Educational Toys Consisting Chiefly of Coping-saw Problems 1920
CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain...
Transcript of CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain...
![Page 1: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/1.jpg)
BOSTON | NEWPORT | PROVIDENCE | SHANGHAI | WALTHAMKAHNLITWIN.COM
CYBER RISK: WHAT’S ATSTAKE FOR YOUR BUSINESS?
![Page 2: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/2.jpg)
Presented byDaniel M. Andrea, CPA, CITP, CISA
Dan has over 30 years of experience in public accounting and specializes in the performance of forensic
accounting and litigation support procedures, SOC examinations, internal accounting controls assessments
and information technology consulting services.
![Page 3: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/3.jpg)
BOSTON | NEWPORT | PROVIDENCE | SHANGHAI | WALTHAMKAHNLITWIN.COM
CYBER RISK: WHAT’S ATSTAKE FOR YOUR BUSINESS?
![Page 4: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/4.jpg)
• CURRENT ENVIRONMENT
• CYBER RISK: CORPORATE GOVERNANCE IMPLICATIONS
• CYBER SECURITY: IMPLEMENTATION PROGRAM
• CYBER SECURITY: BEST PRACTICES –ESSENTIAL CONTROLS
AGENDA
![Page 5: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/5.jpg)
CURRENT ENVIRONMENT
![Page 6: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/6.jpg)
The average price for small businesses to clean
up after a “hack” is $690,000
CURRENT ENVIRONMENT
%of all cyber attacks
(approximately 4,000 per day) occur in small to mid‐size businesses
%of small businesses
that experience a cyber attack are out of
business in 6 months
K
![Page 7: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/7.jpg)
CURRENT ENVIRONMENT
The average time to identify that an event has occurred is 6
months with an average time of 2 months to contain the incident
of companies breached learn from an outside party
%
![Page 8: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/8.jpg)
BOSTON | NEWPORT | PROVIDENCE | SHANGHAI | WALTHAMKAHNLITWIN.COM
PROMINENT CYBER ATTACK TYPES
1. PHISHING2. CREDENTIALS3. RANSOMWARE
![Page 9: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/9.jpg)
CURRENT ENVIRONMENT
A form of social engineering in which a message, typically an email, with a malicious
attachment is sent to a victim with the intent of tricking the recipient to open an attachment.
Phishing
13% of people are estimated to click on attachments.
![Page 10: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/10.jpg)
CURRENT ENVIRONMENT
Use of stolen information such as usernames and passwords. Standard mode of operation for organized
criminal groups and state‐affiliated attackers.
Credentials
63% of confirmed data breaches involved weak, default or stolen passwords.
![Page 11: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/11.jpg)
CURRENT ENVIRONMENT
A form of malware that encrypts files resident on the infected device and, in worst cases, attached file shares.
Extortion demands follow.
Ransomware
![Page 12: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/12.jpg)
Small to mid size business threats are real – not just the province of large corporations
KEY TAKEAWAYS
Various types of cyber attacks – phishing and ransomware are currently the attack de jour
Credentials – we all need to do a better job of protecting our credentials (usernames and passwords) ; as well as not publicizing potentially exploitable information on social media
![Page 13: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/13.jpg)
CYBER RISK: CORPORATE GOVERNANCE IMPLICATIONS
![Page 14: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/14.jpg)
• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments.
• Regulators (or interested third parties) increasingly expect that Board Members and Senior Managers have a sufficient grasp of cyber security core principles.
CYBER RISK: CORPORATE GOVERNANCE IMPLICATIONS
![Page 15: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/15.jpg)
Directors should ask questions about the types of scenarios that the company should plan
for.
CYBER RISK: CORPORATE GOVERNANCE IMPLICATIONS
Threat is escalating (mobile devices, social media and the Internet of Things (IoT)).
![Page 16: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/16.jpg)
BOSTON | NEWPORT | PROVIDENCE | SHANGHAI | WALTHAMKAHNLITWIN.COM
CYBER RISK: CORPORATE GOVERNANCE IMPLICATIONS
of Directors discuss cyber security at most meetings but 66% lack confidence in their company’s ability to protect
itself.
%
![Page 17: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/17.jpg)
BOSTON | NEWPORT | PROVIDENCE | SHANGHAI | WALTHAMKAHNLITWIN.COM
CYBER RISK: CORPORATE GOVERNANCE IMPLICATIONS
The biggest fear of 41% of Directors is
brand damage due to loss of customers.
