Must Have Items for Your Cybersecurity or IT Budget in 2018
CBAO Regional Meeting
Dan Desko (Senior Manager, IT Risk Advisory)
Matt Dunn (Senior Security Analyst, IT Risk Advisory)
Who is Schneider Downs?
- Top 50 public accounting firm in the United States. We have clients worldwide, but our primary service area includes OH, PA, MI, NY and WV.
- Two offices, 450 personnel: Columbus, OH and Pittsburgh, PA.
- Highly specialized IT Risk Advisory Services Practice that provides IT Audit Co-Source/Out-Source/Special Projects; IT Security Services (Penetration Testing, Phishing Assessment, End-User Awareness Training, etc.); SOC Report Services; Third-Party Risk Management.
- Dedicated Financial Services Industry Group that focuses on matters related to the Banking Industry.
Daniel Desko
- Senior Manager of IT Risk Advisory Services at Schneider Downs
- CISA, CISSP, CTPRP; 12 years of experience, began working in IT
- Current ISACA Pittsburgh Chapter President
- Experience in delivering IT Audit, Security and Vendor Risk Management services to multiple clients in the Banking Industry
- Responsible for product delivery, client satisfaction and quality control
Matt Dunn
- Currently Senior Security Analyst within IT Risk Advisory Services at Schneider Downs
- Certified Information Systems Security Professional (CISSP)
- Over 10 years of experience in Information Security and IT
- Responsible for technical delivery of penetration testing and other security related services
Agenda
- Current State of Cybersecurity
- Budget Items for 2018
- Questions
State of Cybersecurity
- 24% of breaches affected the financial sector
- 96% of financial organization breaches were financially motivated
- 66% of malware was delivered via email
- Other considerations: Denial of Service attacks; ATM skimming attacks
Stats from the 2017 Verizon Data Breach Investigations Report (DBIR)
State of Cybersecurity
- ATM skimmers and shimmers
State of Cybersecurity: Bigger Breaches
- 143 million consumers affected
- A blueprint of what not to do when responding to a breach
- Follow-on attacks occurring (e.g. phishing scams)
Primary Problems in Cybersecurity
- Firewalls and antivirus are not enough
- Phishing emails are a serious threat
- Information Technology is not Information Security
- Lack of qualified defensive personnel
Item One: Asset Inventory
Do you know where your data is?
- Accurate inventory of devices
- Accurate inventory of software
- Accurate inventory of data and data ownership
Cost: staff time and potential software costs
Item Two: Enhance Defensive Measures
Improve your defenses
- Audits like the FFIEC CAT assessment can be used as a guide
- Focus on key improvements: two-factor authentication; advanced endpoint protection; advanced email protection (Mimecast, Proofpoint, etc.)
Cost: various costs for defensive systems; staff time required to actively manage them
Item Three: FFIEC CAT Self-Assessment
Self-assessment using the FFIEC Cybersecurity Assessment Tool
- Internal review; identify risks; identify maturity
- The tool has two components: the Inherent Risk Profile (a fancy name for a risk assessment) and the Cybersecurity Maturity Evaluation
- Five domains:
  1. Cyber Risk Management & Oversight
  2. Threat Intelligence & Collaboration
  3. Cyber Security Controls
  4. External Dependency Management
  5. Cyber Incident Management & Resilience
Cost: staff time and energy
Item Three (Cont'd): FFIEC CAT Self-Assessment
Independent assessment of the FFIEC Cybersecurity Assessment Tool results
- Have an independent party review and evaluate management's assessment of cybersecurity risks and controls.
- May be performed by internal audit or a qualified independent external party.
- In our experience we've seen self-assessment results that aren't quite accurate or represent a pollyannaish view.
Cost: internal resource efforts; cost of external review
Item Four: Prepare for a Breach
It's a matter of when, not if.
- Make sure you have a robust Incident Response Program that is tested regularly.
- "To validate the effectiveness of the institution's incident response program, management should periodically test it through different test types, including scenario planning and tabletop testing, and perform the tests with appropriate internal and external parties." (FFIEC Information Security Guide)
- Remember, an incident response program is useless if you can't detect an incident.
Cost: internal resource efforts; cost of external resources to perform test scenarios
Item Five: Vulnerability Scanning
- Many breaches exploit known vulnerabilities
- Provides regular automated security checks
- Tools can be purchased and used on a regular basis (Nessus, Qualys)
- Allows management to improve processes
Cost: employee time and cost for service/software
Item Six: Penetration Testing
Simulated attacks
- Can I get in? Where can I get? Can you detect and defend?
- Be wary of services that provide nothing more than automated vulnerability scans.
- Include phishing attacks and other social engineering attacks to make the test realistic.
Cost: employee time and testing fees
Item Seven: Phishing Email Simulations
Realistic test of employee and email security
- Email attacks target all organizations. Don't hack the firewall; dig a tunnel under it.
- How many employees fall for scams?
- What is the impact if someone clicks?
Cost: employee time and cost of phishing services
Item Eight: Board and Director Involvement
Cybersecurity governance
- Does your board have the appropriate experience to hold IT and IT Security Management accountable for central oversight and coordination, assignment of responsibility, and effectiveness of the information security program?
- Does the board give the information security officer a seat at the table?
- Ensure regular, comprehensive reporting. Guidance notes at least annually; we recommend quarterly. Reporting covers key risks, tracks improvements and requests investments.
Cost: employee time, board time
Item Nine: Highlight Key Risks
IT audit plan that highlights key risks
- When is the last time you've taken a fresh look at your IT audit plan?
- Is your IT audit plan risk based?
- Do you audit cybersecurity?
- Measure risks and revisit these measurements regularly
Cost: employee time and auditing fees
Item Ten: Invest in Security Personnel
Do you have a Chief Information Security Officer (CISO) and other supporting personnel?
- Responsible for cybersecurity and keeping systems and data secure
- Independent of IT: works with, but does not report to, the CIO
- Information Technology and Information Security often have conflicting ideals
- A CISO alone is usually not enough; a supporting cast is needed
Cost: recruitment fees, salary, benefits. CISO or Security as a Service may be an option.
Questions?
Contact Information
Dan Desko: ddesko@schneiderdowns.com
Matt Dunn: mdunn@schneiderdowns.com