cybersecurity strategies to manage business risks


  1. CYBERSECURITY STRATEGIES TO MANAGE BUSINESS RISKS: A CONVERSATION WITH HORNE IT SPECIALISTS

  2. PANELISTS • MIKE SKINNER, CPA, CISA, CITP, Senior Manager, IT Assurance & Risk Services • KEN MILLER, CPA, CIA, CRMA, CHC, CISA, Senior Manager • SALLY HERBERT, CPA, CGMA, Independent Senior Advisor; Former Technology Industry Senior Executive; Audit Committee Member, Susan G. Komen for the Cure

  3. WHAT IS CYBERSECURITY? Technologies and processes designed to protect from unauthorized access, vulnerabilities and attacks.

  4. 2014 YEAR OF THE DATA BREACH • $400M estimated financial loss from 700M compromised records • 70M customers’ personal info, 40M credit/debit cards • 56M credit/debit cards, 53M email addresses • 42.5% identified breaches were in HC industry • 11TB of information, 5 films, 6,000 top salaries, embarrassing emails • 47% of US adults had personal info exposed by hackers. Source: Verizon 2015 Data Breach Investigation Report; Forbes; CNN

  5. CYBERSECURITY OUTLOOK & TRENDS • Attacks will increase in number and sophistication • Political events will continue to shape the cyber threat environment • Evolving attack vectors

  6. CHALLENGES TO CYBER RISK MANAGEMENT • Third-party service providers • Use of employee-owned devices • Cloud computing • Access management complexities

  7. CYBER RISK IS AN ENTERPRISE-WIDE ISSUE • Disrupts business • Damages management credibility • Negative impact on brand • Financial cost of breach

  8. LEADERSHIP’S ROLE IN CYBERSECURITY GOVERNANCE (slide labels: RISK, CONTROLS) • Be risk and threat aware • Understand the changing business and technology landscape • Spend resources wisely to mitigate the greatest threats • Implement effective policies and procedures • Create a formal cybersecurity plan

  9. ROOT CAUSES OF DATA BREACHES • Malicious or Criminal Attack • System Design • Human Error. Sources: Verizon 2015 Data Breach Investigation Report; Ponemon Institute

  10. HACKERS WANT In addition to credit card and financial information, hackers are seeking: • Medical Record Data • Employee Data • Corporate Data • Customer Data • Vendor Data • Organization IT Assets • Intellectual Property

  11. REGULATORY IMPACT: INCREASING OVERSIGHT FROM REGULATORS

  12. KEY RISK AREAS • Education • Access Management • Weak or Non-Existent IT Policies and Procedures • Network Security • Operating System / Application Security • Data Encryption • 3rd Party Oversight • Disaster Recovery Environment

  13. EXAMPLE APPROACH TO CYBERSECURITY (columns: FUNCTION; CATEGORY; PRIMARY RESPONSIBILITY)
      • IDENTIFY. Category: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy. Primary responsibility: Management, Board / Governing Body
      • PROTECT. Category: Access Control, Awareness & Training, Data Security, Information Protection Processes, Maintenance, Protective Technology. Primary responsibility: IT
      • DETECT. Category: Anomalies & Events, Security Continuous Monitoring, Detection Processes. Primary responsibility: IT
      • RESPOND. Category: Response Planning, Communications, Analysis, Mitigation, Improvements. Primary responsibility: IT, Management, Board / Governing Body
      • RECOVER. Category: Recovery Planning, Improvements, Communications. Primary responsibility: IT, Management, Board / Governing Body
      Source: NIST Cybersecurity Framework

  14. THREE LINES OF DEFENSE MODEL (Source: na.theiia.org)

  15. GONE IN 60 SECONDS Initial attack takes minutes. Discovery and response take weeks.

  16. QUESTIONS TO ASK • Has our organization identified our most important assets? • How are we protecting critical IT assets? • Does our organization use a security framework? • Has our organization conducted an IT risk assessment?

  17. STEPS TO TAKE NOW • Perform a risk/vulnerability assessment • Develop and implement a security plan • Maintain threat awareness

  18. QUESTIONS & COMMENTS