% • cost of responding to breaches
• loss of competitive advantage
• regulatory and compliance violations
OTHER FEARS:
![Page 18: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/18.jpg)
CYBER RISK: CORPORATE GOVERNANCE IMPLICATIONS
Cyber Defense should incorporate these five themes
Awareness | Governance | Systems | Process | Strategy
![Page 19: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/19.jpg)
Not just an IT issue
KEY TAKEAWAYS
Senior Management needs to take an active role
Unavoidable – Regulators and Interested 3rd parties are mandating policies and procedures to protect
![Page 20: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/20.jpg)
CYBER SECURITY: IMPLEMENTATION PROGRAM
![Page 21: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/21.jpg)
CYBER SECURITY: IMPLEMENTATION PROGRAM
1. Conduct a Risk Assessment
2. Build an Incident Response Team (“IRT”)
3. Share Information
4. Test the Incident Response Plan
5. Satisfy Legal Obligations
Overview
![Page 22: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/22.jpg)
CYBER SECURITY: IMPLEMENTATION PROGRAM
• Identify
• Protect
• Detect
• Respond
• Recover
Risk Assessment
NIST Framework
has 5 elements
(“functions”)
![Page 23: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/23.jpg)
CYBER SECURITY: IMPLEMENTATION PROGRAM
Risk Assessment• Inventory of Systems
• Risk Assessment
• Implement measures to eliminate/mitigate risks
• Implement measures to detect potential incidents
![Page 24: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/24.jpg)
CYBER SECURITY: IMPLEMENTATION PROGRAM
• Comprised of All Key Stakeholders (internal/external)
• Define Incident Scenarios
• Build an Incident Response Plan (“IRP”)
Build an IRT
![Page 25: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/25.jpg)
CYBER SECURITY: IMPLEMENTATION PROGRAM
• Subscribe/Get Involved in Industry Groups
• Stay current on latest threats
• Modify Risk Assessment and IRP as appropriate
• Remediation
Share Information
![Page 26: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/26.jpg)
CYBER SECURITY: IMPLEMENTATION PROGRAM
• Should be done at least annually
• Build realistic scenarios based upon Risk Assessment
• Conduct test
• Conduct Post‐Mortem (“lessons learned”)
• Modify IRP and Risk Assessment as appropriate
Test the IRP
![Page 27: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/27.jpg)
CYBER SECURITY: IMPLEMENTATION PROGRAM
• Know the laws at the federal, state and local jurisdiction relevant to you
• Consider cyber insurance
Satisfy LegalObligations
![Page 28: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/28.jpg)
CYBER SECURITY: BEST PRACTICES
![Page 29: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/29.jpg)
CYBER SECURITY: BEST PRACTICES
1. Establish Technical Controls based upon the following Security Framework:
• Enterprise Security• Endpoint Security• Data Security• Monitoring and Testing• Security Review and Evaluation
2. Controls should be established after the Risk Assessment
EssentialControls
TECHNICAL
![Page 30: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/30.jpg)
CYBER SECURITY: BEST PRACTICES
• Firewalls
• Intrusion Detection/Intrusion Prevention
• Network Segmentation
• DMZ
• Multi‐Factor Authentication into the environment
EnterpriseSecurity
![Page 31: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/31.jpg)
CYBER SECURITY: BEST PRACTICES
• Antivirus/Anti‐Malware
• Patch Management
• Data Loss Prevention (“DLP”)
• Encryption
• Mobile Device Management (“MDM”)
EndpointSecurity
![Page 32: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/32.jpg)
CYBER SECURITY: BEST PRACTICES
• Access Controls
• Encryption
• File Access Monitor (“FAM”)
• Segmentation
DataSecurity
![Page 33: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/33.jpg)
CYBER SECURITY: BEST PRACTICES
• Vulnerability and Penetration Testing
• Security Information and Event Management (“SIEM”)
• Internal Scans
Monitoring and Testing
![Page 34: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/34.jpg)
CYBER SECURITY: BEST PRACTICES
• Quarterly Access Review
• Social Engineering Testing
• 3rd Party Examinations/Audits
Security Review & Evaluation
![Page 35: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/35.jpg)
CYBER SECURITY: BEST PRACTICES
• Continuous USER EDUCATION
• Security Awareness Training
• Robust Policies and Procedures with annual user attestation
• Limit Removable Media
• Limit Remote Access
• Password vs Passphrase policies
• Administrative Privilege Control
EssentialControls
NON-TECHNICAL
![Page 36: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/36.jpg)
KEY TAKEAWAYS
Not an IT issue – it’s an Enterprise Issue
Not “If” but “When”
Start your Risk Assessment Today
Understand what you are trying to protect
Implement technical controls based upon the Risk Assessment
Training, Training, Training
![Page 37: CYBER RISK: WHAT’S AT STAKE FOR YOUR BUSINESS...• Cyber Security is no longer chiefly the domain of CIOs, CISOs and IT Departments. • Regulators (or interested third parties)](https://reader031.fdocuments.us/reader031/viewer/2022011905/5f2ba2571dc47774f216ecf3/html5/thumbnails/37.jpg)
BOSTON | NEWPORT | PROVIDENCE | SHANGHAI | WALTHAMKAHNLITWIN.COM
Let’s Connect
KLR Not-for-Profit Services Group888-KLR-8557
Let’s Connect
[email protected]‐KLR‐8557
KahnLitwin.com