Cybersecurity Strategies to Manage Business Risks: A Conversation with HORNE IT Specialists (PowerPoint presentation)


  1. CYBERSECURITY STRATEGIES TO MANAGE BUSINESS RISKS: A CONVERSATION WITH HORNE IT SPECIALISTS

  2. PANELISTS
     • Mike Skinner, CPA, CISA, CITP, Senior Manager, IT Assurance & Risk Services
     • Ken Miller, CPA, CIA, CRMA, CHC, CISA, Senior Manager
     • Sally Herbert, CPA, CGMA, Independent Senior Advisor; Former Technology Industry Senior Executive; Audit Committee Member, Susan G. Komen for the Cure

  3. WHAT IS CYBERSECURITY? Technologies and processes designed to protect from unauthorized access, vulnerabilities and attacks.

  4. 2014: YEAR OF THE DATA BREACH
     • $400M estimated financial loss from 700M compromised records
     • 42.5% of identified breaches were in the HC (healthcare) industry
     • 70M customers' personal info and 40M credit/debit cards
     • 56M credit/debit cards and 53M email addresses
     • 47% of US adults had personal info exposed by hackers
     • 11TB of information, 5 films, 6,000 top salaries and embarrassing emails
     Source: Verizon 2015 Data Breach Investigation Report; Forbes; CNN

  5. CYBERSECURITY OUTLOOK & TRENDS
     • Attacks will increase in number and sophistication
     • Political events will continue to shape the cyber threat environment
     • Evolving attack vectors

  6. CHALLENGES TO CYBER RISK MANAGEMENT
     • Third-party service providers
     • Use of employee-owned devices
     • Cloud computing
     • Access management complexities

  7. CYBER RISK IS AN ENTERPRISE-WIDE ISSUE
     • Disrupts business
     • Damages management credibility
     • Negative impact on brand
     • Financial cost of breach

  8. LEADERSHIP'S ROLE IN CYBERSECURITY GOVERNANCE
     RISK
     • Be risk and threat aware
     • Understand the changing business and technology landscape
     • Spend resources wisely to mitigate the greatest threats
     CONTROLS
     • Implement effective policies and procedures
     • Create a formal cybersecurity plan

  9. ROOT CAUSES OF DATA BREACHES
     • Malicious or criminal attack
     • System design
     • Human error
     Source: Verizon 2015 Data Breach Investigation Report; Ponemon Institute

  10. HACKERS WANT: In addition to credit card and financial information, hackers are seeking:
     • Medical record data
     • Employee data
     • Corporate data
     • Customer data
     • Vendor data
     • Organization IT assets
     • Intellectual property

  11. REGULATORY IMPACT: Increasing oversight from regulators

  12. KEY RISK AREAS
     • Education
     • Access Management
     • Weak or Non-Existent IT Policies and Procedures
     • Network Security
     • Operating System / Application Security
     • Data Encryption
     • 3rd Party Oversight
     • Disaster Recovery Environment

  13. EXAMPLE APPROACH TO CYBERSECURITY
     FUNCTION | CATEGORY | PRIMARY RESPONSIBILITY
     IDENTIFY | Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy | Management; Board / Governing Body
     PROTECT  | Access Control; Awareness & Training; Data Security; Information Protection Processes; Maintenance; Protective Technology | IT
     DETECT   | Anomalies & Events; Security Continuous Monitoring; Detection Processes | IT
     RESPOND  | Response Planning; Communications; Analysis; Mitigation; Improvements | IT; Management; Board / Governing Body
     RECOVER  | Recovery Planning; Improvements; Communications | IT; Management; Board / Governing Body
     Source: NIST Cybersecurity Framework

  14. THREE LINES OF DEFENSE MODEL (Source: na.theiia.org)

  15. GONE IN 60 SECONDS: The initial attack takes minutes. Discovery and response take weeks.

  16. QUESTIONS TO ASK
     • Has our organization identified our most important assets?
     • How are we protecting critical IT assets?
     • Does our organization use a security framework?
     • Has our organization conducted an IT risk assessment?

  17. STEPS TO TAKE NOW
     • Perform a risk/vulnerability assessment
     • Develop and implement a security plan
     • Maintain threat awareness

  18. QUESTIONS & COMMENTS
