CYBER SECURITY RISK ASSESSMENT: WHAT EVERY PENSION GOVERNMENTAL ENTITY NEEDS TO KNOW
May 2018
Ed Plawecki, General Counsel & Director of Government Relations, UHY LLP
Jamie See, Manager, UHY LLP
Iowa Public Employees' Retirement System accounts breached, FBI investigating hack
An independent member of UHY International. UHY LLP 2017 All Rights Reserved.
WHY DO PEOPLE HACK
Why do people and organizations hack?
- Criminal
- Ransom
- Selling Information
- Anarchists
- Activists
- Fun
- Thrills
- Challenge
- Sabotage
- Internal
WHY ARE GOVERNMENT ENTITIES A MAJOR TARGET?
- Sensitive data: ID/License, Marriage forms, Birth Certificates, Medical data, SSN, etc.
- Potentially easier targets: lack of available funding for security equipment and monitoring
- Political and social reasons: state sponsored and hacktivists
WHAT CAN YOU DO IN REGARDS TO CYBER SECURITY?
A. Ignore the risk
B. Run and try to escape
C. Blame the IT guy
D. Stay Calm
WHAT CAN YOU DO IN REGARDS TO CYBER SECURITY?
Option 1: Throw the computers out of the window.
Option 2: Be prepared to prevent, identify, and respond to cyber attacks.
CYBER SECURITY PROGRAM?
Do you have a cyber security program in place?
WHAT IS CYBER SECURITY?
2017 BREACH LEVEL INDEX REPORT
WHERE ARE THESE BREACHES COMING FROM?
Cyber security breaches originate from multiple sources and can be categorized into five main categories:
- Malicious Outsider
- Accidental Loss
- Malicious Insider
- Hacktivist
- State Sponsored
COST OF CYBER SECURITY BREACHES
Financial Costs
- Stolen Assets: Iowa Public Employees' Retirement System lost hundreds of thousands of dollars
- Breach Response and Remediation: Atlanta has $2.7 million in expenses already
Operational Impact
- Public Opinion
- Press
- Unauthorized Release of Convicts
- Emergency Communications Systems Disabled
THE REAL HACKERS
INITIAL VECTORS OF ATTACK
IDENTIFY TARGETS
It's easy to identify and target personnel who are in charge of releasing funds.
ANYONE CAN HACK
No hacking required. Most malware can be purchased online!
PHISHING ATTACK SUMMARY
RANSOMWARE ATTACK SUMMARY
WHAT CAN WE DO TO REDUCE OUR RISK?
Step 1: Cyber security insurance
Step 2: Perform a cyber security risk assessment
Step 3: Implement or update your cyber security program
Step 4: Monitoring and continuous improvement
COMPONENTS OF A CYBER SECURITY RISK ASSESSMENT
Step 1: Identify risks
Step 2: Determine the impact and likelihood of the risk
Step 3: Evaluate the risk and determine the action plan
Step 4: Record the results and implement the action plan
Step 5: Review the assessment and update as necessary
Cyber security includes three main areas:
- Process
- Technology
- People
PROCESSES
- Information Security Program
- Periodic Risk Assessment
- Incident Response
- Conduct Standards
- Procedures for Handling Data
- Access Provisioning and Decommissioning
- Monitoring
- Continuous Improvement
TECHNOLOGY
Types of technology typically in use:
- Infrastructure and Hardware
- Applications and Tools
- Malware Protection
- Authentication Tools
- Encryption Tools
- Backup Tools
- Continuous Improvement
HUMAN FIREWALL FAILURE
PEOPLE
People, our greatest resource and biggest risk when it comes to cyber security:
- Accidental / Lack of Training
- Trying to be Helpful
- Malicious Insider
PEOPLE
Culture and training are the key:
- A culture that promotes security is going to be a more secure environment
- Security starts at the top
- Practice what we preach
- Security should not be perceived as punitive or as failure
- Users don't know what they don't know
- Cyber security training
- Social media training
- Phishing campaigns
SUMMARY
- Cyber security is a real threat to organizations of all sizes and backgrounds
- It's not IF any more, it's WHEN
- Information Security Program: the framework for a secure organization
- Training: information is the key
- Monitoring and Continuous Improvement: cyber security threats are always changing, and we should too
QUESTIONS?