Baker Tilly refers to Baker Tilly Virchow Krause, LLP,
an independently owned and managed member of Baker Tilly International.
29th Annual FMA Conference
Wednesday, May 4, 2016 - Friday, May 6, 2016
Emerging Trends in Cybersecurity
Brian Sanvidge / Baker Tilly Virchow Krause LLP
Patrick Yu / Baker Tilly Virchow Krause LLP
1
Agenda
> Introduction
> Organizational Data Breach Examples and Advisory
> Cybersecurity Risk Landscape Overview
> Cyber Risk Governance
> Implement Controls and Breach Response
2
Objectives of this presentation
> Raise awareness of the emerging trends in cybersecurity, such as
the threats and the potential cost that a breach could have on your
organization
> Establish an understanding of what your organization and board
can do to reduce the likelihood and impact of a breach
> Identify key characteristics and aspects within an incident/breach
response plan and how this plan will reduce the impact of the
unfortunate event
3
Organizational data breach examples and
advisory
4
Target Stores - Data Breach
5
Target Stores - Data Breach
In November 2013 Target Corporation announced that data from
around 40 million credit and debit cards was stolen. It is the second
largest credit and debit card breach in history.
> Engaged a third-party forensic expert to conduct an extensive investigation
> The initial intrusion into Target store networks was possible thanks to
network passwords stolen from an air conditioning and heating contractor
based in Pennsylvania, Fazio Mechanical Services.
> Target agreed to reimburse thousands of financial institutions as much as
$67 million
> The data breach cost Target $252 million in total
> Target also spent $100 million shoring up digital security
> Sales fell by 46% in the Fourth Quarter of 2013
6
Goodwill - Data Breach
7
Goodwill - Data breach
In July 2014 Goodwill Industries fell victim to a breach that led to the
theft of customer credit and debit card data. The stolen data comprised
868,000 credit cards (names, card numbers, and expiration dates)
from 330 store locations across 20 states.
> Engaged a third-party forensic expert to conduct an extensive investigation
> The third-party vendor’s systems were attacked by malware, enabling criminals
to access some payment card data of a number of the vendor’s customers
> The impacted Goodwill members used the same affected third-party vendor
to process credit card payments
> Impacted 20 of 158 Goodwill member locations
- Krebs on Security
8
Anthem - Data Breach
9
Anthem - Data Breach
In January 2015, Anthem Health suffered a data breach
exposing patient and employee names, DOB, Social
Security numbers, emails, employment info, and income
data.
> Anthem did not encrypt their data
> Anthem exhausted their $100 million cybersecurity
insurance policy from the customer notifications alone
(ZDNet: Technology News)
> The cost to Anthem well exceeded this amount
> Data breaches cost the healthcare industry as a whole
about $5.6 billion annually (Forbes)
10
JPMorgan Chase - Data Breach
11
JPMorgan Chase - Data Breach
In July 2014, JPMorgan Chase fell victim to a
cyberattack that compromised customer
usernames, addresses, phone numbers, and
email addresses
> Protection Group International estimated the
cost of the breach at $1 billion
> 76 million households and 7 million small
businesses were exposed to the hack
> JPMorgan Chase invests $250 million in cyber
security a year
12
E-mail Phishing Advisory
Phishing is the attempt to gather sensitive information (such as
usernames, passwords and credit card information) using a fake
request via electronic communication (i.e., a website, e-mail, etc.) that
appears to originate from a trustworthy entity.
> The NYS Information Technology Services (ITS) Cyber Security Operations
Center (CSOC) has been notified of an active phishing email threat
targeting government agencies and has received reports of a well-crafted
phishing email circulating in the past two weeks at several US universities.
The email notifies employees that their electronic W-2s are available and
encourages them to click to log in and view/print their W-2s. The link takes
them to a landing page which has been made to look like the organization’s
Human Resources site.
> Those who fall victim to the phishing email may have their personal
information compromised, including login, password, tax information, bank
account information, personal contact information and benefit information.
13
E-mail Phishing Advisory
Measures to prevent E-Mail Phishing
> Do not reply to e-mails with any personal information or passwords, and do
not click a link in an unsolicited e-mail message. If you have reason to
believe the request is real, call the institution or company directly to confirm.
> Avoid using the same password for your work computer login, bank
accounts, Facebook, etc. In the event you do fall victim to a phishing
attempt, the thieves will try the compromised password in as many places
as they can.
> If you suspect any account you have access to may be compromised,
change ALL of your passwords.
> Be equally cautious when reading email on your phone. It may be easier to
miss telltale signs of phishing attempts when reading the email on a smaller
screen.
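As an added example (not part of the presentation), the following Python script applies two checks that follow from the W-2 advisory above to a constructed lure: it pulls every link out of an e-mail body, flags links whose visible text shows one host while the href goes somewhere else, and flags W-2/log-in/HR wording that points outside the organization's own domains. The domain example-university.edu, the look-alike host and both sample messages are assumptions constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical organisation domains (assumption for this demo); a real
# deployment would load these from configuration.
TRUSTED_DOMAINS = {"example-university.edu"}

# Wording the advisory says the lure relies on to get the reader to click.
LURE_WORDS = ("w-2", "w2", "login", "log in", "sign in", "human resources")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL ('' if it has none)."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    """True if host is one of the trusted domains or a subdomain of one.

    The suffix check includes the leading dot so that a look-alike such as
    evil-example-university.edu is not accepted.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def suspicious_links(raw_html):
    """Return [(href, reason)] for links that look like credential lures.

    Two signals are checked for each link:
      * the visible text is itself a URL whose host differs from the real
        destination (display-text spoofing);
      * the destination is outside the trusted domains while the message or
        the link text uses W-2 / log-in / HR wording.
    """
    parser = _LinkExtractor()
    parser.feed(raw_html)
    body_lower = re.sub(r"<[^>]+>", " ", raw_html).lower()
    lure_in_body = any(w in body_lower for w in LURE_WORDS)
    findings = []
    for href, text in parser.links:
        dest = host_of(href)
        shown = host_of(text) if "://" in text else ""
        lure_in_text = any(w in text.lower() for w in LURE_WORDS)
        if shown and shown != dest:
            findings.append((href, f"link text shows {shown} but goes to {dest}"))
        elif not is_trusted(dest) and (lure_in_body or lure_in_text):
            findings.append((href, f"W-2/login lure pointing off-domain to {dest}"))
    return findings


# Constructed sample in the shape the advisory describes: an "HR" notice
# whose link leads to a look-alike page on a domain the organisation
# does not own (example-university-hr.example.net is made up).
SAMPLE_PHISH = """
<p>Dear employee,</p>
<p>Your electronic W-2 is now available. Please
<a href="http://example-university-hr.example.net/w2/login">log in to view/print your W-2</a>.</p>
<p>Human Resources</p>
"""

# Constructed benign notice: same wording, but the link stays on the
# organisation's own HR host and the visible URL matches the destination.
SAMPLE_LEGIT = """
<p>Your W-2 is available on the HR portal:
<a href="https://hr.example-university.edu/w2">https://hr.example-university.edu/w2</a></p>
"""

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, suspicious_links(msg) or "no findings")
```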
14
IRS - Phishing Hack
15
IRS - Phishing Hack
Taxpayers often fall victim to criminals perpetrating
phishing schemes. Callers contact individuals via phone or
email and demand tax information and immediate
payment.
> The Phishers appear legitimate by using personal
information like taxpayers’ names and addresses
> They also utilize false badge numbers and IRS titles
> 2016 has seen a 400% increase in phishing schemes
> Since October 2013, there have been 896 thousand
phishing scam reports
> 5,000 victims have paid a total of $26.5 million
− Fortune Magazine
16
Home Depot - Phishing Hack
17
Home Depot - Phishing Hack
In November 2014, hackers used a vendor’s stolen log-in
credentials to perpetrate a massive hack on Home Depot.
The breach allowed the criminals to gain access to 53
million email addresses as well as millions of credit card
records.
> Customers were alerted to look out for phishing
scammers
> The false emails attempted to lure customers into
revealing personal data by “signing up” for exclusive
savings
> The breach cost the company $62 million
− SC Magazine
18
Cybersecurity risk landscape overview
19
Changing cyber risk landscape
Past: Mostly physical assets (plants, equipment) - relatively few digitized assets.
Present: Highly digitized asset base (IP, financial, PII), mobile and cloud technologies.
Implications: Strong cybersecurity controls and processes are required to protect these assets.

Past: Simple, unsophisticated attacks (e.g., web site defacement intended to embarrass).
Present: Advanced Persistent Threats (APTs) involve a high degree of complexity and sophistication; hacker “gangs” steal IP and other assets for financial gain, sometimes using ransom to hold the data “hostage”.
Implications: Company must have adequate resources and capabilities to protect the IT environment; may require obtaining third-party assistance or even using a Managed Security Services (MSS) provider. May require working closely with law enforcement.

Past: IT budgeted hardware and software expenditures; managed deployment and use.
Present: Ability of IT to manage alone may be insufficient; budgets increasing.
Implications: Budget for cybersecurity should be rolled up at an enterprise level, not necessarily tied to one dept.

Past: Relatively insulated, self-contained IT environment with limited complexity. Application support provided in-house with limited use of 3rd parties for hosting and cloud services.
Present: Cybersecurity needs to be managed in the context of an extended “digital ecosystem” involving outside stakeholders and 3rd parties/vendors.
Implications: Cybersecurity must be managed as an enterprise-wide risk, not just an IT issue.

Past: Limited use of mobile data access. IT provided a restricted list of mobile device choices which provided robust security support.
Present: Mobile user access to applications containing personal/financial data and use of Bring Your Own Device is nearly commonplace.
Implications: More challenging for IT to assure security of “end point” devices.
20
What is cybersecurity risk?
> For most organizations, value resides in their data and systems
> A sophisticated community of hacktivists, cyber criminals, organized crime
syndicates, and foreign governments wants to cause competitive harm or
profit by exploiting technical and social vulnerabilities of information assets
> This combination leads to a high-likelihood of data breaches
21
Data at Rest vs. Data in Motion
> Data at Rest – data in computer storage
> Data in Motion – data moving across the network
> Encryption – scrambling the contents of a file to
increase security. The contents can only be
read by an individual with the encryption key.
22
Types of Data Breaches
Hackers come in different stripes and perpetrate
data breaches for a variety of goals. The following
are some of the more common hacks:
> Denial of Service (DoS)
> Website Defacement
> Ransomware
> Data Theft
23
Types of Data Breaches -
Denial of Service
A denial-of-service (DoS) attack is an attempt to
make a machine or network resource unavailable
to its intended users
> Buffer Overflow Attacks – overwhelm a network
address with traffic
> Teardrop Attack – attacker’s IP crashes the
system by placing a confusing offset value in a
packet fragment
> Smurf Attack – flood the host network with IP
pings
24
Types of Data Breaches -
Website Defacement
> In 2013, the hacking group Anonymous hacked the
website of the US Sentencing Commission to avenge
the death of internet activist Aaron Swartz, reported
RYOT
> The group posted a warning that “a line was crossed”
> Swartz allegedly committed suicide after being
investigated by federal prosecutors
25
Types of Data Breaches -
Data Theft
> Hackers utilize “Man in the Browser” (MITB)
attacks to steal sensitive information from
websites
> The victim’s website is infected with malware
that monitors activity
> When a sensitive site is visited, the malware
pounces and gathers the relevant data
26
Types of Data Breaches -
Ransomware
> Ransomware gains access to a computer either
via an email attachment or a malicious website
> The malware then automatically encrypts files
and issues an electronic ransom note
> Typically, payment is demanded in the form of the
cryptocurrency Bitcoin
27
Impacts of data breaches
> Negative publicity
> Regulatory sanctions
> Refusal to share personal information
> Damage to brand
> Regulator scrutiny
> Legal liability
> Fines
> Damaged customer relationships
> Damaged employee relationships
> Deceptive or unfair trade charges
28
Cyber Risk Governance
29
What to do now - Five Principles
Source: National Association of Corporate Directors
I. Understand and approach cybersecurity as an enterprise-wide risk
management issue, not just an IT issue.
II. Understand the legal implications of cyber risks as they relate to
their organization’s specific circumstances.
III. Gain adequate access to cybersecurity expertise, and discussions
about cyber risk management should be given regular and adequate
time.
IV. Management will establish an enterprise-wide cyber risk
management framework with adequate staffing and budget.
V. Discussion of cyber risk should include identification of which risks
to avoid, accept, mitigate or transfer through insurance, as well as
specific plans associated with each approach.
30
Principle I
Issue: Is often seen as an IT issue requiring little involvement from business stakeholders.
Risk: Lacks alignment with strategic business and cross-departmental initiatives.
Recommendation: Require active participation across the enterprise.

Issue: IT may lack visibility into risks from business activities (e.g. M&A, social media, breaches from 3rd party cloud and Business Process Outsourcing providers, customers).
Risk: May raise the company’s cybersecurity risk profile; breaches may be difficult to address or even go undetected.
Recommendation: Involve the Chief Information Security Officer (CISO) in new initiatives that may raise the cyber risk profile.
Directors need to understand and approach cybersecurity as an
enterprise-wide risk management issue, not just an IT issue.
31
Principle I - Board Questions for Management
> Is management focused on making cyber-risk part of everyone’s
job, not just IT? Is there a formal cyber awareness program in
place?
> Does the organization have an enterprise-wide cyber-risk
management team? Has the organization’s risk appetite been
established?
> How does the organization ensure that the CISO is involved in
assessing new, high-risk business initiatives?
> In an M&A context, what is the level of cyber due diligence done on an
acquisition target? How is this information used?
> Has the organization performed an analysis of the “cyber-
robustness” of the organization’s products and services to analyze
potential vulnerabilities that could be exploited by hackers?
32
Principle II
Issue: Contractual obligations to customers (e.g. compliance, breach notification requirements) may not be identified and monitored over time.
Risk: Lack of awareness of specific contractual obligations to protect data.
Recommendation: Perform an enterprise-wide contract review to ensure that cyber-related contract obligations are well understood.

Issue: Lacks a comprehensive, risk-based vendor management program that includes all third-party relationships across the vendor lifecycle (from risk assessment through monitoring).
Risk: Use of vendors with poor cybersecurity controls may increase risk; inconsistent expectations around notification requirements may complicate timely resolution of data breaches.
Recommendation: Implement and maintain a comprehensive vendor management program.

Issue: Company may be unaware of Personally Identifiable Information (PII) held across the enterprise and corresponding legal requirements to protect it.
Risk: Insufficient understanding of the cyber risks posed by “overlooked” data.
Recommendation: Ensure that data is properly classified (confidential, internal use only, public) and that an enterprise-wide data inventory is completed. The inventory should reflect how data should be shared as well as the data “owner”.
Directors should understand the legal implications of cyber risks
as they relate to their company’s specific circumstances.
33
Principle II - Board Questions for Management
> Has the organization conducted a review of legal contracts in
place with vendors, stakeholders, etc. to determine cybersecurity
and compliance commitments? Are new contracts reviewed for
cyber-risk?
> Is there a comprehensive program to ensure that outsourced
providers and contractors have cyber controls and policies in
place and are clearly monitored? Do those policies align with the
organization’s expectations?
> Has a formal breach response plan been put in place? Is it
practiced at least annually? Who is part of the response team?
> What is the organization’s volume of cyber incidents on a weekly
or monthly basis? What is the magnitude/severity of those
incidents? What is the time taken and cost to respond to those
incidents?
34
Principle III
Issue: Directors lack regular interaction with a knowledgeable and independent Chief Information Security Officer (CISO) and/or third party that can brief them on the state of company cyber risks.
Risk: Directors may not have full awareness of cyber risks faced by the company, nor of internal obstacles that may hamper the effectiveness of addressing them.
Recommendation: Meet with the company CISO at least annually to:
1. Understand key issues from the CISO’s perspective
2. Discuss the CISO’s security strategy and current projects
3. Provide the CISO with an opportunity to identify any roadblocks (e.g. budget, political agendas)
4. Understand activities around data breaches within the company’s industry and how such knowledge is applied to the company
5. Ensure that relevant management metrics are reviewed regularly on an entity level
Boards should have adequate access to cybersecurity expertise, and
discussions about cyber risk management should be given regular and
adequate time on the board meeting agenda.
35
Principle III - Board Questions for Management
> Where do business operations and the IT team
disagree on cybersecurity? How is this disagreement
resolved?
> Are the audit committee and full board briefed regularly
on cyber-risk?
> Given the sheer complexity and magnitude of many
cyber security issues, should the Board hire its own
“cyber advisers” to consult on cyber security issues,
and to be available to ask questions of the
organization’s senior management, CTOs, and
CIOs?
36
Principle IV
Directors should set the expectation that management will establish an
enterprise-wide cyber risk management framework with adequate
staffing and budget.
Issue: Lacks comprehensive cybersecurity risk management framework; audit committee lacks ability to track relevant metrics over time.
Risk: Unable to identify changes in the company’s cyber risk profile.
Recommendation: Establish comprehensive risk management framework (e.g. NIST) and appropriate metrics.

Issue: Lack of regular, independent assessment of current cybersecurity environment against framework.
Risk: Weaknesses in current cybersecurity environment may be missed or overlooked.
Recommendation: Annual review by Internal Audit or outside consultants.
37
Principle IV - Board Questions for Management
> Does the organization have a systematic framework, such as
the NIST Framework, in place to address cybersecurity and
assure adequate cyber hygiene?
> Are policies currently mapped to the framework?
> Does the organization have the right gauges to measure the
success of its cybersecurity risk management program?
> What are the critical assets that must be protected?
> Does the organization work with law enforcement and
appropriate government agencies to monitor cyber-threats
industry-wide?
38
Principle V
Board-management discussion of cyber risk should include
identification of which risks to avoid, accept, mitigate or
transfer through insurance, as well as specific plans
associated with each approach.
Issue: Breaches may expose the company to fines, penalties, consumer credit monitoring, legal/consulting assistance and other costs.
Risk: Financial.
Recommendation: Regularly review the company’s cyber liability insurance coverage to determine whether coverage is appropriate.
39
Principle V – Board Questions for Management
> When was the organization’s cyber liability insurance
coverage last reviewed, who reviewed it and what were
results of review (e.g., deductibles and amount and
coverage)?
> How does the organization determine which cyber-risks to
avoid, accept, mitigate or transfer?
> How frequently are these decisions discussed with the
board?
40
Implement controls and breach response
41
Action: implementing cybersecurity controls
1. Conduct risk assessment
2. Categorize information & applications
3. Select and implement security controls
4. Test security controls for vulnerabilities
5. Remediate vulnerabilities
6. Monitor security controls continually
42
Ongoing Monitoring
Ongoing monitoring means that someone, either in house or at a managed
service, is watching over your security environment. This can take
many forms:
> Log based monitoring is the easiest and most common, as these systems leverage the
output of your current security estate; however, this method is subject to the
device manufacturers’ interpretation of how a digital environment should
operate.
> SOC services for ongoing monitoring are the next step up, as these are
security professionals looking over your environment for you. These are
predominantly log based, and the same caveat as above applies.
> The best way to ensure security is through ongoing monitoring using a Full
Packet Capture based system. These systems pull the raw data off of the
network, store it, and run analytics against it. The data cannot be skewed,
and the data is not open to the interpretation of the manufacturer. These
systems give you near immediate visibility into your environment. Also, in
the event of a breach, these systems can aid a forensic examiner in
identifying pertinent evidence.
43
Why is cybersecurity incident/breach
response important?
Frequency
Breaches are happening more frequently.
Media attention
2015 was a record year for breaches in the press/media.
Requirements
Regulations require incident/breach response plans.
Damage
Inappropriate or inadequate response can lead to reputational and financial
damage.
44
Why is cybersecurity incident/breach
response important?
> According to Symantec, 60% of all targeted attacks in 2014 affected small and
medium size organizations.
> It is estimated that 25% of all mobile devices encounter a threat each month
(Source: Skycure Mobile Threat Defense).
> As one example, from September 2013 through May 2014, a viral program
known as CryptoLocker affected thousands of computers, before the spread
was stopped by the US Department of Justice, the FBI, Interpol and security
software vendors. During this time, the program would infect a computer,
encrypt files on the local machine and on network drives (making them
inaccessible to the user), and display a prompt for an online payment of as
much as $400 within 72 hours in order for the files to be unlocked. The
operators of this scheme are believed to have extorted around $3 million. It is
estimated that as many as 3% of users who were infected chose to pay. Many
others had unaffected offline backups in place, and used these backups to
recover the lost data. The use of offline backups for data recovery is an
important response tool when cybersecurity threats impact data and daily
operations.
45
What is a cybersecurity
incident/breach
response plan?
“Capability to effectively manage unexpected
disruptive events with the objective of
minimizing impacts and maintaining or
restoring normal operations within defined
time limits”
– ISACA (formerly known as Information
Systems Audit and Control Association)
46
What goes into a cybersecurity
incident/breach response?
Inputs to the cybersecurity incident/breach
response plan:
> Laws, regulations
> IT Risk framework
> Data and system inventory
47
What should a cybersecurity
incident/breach response plan
accomplish?
1. Preparation
2. Detection and Analysis
3. Containment, Eradication, and Recovery
4. Post-Incident Activity
48
Breach Response - Digital Forensics &
Forensic Analysis
SCENARIOS - When to call a digital forensic expert…
• Employee suddenly departs from an
organization (especially on less than positive
terms)
• Employee leaves to join a competitor and
there is a concern that trade secrets or other
intellectual property may have been stolen
• Suspicion of vendor / employee collusion
• Suspicion of employee conflict of interest
• Suspicion that an employee is creating
fictitious invoices and submitting for
reimbursement
SERVICES - Our digital forensic experts provide…
• Forensically acquiring and
analyzing digital devices such as
computers, iPads, and smartphones
• Tracing internet activity
• Identifying a timeline of user activity
• Identifying files copied to external
devices such as USB drives
49
Quote
> “I am convinced that there are only two types of
companies: those that have been hacked and
those that will be. And even they are
converging into one category: companies that
have been hacked and will be hacked again.”
- Robert S. Mueller (Director of the FBI)
50
Key cybersecurity program element #1
Cyber Risk Assessment
> Understand all information systems at a granular level
> Figure out what assets really matter (crown jewels)
> Translate and align to business objectives and priorities
> A clear definition of risk tolerance levels is required
> The assessment must be unique to the organization and its industry
> The process must be iterative and dynamic to adapt to constant change
> Standard frameworks improve effectiveness (e.g., NIST, COSO)
51
Key cybersecurity program element #2
Cybersecurity Countermeasures
> Policies and procedures must be documented
> Layered security is critical (Multiple Lines of Defense)
> Use a combination of preventative and detective controls
(IT and Business Controls)
> Support with cyber-focused standards (e.g., ISO, COBIT, NIST)
> Event correlation is becoming increasingly important
> Ongoing assessment is critical to keep pace with change
> Ultimately, controls must be deployed that are commensurate with the
value of the assets you are trying to protect
52
Key cybersecurity program element #3
Training and Communication
> Reaching beyond the boundaries of the organization is critical
> Embed security within key business processes
> IT topics must be translated into meaningful information
(Common language)
> Involve everyone - Education and building consensus is critical among
all stakeholders.
> Train continually, and look for active learning scenarios
> Leadership must establish the tone at the top
53
Board Questions for Management
> What do we consider our most valuable assets (e.g., data)? How
does our IT system interact with those assets? Do we believe we
can fully protect those assets?
> Do we think there is adequate protection in place if someone
wanted to get at or damage our corporate “crown jewels”? If not,
what would it take to feel comfortable that our assets were
protected?
> Are we investing enough so that our corporate operating and
network systems are not easy targets by a determined hacker?
54
Questions for the Board
to consider:
− What training do employees receive regarding privacy and
security?
− What are the organization’s cybersecurity policies and
procedures?
− What is the organization doing to test and update its
incident response plan?
− What is the organization doing to monitor and address
cybersecurity legal, regulatory and industry developments?
− What is being communicated to the Board about
developments and addressing them?
55
Questions for the Board
to consider:
− What are the criteria for an incident to be communicated to the
Board (e.g., type and amount of information at issue, legal,
regulatory and industry requirements and practices, financial
amount at issue, etc.)?
Decision point: the Board needs to define what constitutes an
incident that is reportable to the Board
− What are the channels and means of communication for
reporting an incident to the Board? What and how much
information about an incident is reported?
− What are the timing and other considerations regarding reporting
(e.g., incident is disclosed first by the media, law enforcement is
involved, etc.)?
56
Questions for the Board
to consider:
− Actions the organization takes (e.g., whether notification is
made and basis for making or not making notification)
− Actions other parties take (e.g., other parties involved in or
affected by incident, litigants, regulators, law enforcement,
insurers, media, service providers, etc.)
− Whether to request additional information about incident
− Impact of incident on the organization and consequences (e.g.,
legal, business, financial, public relations, etc.)
− Determinations or actions for the Board to take
57
Questions for the Board
to consider:
− Is there a defined process for determining whether, how and
when notification regarding an incident needs to be made?
− Who is involved in making this decision?
− Which parties are notified (e.g., affected parties, regulators,
insurers, media, credit reporting agencies, etc.)?
− What are possible consequences of making notification (e.g.,
litigation, regulator enforcement, notifications become public,
media attention, financial, etc.)?
− What are risks in not making notification (e.g., litigation,
regulator enforcement, violation of law or guidance or where
required by policy or contract, reasons for making or not making
notification, etc.)
58
Questions for the Board
to consider:
− Has a reserve been established for incidents? If yes, when was
this reserve established and what is the amount of reserve?
− When was the organization’s cyber liability insurance coverage
last reviewed, who reviewed it and what were the results of the review
(e.g., deductibles and amount and coverage)?
− Should directors’ and officers’ liability insurance coverage be
reviewed regarding cybersecurity and data breaches?
− Do any developments regarding the organization (e.g.,
acquisitions) or impacting the organization (e.g., legal,
regulatory, litigation, business, insurance, etc.) warrant a review
of the reserve and insurance coverage?
59
Questions?
60
Contact Information:
Brian Sanvidge, CIG, CFE
Principal, National Forensic Litigation and Valuation Services
(212) 792-4836
Patrick Yu, CPA
Not-For-Profit Assurance Service Partner
(212) 792-4802

Contenu connexe

Tendances

Cyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterCyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterPatricia M Watson
 
Cyber Defense For SMB's
Cyber Defense For SMB'sCyber Defense For SMB's
Cyber Defense For SMB'sGuise Bule
 
Informationsecurity
InformationsecurityInformationsecurity
InformationsecurityUmme habiba
 
December 2019 Part 10
December 2019 Part 10December 2019 Part 10
December 2019 Part 10seadeloitte
 
Conducting Digital Forensics against Crime and Fraud
Conducting Digital Forensics against Crime and FraudConducting Digital Forensics against Crime and Fraud
Conducting Digital Forensics against Crime and FraudGoutama Bachtiar
 
Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014Joseph White MPA CPM
 
Critical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target BreachCritical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target BreachTeri Radichel
 
Business Fraud and Cybersecurity Best Practices in the Office or While Worki...
 Business Fraud and Cybersecurity Best Practices in the Office or While Worki... Business Fraud and Cybersecurity Best Practices in the Office or While Worki...
Business Fraud and Cybersecurity Best Practices in the Office or While Worki...ArielMcCurdy
 
Baker Tilly Presents: Emerging Trends in Cybersecurity

  • 8. 7 Goodwill - Data breach In July 2014 Goodwill Industries fell victim to a breach that lead to the theft of customer credit and debit card data. The stolen data comprised of 868,000 credit cards (names, card numbers, and expiration date) from 330 store locations across 20 states. > Engaged a third-party forensic expert to conduct an extensive investigation > Third-party vendor’s systems was attacked by malware, enabling criminals to access some payment card data of a number of the vendor’s customers > The impacted Goodwill members used the same affected third-party vendor to process credit card payments > Impacted 20 of 158 Goodwill member locations - Krebs on Security
  • 10. 9 Anthem - Data Breach In January 2015, Anthem Health suffered a data breach exposing patient and employee names, DOB, Social Security numbers, emails, employment info, and income data. >Anthem did not encrypt their data >Anthem exhausted their $100 million cybersecurity insurance policy from the customer notifications alone (ZDNet: Technology News) >The cost to Anthem well exceeded this amount >Data breaches cost the healthcare industry as a whole about $5.6 billion annually (Forbes)
  • 11. 10 JPMorgan Chase - Data Breach
  • 12. 11 JPMorgan Chase - Data Breach
    In July 2014, JPMorgan Chase fell victim to a cyberattack that compromised customer usernames, addresses, phone numbers, and email addresses.
    > Protection Group International estimated the cost of the breach at $1 billion
    > 76 million households and 7 million small businesses were exposed to the hack
    > JPMorgan Chase invests $250 million in cyber security a year
  • 13. 12 E-mail Phishing Advisory
    Phishing is the attempt to gather sensitive information (such as usernames, passwords and credit card information) using a fake request via electronic communication (i.e., a website, e-mail, etc.) that appears to originate from a trustworthy entity.
    > The NYS Information Technology Services (ITS) Cyber Security Operations Center (CSOC) has been notified of an active phishing email threat targeting government agencies and has received reports of a well-crafted phishing email circulating in the past two weeks at several US universities. The email notifies employees that their electronic W-2s are available and encourages them to click to log in and view/print their W-2s. The link takes them to a landing page which has been made to look like the organization’s Human Resources site.
    > Those who fall victim to the phishing email may have their personal information compromised, including login, password, tax information, bank account information, personal contact information and benefit information.
  • 14. 13 E-mail Phishing Advisory
    Measures to prevent e-mail phishing
    > Do not reply to e-mails with any personal information or passwords, and do not click a link in an unsolicited e-mail message. If you have reason to believe the request is real, call the institution or company directly to confirm.
    > Avoid using the same password for your work computer login, bank accounts, Facebook, etc. In the event you do fall victim to a phishing attempt, the thieves will try the compromised password in as many places as they can.
    > If you suspect any account you have access to may be compromised, change ALL of your passwords.
    > Be equally cautious when reading email on your phone. It may be easier to miss telltale signs of phishing attempts when reading the email on a smaller screen.
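The W-2 lure above works because the link text and the real link target differ. As an added example (not from the slides or the advisory), the following Python check parses an e-mail's HTML body and flags links whose displayed host differs from the href host or whose host lies outside the organization's own domains; the sample message and the domain `example-university.edu` are constructed placeholders.

```python
"""Added example (not from the slides): flag e-mail links whose visible text
names one host while the href goes to another, or whose href host is outside
the organization's own domains. Sample message and domains are constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical organization domains; the advisory names no real domain.
TRUSTED_DOMAINS = {"example-university.edu"}
# Visible text that itself looks like a URL or host name ("help desk" does not).
URL_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host name of a URL; a bare host name is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def analyze_links(html_body):
    """Return one finding per suspicious link: {href, text, reasons}."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_host, reasons = host_of(href), []
        # Displayed text is a URL/host, but not the one the link actually goes to.
        if URL_LIKE.fullmatch(text) and host_of(text) != href_host:
            reasons.append(f"displayed host {host_of(text)} differs from link host {href_host}")
        if not is_trusted(href_host):
            reasons.append(f"link host {href_host} is outside the organization's domains")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def analyze_message(raw_message):
    """Parse a raw e-mail and analyze the links in its HTML body."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    return [] if body is None else analyze_links(body.get_content())


# Constructed sample modeled on the W-2 lure described in the advisory.
SAMPLE_MESSAGE = """\
From: Human Resources <hr@example-university.edu>
Subject: Your electronic W-2 is now available
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your electronic W-2 is ready. Please log in to view and print it:</p>
<p><a href="http://hr-example-university.w2-portal.example.net/login">
https://hr.example-university.edu/w2</a></p>
<p>Questions? Contact the <a href="https://hr.example-university.edu/help">help desk</a>.</p>
</body></html>
"""
```

Running `analyze_message(SAMPLE_MESSAGE)` reports only the W-2 link, with both reasons; the help-desk link on the organization's own domain passes.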
  • 16. 15 IRS - Phishing Hack
    Taxpayers often fall victim to criminals perpetrating phishing schemes. Callers contact individuals via phone or email and demand tax information and immediate payment.
    > The phishers appear legitimate by using personal information like taxpayers’ names and addresses
    > They also utilize false badge numbers and IRS titles
    > 2016 has seen a 400% increase in phishing schemes
    > Since October 2013, there have been 896 thousand phishing scam reports
    > 5,000 victims have paid a total of $26.5 million
    − Fortune Magazine
  • 17. 16 Home Depot - Phishing Hack
  • 18. 17 Home Depot - Phishing Hack
    In November 2014, hackers used a vendor’s stolen log-in credentials to perpetrate a massive hack on Home Depot. The breach allowed the criminals to gain access to 53 million email addresses as well as millions of credit card records.
    > Customers were alerted to look out for phishing scammers
    > The false emails attempted to lure customers into revealing personal data by “signing up” for exclusive savings
    > The breach cost the company $62 million
    − SC Magazine
  • 20. 19 Changing cyber risk landscape
    > Past: Mostly physical assets (plants, equipment) - relatively few digitized assets.
      Present: Highly digitized asset base (IP, financial, PII), mobile and cloud technologies.
      Implications: Strong cybersecurity controls and processes are required to protect these assets.
    > Past: Simple, unsophisticated attacks (e.g., web site defacement intended to embarrass).
      Present: Advanced Persistent Threats (APTs) involve a high degree of complexity and sophistication; hacker “gangs” steal IP and other assets for financial gain, sometimes using ransom to hold the data “hostage”.
      Implications: Company must have adequate resources and capabilities to protect the IT environment; may even require obtaining third-party assistance or even using a Managed Security Services (MSS) provider. May require working closely with law enforcement.
    > Past: IT budgeted hardware and software expenditures; managed deployment and use.
      Present: Ability of IT to manage alone may be insufficient; budgets increasing.
      Implications: Budget for cybersecurity should be rolled up at an enterprise level, not necessarily tied to one dept.
    > Past: Relatively insulated, self-contained IT environment with limited complexity. Application support provided in-house with limited use of 3rd parties for hosting and cloud services.
      Present: Cybersecurity needs to be managed in the context of an extended “digital ecosystem” involving outside stakeholders and 3rd parties/vendors.
      Implications: Cybersecurity must be managed as an enterprise-wide risk, not just an IT issue.
    > Past: Limited use of mobile data access. IT provided a restricted list of mobile device choices which provided robust security support.
      Present: Mobile user access to applications containing personal/financial data and use of Bring Your Own Device is nearly commonplace.
      Implications: More challenging for IT to assure security of “end point” devices.
  • 21. 20 What is cybersecurity risk?
    > For most organizations, value resides in their data and systems
    > A sophisticated community of hacktivists, cyber criminals, organized crime syndicates, and foreign governments wants to cause competitive harm or profit by exploiting technical and social vulnerabilities of information assets
    > This combination leads to a high likelihood of data breaches
  • 22. 21 Data at Rest vs. Data in Motion
    > Data at Rest – data in computer storage
    > Data in Motion – data moving across the network
    > Encryption – scrambling the contents of a file to increase security. The contents can only be read by an individual with the encryption key.
  • 23. 22 Types of Data Breaches
    Hackers come in different stripes and perpetrate data breaches for a variety of goals. The following are some of the more common hacks:
    > Denial of Service (DoS)
    > Website Defacement
    > Ransomware
    > Data Theft
  • 24. 23 Types of Data Breaches - Denial of Service
    A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users
    > Buffer Overflow Attacks – overwhelm a network address with traffic
    > Teardrop Attack – attacker’s IP crashes the system by placing a confusing offset value in a packet fragment
    > Smurf Attack – flood the host network with IP pings
  • 25. 24 Types of Data Breaches - Website Defacement
    > In 2013, the hacking group Anonymous hacked the website of the US Sentencing Commission to avenge the death of internet activist Aaron Swartz, reported RYOT
    > The group posted a warning that “a line was crossed”
    > Swartz allegedly committed suicide after being investigated by federal prosecutors
  • 26. 25 Types of Data Breaches - Data Theft
    > Hackers utilize “Man in the Browser” (MITB) attacks to steal sensitive information from websites
    > The victim’s website is infected with malware that monitors activity
    > When a sensitive site is visited, the malware pounces and gathers the relevant data
  • 27. 26 Types of Data Breaches - Ransomware
    > Ransomware gains access to a computer either via an email attachment or a malicious website
    > The malware then automatically encrypts files and issues an electronic ransom note
    > Typically, payment is demanded in the form of the cryptocurrency Bitcoin
  • 28. 27 Impacts of data breaches
    > Negative publicity
    > Regulatory sanctions
    > Refusal to share personal information
    > Damage to brand
    > Regulator scrutiny
    > Legal liability
    > Fines
    > Damaged customer relationships
    > Damaged employee relationships
    > Deceptive or unfair trade charges
  • 30. 29 What to do now - Five Principles
    Source: National Association of Corporate Directors
    I. Understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
    II. Understand the legal implications of cyber risks as they relate to their organization’s specific circumstances.
    III. Gain adequate access to cybersecurity expertise, and discussions about cyber risk management should be given regular and adequate time.
    IV. Management will establish an enterprise-wide cyber risk management framework with adequate staffing and budget.
    V. Discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.
  • 31. 30 Principle I
    Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
    > Issue: Is often seen as an IT issue requiring little involvement from business stakeholders.
      Risk: Lacks alignment with strategic business and cross-departmental initiatives.
      Recommendation: Require active participation across the enterprise.
    > Issue: IT may lack visibility into risks from business activities (e.g. M&A, social media, breaches from 3rd party cloud and Business Process Outsourcing providers, customers).
      Risk: May raise the company’s cybersecurity risk profile; breaches may be difficult to address or even go undetected.
      Recommendation: Involve the Chief Information Security Officer (CISO) in new initiatives that may raise the cyber risk profile.
  • 32. 31 Principle I - Board Questions for Management
    > Is management focused on making cyber-risk part of everyone’s job, not just IT? Is there a formal cyber awareness program in place?
    > Does the organization have an enterprise-wide cyber-risk management team? Has the organization’s risk appetite been established?
    > How does the organization ensure that the CISO is involved in assessing new, high-risk business initiatives?
    > In an M&A context, what is the level of cyber due diligence done on an acquisition target? How is this information used?
    > Has the organization performed an analysis of the “cyber-robustness” of the organization’s products and services to analyze potential vulnerabilities that could be exploited by hackers?
  • 33. 32 Principle II
    Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
    > Issue: Contractual obligations to customers (e.g. compliance, breach notification requirements) may not be identified and monitored over time.
      Risk: Lack of awareness of specific contractual obligations to protect data.
      Recommendation: Perform an enterprise-wide contract review to ensure that cyber-related contract obligations are well understood.
    > Issue: Lacks a comprehensive, risk-based vendor management program that includes all third-party relationships across the vendor lifecycle (from risk assessment through monitoring).
      Risk: Use of vendors with poor cybersecurity controls may increase risk; inconsistent expectations around notification requirements may complicate timely resolution of data breaches.
      Recommendation: Implement and maintain a comprehensive vendor management program.
    > Issue: Company may be unaware of Personally Identifiable Information (PII) held across the enterprise and the corresponding legal requirements to protect it.
      Risk: Insufficient understanding of the cyber risks posed by “overlooked” data.
      Recommendation: Ensure that data is properly classified (confidential, internal use only, public) and that an enterprise-wide data inventory is completed. The inventory should reflect how data should be shared as well as the data “owner”.
  • 34. 33 Principle II - Board Questions for Management
    > Has the organization conducted a review of legal contracts in place with vendors, stakeholders, etc. to determine cybersecurity and compliance commitments? Are new contracts reviewed for cyber-risk?
    > Is there a comprehensive program to ensure that outsourced providers and contractors have cyber controls and policies in place and are clearly monitored? Do those policies align with the organization’s expectations?
    > Has a formal breach response plan been put in place? Is it practiced at least annually? Who is part of the response team?
    > What is the organization’s volume of cyber incidents on a weekly or monthly basis? What is the magnitude/severity of those incidents? What is the time taken and cost to respond to those incidents?
  • 35. 34 Principle III
    Boards should have adequate access to cybersecurity expertise, and discussions about cyber risk management should be given regular and adequate time on the board meeting agenda.
    > Issue: Directors lack regular interaction with a knowledgeable and independent Chief Information Security Officer (CISO) and/or third party that can brief them on the state of company cyber risks.
      Risk: Directors may not have full awareness of the cyber risks faced by the company, nor of the internal obstacles that may hamper the ability to address them.
      Recommendation: Meet with the company CISO at least annually to:
        1. Understand key issues from the CISO’s perspective
        2. Discuss the CISO’s security strategy and current projects
        3. Provide the CISO with an opportunity to identify any roadblocks (e.g. budget, political agendas)
        4. Understand activities around data breaches within the company’s industry and how such knowledge is applied to the company
        5. Ensure that relevant management metrics are reviewed regularly on an entity level
  • 36. 35 Principle III - Board Questions for Management
    > Where do business operations and the IT team disagree on cybersecurity? How is this disagreement resolved?
    > Are the audit committee and full board briefed regularly on cyber-risk?
    > Given the sheer complexity and magnitude of many cyber security issues, should the Board hire its own “cyber advisers” to consult on cyber security issues, and to be available to ask questions of the organization’s senior management, CTOs, and CIOs?
  • 37. 36 Principle IV
    Directors should set the expectation that management will establish an enterprise-wide cyber risk management framework with adequate staffing and budget.
    > Issue: Lacks comprehensive cybersecurity risk management framework; audit committee lacks ability to track relevant metrics over time.
      Risk: Unable to identify changes in the company’s cyber risk profile.
      Recommendation: Establish comprehensive risk management framework (e.g. NIST) and appropriate metrics.
    > Issue: Lack of regular, independent assessment of current cybersecurity environment against framework.
      Risk: Weaknesses in current cybersecurity environment may be missed or overlooked.
      Recommendation: Annual review by Internal Audit or outside consultants.
  • 38. 37 Principle IV - Board Questions for Management
    > Does the organization have a systematic framework, such as the NIST Framework, in place to address cybersecurity and assure adequate cyber hygiene?
    > Are policies currently mapped to the framework?
    > Does the organization have the right gauges to measure the success of its cybersecurity risk management program?
    > What are the critical assets that must be protected?
    > Does the organization work with law enforcement and appropriate government agencies to monitor cyber-threats industry-wide?
  • 39. 38 Principle V
    Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.
    > Issue: Breaches may expose the company to fines, penalties, consumer credit monitoring, legal/consulting assistance and other costs.
      Risk: Financial
      Recommendation: Regularly review the company’s cyber liability insurance coverage to determine whether coverage is appropriate.
  • 40. 39 Principle V – Board Questions for Management
    > When was the organization’s cyber liability insurance coverage last reviewed, who reviewed it and what were the results of the review (e.g., deductibles and amount and coverage)?
    > How does the organization determine which cyber-risks to avoid, accept, mitigate or transfer?
    > How frequently are these decisions discussed with the board?
  • 41. 40 Implement controls and breach response
  • 42. 41 Action: implementing cybersecurity controls
    1. Conduct risk assessment
    2. Categorize information & applications
    3. Select and implement security controls
    4. Test security controls for vulnerabilities
    5. Remediate vulnerabilities
    6. Monitor security controls continually
  • 43. 42 Ongoing Monitoring
    Ongoing monitoring is where someone, either in house or a managed service, is watching over your security environment. This can take many forms:
    > Log-based monitoring is the easiest and most common, as these systems leverage the output of your current security estate; however, this method is subject to the device manufacturers’ interpretation of how a digital environment should operate.
    > SOC services for ongoing monitoring are the next step up, as these are security professionals looking over your environment for you. These are predominantly log based, and the same caveat as above applies.
    > The best way to ensure security is through ongoing monitoring using a Full Packet Capture based system. These systems pull the raw data off of the network, store it, and run analytics against it. The data cannot be skewed, and the data is not open to the interpretation of the manufacturer. These systems give you near immediate visibility into your environment. Also, in the event of a breach, these systems can aid a forensic examiner in identifying pertinent evidence.
  • 44. 43 Why is cybersecurity incident/breach response important?
    > Frequency – Breaches are happening more frequently.
    > Media attention – 2015 was a record year for breaches in the press/media.
    > Requirements – Regulations require incident/breach response plans.
    > Damage – Inappropriate or inadequate response can lead to reputational and financial damage.
  • 45. 44 Why is cybersecurity incident/breach response important?
    > According to Symantec, 60% of all targeted attacks in 2014 affected small and medium size organizations.
    > It is estimated that 25% of all mobile devices encounter a threat each month (Source: Skycure Mobile Threat Defense).
    > As one example, from September 2013 through May 2014, a viral program known as CryptoLocker affected thousands of computers, before the spread was stopped by the US Department of Justice, the FBI, Interpol and security software vendors. During this time, the program would infect a computer, encrypt files on the local machine and on network drives (making them inaccessible to the user), and display a prompt for an online payment of as much as $400 within 72 hours in order for the files to be unlocked. The operators of this scheme are believed to have extorted around $3 million. It is estimated that as many as 3% of users who were infected chose to pay. Many others had unaffected offline backups in place, and used these backups to recover the lost data. The use of offline backups for data recovery is an important response tool when cybersecurity threats impact data and daily operations.
  • 46. 45 What is a cybersecurity incident/breach response plan? “Capability to effectively manage unexpected disruptive events with the objective of minimizing impacts and maintaining or restoring normal operations within defined time limits” – ISACA (formerly known as Information Systems Audit and Control Association)
  • 47. 46 What goes into a cybersecurity incident/breach response?
    Inputs to the cybersecurity incident/breach response plan:
    > Laws, regulations
    > IT risk framework
    > Data and system inventory
  • 48. 47 What should a cybersecurity incident/breach response plan accomplish?
    > Preparation
    > Detection and Analysis
    > Containment, Eradication, and Recovery
    > Post-Incident Activity
  • 49. 48 Breach Response - Digital Forensics & Forensic Analysis
    SCENARIOS – When to call a digital forensic expert…
    > Employee suddenly departs from an organization (especially on less than positive terms)
    > Employee leaves to join a competitor and there is a concern that trade secrets or other intellectual property may have been stolen
    > Suspicion of vendor / employee collusion
    > Suspicion of employee conflict of interest
    > Suspicion that an employee is creating fictitious invoices and submitting them for reimbursement
    SERVICES – Our digital forensic experts provide…
    > Forensically acquiring and analyzing digital devices such as computers, iPads, and smartphones
    > Tracing internet activity
    > Identifying a timeline of user activity
    > Identifying files copied to external devices such as USB drives
  • 50. 49 Quote > “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” - Robert S. Mueller (Director of the FBI)
  • 51. 50 Key cybersecurity program element #1
    Cyber Risk Assessment
    > Understand all information systems at a granular level
    > Figure out what assets really matter (crown jewels)
    > Translate and align to business objectives and priorities
    > A clear definition of risk tolerance levels is required
    > The assessment must be unique to the organization and its industry
    > The process must be iterative and dynamic to adapt to constant change
    > Standard frameworks improve effectiveness (e.g., NIST, COSO)
  • 52. 51 Key cybersecurity program element #2
    Cybersecurity Countermeasures
    > Policies and procedures must be documented
    > Layered security is critical (Multiple Lines of Defense)
    > Use a combination of preventative and detective controls (IT and Business Controls)
    > Support with cyber-focused standards (e.g., ISO, COBIT, NIST)
    > Event correlation is becoming increasingly important
    > Ongoing assessment is critical to keep pace with change
    > Ultimately, controls must be deployed that are commensurate with the value of the assets you are trying to protect
  • 53. 52 Key cybersecurity program element #3
    Training and Communication
    > Reaching beyond the boundaries of the organization is critical
    > Embed security within key business processes
    > IT topics must be translated into meaningful information (common language)
    > Involve everyone - education and building consensus is critical among all stakeholders
    > Train continually, and look for active learning scenarios
    > Leadership must establish the tone at the top
  • 54. 53 Board Questions for Management
    > What do we consider our most valuable assets (e.g., data)? How does our IT system interact with those assets? Do we believe we can fully protect those assets?
    > Do we think there is adequate protection in place if someone wanted to get at or damage our corporate “crown jewels”? If not, what would it take to feel comfortable that our assets were protected?
    > Are we investing enough so that our corporate operating and network systems are not easy targets for a determined hacker?
  • 55. 54 Questions for the Board to consider:
    − What training do employees receive regarding privacy and security?
    − What are the organization’s cybersecurity policies and procedures?
    − What is the organization doing to test and update its incident response plan?
    − What is the organization doing to monitor and address cybersecurity legal, regulatory and industry developments?
    − What is being communicated to the Board about developments and addressing them?
  • 56. 55 Questions for the Board to consider:
    − What are the criteria for an incident to be communicated to the Board (e.g., type and amount of information at issue, legal, regulatory and industry requirements and practices, financial amount at issue, etc.)? Decision point: the Board needs to define what constitutes an incident that is reportable to the Board
    − What are the channel and means of communication for reporting an incident to the Board? What and how much information about an incident is reported?
    − What are timing and other considerations regarding reporting (e.g., incident is disclosed first by the media, law enforcement is involved, etc.)?
  • 57. 56 Questions for the Board to consider:
    − Actions the organization takes (e.g., whether notification is made and basis for making or not making notification)
    − Actions other parties take (e.g., other parties involved in or affected by incident, litigants, regulators, law enforcement, insurers, media, service providers, etc.)
    − Whether to request additional information about the incident
    − Impact of the incident on the organization and consequences (e.g., legal, business, financial, public relations, etc.)
    − Determinations or actions for the Board to take
  • 58. 57 Questions for the Board to consider:
    − Is there a defined process for determining whether, how and when notification regarding an incident needs to be made?
    − Who is involved in making this decision?
    − Which parties are notified (e.g., affected parties, regulators, insurers, media, credit reporting agencies, etc.)?
    − What are possible consequences of making notification (e.g., litigation, regulator enforcement, notifications become public, media attention, financial, etc.)?
    − What are the risks in not making notification (e.g., litigation, regulator enforcement, violation of law or guidance or where required by policy or contract, reasons for making or not making notification, etc.)?
  • 59. 58 Questions for the Board to consider:
    − Has a reserve been established for incidents? If yes, when was this reserve established and what is the amount of the reserve?
    − When was the organization’s cyber liability insurance coverage last reviewed, who reviewed it and what were the results of the review (e.g., deductibles and amount and coverage)?
    − Should directors’ and officers’ liability insurance coverage be reviewed regarding cybersecurity and data breaches?
    − Do any developments regarding the organization (e.g., acquisitions) or impacting the organization (e.g., legal, regulatory, litigation, business, insurance, etc.) warrant a review of the reserve and insurance coverage?
  • 61. 60 Contact Information:
    Brian Sanvidge, CIG, CFE
    Principal, National Forensic Litigation and Valuation Services
    (212) 792-4836
    Patrick Yu, CPA
    Not-For-Profit Assurance Service Partner
    (212) 792-4802

Editor's Notes

  1. TPAs, auditors – business associate agreement
  2. the Commerce Department's National Institute of Standards and Technology (NIST)