CYBER SECURITY PROTECTING AGAINST CYBER FRAUD IN SCALEUP COMPANIES - - PowerPoint PPT Presentation



SLIDE 1

CYBER SECURITY

PROTECTING AGAINST CYBER FRAUD IN SCALEUP COMPANIES AND WHAT TO DO SHOULD THEY HAPPEN

London June 2019

SLIDE 2

INTRODUCTION

Cyber Security

  • The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorised use or modification, or exploitation (US National Institute of Standards and Technology, NIST).
  • Cyber security can be described as the digital or human measures you can take to reduce the risk and harm to your company's information and information-based systems through theft, alteration or destruction.

Cyber Risk and Fraud

  • Cyber risks arise from your company's exposure to the rapidly increasing interconnectivity of information. The risks are indeed real, and it is perfectly sensible to assume these risks emanate from people who have, or seek to have, access to your information or information-based systems, both internally and externally, with a view to committing fraud.

Date 2

SLIDE 3

WHEN THINGS GO WRONG

Causes

  • Hacker attack
  • Data breach
  • Virus transmission
  • Cyber extortion
  • Employee sabotage
  • Network downtime
  • Human error

SLIDE 4

WHEN THINGS GO WRONG

Effects

Butlin's says guest records may have been hacked

Holiday camp firm Butlin's says up to 34,000 guests at its resorts may have had their personal information stolen by hackers.

NHS 'could have prevented' WannaCry ransomware attack

NHS trusts were left vulnerable in a major ransomware attack in May because cyber-security recommendations were not followed, a government report has said. At least 6,900 NHS appointments were cancelled as a result of the attack.

British Airways: Suspect code that hacked fliers 'found'

A cyber-security firm has said it found malicious code injected into the British Airways website, which could be the cause of a recent data breach that affected 380,000 transactions.

SLIDE 5

WHEN THINGS GO WRONG

Impact

  • Economic cost of cyber attack
  • Reputational damage
  • Legal consequences of cyber breach

SLIDE 6

IN THE NEWS

Cyber security threat to banks has grown in last decade

  • Bank of England Governor Mark Carney says: "The third class of risk that is new in the last decade is risk related to cyber security. The defences have to be in place and we also have to have plans if a bank were to be knocked out because of a cyber attack - how do we keep a system functioning and service to customers functioning in that event." BBC Sept 2018

Tory app security breach reveals MPs' numbers

  • Boris Johnson was among those whose details could be accessed through the party's conference app. BBC Sept 2018

Rise in cyber-attacks on NI universities

  • Universities and further education colleges in NI suffered 16 serious cyber-attacks in 2017/18 compared to three the year before. BBC Sept 2018

UK cyber-centre thwarts hostile hackers

  • The National Cyber Security Centre has combated about 1,200 attacks since it was created, it reveals. BBC Oct 2018

UK accuses Russian spies of cyber-attacks

  • Alleged attacks include raids on the World Anti-Doping Agency, when athletes' data was published, and the US Democratic Party. BBC Oct 2018

SLIDE 7

WHAT DO THE STATISTICS SAY?

The Cyber Security Breaches Survey 2019 is an Official Statistic, measuring how organisations in the UK approach cyber security and the impact of breaches.

SLIDE 8

DRIVERS FOR CHANGE

SLIDE 9

AWARENESS OF GOVERNMENT CYBER SECURITY INITIATIVES AND ACCREDITATIONS

SLIDE 10

WHAT ARE ORGANISATIONS DOING ABOUT IT?

SLIDE 11

WHAT ARE ORGANISATIONS DOING ABOUT IT?

SLIDE 12

AVERAGE INVESTMENT IN CYBER SECURITY IN LAST FINANCIAL YEAR

SLIDE 13

WHAT ARE ORGANISATIONS DOING ABOUT IT?

SLIDE 14

THINK ABOUT WHAT YOU HAVE

SLIDE 15

SOME SPECIFIC CURRENT CYBER THREATS EXPERIENCED

  • Ransomware attacks
    – the attack encrypts the victim's data and asks for money in exchange for the decryption key
  • Third parties being compromised
    – cloud-based services, third party data holders/processors
  • Phishing & social engineering attacks
    – CEO asking for an urgent payment to be made, or offering a refund
    – a payment being asked to be processed to a different account than the one on file
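The two payment-fraud lures on this slide (an executive asking for an urgent transfer, and a supplier "changing" its bank account) are both caught by the same finance-side control: compare every payment request against what is already on file and hold anything that differs until it is verified by phone. The following is an added example of such a pre-payment check, not code from the presentation or from Mazars; the supplier records, executive names, mail domains and sample requests are all constructed for illustration.

```python
# Added example (not from the presentation): a pre-payment check for the
# phishing/social-engineering cases on the slide. Supplier records, executive
# names, domains and the sample requests are constructed sample data.
from dataclasses import dataclass, field
from typing import Optional

# Constructed supplier master data: bank details previously verified out of band.
SUPPLIERS_ON_FILE = {
    "Acme Ltd": {
        "sort_code": "12-34-56",
        "account": "12345678",
        "email_domain": "acme.example",
    },
}

# Constructed list of executives likely to be impersonated, with the
# company's own mail domain.
EXECUTIVES = {"Jane Smith": "scaleup.example"}

# Pressure language typical of the "urgent payment" lure.
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "confidential")


@dataclass
class PaymentRequest:
    sender_name: str                 # display name shown in the mail client
    sender_address: str              # actual From address
    body: str
    supplier: Optional[str] = None   # None for ad-hoc "please transfer" requests
    sort_code: str = ""
    account: str = ""


@dataclass
class Verdict:
    hold: bool                       # True = do not pay until verified by phone
    reasons: list = field(default_factory=list)


def sender_domain(address: str) -> str:
    """Return the domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def review_payment_request(req: PaymentRequest,
                           suppliers=SUPPLIERS_ON_FILE,
                           executives=EXECUTIVES) -> Verdict:
    """Flag anything that should force an out-of-band call before payment."""
    reasons = []
    domain = sender_domain(req.sender_address)

    if req.supplier is None:
        reasons.append("no supplier record: ad-hoc payment request")
    elif req.supplier not in suppliers:
        reasons.append(f"supplier '{req.supplier}' is not on file")
    else:
        on_file = suppliers[req.supplier]
        if (req.sort_code, req.account) != (on_file["sort_code"], on_file["account"]):
            reasons.append("bank details differ from those on file")
        if domain != on_file["email_domain"]:
            reasons.append("sender domain does not match supplier's domain on file")

    # Executive impersonation: the display name is one of ours, the address is not.
    expected_domain = executives.get(req.sender_name)
    if expected_domain is not None and domain != expected_domain:
        reasons.append("display name matches an executive but address is external")

    if any(word in req.body.lower() for word in URGENCY_WORDS):
        reasons.append("urgency/secrecy language in request")

    return Verdict(hold=bool(reasons), reasons=reasons)


if __name__ == "__main__":
    samples = [
        PaymentRequest("Acme Accounts", "ap@acme.example", "Invoice 1001 attached.",
                       supplier="Acme Ltd", sort_code="12-34-56", account="12345678"),
        PaymentRequest("Acme Accounts", "ap@acme.example",
                       "Our bank details have changed, please pay the new account.",
                       supplier="Acme Ltd", sort_code="65-43-21", account="87654321"),
        PaymentRequest("Jane Smith", "jane.smith@webmail.example",
                       "I need an urgent transfer today. Keep this confidential."),
    ]
    for s in samples:
        v = review_payment_request(s)
        print("HOLD" if v.hold else "PAY ", s.sender_address, v.reasons)
```

The second sample (same supplier, new account number) is held purely on the mismatch with the record on file, regardless of how plausible the e-mail looks; the third is held because the request has no supplier record at all, the display name belongs to an executive but the address does not, and the wording presses for speed and secrecy. The point of the control is that a hold is cleared only by calling the supplier or executive on a number already on file, never by replying to the e-mail.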

SLIDE 16

THREAT LIFECYCLE

PREDICT
  • Proactive risk analysis
  • Predict attacks
  • Baseline systems

PREVENT
  • Harden and isolate systems
  • Divert attackers
  • Prevent issues

DETECT
  • Detect issues
  • Confirm and prioritize risk
  • Contain issues

RESPOND
  • Remediate / Make change / Learn
  • Design / Model change
  • Investigate / Forensics

Threats at the centre of the cycle: mobile user attacks, cloud computer attacks, denial of service, geolocation attacks, high profile target spoofing.

SLIDE 17

THREAT MONITORING-MANAGEMENT INTERACTION

CONTINUOUS THREAT MONITORING

Monitoring and Detection of Unauthorized Activities

  • Monitoring the company's network and physical environments, IDS/IPS
  • Monitoring activity of third party service providers with access to the network
  • Monitoring the network for the presence of unauthorized users, devices, connections and software
  • Using malicious code detection and data loss prevention software
  • Maintaining written incident alert thresholds

BOARD AND MANAGEMENT INTERACTION

  • Normal routine updates from management regarding the state of IT systems
  • Key performance indicators such as how many breach notification notices have been filed and IT department trends
  • Updates on any management initiatives such as employee training and outsourcing of key security functions
  • Employee access to the Board
  • Whistleblower policy
  • Employee/customer hotline
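Two of the monitoring bullets above translate directly into detection logic: "monitoring the network for the presence of unauthorized ... devices" is a comparison of what is seen on the wire against an asset inventory, and "maintaining written incident alert thresholds" means the number that turns a count of events into an alert is agreed in advance rather than decided in the moment. The following added example (not from the presentation or from Mazars) applies both to a constructed log extract; the inventory, the threshold value, the log format and every address in it are made up for illustration.

```python
# Added example (not from the presentation): the "unauthorised devices" and
# "written incident alert thresholds" bullets above, applied to a constructed
# log extract. Inventory, threshold, log format and all values are made up.
import re
from collections import Counter

# Constructed asset inventory: MAC addresses the company has authorised.
AUTHORISED_DEVICES = {
    "aa:bb:cc:00:00:01": "fin-laptop-01",
    "aa:bb:cc:00:00:02": "hr-desktop-02",
    "aa:bb:cc:00:00:03": "printer-floor1",
}

# A written alert threshold: failed VPN logins per account before an alert
# is raised into the incident process.
FAILED_LOGIN_THRESHOLD = 5

# Constructed log extract (DHCP lease events and VPN authentication results).
SAMPLE_LOG = """\
2019-06-03T08:01:12 dhcp lease ip=10.0.1.21 mac=aa:bb:cc:00:00:01 host=fin-laptop-01
2019-06-03T08:02:40 dhcp lease ip=10.0.1.22 mac=aa:bb:cc:00:00:02 host=hr-desktop-02
2019-06-03T08:05:03 dhcp lease ip=10.0.1.57 mac=de:ad:be:ef:00:09 host=android-7f3a
2019-06-03T08:10:00 vpn auth user=alice result=FAIL src=198.51.100.4
2019-06-03T08:10:20 vpn auth user=alice result=OK src=198.51.100.4
2019-06-03T08:11:01 vpn auth user=ceo result=FAIL src=203.0.113.8
2019-06-03T08:11:05 vpn auth user=ceo result=FAIL src=203.0.113.8
2019-06-03T08:11:09 vpn auth user=ceo result=FAIL src=203.0.113.8
2019-06-03T08:11:14 vpn auth user=ceo result=FAIL src=203.0.113.8
2019-06-03T08:11:18 vpn auth user=ceo result=FAIL src=203.0.113.8
2019-06-03T08:11:23 vpn auth user=ceo result=FAIL src=203.0.113.8
"""

DHCP_RE = re.compile(
    r"^(?P<ts>\S+) dhcp lease ip=(?P<ip>\S+) mac=(?P<mac>\S+) host=(?P<host>\S+)$")
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)$")


def find_unauthorised_devices(log: str, inventory=AUTHORISED_DEVICES) -> dict:
    """Return devices that took a DHCP lease but are not in the asset inventory."""
    unknown = {}
    for line in log.splitlines():
        m = DHCP_RE.match(line)
        if m is None:
            continue
        mac = m["mac"].lower()
        if mac not in inventory and mac not in unknown:
            unknown[mac] = {"ip": m["ip"], "host": m["host"], "first_seen": m["ts"]}
    return unknown


def failed_logins_over_threshold(log: str, threshold: int = FAILED_LOGIN_THRESHOLD) -> dict:
    """Count FAIL results per user and return those at or above the written threshold."""
    failures = Counter()
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if m is not None and m["result"] == "FAIL":
            failures[m["user"]] += 1
    return {user: n for user, n in failures.items() if n >= threshold}


def build_alerts(log: str) -> list:
    """Combine both checks into the alert lines an analyst would triage."""
    alerts = []
    for mac, info in find_unauthorised_devices(log).items():
        alerts.append(f"UNAUTHORISED_DEVICE mac={mac} ip={info['ip']} "
                      f"host={info['host']} first_seen={info['first_seen']}")
    for user, n in failed_logins_over_threshold(log).items():
        alerts.append(f"AUTH_FAILURES user={user} count={n} "
                      f"threshold={FAILED_LOGIN_THRESHOLD}")
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_LOG):
        print(alert)
```

On the sample extract this produces two alerts: one unknown handset that obtained an address, and one account that crossed the failed-login threshold while another account's single failure is correctly ignored. The value of the threshold living in a written, versioned constant rather than in someone's head is that the Board-level question "how many incidents did we have" has a defined answer.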

SLIDE 18

CYBERSECURITY TRAINING & TECHNOLOGY

EMPLOYEE TRAINING

Workforce

  • Are cybersecurity roles and responsibilities assigned and communicated to the workforce?
  • Regular training? Awareness of policy and of how to report breaches?
  • Are employees required to practise computer security best practices (e.g., use passwords with a mix of upper case and lower case letters, numbers and symbols)?

TECHNOLOGY UPGRADE

  • Pace of technology
    – Review and reassess data privacy and computer security policies and procedures
    – Are policies and procedures staying up to date with technological advances (e.g., do they address the plethora of mobile devices that are now available to employees)?
  • Are firewalls, anti-spam and anti-virus software updated regularly?
  • Are patches for the operating system and other software applied regularly?
  • Are computer system defences monitored against potential threats?
SLIDE 19

INCIDENT RESPONSE AND RECOVERY

INCIDENT RESPONSE

  • Review and reassess your data breach policy
    – Is it sufficiently detailed to provide guidance for what needs to be done immediately in the event of a security breach or a near miss?
    – Updated in light of GDPR?
    – Data breach investigation to discover and perform analysis?
    – Are key stakeholders represented on the team?
    – Is the data breach team lead granted sufficient authority to execute quickly?
    – Are lessons learnt?
    – Senior management and Board level awareness

RECOVERY PLAN

  • Business Continuity Plan
    – Review and reassess business continuity and disaster recovery plans
    – Does the business continuity plan cover a cyber attack or other type of computer disruption in addition to more commonly covered business disruptions, such as natural disasters and fire?
    – Test and re-test computer networks and systems
SLIDE 20

CYBER SECURITY BEST PRACTICE

BEST PRACTICES

National Cyber Security Centre (NCSC)

  • Expert, trusted, and independent guidance for UK industry, government departments, the critical national infrastructure and private SMEs

International Organization for Standardization (ISO) 27000 and 27001 Standards

  • Cyber Essentials
  • Cyber Security Information Sharing Partnership (CiSP) run by the NCSC

BEST PRACTICES – Key Areas

  • Current environment practices should be measured against best practices in key areas:
    – Policy
    – Threat prevention
      • Perimeter, insider and vendor
    – Threat detection
    – Training and awareness
    – Response

SLIDE 21

THIRD PARTY CYBER SECURITY RISK & RECOVERY PLAN

THIRD PARTY RISK AVERSION

Third Party Vendors

  • Review and reassess the data privacy and computer security policies and procedures of third party service providers
  • Obtain and review Statement on Controls (SOC) reports from key third parties that process information
  • Review and reassess service contracts with third-party service providers to assure that privacy and computer security issues are adequately addressed
  • Review and reassess policies segregating network resources from 3rd party accessible resources
  • Review and reassess policies regarding remote maintenance of the network by 3rd parties
SLIDE 22

INSURANCE & AUDIT

CYBER SECURITY INSURANCE

Review Insurance Policies

  • Traditional insurance policies such as commercial general liability, fidelity insurance bond, directors' and officers' liability or errors and omissions liability coverage often contain express "electronic data" or "data breach" exclusions
  • Insurers have sought to deny policy coverage for data security breaches
  • Cybersecurity insurance often offers first party (i.e., losses related to the policy holder) and third party (i.e., losses related to clients) coverage

AUDIT COMMITTEE CONSIDERATIONS

  • Gap between where security is and where it needs to be
  • Significant/material findings by external/internal auditors with regard to key systems
  • Potential consequences
  • Questions that the audit committee should pose:
    – Has the number of breaches increased since last month/year?
    – Are there new initiatives to bolster the information security program?
    – Is information security an in-house IT function? If so, to whom does it report: the audit committee or a board member with an IT background?
    – Is the audit committee involved in planning for information security risks?
    – How often does the committee discuss cybersecurity? Is the full board aware?

SLIDE 23

Q&A?

SLIDE 24

WANT TO KNOW MORE?

Go to www.mazars.co.uk/cybersecurity and download: Cyber Security Breaches Survey - DCMS

Or contact us:

  • Martin Baird – Martin.Baird@mazars.co.uk – Director, London
  • Francisco Sanches – francisco.sanches@mazars.co.uk – Director, London
  • Neil Belton – neil.belton@mazars.co.uk – Manager, Birmingham