Cybersecurity: Mitigating Business Risk. IT.CAN 2014, 18th Annual Conference, October 20th, 2014.


1 Cybersecurity: Mitigating Business Risk. IT.CAN 2014, 18th Annual Conference, October 20th, 2014.

2 © 2014 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. KPMG CONFIDENTIAL.

Panelist: Benoit-Luc St-Pierre, KPMG
Benoit-Luc St-Pierre, CISA, CISSP
Manager, Management and Risk Consulting
KPMG LLP
bstpierre@kpmg.ca

3 2. What are the main challenges pertaining to security risks when contracting IT services?

1. Data location risks. Make sure that the party you are dealing with does not store your data, or outsource the work (and implicitly your data), to a third party in a foreign country or to an external organization with poor cybersecurity practices.

2. Proper due diligence. It is good security practice to ensure that background checks have been completed on external contractors who will have privileged access to your data before the work begins. Government of Canada personnel security clearances such as Reliability Status and Secret are commonly required for individuals. Depending on the risks involved, confirm that the third party carries cyber insurance with adequate coverage.

3. Addressing third-party cybersecurity risks. Giving a new third-party vendor access to the network can introduce new risks and threat sources to data integrity and confidentiality. Depending on the nature of the service the third party delivers, it is good practice to verify that the vendor has implemented sound security practices. It is very common for IT outsourcing companies to have independent IT controls and security audits performed; ask for the resulting report rather than relying on the vendor's own assurances.

4 3. What is the most important cybersecurity technical development and why?

Two recent frameworks, side by side:

                   Cybersecurity Framework for            Cyber Security Self-Assessment
                   Critical Infrastructure                Questionnaire
Issuer (country)   NIST (US)                              OSFI (Canada)
Issue date         February 12, 2014                      October 28, 2013
Industry           Power and water utilities, gas and     Federally regulated financial
                   oil transportation*                    institutions (banks, trusts, some
                                                          credit unions, insurance companies)*

Highlights, NIST: controls are divided into 5 sections (functions):
  1. Identify (governance, asset management, risk management, etc.)
  2. Protect (access control, data security, protective technology, etc.)
  3. Detect (security monitoring, etc.)
  4. Respond (communications, analysis, mitigation, etc.)
  5. Recover (recovery planning, etc.)

Highlights, OSFI: a self-assessment questionnaire on cyber security practices designed to rate the organization's maturity on a 5-level scale, divided into 6 sections:
  1. Organization and Resources
  2. Cyber Risk and Control Assessment
  3. Situational Awareness
  4. Threat and Vulnerability Risk Management
  5. Cyber Security Incident Management
  6. Cyber Security Governance

* Either framework can be adapted to or used in any type of industry.

5 3. What is the most important cybersecurity technical development and why? (continued)

The "Cyber Kill Chain" methodology, developed by Lockheed Martin in 2011, is gaining traction in organizations that are under constant pressure from advanced persistent threats (APTs). Developed in response to the growing APT threat worldwide, it breaks an attack down into 7 chained steps:

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command & Control
  7. Actions on Objectives

An attacker must successfully execute every step to "win", while the defender only has to block the attacker at any one step to stop the attack.

The slide also shows the same chain from the web-attack angle, in 7 stages: 01 Recon, 02 Lure, 03 Redirect, 04 Exploit kit, 05 Dropper file, 06 Call home, 07 Data theft.

6 4. What is one of the most useful practices when addressing cybersecurity risks?

1. Test the effectiveness of your cybersecurity controls and your incident response process. Knowing that your security is good is better than thinking or assuming it is.

2. Security monitoring and analytics are crucial for rapid breach detection and response. Failure to act upon security alerts can be disastrous: in the Target breach, malware detection alerts were sent to Target's security team, but the team did not act in time to stop the attack.

3. Perform an independent assessment of your cyber defenses (firewalls, IDS/IPS, WAF, anti-virus, anti-spam, DLP, etc.). This can take many forms:
  Network penetration testing (at least once a year);
  Web application security testing (a common attack vector for data breaches);
  Social engineering testing (a common attack vector for APTs);
  Physical testing (building and server room access, badge security, piggybacking/tailgating);
  System security configuration audits: servers, workstations, firewall rules, databases, etc.
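The second point above, acting on alerts before they go stale, is the part of security monitoring that is easy to state and easy to get wrong in a busy queue. The following is an added example, not code from the presentation or from KPMG: it ages every unacknowledged alert against a per-severity acknowledgement SLA and rolls the overdue ones up per host, so that three identical malware hits on one machine surface as a single escalation flagged as repeated rather than three rows that scroll off the screen. The field names, the SLA values and the sample alert feed are all assumptions.

```python
"""Aging and roll-up of unactioned security alerts.

Added example, not taken from the KPMG deck. Every unacknowledged alert
older than its severity SLA is collected, then rolled up per host so that
repeated hits on one machine become one escalation carrying a repeat flag.
Field names, SLA values and the sample alerts below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed acknowledgement SLA per severity: how long an alert may sit with
# no analyst action before it is treated as a missed alert.
ACK_SLA = {
    "critical": timedelta(minutes=30),
    "high": timedelta(hours=2),
    "medium": timedelta(hours=24),
    "low": timedelta(days=3),
}

# Reference "current time" for the sample run (constructed).
SAMPLE_NOW = datetime(2014, 6, 1, 12, 0, 0)

# Constructed alert export, roughly the columns a SIEM would give you.
SAMPLE_ALERTS = [
    {"id": "A1", "ts": "2014-06-01T09:05:00", "host": "host-a",
     "severity": "high", "rule": "malware.binary", "acked": False},
    {"id": "A2", "ts": "2014-06-01T09:07:00", "host": "host-a",
     "severity": "high", "rule": "malware.binary", "acked": False},
    {"id": "A3", "ts": "2014-06-01T09:10:00", "host": "host-a",
     "severity": "high", "rule": "malware.binary", "acked": False},
    {"id": "A4", "ts": "2014-06-01T08:00:00", "host": "host-b",
     "severity": "medium", "rule": "policy.violation", "acked": False},
    {"id": "A5", "ts": "2014-06-01T11:45:00", "host": "host-c",
     "severity": "critical", "rule": "c2.beacon", "acked": False},
    {"id": "A6", "ts": "2014-06-01T09:00:00", "host": "host-d",
     "severity": "high", "rule": "malware.binary", "acked": True},
    {"id": "A7", "ts": "2014-06-01T09:30:00", "host": "host-e",
     "severity": "high", "rule": "lateral.smb", "acked": False},
]


def parse_alerts(rows):
    """Return copies of the rows with the ISO-8601 'ts' field as a datetime."""
    parsed = []
    for row in rows:
        alert = dict(row)
        alert["ts"] = datetime.fromisoformat(row["ts"])
        parsed.append(alert)
    return parsed


def overdue_alerts(alerts, now):
    """Unacknowledged alerts that have outlived their severity SLA.

    An unknown severity is aged against the critical SLA on purpose: an
    alert the pipeline could not classify should surface sooner, not later.
    """
    overdue = []
    for alert in alerts:
        if alert["acked"]:
            continue
        sla = ACK_SLA.get(alert["severity"], ACK_SLA["critical"])
        if now - alert["ts"] > sla:
            overdue.append(alert)
    return overdue


def escalations(overdue, now, repeat_threshold=3):
    """Roll overdue alerts up per host.

    Each host gets one entry with the number of overdue alerts, the distinct
    rules that fired, the age in minutes of the oldest alert, and a
    'repeated' flag when one rule fired at least repeat_threshold times.
    """
    by_host = defaultdict(list)
    for alert in overdue:
        by_host[alert["host"]].append(alert)

    report = {}
    for host, hits in by_host.items():
        rule_counts = defaultdict(int)
        for hit in hits:
            rule_counts[hit["rule"]] += 1
        oldest = min(hit["ts"] for hit in hits)
        report[host] = {
            "count": len(hits),
            "rules": sorted(rule_counts),
            "oldest_age_min": int((now - oldest).total_seconds() // 60),
            "repeated": max(rule_counts.values()) >= repeat_threshold,
        }
    return report


def triage_report(rows, now, repeat_threshold=3):
    """Parse, age, roll up: returns {host: summary} for hosts that need action."""
    alerts = parse_alerts(rows)
    return escalations(overdue_alerts(alerts, now), now, repeat_threshold)


if __name__ == "__main__":
    for host, summary in sorted(triage_report(SAMPLE_ALERTS, SAMPLE_NOW).items()):
        print(host, summary)
```

Run directly, it prints the two hosts that need attention for the constructed feed: host-a with three overdue `malware.binary` hits rolled into one repeated escalation, and host-e with a single overdue alert. The acknowledged alert and the alerts still inside their SLA do not appear. In practice `rows` would come from the SIEM export and the report would be pushed to an on-call channel; the point is that the age check runs on a schedule, independently of whether anyone is watching the console.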

7 5. What is one of the most important best practices when dealing with data breaches?

1. Have a plan ready for external communications. Customers, shareholders and regulators now demand that organizations respond quickly.
2. Have a cybersecurity incident response team staffed with experienced people.
3. Have data breach containment procedures well documented and tested.
4. The maturity of the forensic function matters: it must be competent and fast. For large incidents it is good practice to engage an independent party to preserve the evidence and perform the investigation.

8 6. What do you consider the biggest impact of Edward Snowden's revelations?

NDAs and personnel security vetting do not suffice to protect an organization against insider threats. Organizations should implement a structured, organization-wide cybersecurity framework.

9 7. CYBER INSURANCE: What are some of the key considerations for companies considering cyber insurance or seeking to improve coverage at renewal?

1. Have a good understanding of your cybersecurity risks and the mitigating controls in place before buying cyber insurance.
2. Know the cybersecurity maturity level of the organization. It is important that companies assess themselves, or have a third party assess them, before buying cyber insurance.
3. Have well-designed and effective security controls in place. The weaker the IT environment is in terms of cybersecurity risk, the higher the premiums are likely to be.
4. Companies may have to disclose their cybersecurity risks to an insurer and demonstrate mitigating controls, through a self-assessment questionnaire or a third-party audit on behalf of the insurer.
5. Choose the cyber insurance product with the best added value for the organization. Chubb, for example, offers some customers a form of no-loss deductible on some cyber policies: if no claims are made in a given year, part of the deductible is returned to the customer to be spent on improving its level of security (e.g. performing external penetration tests).

10 Extra slides

11 Threat awareness | The cyber criminals

Petty criminals: motive is financial gain.
Hacktivists / terrorists: motive is political support.
Organized criminals: motive is financial gain.
State sponsored: motive is the state's agenda.

12 Data Breaches in the News, 2004-2014. Data source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

13 Lessons learned from the Target data breach: highlights

1. Have sufficient cyber insurance coverage. The data breach has cost Target at least $235 million so far, and it was only able to recoup $90 million from its cyber insurance policy. Attackers stole the financial and personal information of 110 million customers.

2. A third party can be the source of a data breach. The root cause was traced to a compromised remote access account belonging to a small Pennsylvania HVAC company. The attackers targeted the third party first, obtained the vendor's remote access (VPN) credentials and used them to get into Target's network. The vendor's remote access was meant for electronic billing, contract submission and project management.

3. Act upon the alerts you receive. Malware detection alerts were sent to Target's security team, but the team did not act in time to stop the attack.

4. Network segregation is important. It appears the attackers were able to reach POS systems from a less sensitive network segment. PCI DSS is very strict about access controls on the POS (cardholder data) network.

5. Data breaches hit shareholders as well. The stock price lost 11.3% of its value in the first 3 months after public disclosure. CEO Gregg Steinhafel was removed by the Board of Directors on May 5, 2014, and on May 28 Institutional Shareholder Services (ISS) recommended that Target shareholders vote out seven of its 10 board members, including members of the Audit and Corporate Responsibility committees.
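Points 2 and 4 above (a vendor remote-access path and a weak boundary in front of the POS systems) are exactly what a firewall rule audit, listed under question 4 as a system security configuration audit, is meant to catch. The following added example is not from the presentation and not KPMG's or Target's tooling: it evaluates a concrete flow against an ordered rule base with first-match semantics, then scans for permit rules that expose the cardholder data environment to anything other than an approved jump host, marking the ones an earlier deny already shadows so the report shows live exposures rather than every matching line. The zone addresses, the rule base and the allowed-access policy are constructed.

```python
"""Segmentation audit of a firewall rule base protecting a POS zone.

Added example, not taken from the KPMG deck. The rule base is an ordered
list of (action, source, destination, port) entries evaluated top-down,
first match wins, default deny. Two checks: evaluate one concrete flow
(does the vendor VPN reach a POS host over SMB?) and list permit rules
that let a non-approved source into the cardholder data environment (CDE),
noting which of them a prior deny shadows. Zones, rules and the
allowed-access policy are constructed.
"""
import ipaddress

# Assumed zones. The CDE is the POS segment PCI DSS requires to be isolated.
ZONES = {
    "cde": ipaddress.ip_network("10.50.0.0/16"),
    "vendor_vpn": ipaddress.ip_network("10.200.0.0/24"),
    "corp_user": ipaddress.ip_network("10.10.0.0/16"),
    "jump_host": ipaddress.ip_network("10.20.5.10/32"),
}

# Policy (assumed): only the jump host may enter the CDE, and only on these ports.
ALLOWED_INTO_CDE = {"jump_host": {22, 3389}}

# Constructed rule base. Ports are ints, or "any" for all ports.
SAMPLE_RULES = [
    ("permit", "10.20.5.10/32", "10.50.0.0/16", 22),
    ("permit", "10.20.5.10/32", "10.50.0.0/16", 3389),
    ("permit", "10.200.0.0/24", "10.10.30.0/24", 443),  # vendor -> billing portal
    ("permit", "10.0.0.0/8", "10.50.0.0/16", 445),       # over-broad: all of 10/8 -> POS over SMB
    ("deny", "0.0.0.0/0", "10.50.0.0/16", "any"),
    ("permit", "10.10.0.0/16", "0.0.0.0/0", "any"),      # users -> everything; shadowed for the CDE
]


def parse_rules(raw):
    """Turn the tuples into dicts with ip_network objects; port None means any."""
    rules = []
    for action, src, dst, port in raw:
        rules.append({
            "action": action,
            "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst),
            "port": None if port == "any" else int(port),
        })
    return rules


def first_match(rules, src_ip, dst_ip, port):
    """Action the firewall takes for one flow: first matching rule, else deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        port_ok = rule["port"] is None or rule["port"] == port
        if src in rule["src"] and dst in rule["dst"] and port_ok:
            return rule["action"]
    return "deny"


def shadowed_for_cde(rules, idx, cde):
    """True if an earlier deny already covers this rule's traffic into the CDE."""
    rule = rules[idx]
    for earlier in rules[:idx]:
        if earlier["action"] != "deny":
            continue
        covers_src = rule["src"].subnet_of(earlier["src"])
        covers_dst = cde.subnet_of(earlier["dst"]) or rule["dst"].subnet_of(earlier["dst"])
        covers_port = earlier["port"] is None or earlier["port"] == rule["port"]
        if covers_src and covers_dst and covers_port:
            return True
    return False


def cde_exposures(rules, zones, allowed):
    """Permit rules that let a non-approved source, or an approved source on a
    non-approved port, reach the CDE. Each finding says whether a prior deny
    shadows it; the unshadowed findings are the live exposures."""
    cde = zones["cde"]
    findings = []
    for idx, rule in enumerate(rules):
        if rule["action"] != "permit" or not rule["dst"].overlaps(cde):
            continue
        approved = any(
            rule["src"].subnet_of(zones[name]) and rule["port"] in ports
            for name, ports in allowed.items()
        )
        if approved:
            continue
        findings.append({
            "rule_index": idx,
            "src": str(rule["src"]),
            "dst": str(rule["dst"]),
            "port": rule["port"],
            "shadowed": shadowed_for_cde(rules, idx, cde),
        })
    return findings


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("vendor VPN -> POS over SMB:", first_match(rules, "10.200.0.7", "10.50.1.20", 445))
    for finding in cde_exposures(rules, ZONES, ALLOWED_INTO_CDE):
        print(finding)
```

On the constructed rule base the flow check shows the vendor VPN reaching a POS host over SMB, because the over-broad `10.0.0.0/8` permit sits above the deny; the scan reports that rule as a live exposure and the trailing users-to-anywhere permit as shadowed (the deny above it already covers CDE destinations). A real audit would also take the live configuration from the device rather than a hand-maintained copy, since the two tend to drift.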

14 Lessons learned from the Target data breach: stock prices don't like bad publicity. Chart: Target stock price, which lost 11.3% of its value in the first 3 months.

15 Thank you. Presentation by Benoit-Luc St-Pierre.

16 KPMG CONFIDENTIAL The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. © 2014 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.

