Baker Tilly Presents: Emerging Trends in Cybersecurity


Page 1: Baker Tilly Presents: Emerging Trends in Cybersecurity

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

29th Annual FMA Conference
Wednesday, May 4, 2016 - Friday, May 6, 2016

Emerging Trends in Cybersecurity
Brian Sanvidge / Baker Tilly Virchow Krause LLP
Patrick Yu / Baker Tilly Virchow Krause LLP

Page 2: Agenda

> Introduction
> Organizational Data Breach Examples and Advisory
> Cybersecurity Risk Landscape Overview
> Cyber Risk Governance
> Implement Controls and Breach Response

Page 3: Objectives of this presentation

> Raise awareness of the emerging trends in cybersecurity, such as the threats and the potential cost that a breach could have on your organization
> Establish an understanding of what your organization and board can do to reduce the likelihood and impact of a breach
> Identify key characteristics and aspects within an incident/breach response plan and how this plan will reduce the impact of the unfortunate event

Page 4: Organizational data breach examples and advisory

Page 5: Target Stores - Data Breach

Page 6: Target Stores - Data Breach

In November 2013 Target Corporation announced that data from around 40 million credit and debit cards was stolen. It is the second largest credit and debit card breach in history.

> Engaged a third-party forensic expert to conduct an extensive investigation
> The initial intrusion into Target store networks was possible thanks to network passwords stolen from an air conditioning and heating contractor based in Pennsylvania, Fazio Mechanical Services.
> Target agreed to reimburse thousands of financial institutions as much as $67 million
> The data breach cost Target $252 million in total
> Target also spent $100 million shoring up digital security
> Sales fell by 46% in the Fourth Quarter of 2013

Page 7: Goodwill - Data Breach

Page 8: Goodwill - Data breach

In July 2014 Goodwill Industries fell victim to a breach that led to the theft of customer credit and debit card data. The stolen data comprised 868,000 credit cards (names, card numbers, and expiration date) from 330 store locations across 20 states.

> Engaged a third-party forensic expert to conduct an extensive investigation
> The third-party vendor's systems were attacked by malware, enabling criminals to access some payment card data of a number of the vendor's customers
> The impacted Goodwill members used the same affected third-party vendor to process credit card payments
> Impacted 20 of 158 Goodwill member locations

- Krebs on Security

Page 9: Anthem - Data Breach

Page 10: Anthem - Data Breach

In January 2015, Anthem Health suffered a data breach exposing patient and employee names, DOB, Social Security numbers, emails, employment info, and income data.

> Anthem did not encrypt their data
> Anthem exhausted their $100 million cybersecurity insurance policy from the customer notifications alone (ZDNet: Technology News)
> The cost to Anthem well exceeded this amount
> Data breaches cost the healthcare industry as a whole about $5.6 billion annually (Forbes)

Page 11: JPMorgan Chase - Data Breach

Page 12: JPMorgan Chase - Data Breach

In July 2014, JPMorgan Chase fell victim to a cyberattack that compromised customer usernames, addresses, phone numbers, and email addresses.

> Protection Group International estimated the cost of the breach at $1 billion
> 76 million households and 7 million small businesses were exposed to the hack
> JPMorgan Chase invests $250 million in cyber security a year

Page 13: E-mail Phishing Advisory

Phishing is the attempt to gather sensitive information (such as usernames, passwords and credit card information) using a fake request via electronic communication (i.e., a website, e-mail, etc.) that appears to originate from a trustworthy entity.

> The NYS Information Technology Services (ITS) Cyber Security Operations Center (CSOC) has been notified of an active phishing email threat targeting government agencies and has received reports of a well-crafted phishing email circulating in the past two weeks at several US universities. The email notifies employees that their electronic W-2s are available and encourages them to click to log in and view/print their W-2s. The link takes them to a landing page which has been made to look like the organization's Human Resources site.
> Those who fall victim to the phishing email may have their personal information compromised, including login, password, tax information, bank account information, personal contact information and benefit information.

Page 14: E-mail Phishing Advisory

Measures to prevent E-Mail Phishing

> Do not reply to e-mails with any personal information or passwords, and do not click a link in an unsolicited e-mail message. If you have reason to believe the request is real, call the institution or company directly to confirm.
> Avoid using the same password for your work computer login, bank accounts, Facebook, etc. In the event you do fall victim to a phishing attempt, the thieves will try the compromised password in as many places as they can.
> If you suspect any account you have access to may be compromised, change ALL of your passwords.
> Be equally cautious when reading email on your phone. It may be easier to miss telltale signs of phishing attempts when reading the email on a smaller screen.
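The W-2 lure in the advisory works because the link's destination is not where its visible text suggests. The following is an added example (not from the Baker Tilly deck) of a mail-gateway style check that parses the links in a constructed copy of such a message and flags hosts outside the organization's domain, hosts that imitate the organization's name, and link text that names a different host than the link actually goes to; the organization domain example.edu, every host in the sample, and the heuristics themselves are assumptions.

```python
"""Flag links in an inbound e-mail that point away from the organization.

Added example, not part of the Baker Tilly deck. The sample message below is
constructed to resemble the W-2 lure described in the advisory; the
organization domain (example.edu), all hosts and the heuristics are
hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.edu"   # hypothetical organization domain

# Constructed sample e-mail body, modelled on the W-2 lure in the advisory.
SAMPLE_EMAIL_HTML = """
<p>Your 2015 electronic W-2 is now available.</p>
<p>Please <a href="http://example-edu-hr.example.net/login">log in to the
HR portal</a> to view or print it.</p>
<p>Questions? Visit <a href="https://hr.example.edu/help">hr.example.edu/help</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from anchor tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())   # normalise whitespace
            self.links.append((self._href, text))
            self._href = None


def host_of(url):
    """Return the lowercase host of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def belongs_to_org(host, org_domain=ORG_DOMAIN):
    """True only if host is the organization domain or a subdomain of it."""
    return host == org_domain or host.endswith("." + org_domain)


def host_in_text(text):
    """If the visible link text looks like a URL or bare hostname, return its host."""
    candidate = text if "://" in text else "http://" + text
    host = host_of(candidate)
    return host if "." in host and " " not in text else ""


def assess_link(href, text, org_domain=ORG_DOMAIN):
    """Return the reasons a link deserves a second look (empty list if none)."""
    reasons = []
    host = host_of(href)
    if not belongs_to_org(host, org_domain):
        reasons.append("external host: " + host)
        # Lookalike heuristic: the org domain, with separators removed, embedded
        # in a host that is not the org's (e.g. example-edu-hr.example.net).
        org_key = org_domain.replace(".", "").replace("-", "")
        if org_key in host.replace(".", "").replace("-", ""):
            reasons.append("host imitates organization name")
    text_host = host_in_text(text)
    if text_host and text_host != host:
        reasons.append("visible text names %s but link goes to %s" % (text_host, host))
    if urlparse(href).scheme == "http" and any(
        k in href.lower() for k in ("login", "signin", "w-2", "w2")
    ):
        reasons.append("credential or tax page over plain http")
    return reasons


def flag_links(html, org_domain=ORG_DOMAIN):
    """Parse an HTML body and return [(href, reasons)] for each suspicious link."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons = assess_link(href, text, org_domain)
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in flag_links(SAMPLE_EMAIL_HTML):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed message, only the lure link is flagged (external host, lookalike name, credential page over plain http); the genuine hr.example.edu link passes.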

Page 15: IRS - Phishing Hack

Page 16: IRS - Phishing Hack

Taxpayers often fall victim to criminals perpetrating phishing schemes. Callers contact individuals via phone or email and demand tax information and immediate payment.

> The phishers appear legitimate by using personal information like taxpayers' names and addresses
> They also utilize false badge numbers and IRS titles
> 2016 has seen a 400% increase in phishing schemes
> Since October 2013, there have been 896 thousand phishing scam reports
> 5,000 victims have paid a total of $26.5 million

- Fortune Magazine

Page 17: Home Depot - Phishing Hack

Page 18: Home Depot - Phishing Hack

In November 2014, hackers used a vendor's stolen log-in credentials to perpetrate a massive hack on Home Depot. The breach allowed the criminals to gain access to 53 million email addresses as well as millions of credit card records.

> Customers were alerted to look out for phishing scammers
> The false emails attempted to lure customers into revealing personal data by "signing up" for exclusive savings
> The breach cost the company $62 million

- SC Magazine

Page 19: Cybersecurity risk landscape overview

Page 20: Changing cyber risk landscape

Past: Mostly physical assets (plants, equipment) - relatively few digitized assets.
Present: Highly digitized asset base (IP, financial, PII), mobile and cloud technologies.
Implications: Strong cybersecurity controls and processes are required to protect these assets.

Past: Simple, unsophisticated attacks (e.g., web site defacement intended to embarrass).
Present: Advanced Persistent Threats (APTs) involve a high degree of complexity and sophistication; hacker "gangs" steal IP and other assets for financial gain, sometimes using ransom to hold the data "hostage".
Implications: Company must have adequate resources and capabilities to protect the IT environment; may even require obtaining third-party assistance or using a Managed Security Services (MSS) provider. May require working closely with law enforcement.

Past: IT budgeted hardware and software expenditures; managed deployment and use.
Present: Ability of IT to manage alone may be insufficient; budgets increasing.
Implications: Budget for cybersecurity should be rolled up at an enterprise level, not necessarily tied to one dept.

Past: Relatively insulated, self-contained IT environment with limited complexity. Application support provided in-house with limited use of 3rd parties for hosting and cloud services.
Present: Cybersecurity needs to be managed in the context of an extended "digital ecosystem" involving outside stakeholders and 3rd parties/vendors.
Implications: Cybersecurity must be managed as an enterprise-wide risk, not just an IT issue.

Past: Limited use of mobile data access. IT provided a restricted list of mobile device choices which provided robust security support.
Present: Mobile user access to applications containing personal/financial data and use of Bring Your Own Device is nearly commonplace.
Implications: More challenging for IT to assure security of "end point" devices.

Page 21: What is cybersecurity risk?

> For most organizations, value resides in their data and systems
> A sophisticated community of hacktivists, cyber criminals, organized crime syndicates, and foreign governments wants to cause competitive harm or profit by exploiting technical and social vulnerabilities of information assets
> This combination leads to a high likelihood of data breaches

Page 22: Data at Rest vs. Data in Motion

> Data at Rest – data in computer storage
> Data in Motion – data traversing the network
> Encryption – scrambling the contents of a file to increase security. The contents can only be read by an individual with the encryption key.

Page 23: Types of Data Breaches

Hackers come in different stripes and perpetrate data breaches for a variety of goals. The following are some of the more common hacks:

> Denial of Service (DoS)
> Website Defamation
> Ransomware
> Data Theft

Page 24: Types of Data Breaches - Denial of Service

A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users.

> Buffer Overflow Attacks – overwhelm a network address with traffic
> Teardrop Attack – attacker's IP crashes the system by placing a confusing offset value in a packet fragment
> Smurf Attack – flood the host network with IP pings

Page 25: Types of Data Breaches - Website Defamation

> In 2013, the hacking group Anonymous hacked the website of the US Sentencing Commission to avenge the death of internet activist Aaron Swartz, reported RYOT
> The group posted a warning that "a line was crossed"
> Swartz allegedly committed suicide after being investigated by federal prosecutors

Page 26: Types of Data Breaches - Data Theft

> Hackers utilize "Man in the Browser" (MITB) attacks to steal sensitive information from websites
> The victim's website is infected with malware that monitors activity
> When a sensitive site is visited, the malware pounces and gathers the relevant data

Page 27: Types of Data Breaches - Ransomware

> Ransomware gains access to a computer either via an email attachment or a malicious website
> The malware then automatically encrypts files and issues an electronic ransom note
> Typically, payment is demanded in the form of the cryptocurrency Bitcoin

Page 28: Impacts of data breaches

> Negative publicity
> Regulatory sanctions
> Refusal to share personal information
> Damage to brand
> Regulator scrutiny
> Legal liability
> Fines
> Damaged customer relationships
> Damaged employee relationships
> Deceptive or unfair trade charges

Page 29: Cyber Risk Governance

Page 30: What to do now - Five Principles

Source: National Association of Corporate Directors

I. Understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
II. Understand the legal implications of cyber risks as they relate to their organization's specific circumstances.
III. Gain adequate access to cybersecurity expertise, and discussions about cyber risk management should be given regular and adequate time.
IV. Management will establish an enterprise-wide cyber risk management framework with adequate staffing and budget.
V. Discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.

Page 31: Principle I

Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.

Issue: Is often seen as an IT issue requiring little involvement from business stakeholders.
Risk: Lacks alignment with strategic business and cross-departmental initiatives.
Recommendation: Require active participation across the enterprise.

Issue: IT may lack visibility into risks from business activities (e.g. M&A, social media, breaches from 3rd party cloud and Business Process Outsourcing providers, customers).
Risk: May raise the company's cybersecurity risk profile; breaches may be difficult to address or even go undetected.
Recommendation: Involve the Chief Information Security Officer (CISO) in new initiatives that may raise the cyber risk profile.

Page 32: Principle I - Board Questions for Management

> Is management focused on making cyber-risk part of everyone's job, not just IT? Is there a formal cyber awareness program in place?
> Does the organization have an enterprise-wide cyber-risk management team? Has the organization's risk appetite been established?
> How does the organization ensure that the CISO is involved in assessing new, high-risk business initiatives?
> In an M&A context, what is the level of cyber due diligence done on an acquisition target? How is this information used?
> Has the organization performed an analysis of the "cyber-robustness" of the organization's products and services to analyze potential vulnerabilities that could be exploited by hackers?

Page 33: Principle II

Directors should understand the legal implications of cyber risks as they relate to their company's specific circumstances.

Issue: Contractual obligations to customers (e.g. compliance, breach notification requirements) may not be identified and monitored over time.
Risk: Lack of awareness of specific contractual obligations to protect data.
Recommendation: Perform an enterprise-wide contract review to ensure that cyber-related contract obligations are well understood.

Issue: Lacks a comprehensive, risk-based vendor management program that includes all third-party relationships across the vendor lifecycle (from risk assessment through monitoring).
Risk: Use of vendors with poor cybersecurity controls may increase risk; inconsistent expectations around notification requirements may complicate timely resolution of data breaches.
Recommendation: Implement and maintain a comprehensive vendor management program.

Issue: Company may be unaware of Personal Identifiable Information (PII) held across the enterprise and corresponding legal requirements to protect it.
Risk: Insufficient understanding of the cyber risks posed by "overlooked" data.
Recommendation: Ensure that data is properly classified (confidential, internal use only, public) and that an enterprise-wide data inventory is completed. The inventory should reflect how data should be shared as well as the data "owner".

Page 34: Principle II - Board Questions for Management

> Has the organization conducted a review of legal contracts in place with vendors, stakeholders, etc. to determine cybersecurity and compliance commitments? Are new contracts reviewed for cyber-risk?
> Is there a comprehensive program to ensure that outsourced providers and contractors have cyber controls and policies in place and are clearly monitored? Do those policies align with the organization's expectations?
> Has a formal breach response plan been put in place? Is it practiced at least annually? Who is part of the response team?
> What is the organization's volume of cyber incidents on a weekly or monthly basis? What is the magnitude/severity of those incidents? What is the time taken and cost to respond to those incidents?

Page 35: Principle III

Boards should have adequate access to cybersecurity expertise, and discussions about cyber risk management should be given regular and adequate time on the board meeting agenda.

Issue: Directors lack regular interaction with a knowledgeable and independent Chief Information Security Officer (CISO) and/or third party that can brief them on the state of company cyber risks.
Risk: Directors may not have full awareness of the cyber risks faced by the company, nor of the internal obstacles that may hamper the effectiveness of addressing them.
Recommendation: Meet with the company CISO at least annually to:
1. Understand key issues from the CISO's perspective
2. Discuss the CISO's security strategy and current projects
3. Provide the CISO with an opportunity to identify any roadblocks (e.g. budget, political agendas)
4. Understand activities around data breaches within the company's industry and how such knowledge is applied to the company
5. Ensure that relevant management metrics are reviewed regularly on an entity level

Page 36: Principle III - Board Questions for Management

> Where do business operations and the IT team disagree on cybersecurity? How is this disagreement resolved?
> Are the audit committee and full board briefed regularly on cyber-risk?
> Given the sheer complexity and magnitude of many cyber security issues, should the Board hire its own "cyber advisers" to consult on cyber security issues, and to be available to ask questions of the organization's senior management, CTOs, and CIOs?

Page 37: Principle IV

Directors should set the expectation that management will establish an enterprise-wide cyber risk management framework with adequate staffing and budget.

Issue: Lacks comprehensive cybersecurity risk management framework; audit committee lacks ability to track relevant metrics over time.
Risk: Unable to identify changes in the company's cyber risk profile.
Recommendation: Establish comprehensive risk management framework (e.g. NIST) and appropriate metrics.

Issue: Lack of regular, independent assessment of current cybersecurity environment against framework.
Risk: Weaknesses in current cybersecurity environment may be missed or overlooked.
Recommendation: Annual review by Internal Audit or outside consultants.

Page 38: Principle IV - Board Questions for Management

> Does the organization have a systematic framework, such as the NIST Framework, in place to address cybersecurity and assure adequate cyber hygiene?
> Are policies currently mapped to the framework?
> Does the organization have the right gauges to measure the success of its cybersecurity risk management program?
> What are the critical assets that must be protected?
> Does the organization work with law enforcement and appropriate government agencies to monitor cyber-threats industry-wide?

Page 39: Principle V

Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.

Issue: Breaches may expose the company to fines, penalties, consumer credit monitoring, legal/consulting assistance and other costs.
Risk: Financial.
Recommendation: Regularly review the company's cyber liability insurance coverage to determine whether coverage is appropriate.

Page 40: Principle V – Board Questions for Management

> When was the organization's cyber liability insurance coverage last reviewed, who reviewed it and what were the results of the review (e.g., deductibles and amount and coverage)?
> How does the organization determine which cyber-risks to avoid, accept, mitigate or transfer?
> How frequently are these decisions discussed with the board?

Page 41: Implement controls and breach response

Page 42: Action: implementing cybersecurity controls

1. Conduct risk assessment
2. Categorize information & applications
3. Select and implement security controls
4. Test security controls for vulnerabilities
5. Remediate vulnerabilities
6. Monitor security controls continually

Page 43: Ongoing Monitoring

Ongoing monitoring means that someone, either in house or through a managed service, is watching over your security environment. This can take many forms:

> Log based monitoring is the easiest and most common, as these systems leverage the output of your current security estate; however, this method is subject to the device manufacturers' interpretation of how a digital environment should operate.
> SOC services for ongoing monitoring are the next step up, as these are security professionals looking over your environment for you. These are predominantly log based, and the same rules as above apply.
> The best way to ensure security is through ongoing monitoring using a Full Packet Capture based system. These systems pull the raw data off of the network, store it, and run analytics against it. The data cannot be skewed, and the data is not open to the interpretation of the manufacturer. These systems give you near immediate visibility into your environment. Also, in the event of a breach, these systems can aid a forensic examiner in identifying pertinent evidence.
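As an added example (not part of the deck), here is the log based approach described above applied to a constructed set of VPN and firewall log lines: it correlates authentication failures, the source network and time of a third-party vendor's logon, and which internal segment that account then reaches, the pattern behind the Target intrusion described earlier in the deck. The log format, the "vendor-" account naming convention, the address ranges, the maintenance window and the thresholds are all assumptions.

```python
"""Correlate vendor-account events across constructed VPN and firewall logs.

Added example, not part of the Baker Tilly deck. The log format, account
naming convention, networks, maintenance window and thresholds are all
hypothetical; the scenario (a third-party vendor credential used to reach a
restricted network segment) mirrors the Target case described in the deck.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

VENDOR_PREFIX = "vendor-"                              # account naming convention
VENDOR_ALLOWED_SRC = [ip_network("198.51.100.0/24")]   # vendor's known egress range
RESTRICTED_SEGMENTS = [ip_network("10.50.0.0/16")]     # e.g. payment / POS network
MAINTENANCE_HOURS = range(8, 18)                       # UTC hours a vendor may log in
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=10)

# Constructed sample log lines (syslog-style key=value fields, UTC timestamps).
SAMPLE_LOGS = """\
2016-04-28T10:02:11Z vpn01 auth user=vendor-hvac src=198.51.100.20 result=OK
2016-04-28T10:05:40Z fw01 conn user=vendor-hvac dst=10.20.3.8 port=443 action=ALLOW
2016-04-29T02:10:03Z vpn01 auth user=vendor-hvac src=203.0.113.45 result=FAIL
2016-04-29T02:10:41Z vpn01 auth user=vendor-hvac src=203.0.113.45 result=FAIL
2016-04-29T02:11:15Z vpn01 auth user=vendor-hvac src=203.0.113.45 result=FAIL
2016-04-29T02:12:02Z vpn01 auth user=vendor-hvac src=203.0.113.45 result=OK
2016-04-29T02:14:37Z fw01 conn user=vendor-hvac dst=10.50.7.12 port=445 action=ALLOW
2016-04-29T09:30:00Z vpn01 auth user=jdoe src=203.0.113.9 result=OK
"""


def parse_line(line):
    """Turn one log line into a dict: ts, host, kind, plus the key=value fields."""
    ts, host, kind, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host, "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def in_any(addr, networks):
    """True if the address falls inside any of the given networks."""
    return any(ip_address(addr) in net for net in networks)


def correlate(log_text):
    """Return a list of (timestamp, user, rule) alerts, in log order."""
    alerts = []
    recent_failures = {}   # user -> timestamps of recent failed logons
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev.get("user", "")
        is_vendor = user.startswith(VENDOR_PREFIX)
        if ev["kind"] == "auth":
            # Keep only failures still inside the correlation window.
            fails = [t for t in recent_failures.get(user, []) if ev["ts"] - t <= FAIL_WINDOW]
            if ev["result"] == "FAIL":
                fails.append(ev["ts"])
            else:
                if len(fails) >= FAIL_THRESHOLD:
                    alerts.append((ev["ts"], user, "success after %d failures" % len(fails)))
                if is_vendor and not in_any(ev["src"], VENDOR_ALLOWED_SRC):
                    alerts.append((ev["ts"], user, "vendor login from unexpected source " + ev["src"]))
                if is_vendor and ev["ts"].hour not in MAINTENANCE_HOURS:
                    alerts.append((ev["ts"], user, "vendor login outside maintenance window"))
                fails = []   # a success closes the failure streak
            recent_failures[user] = fails
        elif ev["kind"] == "conn" and is_vendor and ev["action"] == "ALLOW":
            if in_any(ev["dst"], RESTRICTED_SEGMENTS):
                alerts.append((ev["ts"], user, "vendor account reached restricted host " + ev["dst"]))
    return alerts


if __name__ == "__main__":
    for ts, user, rule in correlate(SAMPLE_LOGS):
        print(ts.isoformat(), user, rule)
```

On the sample, the 28 April session raises nothing, while the 29 April session raises four alerts: three failures followed by a success, a logon from outside the vendor's range, a logon outside the maintenance window, and a connection into the restricted segment.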

Page 44: Why is cybersecurity incident/breach response important?

Frequency: Breaches are happening more frequently.
Media attention: 2015 was a record year for breaches in the press/media.
Requirements: Regulations require incident/breach response plans.
Damage: Inappropriate or inadequate response can lead to reputational and financial damage.

Page 45: Why is cybersecurity incident/breach response important?

> According to Symantec, 60% of all targeted attacks in 2014 affected small and medium size organizations.
> It is estimated that 25% of all mobile devices encounter a threat each month (Source: Skycure Mobile Threat Defense).
> As one example, from September 2013 through May 2014, a viral program known as CryptoLocker affected thousands of computers, before the spread was stopped by the US Department of Justice, the FBI, Interpol and security software vendors. During this time, the program would infect a computer, encrypt files on the local machine and on network drives (making them inaccessible to the user), and display a prompt for an online payment of as much as $400 within 72 hours in order for the files to be unlocked. The operators of this scheme are believed to have extorted around $3 million. It is estimated that as many as 3% of users who were infected chose to pay. Many others had unaffected offline backups in place, and used these backups to recover the lost data. The use of offline backups for data recovery is an important response tool when cybersecurity threats impact data and daily operations.

Page 46: What is a cybersecurity incident/breach response plan?

"Capability to effectively manage unexpected disruptive events with the objective of minimizing impacts and maintaining or restoring normal operations within defined time limits"

– ISACA (formerly known as Information Systems Audit and Control Association)

Page 47: What goes into a cybersecurity incident/breach response?

Cybersecurity incident/breach response plan:
> Laws, regulations
> IT Risk framework
> Data and system inventory

Page 48: What should a cybersecurity incident/breach response plan accomplish?

> Preparation
> Detection and Analysis
> Containment, Eradication, and Recovery
> Post-Incident Activity

Page 49: Breach Response - Digital Forensics & Forensic Analysis

SCENARIOS: When to call a digital forensic expert…
• Employee suddenly departs from an organization (especially on less than positive terms)
• Employee leaves to join a competitor and there is a concern that trade secrets or other intellectual property may have been stolen
• Suspicion of vendor / employee collusion
• Suspicion of employee conflict of interest
• Suspicion that an employee is creating fictitious invoices and submitting them for reimbursement

SERVICES: Our digital forensic experts provide…
• Forensically acquiring and analyzing digital devices such as computers, iPads, and smartphones
• Tracing internet activity
• Identifying a timeline of user activity
• Identifying files copied to external devices such as USB drives

Page 50: Quote

> "I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again."

- Robert S. Mueller (Director of the FBI)

Page 51: Key cybersecurity program element #1

Cyber Risk Assessment

> Understand all information systems at a granular level
> Figure out what assets really matter (crown jewels)
> Translate and align to business objectives and priorities
> A clear definition of risk tolerance levels is required
> The assessment must be unique to the organization and its industry
> The process must be iterative and dynamic to adapt to constant change
> Standard frameworks improve effectiveness (e.g., NIST, COSO)

Page 52: Key cybersecurity program element #2

Cybersecurity Countermeasures

> Policies and procedures must be documented
> Layered security is critical (Multiple Lines of Defense)
> Use a combination of preventative and detective controls (IT and Business Controls)
> Support with cyber-focused standards (e.g., ISO, COBIT, NIST)
> Event correlation is becoming increasingly important
> Ongoing assessment is critical to keep pace with change
> Ultimately, controls must be deployed that are commensurate with the value of the assets you are trying to protect

Page 53: Key cybersecurity program element #3

Training and Communication

> Reaching beyond the boundaries of the organization is critical
> Embed security within key business processes
> IT topics must be translated into meaningful information (Common language)
> Involve everyone - Education and building consensus is critical among all stakeholders.
> Train continually, and look for active learning scenarios
> Leadership must establish the tone at the top

Page 54: Board Questions for Management

> What do we consider our most valuable assets (e.g., data)? How does our IT system interact with those assets? Do we believe we can fully protect those assets?
> Do we think there is adequate protection in place if someone wanted to get at or damage our corporate "crown jewels"? If not, what would it take to feel comfortable that our assets were protected?
> Are we investing enough so that our corporate operating and network systems are not easy targets for a determined hacker?

Page 55: Questions for the Board to consider:

− What training do employees receive regarding privacy and security?
− What are the organization's cybersecurity policies and procedures?
− What is the organization doing to test and update its incident response plan?
− What is the organization doing to monitor and address cybersecurity legal, regulatory and industry developments?
− What is being communicated to the Board about developments and addressing them?

Page 56: Questions for the Board to consider:

− What are the criteria for an incident to be communicated to the Board (e.g., type and amount of information at issue, legal, regulatory and industry requirements and practices, financial amount at issue, etc.)?

Decision point: the Board needs to define what constitutes an incident that is reportable to the Board

− What are the channels and means of communication for reporting an incident to the Board? What and how much information about an incident is reported?
− What are timing and other considerations regarding reporting (e.g., incident is disclosed first by the media, law enforcement is involved, etc.)?

Page 57: Questions for the Board to consider:

− Actions the organization takes (e.g., whether notification is made and basis for making or not making notification)
− Actions other parties take (e.g., other parties involved in or affected by incident, litigants, regulators, law enforcement, insurers, media, service providers, etc.)
− Whether to request additional information about incident
− Impact of incident on the organization and consequences (e.g., legal, business, financial, public relations, etc.)
− Determinations or actions for the Board to take

Page 58: Questions for the Board to consider:

− Is there a defined process for determining whether, how and when notification regarding an incident needs to be made?
− Who is involved in making this decision?
− Which parties are notified (e.g., affected parties, regulators, insurers, media, credit reporting agencies, etc.)?
− What are possible consequences of making notification (e.g., litigation, regulator enforcement, notifications become public, media attention, financial, etc.)?
− What are risks in not making notification (e.g., litigation, regulator enforcement, violation of law or guidance or where required by policy or contract, reasons for making or not making notification, etc.)?

Page 59: Questions for the Board to consider:

− Has a reserve been established for incidents? If yes, when was this reserve established and what is the amount of the reserve?
− When was the organization's cyber liability insurance coverage last reviewed, who reviewed it and what were the results of the review (e.g., deductibles and amount and coverage)?
− Should directors' and officers' liability insurance coverage be reviewed regarding cybersecurity and data breaches?
− Do any developments regarding the organization (e.g., acquisitions) or impacting the organization (e.g., legal, regulatory, litigation, business, insurance, etc.) warrant a review of the reserve and insurance coverage?

Page 60: Questions?

Page 61: Contact Information

Brian Sanvidge, CIG, CFE
Principal, National Forensic Litigation and Valuation Services
(212) 792-4836

Patrick Yu, CPA
Not-For-Profit Assurance Service Partner
(212) 792-4802