a holistic approach to cyber security by offering a wide variety of services covering all the phases of the cyber lifecycle: from strategy and policy development to its implementation and to incident response. PwC cyber security services can help your company improve its security posture to face old and new threats.

Contact us if you would like to discuss this topic.

Reto Haeni
Cyber Security Leader
+41 79 345 01 24

Mark Barwinski
Director, Cyber Security
+41 58 792 20 89

Cybersecurity: A peek into the nuts and bolts of a state cyber apparatus

WikiLeaks, the platform that has in the past released thousands of classified US diplomatic cables and, more recently, emails from the Democratic National Committee, has now published leaked documents which it claims came from the CIA. The documents detail tools the intelligence agency uses for surveillance. This includes notably kits to penetrate computers (from Windows to OS X), mobile phones (iOS, Android) and many other devices.

Why is this relevant?

It has been known for some years that intelligence services also launch cyber attacks, and in doing so they add new malware and new “threats” to the security landscape. The secrecy surrounding these services has fostered expectations, at times exaggerated, about their capabilities. The leak offers a peek at what a state intelligence service does and how it goes about breaching systems. For cyber security specialists this is, in a way, a boon: a chance to learn how to make their networks more resilient, provided they are in a position to digest the information correctly.

Furthermore, because of their sometimes sizeable budget, a few intelligence services can set the tone as to what is the most sophisticated way to perform successful and stealthy attacks. The leaks provide, however, a slightly different perspective.

Should we be worried?

One of the stories to make the headlines concerned spying via Smart TV. It is, however, much less scary than it may sound. The TVs were not hacked remotely, but malware was introduced physically into them.

Many intelligence services go after specific targets. The way they operate means that they will seek to obtain further information about what a specific person is up to because the agency will already have received a hint from another source that the person is involved in terrorist activities, nuclear or chemical weapons proliferation, or organised crime for instance. The agency then works its way through to have surveillance in place – be it through remote cyber means or through human intelligence (HUMINT) and up-close support by a network of assets (recruits).

What the leaks show is that agencies, logically, can use their strongest assets to put such surveillance systems into place, humans: either they physically go in themselves or utilise these recruits to inject malware via up-close support. Regardless of an organisation’s cyber security, it is very likely that the agency will be able to circumvent it this way. For an intelligence service to use a Smart TV as a bugging device is in the end not so different than if they had installed their own in-house-developed listening device after breaking into a target’s home.

Therefore, if an organisation comes into the crosshair of an intelligence service, it may have bigger problems to worry about than only to know whether it is under surveillance.

Similarly, up-close physical access is commonly used by such intelligence agencies in a broad set of countries to gain persistent access to mobile devices. These operations often take place in hotel rooms, where unsuspecting users sometimes leave telephones, iPads and laptops unattended for hours at a time. It may take a trained operative only seconds to equip a personal device with new software or hardware. If successful, the agency can harvest a treasure trove of information: all e-mail communications, live sound and video, banking transactions, geolocation coordinates and much more, essentially a complete pattern of life. (Patterns of life are akin to fingerprints and allow an intelligence agency to maintain detailed awareness of a target’s actions.) It is therefore wise to keep track of all personal devices during business trips abroad, to minimise the opportunity for unauthorised individuals to access them.

If there is one point to take comfort in, it is that in this latest apparent tool release a few commonly used communication applications that encrypt users’ conversations appear to be genuinely safe to use. As the leaks seem to indicate, state intelligence services rely on Trojans planted on the target’s phone to read messages, which suggests they have not been able to break the encryption itself. Users may take comfort in the fact that their private sphere may well remain protected in some circumstances and on some mobile device models.

What are the largest takeaways?

The toolkit exposed is less sophisticated and impressive than the kind that would stem from a signals intelligence agency. This is probably because certain agencies can use other, “human” means to gain an entry point into a network.

Not all intelligence agencies are alike, and many within the same country operate under different mandates, authorities and areas of specialisation. Such is the case for this most recent release of tools, associated with an agency focused on the collection of foreign intelligence through highly targeted activities and sometimes up-close tactical operations. In other words, mass surveillance is generally not associated with the operating principles of an agency that does not focus on signals intelligence.

As a consequence, the released information does not contain zero-days, and it shows that intelligence services can reuse portions of code garnered on the internet or already deployed by criminals and other intelligence services. Besides being practical, this also adds to the confusion for whoever tries to attribute the attacks, honouring the principles of deception and plausible deniability.

A second point which follows is that many of the leaks show that the agency simply makes good use of unpatched systems. Some of the released information may well be quite old – such as a document concerning the rapid copying of 3.5-inch disks – but it is in line with PwC’s view that many unpatched systems still leave the door open as much to criminals as to intelligence services.

Open questions

The US intelligence community has been very much in the spotlight for the past couple of months, and the timing of the release of the leaks could not be more awkward. It comes at a time when intelligence agencies have likely been tasked with taking action against those responsible for influencing the democratic electoral process in the country. The timing therefore raises the question of whether there are motives behind the leaks other than the obvious ones. If we are to accept recent reports of such activities, then such a release of tools may signal a pre-emptive action designed to hinder retaliation. This should make us cautious about how we interpret the leaks and not take the information at face value, especially as some of it may also not be genuine.

Once more, the leaks appear to seek to damage the organisation in at least two ways: it will have to rebuild tools to ensure that it can continue its surveillance of terrorists and others; and it will have to redouble its efforts to assure its international partners that the information they give to the agency will remain confidential.

Threat intelligence?

Now that this information about a state’s capabilities lies in the open, it makes sense to integrate it into an organisation’s security posture: professional criminals are likely to seek to reuse what they perceive as top-notch hacking tips. Doing so requires understanding the context of the information (of the leaks, but also of the functioning of the agencies behind them) and having appropriate technical systems in place.

PwC is a global leader in security services and has multiple threat intelligence teams globally, including in Switzerland. Furthermore, PwC has built one of the world’s leading threat detection and intelligence platforms, “Secure Terrain”. The platform is based on advanced analytics technology that pulls information out of volumes of data that traditional methods would not be able to digest. Combined with our threat intelligence, PwC can provide the tools, methods and (if needed) people to detect and respond to advanced attacks in an intelligence-driven way.

Contact us if you would like to discuss this topic.

Reto Haeni
Cyber Security Leader
+41 79 345 01 24

Mark Barwinski
Director, Cyber Security
+41 58 792 20 89