Cyber risk no business too big or too small

Transcription

1 Cyber risk no business too big or too small Cameron Oxley Partner 27 July 2016

2 Is your Board of Directors aware of the potential personal fall out from breaches? Institutional Shareholder Services (ISS) in the US prepared a report on the Target data breach and aftermath. The results and fall out included: The Target Board was not adequately informed of the risks and should have been Audit committee should have been better informed of Cyber risks Board members didn t understand the importance of directing more resources toward security programs 7 of Target s 10 board members were dismissed Target s CEO lost his job 140 law suits being filed against the retail giant Share price didn t recover for over a year after the incident

3 Ranking + Cyber hacks are getting greater organisational attention 1st Storms and cyclones Severe income disparity Severe income disparity Income disparity Interstate conflict with regional consequences Large scale involuntary migration 2nd Flooding Chronic fiscal imbalances Chronic fiscal imbalances Extreme weather events Extreme weather events Extreme weather events 3rd Corruption Rising greenhouse gas emission Rising greenhouse gas emissions Unemployment and under employment Failure of national governance Failure of climate-change mitigation and adaptation 4th Biodiversity loss Cyber attacks Water supply crises Climate change State collapse or crisis Interstate conflict with regional consequences 5th Climate change Water supply crises Mismanagement of population ageing Cyber attacks High structural unemployment or under employment Major natural catastrophes Source: World Economic Forum, Global Risks by Likelihood Economic Environmental Societal Geopolitical Technological

4 Cyber traffic vs Cyber crime 2.2 million s sent in a second 34,000 Google searches per second 1 million Facebook business views per second 4600 Twitter tweets per 15% of the trillions of s sent are spam and viruses One in every s is a phishing attack second Over 19,000 malicious website addresses (URLs) are identified daily A unique malware file is created almost every second Annualised cost of cyber crime for a U.S. organization was $5.9M last year Over 300,000 Internet Crime Complaints reported per year in US

5 Cost of Setting up Cyber Crime Denial of Service $535 for 5 hours a day for one week Infection Spreading Services $100 per 1000 installs Money Exchange and Mule services 25% Commission Botnets Old Version $700 Newer Versions $3000 Credit Card Number only $1 With Pin $10 Exploit kits $1000 to $2000

6 Distribute IT

7 Background Formed 2002 as a startup Web services provide Domain name registrar Web/Server Hosting SSL Products SMS messaging ~10% Market Share -.au domain names Offices in Melbourne & Jakarta 30+ Employees 200,000+ domain name clients 30,000+ hosting clients 8-10 million SMS messages per annum 3,000+ Resellers Profitable, growing, cash flow positive business

8 Initial Breach: June 3 June 10, 2011 Fri. 3/6 4/6 5/6 6/6 7/6 8/6 9/6 Fri. 10/6 Breach Detected

9 Initial Breach: June 3 June 10, 2011 Fri. 3/6 Network Lockdown 4/6 Compliance 5/6 6/6 7/6 8/6 9/6 Fri. 10/6 Breach Detected Customer Fallout Reconfigure Entire Network

10 Major Breach: June 11 June 23, 2011 Sat. 11/6 12/6 13/6 14/6 15/6 16/6 17/6 18/6 19/6 20/6 21/6 22/6 23/6 ~ 4:30 pm Major Incident ~ 5:30 pm Shutdown entire network

11 Major Breach: June 11 June 23, 2011 Network Rebuild Sat. 11/6 12/6 13/6 14/6 15/6 16/6 17/6 18/6 19/6 20/6 21/6 22/6 23/6 ~ 4:30 pm Major Incident ~ 5:30 pm Shutdown entire network

12 Sat. 11/6 12/6 Major Breach: June 11 June 23, 2011 First Servers come back online Network Rebuild Approx. 96% of servers online Mon 13/6 14/6 15/6 Thu 16/6 Media Governing Body Support (auda, etc) Compliance Fri Media 17/6 18/6 19/6 Privacy Commissioner Government Sale of Assets PCI/Banks Staff Loss to Netregistry Mon 20/6 21/6 22/6 Thu 23/6 ~ 4:30 pm Major Incident ~ 5:30 pm Shutdown entire network Client Comms Social Media AFP Analysis Compliance auda nzdnc ICANN Board Meeting Staff Loss Customer Loss Complete Assessment AFP Meetings Board Meeting Solvency? Social Media Announcement Re: 4 servers Insurance Media Liquidator Meetings Accreditations Damage Mitigation

13 Carl s top Cyber Security and Crisis Management learnings The Cyber security buck ultimately stopped with CEO but IT, Risk and the rest of the Exec needed to all be involved. They deferred it all to IT. Should have asked for external expertise to alleviate the strain on the organisation and people. Fatigue diminishes decision making capability and reduces the effectiveness of individuals. Although aware of the Cyber Security Risks did not place enough value on preparing and testing IT & the business for managing the crisis.

