CYBERSECURITY STRATEGIES TO MANAGE BUSINESS RISKS: A CONVERSATION WITH HORNE IT SPECIALISTS (PowerPoint PPT Presentation)



SLIDE 1

CYBERSECURITY STRATEGIES TO MANAGE BUSINESS RISKS

A CONVERSATION WITH HORNE IT SPECIALISTS

SLIDE 2

PANELISTS

MIKE SKINNER, CPA, CISA, CITP
Senior Manager, IT Assurance & Risk Services

SALLY HERBERT, CPA, CGMA
Independent Senior Advisor; Former Technology Industry Senior Executive; Audit Committee Member, Susan G. Komen for the Cure

KEN MILLER, CPA, CIA, CRMA, CHC, CISA
Senior Manager

SLIDE 3

WHAT IS CYBERSECURITY?

Technologies and processes designed to protect against unauthorized access, vulnerabilities and attacks.

SLIDE 4

2014: YEAR OF THE DATA BREACH

  • 56M credit/debit cards
  • 53M email addresses
  • 70M customers’ personal info
  • 40M credit/debit cards
  • 11TB of information, 5 films, 6,000 top salaries, embarrassing emails
  • 42.5% of identified breaches were in the healthcare (HC) industry
  • 47% of US adults had personal info exposed by hackers
  • $400M estimated financial loss from 700M compromised records

Source: Verizon 2015 Data Breach Investigation Report; Forbes; CNN

SLIDE 5

CYBERSECURITY OUTLOOK & TRENDS

  • Attacks will increase in number and sophistication
  • Political events will continue to shape the cyber threat environment
  • Evolving attack vectors

SLIDE 6

CHALLENGES TO CYBER RISK MANAGEMENT

  • Third-party service providers
  • Use of employee-owned devices
  • Cloud computing
  • Access management complexities

SLIDE 7

CYBER RISK IS AN ENTERPRISE-WIDE ISSUE

  • Disrupts business
  • Damages management credibility
  • Negative impact on brand
  • Financial cost of breach

SLIDE 8

LEADERSHIP’S ROLE IN CYBERSECURITY

GOVERNANCE | RISK | CONTROLS

  • Be risk and threat aware
  • Understand the changing business and technology landscape
  • Spend resources wisely to mitigate the greatest threats
  • Implement effective policies and procedures
  • Create a formal cybersecurity plan

SLIDE 9

ROOT CAUSES OF DATA BREACHES

  • Malicious or Criminal Attack
  • System Design
  • Human Error

Source: Ponemon Institute; Verizon 2015 Data Breach Investigation Report

SLIDE 10

HACKERS WANT

In addition to credit card and financial information, hackers are seeking:

  • Organization IT Assets
  • Employee Data
  • Medical Record Data
  • Corporate Data
  • Customer Data
  • Vendor Data
  • Intellectual Property

SLIDE 11

REGULATORY IMPACT

INCREASING OVERSIGHT FROM REGULATORS

SLIDE 12

KEY RISK AREAS

  • Education
  • Access Management
  • Weak or Non-Existent IT Policies and Procedures
  • Network Security
  • Operating System / Application Security
  • Data Encryption
  • 3rd Party Oversight
  • Disaster Recovery Environment

SLIDE 13

EXAMPLE APPROACH TO CYBERSECURITY

Each function is listed with its categories and its primary responsibility.

IDENTIFY
  Categories:
  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy
  Primary responsibility:
  • Management
  • Board / Governing Body

PROTECT
  Categories:
  • Access Control
  • Awareness & Training
  • Data Security
  • Information Protection Processes
  • Maintenance
  • Protective Technology
  Primary responsibility:
  • IT

DETECT
  Categories:
  • Anomalies & Events
  • Security Continuous Monitoring
  • Detection Processes
  Primary responsibility:
  • IT

RESPOND
  Categories:
  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements
  Primary responsibility:
  • IT
  • Management
  • Board / Governing Body

RECOVER
  Categories:
  • Recovery Planning
  • Improvements
  • Communications
  Primary responsibility:
  • IT
  • Management
  • Board / Governing Body

Source: NIST Cybersecurity Framework

SLIDE 14

THREE LINES OF DEFENSE MODEL

Source: na.theiia.org

SLIDE 15

GONE IN 60 SECONDS

The initial attack takes minutes. Discovery and response take weeks.

SLIDE 16

QUESTIONS TO ASK

  • Has our organization identified our most important assets?
  • How are we protecting critical IT assets?
  • Does our organization use a security framework?
  • Has our organization conducted an IT risk assessment?

SLIDE 17

STEPS TO TAKE NOW

  • Perform a risk/vulnerability assessment
  • Develop and implement a security plan
  • Maintain threat awareness

SLIDE 18

QUESTIONS & COMMENTS
