DIGITAL ACCOUNTANCY FORUM: CYBER SESSION
Sheila Pancholi, Partner, Technology Risk Assurance
Section 1: The background
World's biggest data breaches, 10 years ago (2004 to 2007)
[Chart: breaches by cause: accidentally published, hacked, inside job, lost/stolen device or media, poor security. Source: Information is Beautiful]
World's biggest data breaches now (2014 to 2017)
[Chart: breaches by cause: accidentally published, hacked, inside job, lost/stolen device or media, poor security. Source: Information is Beautiful]
Why the increase in risk? Increase in:
Big Data & Analytics
Wearable Technology
Connectivity
Access points
Remote access
Mobile Working
Personal information
Data sharing
The Cloud
Internet of Things
Internet Transactions
Social Media
Reported cyber breaches, 2017: the extent of the (reported) problem
53,000 incidents
2,216 confirmed breaches
73% perpetrated by outsiders
49% of non-PoS malware installed via email
The challenges: some recent comments
"Why would anyone want to attack our organisation?"
"We do not know what our most critical information assets are in our organisation."
"We have our networks well protected by good technology."
"We know we have already been attacked but do not know how best to respond and recover effectively."
"We do not know what good cyber resilience looks like for our organisation."
"Our current information/cyber security training is ineffective in driving new behaviours across the organisation."
The motives
Financial incentive: theft and extortion
Nation-sponsored cyber espionage
Competitive advantage
Reputation
Data incentive
Hacking for a cause
Leading to financial and data loss, loss of reputation, etc.
The culprits
State-sponsored attackers: national basis
Hacktivists: hacking for a cause
Cyber terrorists / syndicates: modern form of terrorism
Individuals: personal gain
Types of attacks
Insider attacks
Phishing and whaling
Vulnerability attacks
Ransomware
How easy is it?
Internet forum: forged qualification, became a pilot
Your cyber footprint
[Diagram: the entity's real cyber boundary, with services provided, services consumed, services engaged from third parties and the cloud, ITC, external threats, and the cyber boundaries of third-party entities 1 to 4]
Question: Would you recognise a malicious email?
What is phishing and whaling?
Phishing: targeting many individuals, mainly with blanket e-mails, and hoping that some will follow links, open attachments, reply with information, or transfer funds.
Whaling: targeting a small group of individuals with significant data access (often disguised as a manager/CEO) and requesting personal information, bank details changes, or a large funds transfer.
Malicious content - ransomware
Example
Gained entry into an employee's computer through 'spear phishing' and infected it with malware called Carbanak.
Sent authentic-looking emails from his account that other staff clicked on, spreading the malware through the bank.
Found the administrator account for the CCTV equipment.
They used the CCTV to record everything that happened on the screens of staff who serviced the cash transfer systems.
They mimicked the activity of these staff in order to transfer money out.
What action can you take?
Cyber Maturity Roadmap
Preparedness for response to a data breach event.
Calling on experts with years of experience across industry to advise and guide.
Physical security and cyber security are on the same continuum.
IT & data assets are built in to a corporate risk register.
IT security has direct representation in to the C-suite.
Industry-leading frameworks used as a foundation, not the be-all and end-all, to manage risks.
Metrics appropriate to the organisation defined and monitored.
Risk based: how much risk can you reduce or offset? How much residual risk are you prepared to accept?
Questions to know the answer to
Where is my data?
Where does it go?
Who has access to it?
How is it used?
Why transform to cyber maturity?
Forward thinking, anticipating trends and threats
Financial penalties of losing customer data
Cyber maturity = competitive advantage in the marketplace
What does good look like? Triple security lock
CYBER SECURITY STRATEGY
Assess technology risk profile
Security on board agenda
Update cyber control framework
EMPLOYEE EDUCATION
Make staff aware of cyber risks and how to respond
Test effectiveness of your cyber awareness programmes
Formal cyber incident management process
THIRD PARTY ASSURANCE
Check security measures third parties have to protect data
Secure links between your organisation and third parties
Ensure third parties conform with your policies and procedures
Further information: some useful sites
Action Fraud - www.actionfraud.police.uk
UK Cyber Security Forum - www.ukcybersecurityforum.com
Information Security Forum - www.securityforum.org
National Crime Agency - www.nationalcrimeagency.gov.uk/crime-threats/cyber-crime
Cyber UK - www.cyber.uk
Questions and answers?
Whilst every care has been taken to ensure that the information provided in this presentation is as accurate, complete and timely as possible, no complete guarantee, assurance or warranty can be given with regard to the advice and information contained herein.