Cyber Security - nact.org · Cyber Security: Top Risks and Trends for Protecting Your Assets NACT...
© 2015 Greenwich Associates, LLC. Javelin Strategy & Research is a division of Greenwich Associates. All rights reserved. No portion of these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise.
Helping You Make Smarter Business Decisions
Cyber Security: Top Risks and Trends for Protecting Your Assets
NACT Presentation, Thursday, June 18, 2015
Today’s Presenters
• Marc Harrison, Principal, Banking
• Al Pascual, Director, Fraud & Security
• Maribeth Farley, Relationship Manager (Moderator)
Agenda
• About Greenwich Associates
• Treasury Department Priorities and Plans
• Who’s Being Targeted, Why, and to What Effect?
• Attack Vectors
• Threat Remediation
• Summary
About Greenwich Associates
Greenwich Associates provides authoritative market data, insights and consulting solutions to senior financial professionals worldwide.
We help our customers:
• Make smarter business decisions
• Gain a significant competitive advantage
• Improve customer experience
• Transform research into behavioral change
• Deliver actionable insights & identify implementable action steps
• Drive cultural change
• Link financial performance to customer experience
Firm Facts
• Founded in 1972
• Privately held
• Headquartered in Stamford, CT
• Fourth largest interview facility in North America
Treasury Department Priorities
What Finance Departments Will Focus on in the Coming Year
(Percent of respondents rating each item High Priority / Low Priority / Not a Priority)

Item                                      High Priority   Low Priority   Not a Priority
Supply Chain Interruption Risk                 46%            38%            16%
Economic Risks                                 47%            45%             8%
Financing Risks                                56%            33%            11%
Business Interruption                          66%            29%             5%
Efficient Management of Working Capital        66%            29%             6%
Regulatory/Compliance Issues                   74%            24%             2%
Cost Management                                74%            24%             3%
Information (IT) Security                      78%            20%             2%

Source: 2014 U.S. Large Corporate Banking Study – Above $2BB. Question: Using a 3-point scale from 1 = Not a Priority to 3 = High Priority, how focused is your company on each of the following: (A) Business Interruption (B) Supply Chain Interruption Risk (C) Economic Risks (D) Financing Risks (E) Information Security (F) Regulatory/Compliance Issues (G) Cost Management (H) Efficient Management of Working Capital
Treasury Department Plans
What Treasury Departments Will Do Over the Next 12 Months to Ensure Operational Efficiency
• Increase Technology Spending: 63%
• Add Staff: 31%
• Bring More Functions In-House: 22%
• Outsource More Functions: 18%
• Take More Risk in Short-Term Investing: 11%
• Reduce Staff: 10%
Source: 2014 U.S. Large Corporate Cash Management Study – Above $2BB. Note: Respondents may offer multiple responses. Question: In the next 12 months, is your treasury department planning to: (1) increase technology spending, (2) reduce staff, (3) add staff, (4) take more risk in short-term investing, (5) outsource more functions, and/or (6) bring more functions in house? What are 2 or 3 top priorities of your finance department in the coming year?
“The first is regulatory compliance requirements. IT and security issues seem to be coming up quite a bit as well.” – Fortune 200-300
“Definitely consolidation and IT in the sense that we are secured in information reporting. And reducing risks.” – Fortune 100-200
“We are reviewing our banking relationships, fees, and how to improve and streamline our banks. We are also looking at how we can automate more of the banks' processes and how we can reduce the number of bank accounts.” – Fortune 100
“Reducing our bank fees. Every single year we have pressure to reduce our costs. So we're implementing this treasury system, but we're also going to implement a new upgrade. We're upgrading our BRM, which is what we use to analyze the bank fees.” – Fortune 100
“Allocation of cash. Specifically improving returns on cash and re-evaluation of banking relationships and bank accounts” – Fortune 300-400
“We're putting in a new treasury workstation. We recently expanded into the international space, so we're trying to bring everything up from a cash management perspective to have that for currency and international capabilities on the system.” – Fortune 100
Cash Management Priorities
Themes cited by respondents:
• Regulatory Compliance
• Information Technology & Security
• Relationship Management
• Treasury Management Systems
• Market Trends
• Capital Structure and Allocation
• Cost/Bank Fee Reduction
Source: 2014 U.S. Large Corporate Cash Management Study – Above $2BB. Question: What are the 2 or 3 cash management challenges you foresee in the next 12-18 months?
All Industries Are Vulnerable to Breaches: It’s the Data That Matters
In 2015, year-to-date: nearly 440 disclosed breaches, representing millions of records at risk.
According to Data Loss DB, June 10th, 2015
Whose Data Is It? And Then What? Different Parties, Different Data, Different Business Complications
Consumer data: “High Profile Breaches”
• Data: Wide variety of PII is being targeted
• Complication: Compliance and customer avoidance
Internal data: “High Value Targets”
• Data: IP, trade secrets, financial info, and business ID
• Complication: Unfair competition and fraud
Partner data: “The Worst of Both Worlds”
• Data: Any of the above
• Complications: Lost profits all around
When Personally Identifiable Information Leaves, So Do Customers
[Chart: consumer rate of post-breach avoidance (percent of consumers), by type of organization where the data breach occurred; rates range from 18% to 44%. *Caution: low base for some organization types.]
October 2013, n varies 44 to 415. Base: data breach victims in the past 12 months.
©2014 Javelin Strategy & Research
Financial Account Info and Credentials: Fuel for Account Takeover Fraud
Business Financial Accounts Are High-Value Targets for Criminals
Frequency of reported account takeovers:
• 2.11 per 1,000 commercial customers
Of all reported account takeovers:
• 65% did not involve monetary transactions
• 9% resulted in funds leaving the institution
For takeovers where monetary transactions were created:
• 76% involved wire transfers (with 4% ACH and 18% check writing and other)
Where funds were fraudulently transferred from the financial institution:
• 82% involved wire transfers (with 14% ACH and 4% check writing and other)
• 39% of losses involved wire transfers (with 52% ACH and 9% check writing and other)
Source: FS-ISAC Commercial Account Takeover Survey Press Release, January 9th, 2013
Using Internal Communications Against You: Business Email Compromise (a.k.a. “Masquerading”)
$1 billion in total losses projected by year end, according to the FBI
Image courtesy of www.leadcincinnati.com
Rather than compromise a commercial account directly:
• Cybercriminals compromise the email of a C-suite executive
• Read weeks of emails to understand how employees interact and recent business activity
• Alter contact information in email signatures (i.e., phone numbers)
• Instruct AP staff via email to initiate a wire to an account under their control using a legitimate sounding premise
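The scheme above works because AP staff act on the email itself, including the phone number in its signature. The following is an added example, not code from the presentation or from Greenwich Associates/Javelin, showing how an AP intake step can screen a payment-request email against an independently maintained executive directory (a constructed one here, with made-up names, addresses and phone numbers). It flags the indicators the slide lists (a signature phone number that differs from the directory, a Reply-To that diverges from the sender, urgency or secrecy language) and always returns the directory number for callback verification, never the number printed in the email. The three sample messages are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of executives who may request payments (assumption:
# maintained out-of-band by treasury, not derived from incoming email). The
# phone number here is the one AP calls back; a number printed in an email
# signature is never trusted, since the slide notes attackers alter signatures.
EXEC_DIRECTORY = {
    "cfo@example-corp.com": {"name": "Pat Lee", "phone": "+1 555 010 0100"},
}

PAYMENT_WORDS = ("wire", "transfer", "payment", "routing", "beneficiary")
URGENCY_RE = re.compile(r"\b(urgent|asap|immediately|confidential|do not (?:call|discuss))\b")
CONTACT_LINE_RE = re.compile(r"(?i)\b(phone|tel|direct|mobile|cell)\b")
PHONE_RE = re.compile(r"\+?\d[\d .()-]{6,}\d")


def normalize_phone(text):
    """Keep the last ten digits so formatting and country prefix do not matter."""
    return re.sub(r"\D", "", text)[-10:]


def signature_phones(body):
    """Phone numbers that appear on contact lines (Direct:, Mobile:, ...) of the body."""
    found = set()
    for line in body.splitlines():
        if CONTACT_LINE_RE.search(line):
            for m in PHONE_RE.finditer(line):
                found.add(normalize_phone(m.group()))
    return found


def assess_payment_email(raw_message):
    """Return BEC indicators for one RFC 822 message string (single-part text/plain)."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender, reply_to = sender.lower(), reply_to.lower()
    body = msg.get_payload()
    lowered = body.lower()

    if not any(word in lowered for word in PAYMENT_WORDS):
        return {"payment_request": False, "findings": [], "action": "none"}

    findings = []
    record = EXEC_DIRECTORY.get(sender)
    if record is None:
        findings.append("sender not in executive directory")
    if reply_to and reply_to != sender:
        findings.append("Reply-To differs from From")
    phones = signature_phones(body)
    if record and phones and normalize_phone(record["phone"]) not in phones:
        findings.append("signature phone differs from directory")
    if URGENCY_RE.search(lowered):
        findings.append("urgency or secrecy language")

    return {
        "payment_request": True,
        "findings": findings,
        # Policy: an emailed payment instruction is never executed on the email
        # alone; AP confirms by calling the directory number, not the signature.
        "action": "callback_required",
        "callback_number": record["phone"] if record else None,
        "risk": "high" if findings else "standard",
    }


# Constructed sample messages (not real traffic).
LEGIT_EMAIL = """\
From: Pat Lee <cfo@example-corp.com>
To: ap@example-corp.com
Subject: Q2 vendor payment

Please schedule the regular wire to Acme Supply per the approved invoice.
Pat Lee, CFO
Direct: +1 555 010 0100
"""

BEC_EMAIL = """\
From: Pat Lee <cfo@example-corp.com>
Reply-To: Pat Lee <pat.lee@example-corp-mail.com>
To: ap@example-corp.com
Subject: Urgent wire - confidential acquisition

I need a wire of $48,200 sent today to the beneficiary below; this is
confidential, do not discuss with anyone. Call my new direct line if needed.
Pat Lee, CFO
Direct: +1 555 010 0199
"""

NON_PAYMENT_EMAIL = """\
From: Pat Lee <cfo@example-corp.com>
To: ap@example-corp.com
Subject: Lunch

Are we still on for noon?
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT_EMAIL), ("bec", BEC_EMAIL), ("other", NON_PAYMENT_EMAIL)):
        print(label, assess_payment_email(sample))
```

Note that the compromised-mailbox case passes every sender check, because the message really does come from the executive's account; only the altered signature number, the diverted Reply-To and the callback policy catch it, which is why the verification number has to come from a directory the attacker cannot edit by sending email.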
Zero-Days Need Not Apply: Common Threats by Type
Criminals rely on tried-and-true methods for compromise, long before they resort to more sophisticated measures such as “zero-day” attacks.
[Diagram: company data reached through employees, remote access, suppliers, the website, workstations and servers; threats shown: Social Engineering, Weak Authentication, Compromised Vendors, Web Injection, Malware, Unpatched Vulnerabilities]
Everyday Threats Compromising Businesses and Their Customers
• Weak Authentication: Non-complex passwords without additional authentication factors are easily bypassed (guessed, stolen, etc.)
• Unpatched Vulnerabilities: Hackers rely on known vulnerabilities in operating systems and other common software to gain entry and glean data
• Malware: Trojans and other forms of malware can exfiltrate data, be used to access financial accounts, or create “bots”
• Compromised Vendors: Vendors are targeted for their access to clients’ systems, either directly or through products they provide
• Social Engineering: Employees throughout the organization are at risk, as hackers utilize seemingly legitimate communications
• Web Injection: Public-facing websites are compromised and misused to glean customer data or to deliver malware
When All Else Fails… And Hackers Absolutely Have to Have It…
What are they?
Zero-day exploits rely on previously unknown vulnerabilities to compromise systems, and typically target common software platforms, including operating systems, browser software, productivity software, and various plug-ins.
Who creates them?
Zero-days are most commonly used and developed by nation states such as China, Russia, and the U.S., but independent security firms now also offer zero-day exploits on the open market. Cybercrime has created a market for “near zero-day exploits” to be packaged together into kits available for purchase on underground markets. Once the purview of nation states, “zero-days” have become accessible to top-tier cybercrime groups, or are repurposed into exploit kits later in their lifecycle.
How much do they cost?
According to RAND: “Zero-day prices range from a few thousand dollars to $200,000–$300,000, depending on the severity of the vulnerability, complexity of the exploit, how long the vulnerability remains undisclosed, the vendor product involved, and the buyer.”
Nation States’ Cyberattacks Are Changing
Image courtesy of www.NationalDefenseMagazine.com
Targets change, but China’s motivation remains the same
• China remains focused on nationalistic goals, including bolstering domestic industries and espionage
• Healthcare organizations = learnings to bolster national healthcare infrastructure
• Federal employee data = PII to compromise other systems or support blackmail
Russia has less to lose and is actively supporting cybercrime
• Since its incursion into Ukraine and the subsequent response from the West, Russia has become a more belligerent cyberactor
• Anecdotal evidence suggests that Russian state services are actively supporting the efforts of cybercriminal organizations, supplying technical expertise
Seven Steps for Mitigating Threats: From the Everyday to the Zero-day
1. Secure buy-in from senior leadership
2. Educate employees
3. Upgrade authentication inside and out
4. Harden externally facing web properties
5. Monitor network traffic for anomalous activity
6. Update software promptly and thoroughly
7. Prepare for the worst case scenario
Summary
Treasurers recognize that business profitability is at risk because of cyber threats.
Corporations can reduce their risk by:
• Becoming aware of the threats they currently face
• Creating a culture of cyber-awareness throughout their organization
• Adjusting security policies and procedures to address current threats
• Understanding and planning for the risks they face from counterparties
• Partnering with their financial service providers to constantly improve the security of their accounts
Thank You
© 2015 Greenwich Associates, LLC. Javelin Strategy & Research is a division of Greenwich Associates. All rights reserved. No portion of these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of Greenwich Associates, LLC. Greenwich Associates®, Competitive Challenges®, Greenwich Quality Index®, Greenwich ACCESS™, Greenwich AIM™, and Greenwich Reports® are registered marks of Greenwich Associates, LLC. Greenwich Associates may also have rights in certain other marks used in these materials.
Greenwich Associates provides authoritative market data, insights and consulting solutions to senior financial professionals worldwide.
Thank you for taking the time to attend our discussion today.
Additional information or questions contact:
Maribeth Farley +1 203.625.4314