14 Carl s top Cyber Security and Crisis Management learnings Prepare, Prepare, Prepare - Have the plans prepared in advance in all aspects of business risk so the you are ready to deal with a major event. Spread the load - Knowledge retention with key staff is a major issue, in a crisis everything depends on those key people. Part of managing risk has to be spreading the knowledge, and documenting key processes. What's important to the business? How much time do you have to recover? What are the critical assets of the business that need to be protected and recovered first in a crisis. Don't forget your clients - How does an outage affect them? How you manage the clients during (and before) a crisis will influence the business impacts and future client churn.

15 Six practical steps Contractual review Protecting data Employee investment Software as a first line of defence Cyber risk insurance Allocation of risks and responsibilities Identify critical data, systems and services Ensure employees are invested in your organisation s success Make it your business to understand antivirus software, firewalls and data encryptions Allocate risk by securing a suitable insurance policy Seek advice

16 LPLC RISK MANAGEMENT INTENSIVE Ian Bloomfield Managing Director Ignite Systems 27 July 2016

17 2

18 Cybercrime 3

19 Cybercrime 4

20 5

21 6

22 7

23 8

24 In Australia, cybercrime has a narrow statutory meaning as used in the Cybercrime Act 2001 (Cwlth), which details offences against computer data and systems. Source: Australian Institute of Criminology 9

25 Cybercrime is an umbrella term to refer to an array of criminal activity involving computer data, computer systems, or the internet 10

26 11

27 Forbes, 17 Jan Cyber Crime Costs Projected To Reach $2 Trillion by 2019 IBM Corp. s Chairman, CEO and President, Ginni Rometty, recently said that cyber crime may be the greatest threat to every company in the world. In 2015, the British insurance company Lloyd s estimated that cyber attacks cost businesses as much as $400 billion a year, which includes direct damage plus post-attack disruption to the normal course of business. From 2013 to 2015 the cyber crime costs quadrupled, and it looks like there will be another quadrupling from 2015 to

28 The Telegraph, 12 Apr Cybercriminals target half their attacks at small businesses Nearly half of the global attacks logged during the course of 2015 were against small companies with fewer than 250 staff. Small businesses are a softer target, said Sian John, a chief strategist at Symantec. 43percent of all attacks are now targeted at small businesses, she said. They are paying the price for being online. I ve known of small companies that have had ransomware in their main systems, which hold their financial records, Ms John said. They had to stop trading and it cost them a lot of money. They only just managed to survive. 13

29 14

30 Malware products & services for sale: Proxy-Server-Hosting Services Exploits and Exploit Bundles Proxy-Server-Hosting Services Rootkits Traffic Crypters Flooding Services Spamming Services Account-Hacking Services Trojans Fake Documents Stolen Credit Cards and Other Credentials Dedicated-Server-Hosting Services Social-Engineering Services VPN Services Pay-per-Install Services Denial-of-Service Attack Services 15

31 16

32 Theft Extortion Fraud 17

33 18

34 19

35 20

36 All your files 21

37 22

38 23

39 24

40 25

41 26

42 27

43 28

44 29

45 30

46 Information communicated externally should be considered a potential risk 31

47 32

48 33

49 Centrally store and secure all business files File sharing software is a risk 34

50 Cybercrime 35

51 Data loss 36

52 Legal action 37

53 Financial loss 38

54 Reputation 39

55 40

56 In a time of turbulence and change, it is more true than ever that knowledge is power. John F. Kennedy Address at the University of California. March 23,

57 42

58 43

59 manage risk 44

60 Policies Data Disaster recovery Security Access controls Network protection on remote devices 45

61 46

62 47

63 Ian Bloomfield Online Check of Your Risk Profile