
Top Ten IT Security Risks - 2017 CHRISTOPHER S. ELLINGWOOD SENIOR MANAGER, IT ASSURANCE SERVICES

INTRODUCTION: IT'S ALL CONNECTED IN 2017. All of our Top 10 risks affect us both as consumers and as professionals. The risks were compiled from input from all areas of our firm. What we'll cover today: an overview of the risks, based on what we see every day across healthcare, private sector, governmental, and higher education clients; the potential impact to you and your organization; suggestions for mitigating the risks; and changing regulations.

1. THE INTERNET OF THINGS (IoT). The IoT refers to any device that connects to the internet, either directly or indirectly (for example over Bluetooth to a phone or hub that relays to the internet). On a consumer level: Amazon Echo, Google Home, home security systems, your smartwatch and fitness trackers. In business: conference room systems, healthcare monitoring tools, printing presses, and surveillance systems. Life is easier, but there is risk.

INTERNET OF THINGS: What's the Risk? Symantec estimates that in 2016 nearly 6.4 billion IoT devices around the world connected to the internet, and that there were 25 IoT devices per 100 inhabitants in the U.S. Devices ship ready for plug and play with default settings: sure it works, but it works the same way for everyone else too, because the default password is identical on every unit of that model and is printed in the manual. Attackers can easily hijack a device whose default settings were never changed. Then think of the impact: the device is connected to your network and to the Internet.

INTERNET OF THINGS: It's already in the news.

INTERNET OF THINGS: What to do. Change the default password and other default settings wherever the device allows it. Turn the device off when not in use. Apply firmware updates and re-boot at least weekly. Organizations that use these devices should put them on a separate, secured wireless network that cannot reach workstations and servers. Monitor your network for suspicious activity, including traffic from the device network toward systems it has no reason to talk to.

2. NETWORK SECURED ONLY AT THE PERIMETER. It used to be just about the front door: a firewall at the point where your network meets the Internet was considered sufficient protection. Your data is no longer only on your network, and there are now multiple access points (mobile devices, IoT devices, remote connections), so that thinking has to change. Threats also come from the inside.

NETWORK SECURED ONLY AT THE PERIMETER: What to do. Multiple firewalls should be in place throughout the network, not just at the edge. Segmentation: break servers apart by function, with strong access rules between segments (default deny, allowing only the ports each function needs). Segregation of duties, much like accounting roles. Log review and alerting. Monitor network traffic throughout your systems; a flow crossing a segment boundary that no rule should permit is the signal to look for.
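
The segment-boundary monitoring described above (and the separate device network recommended under the IoT risk), as an added example that is not part of the original deck: a small Python checker that assigns each address to a zone, holds a default-deny allow-list between zones, and flags flow records that cross a boundary without a rule. The zone CIDRs, the policy table, the flow-record format and the sample flows are all constructed for illustration; real input would come from firewall or NetFlow/IPFIX exports, and the policy would be loaded from your actual rule base.

```python
"""Flag flows that cross a segment boundary without an allow rule.

Added example, not the deck's own material. Zones, policy and the
flow records are constructed; a real deployment would read firewall
or NetFlow/IPFIX exports and load the policy from the actual rule base.
"""
import ipaddress
from collections import namedtuple

# Constructed zones: one CIDR per network segment.
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "iot":          ipaddress.ip_network("10.20.0.0/16"),
    "app_servers":  ipaddress.ip_network("10.30.0.0/24"),
    "db_servers":   ipaddress.ip_network("10.30.1.0/24"),
}

# Constructed allow policy between zones: (source, destination) -> permitted
# destination ports. Anything not listed is denied (default deny). Traffic
# that stays inside one zone is not policed by this check.
POLICY = {
    ("workstations", "app_servers"): {443},
    ("app_servers", "db_servers"):   {1433, 5432},   # only the app tier talks to databases
    ("workstations", "iot"):         {443, 8443},    # admins manage devices; never the reverse
    ("iot", "internet"):             {443, 123},     # firmware updates and NTP only
    ("workstations", "internet"):    {80, 443},
}

Flow = namedtuple("Flow", "src dst port proto")


def zone_of(ip):
    """Map an address to its zone; anything outside the known segments is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def check_flow(flow):
    """Return None if the flow is permitted, otherwise a short reason string."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return None
    if flow.port in POLICY.get((src_zone, dst_zone), set()):
        return None
    return f"{src_zone}->{dst_zone} port {flow.port}/{flow.proto} not in policy"


def parse_flow_line(line):
    """Parse the constructed record format: '<ts> <src>:<sport> -> <dst>:<dport> <proto>'."""
    _ts, src, _arrow, dst, proto = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(src_ip, dst_ip, int(dst_port), proto)


def find_violations(lines):
    """Return (line, reason) for every record that crosses a boundary without a rule."""
    violations = []
    for line in lines:
        reason = check_flow(parse_flow_line(line))
        if reason:
            violations.append((line, reason))
    return violations


# Constructed sample flows (203.0.113.10 stands in for an internet host).
SAMPLE_FLOWS = [
    "2017-05-01T09:00:01 10.10.4.20:51000 -> 10.30.0.5:443 tcp",     # user to app tier: allowed
    "2017-05-01T09:00:02 10.30.0.5:40000 -> 10.30.1.7:5432 tcp",     # app tier to database: allowed
    "2017-05-01T09:00:03 10.10.4.20:51010 -> 10.30.1.7:1433 tcp",    # workstation straight to a database
    "2017-05-01T09:00:04 10.20.8.3:34000 -> 10.30.1.7:445 tcp",      # IoT device probing a database server
    "2017-05-01T09:00:05 10.20.8.3:34001 -> 203.0.113.10:443 tcp",   # IoT device fetching updates: allowed
    "2017-05-01T09:00:06 10.20.8.3:34002 -> 10.10.4.20:22 tcp",      # IoT device reaching into workstations
]

if __name__ == "__main__":
    for line, reason in find_violations(SAMPLE_FLOWS):
        print(f"ALERT {reason}: {line}")
```

Run against the sample flows it reports the three east-west crossings (workstation to database, IoT to database, IoT to workstation) and stays quiet on the permitted ones. The policy is deliberately asymmetric: the management zone may reach the device zone, but nothing in the device zone may initiate toward anything internal.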

3. THE WORLD OF FAKES. Not entirely what you are thinking. Fake information that gets you to act or click: fake ransomware/virus notifications; fake news (it was a thing before our President changed the meaning); fake social media accounts; fake helpdesk tickets or calls.

THE WORLD OF FAKES: It's Not Just Political. A 2016 Pew Research study found that 62% of adults in the United States get news from social media.

THE WORLD OF FAKES: What Can You Do? Understand the source and think about the context. Validate information through multiple sources. Run your own anti-virus software rather than clicking a pop-up that claims you are infected. Set Google Alerts for your organization's name so you learn of impersonation quickly. Have a PR plan ready. There is bias in the media. Don't friend people you don't know.

THE WORLD OF FAKES Not Every Source is Equal

4. SMARTPHONE HACKING: Lost or stolen phones. 72% of Americans own a smartphone. Over the last 3 years, an estimated 2.1 to 3.3 million phones have been lost or stolen in the US each year, and 4.5% of a company's mobile assets are lost or stolen each year. Combine those numbers with the fact that 30-35% of smartphone owners do not use a passcode to access their phone, and with users' continued insistence on keeping work information on their personal devices.

SMARTPHONE HACKING: A combination of risks. Other risks and factors: phishing texts (text messages that try to deceive or trick the user); malicious applications; scareware (software that displays a fake threat: "we found illegal material on your phone, pay us now to fix it!"); sniffing software (software that steals data such as online banking account information); spam-bots (software that takes over your social media accounts and spams your contacts).

SMARTPHONE HACKING: What Can You Do? Use a passcode! Avoid clicking on shortened links (used most often on social media); the shortener hides the real destination. Only purchase or download applications from the Apple App Store or Google Play. Train employees on phishing attempts: banks will never text you for account information. Use a container application for work email and data. Maintain the ability to remotely wipe an employee's phone if it is lost or stolen.

5. MERGERS AND ACQUISITIONS. Bigger is not always better. A big issue in healthcare is merging systems (ERP systems): lack of testing for integration; two (or more) sets of data; focus on branding and not on systems; personnel and management changes that cause confusion and conflict.

MERGERS AND ACQUISITIONS: Failed Systems Have Impacted Us All.

MERGERS AND ACQUISITIONS: What Can You Do. Slow down! Understand the systems of both organizations: which system will become the master, or is a new system needed? Take inventory of systems, data, and hardware. Back it up! Run systems in parallel until you are confident the merged system works. Phase in the merger with a department-by-department approach. Test systems extensively before merging. Perform continuous verification and data integrity checks (record counts and field-level comparisons between the source and merged systems) so that dropped or altered records are caught before the old system is retired. Understand roles and personnel.
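
The continuous verification and data integrity checks above, as an added example (not from the deck): a Python reconciliation that normalizes each record, fingerprints it with SHA-256, and reports what is missing, unexpected, or changed between the legacy system and the merged system, keyed on the record identifier. The vendor-master records, field names and values are constructed for illustration.

```python
"""Reconcile records between a legacy system and the merged system.

Added example, not from the deck. Records are constructed; in practice
the two lists would be exports from the legacy and merged systems.
"""
import hashlib
import json


def canonical(record, fields):
    """Normalize the compared fields so equivalent data from two systems matches.

    Whitespace runs and case differences are cosmetic migration artifacts; a
    changed bank account is not. Only the listed fields take part.
    """
    norm = {}
    for f in fields:
        value = record.get(f, "")
        if isinstance(value, str):
            value = " ".join(value.split()).lower()
        norm[f] = value
    return norm


def fingerprint(record, fields):
    """Stable SHA-256 over the canonical form; equal fingerprints mean equal content."""
    payload = json.dumps(canonical(record, fields), sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def reconcile(source, target, key, fields):
    """Compare two record sets by key and return a report dict."""
    src = {r[key]: r for r in source}
    tgt = {r[key]: r for r in target}
    if len(src) != len(source) or len(tgt) != len(target):
        raise ValueError("duplicate keys in input; fix the export before comparing")
    changed = {}
    for k in src.keys() & tgt.keys():
        if fingerprint(src[k], fields) != fingerprint(tgt[k], fields):
            a, b = canonical(src[k], fields), canonical(tgt[k], fields)
            changed[k] = {f: (a[f], b[f]) for f in fields if a[f] != b[f]}
    report = {
        "source_count": len(src),
        "target_count": len(tgt),
        "missing_in_target": sorted(src.keys() - tgt.keys()),
        "unexpected_in_target": sorted(tgt.keys() - src.keys()),
        "changed": changed,
    }
    report["clean"] = not (report["missing_in_target"] or report["unexpected_in_target"] or changed)
    return report


FIELDS = ["name", "bank_account", "email"]

# Constructed vendor-master extracts from the legacy and merged systems.
LEGACY = [
    {"vendor_id": "V100", "name": "Acme Supply Co.", "bank_account": "123456789", "email": "ap@acme.example"},
    {"vendor_id": "V101", "name": "Bright Labs", "bank_account": "111222333", "email": "billing@bright.example"},
    {"vendor_id": "V102", "name": "Cedar Medical", "bank_account": "555666777", "email": "ar@cedar.example"},
]
MERGED = [
    {"vendor_id": "V100", "name": "ACME  Supply Co.", "bank_account": "123456789", "email": "AP@acme.example"},  # cosmetic only
    {"vendor_id": "V101", "name": "Bright Labs", "bank_account": "999888777", "email": "billing@bright.example"},  # account changed
    {"vendor_id": "V999", "name": "Unknown Vendor", "bank_account": "000000001", "email": "pay@unknown.example"},  # not in legacy
]

if __name__ == "__main__":
    print(json.dumps(reconcile(LEGACY, MERGED, "vendor_id", FIELDS), indent=2))
```

The normalization step is what keeps the report useful: without it every case or whitespace difference introduced by the migration would drown the one finding that matters, the altered bank account on V101. Run it after every load while the systems are in parallel, and do not retire the legacy system until the report comes back clean.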

6. GOVERNMENT HACKING. This is not a new concept. It includes what we see in the news: attempts to influence political direction and the results of elections. It is a new kind of war fought through technology; infrastructure and supply chains can be crippled. It is more than politics: 0-day vulnerabilities known to governments but kept secret. Those vulnerabilities also affect industry, because they are holes in the same systems and software everyone runs, and a hole that is kept secret is still a hole.

GOVERNMENT HACKING This Is In The News Every Day

GOVERNMENT HACKING: What You Can Do. How do you reduce data leaks and breaches? Employee background checks. Manage access by the rule of least privilege, and review entitlements periodically so that rights people no longer use or need are removed. Know what data you have and where it is. Monitor internal activity. Prevent local saving of data (data grabbing). Patch! Don't ignore patches; often they close vulnerabilities that are already being exploited. Force weekly server re-boots so that patches waiting on a restart actually take effect. Firewalls and intrusion detection systems should be in place.
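
An access review that applies the rule of least privilege from this slide and the segregation-of-duties point from the perimeter slide, as an added example that is not from the deck: it flags users holding conflicting roles, privileged rights nobody has used for 90 days, and accounts that still carry access after termination. The roles, the conflict pairs, the users and their last-use dates are constructed; in practice they would come from the directory, the ERP security tables and the authentication logs.

```python
"""Periodic entitlement review: SoD conflicts, dormant privilege, leavers with access.

Added example, not the deck's own tooling. All names, roles and dates are constructed.
"""
from datetime import date

# Constructed segregation-of-duties rules: no one person should hold both roles in a pair.
SOD_CONFLICTS = [
    frozenset({"vendor_create", "payment_approve"}),   # create a vendor and pay it
    frozenset({"domain_admin", "log_admin"}),          # act as admin and erase the evidence
]

# Constructed set of roles that count as privileged for the dormancy check.
PRIVILEGED = {"domain_admin", "db_admin", "payment_approve", "log_admin"}

# Constructed review input: one entry per account, with the last-use date per role.
USERS = [
    {"user": "alice", "status": "active",
     "roles": {"vendor_create": date(2017, 3, 1), "payment_approve": date(2017, 3, 2)}},
    {"user": "bob", "status": "active",
     "roles": {"domain_admin": date(2016, 11, 5), "helpdesk": date(2017, 3, 3)}},
    {"user": "carol", "status": "terminated",
     "roles": {"db_admin": date(2017, 2, 20)}},
    {"user": "dave", "status": "active",
     "roles": {"helpdesk": date(2017, 3, 3)}},
]


def review(users, as_of, dormant_days=90):
    """Return sorted (user, finding, roles) tuples for the reviewer to act on."""
    findings = []
    for u in users:
        held = set(u["roles"])
        # Leavers: any access at all is a finding.
        if u["status"] != "active" and held:
            findings.append((u["user"], "terminated_with_access", sorted(held)))
        # Segregation of duties: both halves of a conflicting pair on one account.
        for pair in SOD_CONFLICTS:
            if pair <= held:
                findings.append((u["user"], "sod_conflict", sorted(pair)))
        # Least privilege: privileged rights that have not been exercised recently.
        for role, last_used in u["roles"].items():
            if role in PRIVILEGED and (as_of - last_used).days > dormant_days:
                findings.append((u["user"], "dormant_privilege", [role]))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding, roles in review(USERS, date(2017, 3, 15)):
        print(f"{user:8} {finding:24} {', '.join(roles)}")
```

With the constructed data the review surfaces three items: alice can both create a vendor and approve payments to it, bob's domain admin rights have sat unused for over four months, and carol still holds database admin after leaving. The "last used" date is the piece most organizations lack; without it the dormancy check degrades to asking each owner whether they still need the role, and the answer is always yes.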

7. CYBER INSURANCE. Used in conjunction with risk management as a transfer of risk, but there is over-reliance on it. It helps with the costs of a data breach, hacking, reputation loss, and remediation. The key concept for cyber insurance is that you understand your policy: what is covered, what are the expectations and responsibilities, and what are the covered events? Data security is still your responsibility.

CYBER INSURANCE: What You Can Do. One survey found the average total organizational cost of a data breach in the US was $7.01 million. The biggest loss to an organization is the loss of business and customer trust. Cyber insurance is a last resort: critical to have, but you should have a robust security program in place as well, including backups and business continuity. Things to consider: 1. It does not cover your reputation. 2. Good coverage is expensive. 3. It is only effective if you have the right coverage (law school example).

8. ADVANCED PHISHING SCAMS. The risks are all related: the world of fakes, deception through realistic-looking texts and emails. It is a bit easier for the attacker because a lot of organizations use third parties to update your claim or account information, so a message from an unfamiliar sender asking you to do so does not look out of place. Whaling: phishing aimed at executives. The goal is your account information or getting you to download something. On the phone now: "I am calling from your help desk."

ADVANCED PHISHING SCAMS: They've Gotten Better.

ADVANCED PHISHING SCAMS: What You Can Do. Always be a skeptic: if it looks fake, treat it as fake. Call the company back using the number on your card or statement, not a number in the message. Companies do not email customers asking for account information. Security awareness training. Social engineering testing. Email filters, anti-virus, patching. Hover over the link before clicking: the address it actually points to is what matters, not the text you see.
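
The "hover over the link" check from this slide (and the warning about shortened links on the smartphone slide), automated as an added example that is not part of the deck: a Python script that pulls every link out of an HTML email body and flags the usual tells, namely display text showing one domain while the href goes to another, URL shorteners, punycode (internationalized) hostnames, and hostnames that contain your brand name without being your domain. The sample message, the brand list, the shortener list and the punycode label are constructed; the registrable-domain logic is deliberately crude (last two labels) and a real tool would use the Public Suffix List.

```python
"""Extract links from an HTML email and flag phishing tells.

Added example, not from the deck. The message, brand list and
shortener list are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}   # constructed, not exhaustive
BRANDS = {"examplebank.com"}                                # constructed: your domain and key vendors


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url_or_text):
    """Hostname of a URL, or of URL-looking text that has no scheme."""
    s = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return (urlparse(s).hostname or "").lower()


def registrable(host):
    # Crude: last two labels. Use the Public Suffix List in real code (co.uk etc.).
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}", re.I)


def analyze_link(href, text):
    """Return the tells found for one link (empty list means nothing suspicious)."""
    flags = []
    host = host_of(href)
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")                 # IDN homograph territory
    if registrable(host) in SHORTENERS:
        flags.append("url-shortener")                 # destination hidden from the hover
    if URL_LIKE.match(text) and registrable(host_of(text)) != registrable(host):
        flags.append("display-text-host-mismatch")    # what you see is not where you go
    for brand in sorted(BRANDS):
        if brand.split(".")[0] in host and registrable(host) != brand:
            flags.append(f"lookalike-of-{brand}")     # brand name used as a subdomain or lookalike
    return flags


def analyze_email(html):
    return [(href, text, analyze_link(href, text)) for href, text in extract_links(html)]


# Constructed phishing-style message body.
SAMPLE_EMAIL = """
<p>Your account has been locked. Please verify at
<a href="http://examplebank.com.verify-login.net/secure">https://www.examplebank.com/secure</a>
or use <a href="http://tinyurl.com/constructed-example">this short link</a>.</p>
<p>Questions? <a href="https://www.examplebank.com/contact">Contact us</a></p>
<p>Unsubscribe: <a href="http://www.xn--exmplebank-hsb.com/u">examplebank</a></p>
"""

if __name__ == "__main__":
    for href, text, flags in analyze_email(SAMPLE_EMAIL):
        print("SUSPICIOUS" if flags else "ok        ", href, "|", text, "|", ", ".join(flags))
```

The first link is the classic case the slide warns about: the visible text is the bank's real address, the href lands on verify-login.net with the brand name pushed into a subdomain. The same four checks are what a mail gateway or a training exercise should make visible to the user before the click.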

9. LACK OF IT SECURITY RISK ASSESSMENTS. The foundation of everything is risk. Risk = Impact x Likelihood of occurrence. A risk is the reason you have a control environment: to protect assets, reputation, and people. You cannot secure your systems properly if you do not know where the potential gaps are. Regulators require risk assessments.

RISK ASSESSMENTS: HIPAA OCR Audits. What you can do: establish a risk management program; financial controls / SOC reports; the assessment helps with management buy-in for expanding controls and systems/tools. Pick a framework: COBIT, COSO, NIST, etc. Revisit it annually. This is neither an easy nor a quick project.
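
The Risk = Impact x Likelihood formula worked through as a small risk register, added here as an example (not the deck's own method, and not any particular framework's scoring): each risk is scored on 1-5 scales, existing controls reduce the likelihood to give a residual score, residual scores are banded and ranked, and anything above a stated risk appetite or not reviewed within a year is flagged. The scales, the bands, the appetite threshold and the four register entries are constructed assumptions.

```python
"""Score and rank a risk register: Risk = Impact x Likelihood.

Added example, not from the deck. Scales, bands, appetite and the
register entries are constructed assumptions, not a standard.
"""
import math
from datetime import date


def score(impact, likelihood):
    """Risk = Impact x Likelihood, both on a 1 (lowest) to 5 (highest) scale."""
    for v in (impact, likelihood):
        if not 1 <= v <= 5:
            raise ValueError(f"scale values must be 1..5, got {v}")
    return impact * likelihood


def band(s):
    """Assumed bands for a 1..25 score."""
    if s >= 15:
        return "critical"
    if s >= 8:
        return "high"
    if s >= 4:
        return "moderate"
    return "low"


def residual_likelihood(likelihood, control_effectiveness):
    """Controls reduce how likely the event is, not how bad it is if they fail.

    Rounded up so a partial control never earns more credit than it provides.
    """
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be 0..1")
    return max(1, math.ceil(likelihood * (1.0 - control_effectiveness)))


def assess(register, as_of, appetite=8, review_days=365):
    """Return rows ranked by residual score, flagged for treatment and staleness."""
    rows = []
    for r in register:
        inherent = score(r["impact"], r["likelihood"])
        residual = score(r["impact"], residual_likelihood(r["likelihood"], r["control_effectiveness"]))
        rows.append({
            "risk": r["risk"],
            "inherent": inherent,
            "residual": residual,
            "band": band(residual),
            "treat": residual >= appetite,                              # above appetite: needs a treatment plan
            "stale": (as_of - r["last_reviewed"]).days > review_days,   # not revisited annually
        })
    return sorted(rows, key=lambda row: (-row["residual"], row["risk"]))


# Constructed register entries (illustrative values, not an assessment of any real organization).
REGISTER = [
    {"risk": "ransomware via phishing email", "impact": 5, "likelihood": 4,
     "control_effectiveness": 0.50, "last_reviewed": date(2016, 1, 15)},
    {"risk": "lost phone with work email", "impact": 3, "likelihood": 4,
     "control_effectiveness": 0.75, "last_reviewed": date(2016, 12, 1)},
    {"risk": "IoT devices with default credentials", "impact": 4, "likelihood": 3,
     "control_effectiveness": 0.00, "last_reviewed": date(2017, 2, 1)},
    {"risk": "flat network, perimeter-only firewall", "impact": 4, "likelihood": 2,
     "control_effectiveness": 0.25, "last_reviewed": date(2017, 2, 1)},
]

if __name__ == "__main__":
    for row in assess(REGISTER, date(2017, 3, 15)):
        print(f"{row['residual']:2} {row['band']:8} treat={row['treat']!s:5} stale={row['stale']!s:5} {row['risk']}")
```

Two design choices matter more than the arithmetic. Controls are credited against likelihood only, because a control that fails leaves the full impact on the table. And the ranking is by residual score while the inherent score is kept alongside it, so management can see both what the control environment is buying and where (the ransomware entry here) the assessment itself has gone stale.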

RISK ASSESSMENTS A Good Approach

10. ADVANCED RANSOMWARE. Ransomware is impactful: system lockout through encryption. Impacts: 1. Humiliation of victims (compare Ashley Madison), and entire-network encryption and lockout when the ransomware spreads as a worm. 2. Reputation loss ("we locked out Target!"), and webpage denial of service attacks. 3. Loss of business: what if Amazon.com went down for 10 minutes?

ADVANCED RANSOMWARE: What Can You Do? In 2016, a ransomware attack locked all the users out of Hollywood Presbyterian Medical Center, jeopardizing patient care, until the ransom was paid. Employee training: STOP CLICKING! Take away local administrator rights on employee workstations; that prevents installation of software. Backups and patches; keep at least one backup copy offline or otherwise unreachable from the network, because ransomware encrypts every share it can write to, and test the restore. Software whitelisting. Disable AutoPlay. Micro-segmentation. Email filtering.
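
Detection of ransomware already running against a file share, as an added example that is not part of the deck (it complements the preventive controls listed above): a Python detector that walks file-server audit events and raises an alert when one account renames many files to a new extension inside a short window, or touches a planted canary file that no legitimate process should ever open. The event format, the canary path, the thresholds and the sample events are constructed; real input would be the file server's audit log.

```python
"""Spot mass encryption on a file share from audit events.

Added example, not the deck's own tooling. Event format, canary path,
thresholds and sample events are constructed.
"""
import os
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user op path new_path")

WINDOW = timedelta(seconds=60)       # assumed: look-back window per account
RENAME_THRESHOLD = 20                # assumed: extension-changing renames that trip an alert
CANARIES = {"/srv/finance/~canary_do_not_open.xlsx"}   # constructed decoy file


def detect(events, window=WINDOW, threshold=RENAME_THRESHOLD):
    """Return (ts, user, message) alerts; one mass-rename alert per account."""
    alerts = []
    recent = defaultdict(deque)      # user -> deque of (ts, new extension)
    already_alerted = set()
    for e in sorted(events, key=lambda ev: ev.ts):
        # Canary: nobody has a reason to write, rename or delete the decoy.
        if e.path in CANARIES and e.op in ("write", "rename", "delete"):
            alerts.append((e.ts, e.user, f"canary touched ({e.op}): {e.path}"))
        if e.op != "rename" or not e.new_path:
            continue
        old_ext = os.path.splitext(e.path)[1].lower()
        new_ext = os.path.splitext(e.new_path)[1].lower()
        if old_ext == new_ext:
            continue                 # ordinary rename, extension unchanged
        q = recent[e.user]
        q.append((e.ts, new_ext))
        while q and e.ts - q[0][0] > window:
            q.popleft()
        exts = [ext for _, ext in q]
        top = max(set(exts), key=exts.count)
        # Encryption shows up as many files converging on one new extension.
        if len(q) >= threshold and exts.count(top) / len(q) >= 0.8 and e.user not in already_alerted:
            already_alerted.add(e.user)
            alerts.append((e.ts, e.user,
                           f"{len(q)} extension-changing renames to {top} within {int(window.total_seconds())}s"))
    return alerts


def constructed_events():
    """Build a sample audit trail: one infected account, one normal user."""
    t0 = datetime(2017, 3, 15, 10, 0, 0)
    events = []
    for i in range(25):              # alice's workstation is encrypting the finance share
        src = f"/srv/finance/report_{i:02}.xlsx"
        events.append(Event(t0 + timedelta(seconds=i), "alice", "rename", src, src + ".locked"))
    events.append(Event(t0 + timedelta(seconds=5), "alice", "write",
                        "/srv/finance/~canary_do_not_open.xlsx", None))
    for i in range(3):               # bob renames a few drafts over the morning: normal
        src = f"/srv/shared/draft_{i}.tmp"
        events.append(Event(t0 + timedelta(minutes=i * 10), "bob", "rename", src, f"/srv/shared/draft_{i}.docx"))
    return events


if __name__ == "__main__":
    for ts, user, msg in detect(constructed_events()):
        print(ts.isoformat(), user, msg)
```

The canary fires first, five seconds in; the rate check fires at the twentieth rename. Either alert is the cue to disable the account and pull the workstation off the network, which is why the detector reports the account and not just the share. Tune the threshold against a week of real audit data before enabling automatic response, since bulk document conversions and archive clean-ups produce the same rename pattern at lower rates.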

ADVANCED RANSOMWARE Not What You Want To See!

Thank you! Questions? Top Ten IT Security Risks - 2017 CHRISTOPHER S. ELLINGWOOD SENIOR MANAGER, IT ASSURANCE SERVICES cellingwood@berrydunn.com 207-541-2290