Cybersecurity A presentation to the National Association of Black Accountants – Cleveland Chapter
Contents Cybersecurity and risk management 1 Cybersecurity and the regulatory 2 environment Cybersecurity and the audit 3 4 Appendix Page 2
Cybersecurity What is it and what is the risk landscape “Resources devoted to cyber-based threats are expected to eclipse resources devoted to terrorism.” The Honorable James B. Comey, Jr., Director of the Federal Bureau of Investigation Statement of the Federal Bureau of Investigation before the Committee on Homeland Security and Governmental Affairs United States Senate “The constant threat of cyber attack is real, lasting and cannot be ignored.” Luis Aguilar Commissioner of the Securities and Exchange Commission SEC Cybersecurity Roundtable Page 3
Cybersecurity What is cybersecurity What is cybersecurity? ► Cybersecurity is the body of: ► Technologies ► Processes ► Practices ► Designed to protect networks, computers, applications and data from attack, damage or unauthorized access, typically via the internet or other forms of connectivity. Page 4
Cybersecurity What is cybersecurity risk Cybersecurity risk ► Represents the possibility that these technologies, processes and practices can be circumvented, allowing unauthorized users to: ► Access or exfiltrate protected or sensitive information, such as: ► Intellectual property ► Proprietary information ► Credit card information ► Personally identifiable information ► Protected health information ► Modify and/or delete key applications and information, which could affect the accuracy and/or integrity of processing (both financial and/or operating). ► Disrupt computer-controlled operations Page 5
Cybersecurity Is every company a target? Common misconception “I don’t process credit card transactions internally; therefore, my company is not a target.” Reality Companies can be targeted for many reasons: Company is a vendor of the ultimate target ► Gain access to research and development ► information Stock price manipulation ► Gain access to sensitive merger and ► acquisition information Disrupt operations ► Page 6
Cybersecurity How have cybersecurity threats evolved? Corporate espionage Unsophisticated attackers Sophisticated attackers Organized crime State-sponsored attacks and (malicious insiders) (script kiddies) (hackers) (criminal gangs) advanced persistent threat 1 (APT) Your current or former employee You are attacked because you are You are attacked because you are You are attacked because you have seeks financial gain from stealing You are targeted because of who you are, what you do on the internet and have a on the internet and have money or something else of value and selling your intellectual or the value of your IP. vulnerability. information of value. that can be sold. property (IP). APT State-sponsored espionage Market manipulation Competitive advantage Military/political objectives Criminal Cash, gangs credit cards, Identities, inside information Malicious insiders Revenge, Risk personal gain, stock price manipulation Money, Hackers embarrassment, political, social or environmental causes Amusement, experimentation, kiddies Script nuisance, notoriety Attacker resources and sophistication 1 An advanced persistent threat (APT) is a set of sophisticated, stealthy and continuous computer attacks often targeting a specific entity with business or political motives. The processes used involve a high degree of covertness over a long period of time using sophisticated techniques to exploit vulnerabilities in systems. Page 7
Cybersecurity What can a targeted attack look like? Point where most targets Potential detection are notified of point with robust Accelerating attack detection the attack threat intelligence (generally by third parties) Intelligence Initial Command Privilege Data gathering exploitation and control escalation exfiltration Move Conduct Execute Gather and Exfiltrate data Maintain Establish Enable Conduct enterprise laterally to Escalate background initial encrypt data of from victim persistent foothold persistence reconnaissance new privileges research attack interest systems presence systems Degrading security posture or health as the attack life cycle progresses Page 8
Cybersecurity How are security programs positioned to deal with today’s cyber risks? 36% 57% 59% unlikely they would be see criminal syndicates as lack of skilled resources is able to detect a the most likely source of an challenging Information sophisticated attack attack today Security’s contribution and value to the organization Some top-of-mind questions for today’s information security executives are: How does my information security program compare with those of my peers in the industry? ► Is my information security strategy aligned with business objectives? ► How well do we protect high-value information, especially given today’s increasingly mobile workforce? ► Are we well prepared to monitor, detect and respond to information security threats? ► Do we have the right people and skill sets? ► Are we spending on the right information security priorities? ► Am I or have I been the victim of an attack or a breach? ► Today’s information security programs must enable business objectives and defend against threats while investing in the right priorities. Source – Global Information Security Survey, Ernst & Young LLP, 2015. Page 9
Cybersecurity Spend considerations Source – Global Information Security Survey, Ernst & Young LLP, 2015. Page 10
Who or what do you consider the most likely source of an attack? Respondents were asked to choose all that apply. 0% 10% 20% 30% 40% 50% 60% 70% Criminal syndicates 59% Employee 56% Hacktivists 54% Lone Wolf hacker 43% External contractor working on our site 36% State sponsored attacker 35% Supplier 14% Other business partner 13% Customer 12% Other (please specify) 3% Source – Global Information Security Survey, Ernst & Young LLP, 2015. Page 11
Cybersecurity What are the motivations and who are the common attackers? Motivations Common targets Common attackers Financial gain through the theft of Companies that manufacture/produce products • State sponsored Intellectual Property and/or proprietary that leverage certain IP to maximize their • Organized crime information advantage in the marketplace (e.g., aerospace and defense, drug manufacturing, companies • Accelerate company/country research negotiating M&A transactions) and development • Competitive advantage • Sales and economic growth Financial gain through access to non- Companies with credit card information and/or • Organized crime monetary assets (e.g., personally other PII of a target audience • Employees and identifiable information - PII), which can contractors be sold to others Financial gain through direct access to Banks, insurance companies, trading firms • Competitors monetary assets and/or financially • Organized crime relevant information • Employees/contractors Political disruption, terrorism, service Financial markets, power generation and • State sponsored disruption distribution facilities, oil and gas exploration and • Organized crime distribution facilities • “Hacktivists” Manipulation of stock price Companies competing in emerging or • State sponsored expanding markets • Organized crime Page 12
Cybersecurity Trends Ransomware Market Manipulation Attacks Compromised corporate assets leading to Criminals disabling company networks with manipulation of financial markets (e.g. Twitter ransomware such as “CryptoLocker” attacks on AP and Burger King) as well as demanding ransom payment. compromising trading activity and acting on it and/or front running 3 rd Party Attack Vector Convergence of Attacks Cybersecurity attacks are converging with Cyber criminals attacking company networks using 3 rd party vendor connections. physical security attacks to cause comprehensive damage ( e.g. cyber attack on critical national infrastructure) Page 13
Cybersecurity What is the current risk landscape • It is no longer possible to simply prevent cyber attacks or breaches. • With organizations increasingly relying on vast amounts of digital data to do business, cybercrime is growing ever more damaging to an organization and its brands. • The interconnectivity of people, devices and organizations opens up new vulnerabilities. • New technologies, regulatory pressure and changing business requirements call for more security measures. • What companies used to know and do to protect their most valued information is no longer enough. Page 14
Cybersecurity What is the current risk landscape? • The growing attacking power of cyber criminals • Cybercrime is big business. Today’s attackers: Are more organized – they are not just opportunists • Have significant funding • Are patient and sophisticated – they will often gain access and wait • until the right moment to pounce • Cybercrime is an organization-wide issue Attackers take advantage of vulnerabilities in the whole operating • environment – including people and process Page 15
Recommend
More recommend
