Managing IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services


Agenda
1. Top ten IT security risks
2. What you can do
3. Questions

IT'S ALL CONNECTED

Introduction: All of our Top 10 risks impact us both as consumers and as professionals.

THE RISKS
- Created from input from all areas of our Firm
- Based on what we see every day
- From a blend of healthcare, private sector, governmental, and higher education industries

WHAT WE'LL LEARN TODAY
- Overview of the risks
- The potential impact to you and your organization
- Suggestions for mitigating the risks

#1 THE INTERNET OF THINGS (IoT)

THE IoT: Any device that connects, directly or indirectly through a Bluetooth connection to a "mothership" device, to the internet.

ON A CONSUMER LEVEL
- Amazon Echo, Google Home, home security systems, your iWatch and fitness trackers

IN BUSINESS
- Conference room systems, healthcare monitoring tools, printing presses, and surveillance systems

LIFE IS EASIER, BUT THERE IS RISK.

#1 THE INTERNET OF THINGS (IoT): WHAT'S THE RISK?

Symantec estimates that in 2016 nearly 6.4 billion IoT devices around the world connected to the internet, and that there were 25 IoT devices per 100 inhabitants in the US.
- Devices come shipped ready for plug and play
- Default settings: sure it works, but it does for everyone else too
- Connected to your network and the Internet

HACKERS CAN EASILY HIJACK THE DEVICE IF DEFAULT SETTINGS ARE NOT CHANGED. THINK OF THE IMPACT.

#1 THE INTERNET OF THINGS (IoT): WHAT CAN YOU DO?
- Change your password and other settings where possible
- Turn it off when not in use
- Update and re-boot at least weekly
- Monitor your network for suspicious activity
- Separate and secure wireless networks for devices

#2 NETWORK SECURED ONLY AT PERIMETER

IT USED TO BE JUST ABOUT THE FRONT DOOR
- Firewalls at the point between your network and the Internet were sufficient protection
- Multiple access points now should adjust that thinking
- Threats from the inside
- Your data is not just on your network now

#2 NETWORK SECURED ONLY AT PERIMETER
- FIREWALLS: Multiple firewalls should be in place throughout the network
- SERVERS: Segmentation; break servers apart by function with strong access rules
- DUTIES: Segregation of duties, much like accounting roles
- TRAFFIC: Monitor network traffic throughout systems
- ALERTS: Log review and alerting
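The "monitor your network", "monitor network traffic" and "log review and alerting" bullets (slides #1 and #2) name the goal but not a mechanism. The following Python is an added example, not code from the presentation: it checks firewall log lines against an intended segmentation policy and raises an alert for any cross-segment flow the design does not permit. The segment names, address ranges, allowed flows and the log line format are all constructed for this illustration.

```python
"""Segment-policy review over firewall log lines.

Added illustration for the #2 slide's segmentation, traffic monitoring and
log review points; it is not code from the original deck. Segment names,
address ranges, the allowed-flow table and the log format are constructed.
"""
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed segment map: which address range belongs to which segment.
# Anything outside the listed ranges is treated as "internet".
SEGMENTS = {
    "iot": ipaddress.ip_network("10.30.0.0/24"),
    "users": ipaddress.ip_network("10.10.0.0/24"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
}

# Constructed policy: the only cross-segment flows the design intends,
# as (source segment, destination segment, destination port).
ALLOWED_FLOWS = {
    ("users", "servers", 443),   # workstations to internal web apps
    ("users", "internet", 443),  # browsing
    ("users", "internet", 80),
    ("iot", "servers", 8883),    # devices to the MQTT collector (TLS)
    ("iot", "internet", 443),    # device firmware updates
}


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    action: str


def parse_line(line: str) -> Flow:
    """Parse one constructed log line of the form
    '<timestamp> src=<ip> dst=<ip> dport=<port> action=<ALLOW|DENY>'."""
    ts, *tokens = line.split()
    fields = dict(token.split("=", 1) for token in tokens)
    return Flow(ts, fields["src"], fields["dst"], int(fields["dport"]), fields["action"])


def segment_of(address: str) -> str:
    """Name the segment an address belongs to, or 'internet' if none."""
    ip = ipaddress.ip_address(address)
    for name, network in SEGMENTS.items():
        if ip in network:
            return name
    return "internet"


def check_flow(flow: Flow) -> Optional[str]:
    """Return an alert string if the flow crosses segments in a way the
    policy does not intend, else None. Traffic inside one segment is not
    judged here; that belongs to host-level controls."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == dst_seg or (src_seg, dst_seg, flow.dport) in ALLOWED_FLOWS:
        return None
    # A firewall ALLOW on a forbidden flow is a rule gap to fix; a DENY is an
    # attempt to investigate. Both deserve an alert.
    return (f"{flow.ts} {src_seg}->{dst_seg} {flow.src}->{flow.dst}:{flow.dport} "
            f"action={flow.action} not permitted by segment policy")


def review(lines) -> List[str]:
    """Run every log line through the policy check and collect the alerts."""
    return [alert for alert in (check_flow(parse_line(l)) for l in lines) if alert]


# Constructed sample log; not real traffic.
SAMPLE_LOG = [
    "2024-03-01T10:00:01 src=10.30.0.12 dst=10.20.0.5 dport=8883 action=ALLOW",
    "2024-03-01T10:00:07 src=10.30.0.12 dst=10.10.0.21 dport=445 action=ALLOW",
    "2024-03-01T10:00:09 src=10.10.0.21 dst=10.20.0.5 dport=443 action=ALLOW",
    "2024-03-01T10:00:15 src=10.30.0.40 dst=203.0.113.10 dport=443 action=ALLOW",
    "2024-03-01T10:00:20 src=10.30.0.40 dst=203.0.113.10 dport=23 action=DENY",
    "2024-03-01T10:00:31 src=10.10.0.8 dst=203.0.113.25 dport=443 action=ALLOW",
]

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the review raises two alerts: an IoT device reaching a user workstation on port 445 that the firewall allowed (a rule wider than the segmentation design) and an outbound telnet attempt from the IoT segment that was denied (worth a look at that device). Reviewing both kinds on a schedule is the log review the slide calls for.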

#3 THE WORLD OF FAKES

NOT ENTIRELY WHAT YOU ARE THINKING. Fake information that gets you to act or click:
- Fake ransomware/virus notifications
- Fake helpdesk tickets or calls
- News alerts or order shipment notices
- Social media accounts

#3 THE WORLD OF FAKES: WHAT CAN YOU DO?
- Understand the source and think about the context
- Validate information through multiple sources
- Run your antivirus software before you click
- Hover before you click
- Don't friend unknown people
- Set Google alerts for your organization
- Have a PR plan ready

#4 SMARTPHONE HACKING

LOST OR STOLEN PHONES
- In the last 3 years it is estimated that 2.1 to 3.3 million phones are lost or stolen in the US each year
- 72% of Americans own a smartphone
- 4.5% of a company's mobile assets are lost or stolen each year

THOSE NUMBERS COMBINED WITH:
- Users' continued insistence on merging personal devices with work information
- 30 to 35% of smartphone owners do not use a passcode to access their phone

#4 SMARTPHONE HACKING: A COMBINATION OF RISKS
- PHISHING TEXTS: text messages seeking to deceive or trick a user
- SICK APPLICATIONS
- SCARE-WARE SOFTWARE: fake threats that they found illegal material on your phone; "pay us now to fix it!"
- SNIFFING SOFTWARE: software that steals data, such as account information for online banking
- SPAM-BOTS: software that takes over your social media accounts and spams contacts

#4 SMARTPHONE HACKING: WHAT CAN YOU DO?
- Use a passcode!
- Avoid clicking on short links (used on social media most often)
- Only purchase/download applications from the iTunes or Android store
- Train employees on phishing attempts; banks will never text you for account information
- Use a container application for work email and data
- Maintain the ability to wipe employees' phones that are lost or stolen

#5 MERGERS & ACQUISITIONS

BIGGER IS NOT ALWAYS BETTER
- Big issue in healthcare: merging systems (ERP systems)
- Focus on operations/patient services and not on systems
- Personnel and management changes that cause confusion and conflict
- Lack of testing for integration
- Two sets (or more) of data

75% OF MERGERS AND ACQUISITIONS FAIL DUE TO UNSUCCESSFUL SOFTWARE SYSTEM INTEGRATION

#5 MERGERS & ACQUISITIONS: WHAT CAN YOU DO?

SLOW DOWN!
- Understand the systems of both organizations: which system will become the master, or is a new system needed?
- Take inventory of systems, data, and hardware
- Test systems extensively before merging
- Understand roles and perform user reviews

BACK IT UP!
- Run systems in parallel until you are confident the merged system works
- Phase in the merger with a department-by-department approach
- Continuous verification and data integrity checks

#6 GOVERNMENT HACKING

THIS IS NOT A NEW CONCEPT
- Includes what we see in the news with attempts to influence political direction and the results of elections
- A new kind of war through technology: we can cripple infrastructure and supply chains

MORE THAN POLITICS
- 0-day vulnerabilities known by governments but kept secret
- Those vulnerabilities also impact industry, as they are holes in systems and software

#6 GOVERNMENT HACKING: WHAT CAN YOU DO?

REDUCE DATA LEAKS AND BREACHES
- Employee background checks
- Manage access: rule of least privilege
- Know what data you have and where it is
- Monitor internal activity
- Prevent local saving (data grabbing)

PATCH!
- Don't ignore patches; often these are addressing 0-day vulnerabilities
- Force weekly server re-boots
- Firewalls and Intrusion Detection Systems should be in place

#7 CYBER INSURANCE
- TRANSFER OF RISK: Used in conjunction with risk management (transfer of risk), but there is over-reliance
- COSTS: Helps with the costs of data breach, hacking, reputation loss, and remediation
- RESPONSIBILITY: Data security is still your responsibility
- KEY CONCEPT: The key concept for cyber insurance is that you understand your policy. What is covered, what are the expectations and responsibilities, and what are the covered events?

#7 CYBER INSURANCE: WHAT CAN YOU DO?
- Cyber insurance is used as a last resort
- Critical to have, but you should have a robust security program in place as well
- Backups and business continuity

THINGS TO CONSIDER
1. Does not cover your reputation
2. Expensive for good coverage
3. Effective if you have the right coverage
4. The biggest loss to an organization is the loss of business and customer trust

#8 ADVANCED PHISHING SCAMS

THE RISKS ARE ALL RELATED
- The world of fakes: deception through realistic-appearing texts and emails
- A bit easier since a lot of organizations use third parties to update your claim account information
- Whaling
- Account information, or getting you to download something, is the goal
- On the phone now: "I am calling from your help desk"

#8 ADVANCED PHISHING SCAMS: THEY'VE GOTTEN BETTER

#8 ADVANCED PHISHING SCAMS: WHAT CAN YOU DO?
- Always be a skeptic. If it looks fake, it is fake.
- Call the company from the number on your card or statement. Companies do not email customers over account information.
- Hover over the link.
- Security awareness training
- Social engineering testing
- Email filters, antivirus, patching
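"Hover before you click" (slide #3) and "hover over the link" (slide #8) both come down to the same check: does the address the link really points to match the address the text shows? The Python below is an added example, not code from the presentation, that performs that comparison automatically over an email body, the kind of rule an email filter could apply before a user ever hovers. The sample message and every domain in it are constructed; the domain reduction is a deliberate simplification noted in the code.

```python
"""Flag email links whose visible text names one domain while the href
points at another: an automated "hover before you click".

Added illustration for slides #3 and #8; not code from the original deck.
The sample message and all domains in it are constructed.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[tuple] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(url_or_host: str) -> Optional[str]:
    """Reduce a URL or bare hostname to its last two labels.
    Simplification: production code should consult a public-suffix list so
    that names such as example.co.uk are reduced correctly."""
    value = url_or_host.strip()
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    if not host:
        return None
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


# Heuristic: does the visible text contain something that looks like a hostname?
_HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.IGNORECASE)


def find_mismatched_links(html: str) -> List[dict]:
    """Return one record per link whose visible text names a different
    registered domain than its href. Links whose text is plain words
    ("Contact us") make no domain claim and are not reported."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        match = _HOST_IN_TEXT.search(text)
        if not match:
            continue
        text_domain = registered_domain(match.group(1))
        href_domain = registered_domain(href)
        if text_domain and href_domain and text_domain != href_domain:
            findings.append({"href": href, "text": text,
                             "href_domain": href_domain, "text_domain": text_domain})
    return findings


# Constructed sample message; the domains are illustrative only.
SAMPLE_EMAIL = """
<p>Your claim account needs verification.</p>
<a href="http://login.example-bank.com.attacker-example.net/verify">https://www.example-bank.com/secure</a><br>
<a href="https://www.example-bank.com/help">Contact us</a><br>
<a href="https://www.example-bank.com/statements">www.example-bank.com/statements</a>
"""

if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL):
        print(f"text shows {f['text_domain']} but the link goes to {f['href_domain']}: {f['href']}")
```

Only the first link is reported: its text shows the bank's domain while the href resolves to a different registered domain, with the bank's name merely used as a subdomain label. The second link has no domain in its text, so there is nothing to compare, and the third agrees with its href. A mismatch alone does not prove a phish (legitimate mailers sometimes route through tracking domains), which is why this belongs in a filter that flags for review rather than one that silently deletes.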

#9 LACK OF IT SECURITY RISK ASSESSMENTS

THE FOUNDATION OF EVERYTHING IS RISK
- A risk is the reason you have a control environment: protect assets, reputation, and people
- You cannot secure your systems properly if you do not know where the potential gaps may be
- Quantify and rank risk to set priorities
- Regulators require risk assessments

#9 LACK OF IT SECURITY RISK ASSESSMENTS: WHAT CAN YOU DO?
- Risk Management Program
- Pick a framework: COBIT, COSO, NIST, etc.
- Re-visit annually
- This is not an easy nor a quick project

RISK RANKING

  Risk likelihood to occur   Impact of risk                                            Overall risk rating
                             Financial          Security           Operational
  Low likelihood: 1          Low impact: 1      Low impact: 1      Low impact: 1       Low overall risk: 4-5
  Medium likelihood: 2       Medium impact: 2   Medium impact: 2   Medium impact: 2    Medium overall risk: 6-8
  High likelihood: 3         High impact: 3     High impact: 3     High impact: 3      High overall risk: 9-12
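The ranking table gives the scores but not the arithmetic that joins them. The Python below is an added worked example, not code from the presentation, that scores a small risk register with the table's values and sorts it so the highest-rated risks come first, which is the "quantify and rank risk to set priorities" step from the previous slide. It assumes the overall rating is the sum of the four 1-3 scores (likelihood plus the three impact scores), since that is the combination that spans the table's 4-12 range and lands in its Low 4-5, Medium 6-8 and High 9-12 bands; the sample risks are constructed.

```python
"""Risk register scoring with the deck's ranking bands.

Added worked example for the #9 risk-ranking table; not code from the
original deck. Assumption: overall rating = likelihood + financial +
security + operational (each 1-3), which yields the table's 4-12 range
and its Low 4-5 / Medium 6-8 / High 9-12 bands. Sample risks are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SCORE = {"low": 1, "medium": 2, "high": 3}  # the table's 1/2/3 values


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str   # "low", "medium" or "high"
    financial: str    # impact levels, same vocabulary
    security: str
    operational: str


def score(risk: Risk) -> int:
    """Overall score = likelihood + financial + security + operational impact."""
    total = 0
    for field in ("likelihood", "financial", "security", "operational"):
        level = getattr(risk, field).lower()
        if level not in SCORE:
            raise ValueError(f"{risk.name}: {field} must be low/medium/high, got {level!r}")
        total += SCORE[level]
    return total


def rating(total: int) -> str:
    """Map a 4-12 score onto the deck's overall risk bands."""
    if not 4 <= total <= 12:
        raise ValueError(f"score {total} is outside the 4-12 range")
    if total <= 5:
        return "Low"
    if total <= 8:
        return "Medium"
    return "High"


def rank(risks: Iterable[Risk]) -> List[Tuple[str, int, str]]:
    """Return (name, score, band) tuples, highest score first, ties by name,
    so the top of the list is where remediation effort goes first."""
    scored = [(r.name, score(r), rating(score(r))) for r in risks]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Constructed sample register.
SAMPLE_REGISTER = [
    Risk("IoT devices left on default settings", "high", "medium", "high", "medium"),
    Risk("Lost smartphone holding work email", "medium", "low", "high", "low"),
    Risk("Cyber insurance policy gap", "low", "medium", "low", "low"),
]

if __name__ == "__main__":
    for name, total, band in rank(SAMPLE_REGISTER):
        print(f"{total:>2}  {band:<6}  {name}")
```

With the sample register the IoT risk scores 10 (High), the lost phone 7 (Medium) and the insurance gap 5 (Low). Re-running the same scoring at the annual revisit the slide recommends makes it easy to see which risks moved band since the last assessment.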

#10 ADVANCED RANSOMWARE

RANSOMWARE IS IMPACTFUL
- System lockout through encryption
- Entire network encryption and lockout (worm)
- Webpage Denial of Service attacks

IMPACTS:
1. Humiliation of victims (Ashley Madison)
2. Reputation loss ("we locked out Target!")
3. Loss of business: what if Amazon.com went down for 10 minutes?

#10 ADVANCED RANSOMWARE: WHAT CAN YOU DO?
- Employee training: STOP CLICKING!
- Take away local administrator use of employee workstations; prevents installation of software
- Backups and patches
- Antivirus software
- Software whitelisting
- Incident response plan
- Micro-segmentation
- Email filtering for executable files

Contact Us
TINA BODE, Manager
tbode@berrydunn.com
207.541.2253

Reviewed: 09/29/17