LET’S THRIVE TOGETHER


Creating a Culture of Security Awareness within your Organization

Paul M. Perry, CDPSE, CISM, CITP, CPA

Presenter: Paul M. Perry, CDPSE, CITP, CPA

Paul Perry has been with Warren Averett since 2004 and is the Practice Leader of the Security, Risk and Controls Group of Warren Averett – focusing on internal controls, security and information technology related projects (i.e. ITGCs, SOC engagements, internal audits, and Risk Assessments).

Paul is also a leader in the Firm’s Data Analysis Group, a team of individuals within the Firm who provide data analysis solutions to both internal and external clients.

Paul is involved in articles, podcasts and presentations on a wide variety of security, technology and control related topics to groups including the ASCPA, FICPA, HFMA, IIA and various corporate organizations.


Security is a people problem, not a technology problem.

Business impact from cybersecurity


Convenience vs Privacy?

• Understand how technology works

• Apps
  • Learn from this app setting?
  • Always Listening – Google, Alexa, Siri?

• COVID-19 Exposure Notification Apps
  • Pros and Cons (Personal level)

Data Breach Statistics

1. 2,013 confirmed cases (2019)

2. 206 Days – average time to identify a breach

3. 73 Days to Contain a breach

4. 34% involve inside actors

5. 71% are financially motivated

6. 24% are user (human) error

Sources: IBM and Verizon

Data Breach Causes

• Weak and Stolen Credentials

• Back Doors, Application Vulnerabilities

• Malware

• Social Engineering

• Too Many Permissions (least privilege)

• Insider Threats

• Improper Configuration and User Error

Sources: IBM and Verizon

Data Breach / Cyber Predictions

1. Biometric Hacking – Touch ID, facial recognition and passcodes

2. Enterprise-wide Skimming (major financial institution)

3. Major Wireless Carrier (disrupting phone service)

4. Cloud Vendor (Fortune 1000 Companies)

5. Online Gaming Community

Source: Experian

Has your Organization had a breach or cybersecurity related hack in the last 12 months?

A. Yes – internal personnel related

B. Yes – external 3rd party vendor related

C. Yes – both

D. No

IT Security Awareness Culture

- Governance’s Role – Crucial for Buy-in

- EVERYONE is responsible for IT Security Controls

- Everything (and everyone) is vulnerable

- Mobile devices and mobile apps are a primary threat vector in today’s environment

- Remote Workforce

Remote Workforce

1. Home Networks (secure and update often)
   a) Admin and Password

2. Personal vs Company Equipment

3. Smart Devices

4. Secure Websites / Apps

5. VPNs (Virtual Private Networks)

Remote Workforce

6. MFA (Multi Factor Authentication)

7. Avoid Public WIFI
   • Trust what you connect to

8. Protect Sight Lines
   • Be mindful of who can see your screen

9. Thumb Drives – known vs unknown

Remote Work Policy

A remote work policy sets the proper expectations for the employees. Consider including the following in your policy:

• Only approved personal devices are allowed.

• No use of public devices (i.e. hotel kiosks, library computers, etc.)

• No use of public WIFI.

• Only connect to the company's network through the VPN.

• Have password standards.

• Have approved anti-virus and anti-malware software installed on personal devices.

• Update your confidentiality agreement to include proper care procedures for remotely handling corporate information.

US Government Assistance

National Counterintelligence and Security Center (NCSC)

Strategy for USA (2020-2022)

- Counterintelligence – information gathered, and activities conducted (offensive posture)

- Counterintelligence = Insider Threat = Security Awareness

- Critical infrastructure – 16 sectors around global energy, financial markets, healthcare, consumer goods, telecommunications services, government functions and defense capabilities

US Government Assistance

National Counterintelligence and Security Center (NCSC)

Strategy for USA (2020-2022) - Continued

- Increased threat around next level technology (IoT, 5G, quantum computing, and AI)

- Integrated Cyber Counterintelligence posture

- Whole-of-society approach

- Partnership Approach (Infragard)

- Innovation

- Aligning of resources


Threat Actions

• Business Email Compromise
  • Phishing emails – attempts to deceive personnel into divulging information or clicking corrupt links
  • Email forwarding – obtaining access to settings and forwarding mail with certain “words” or vendors

• Malware Attacks – malicious software (i.e. keylogging viruses)

• Zero-day threats – programs and applications with built-in security flaws

Threat Actions

• Denial of Service (DoS) – attempts to overwhelm services and interrupt business

• Insider Threat – attempts to steal valuable information from within the company (financial information, product or service information, etc.)

• Ransomware – attempts to lockup servers and data to demand money for release

Ransomware

- San Miguel County, NM - $250,000

- City of Florence, AL - $291,000

- Tillamook County, Oregon - $300,000 (12-24 mos. & $1M)

- Grubman, Shire Meiselas & Sacks - $365,000 (756 GB of data, $21 million doubled to $42 million)

- La Salle County, IL - $500,000

- Communications & Power Industries (CPI) - $500,000 (defense contractor)

- Univ. of California – San Francisco - $1.14 million

- Travelex - $2.3 million

- Redcar and Cleveland Council (England) - $13.6 to $22.2M

- Cognizant - $50 to $70M

- ISS - $75 - $112M

Source: www.crn.com

Ransomware

• Initial infection performed through
  • Vulnerability exploitation
  • Phishing email – click link or open attachment

• Extortion through “uneasy Es” (per Forbes)
  • Exfiltrate – capture and send data to another server

• Eliminate – identify and delete backups

• Encrypt – fully encrypt data

• Expose – Proof of data and threaten exposure

• Extort – Demand exorbitant payment (usually through cryptocurrency)

OFAC Sanctions on Ransomware Payments

Financial Impact of Cybercrimes

Financial Impact of Cybercrimes (the original table groups each cost item into a Short Term, Middle Term or Long Term column)

Direct Costs

− Consultants

− Cyber ransom losses

− Financial theft

− Insurance excess

− Staff response (Overtime)

− Staff response costs (external staff)

− Changes in cyber security practices

− Compensation/discounts

− Complaints (external)

− Fines

− Investigation (external)

− Legal

− PR /Marketing (External)

− Recruitment costs

− Third party liability

− Credit ratings

− Insurance Premiums

− Cyber security improvements

− Investment/donor/funding loss

− Staff costs (long term)

− Training Costs

− Training Costs (external resources)

− Share Value

Indirect Costs

− Containment

− Data and software loss

− IP Theft

− Business Interruption (opportunity cost)

− IT equipment damage

− Notification costs (Authorities)

− Notification costs (customer)

− Physical equipment damage

− Interruption of service

− Complaints (internal)

− Investigation (internal)

− Post-breach customer protection

− PR/Marketing (internal)

− Customer attrition

− Cyber security improvements (opportunity cost)

− Long-term productivity

− Supply chain attrition

− Training costs (internal resources)

− Training costs (opportunity costs)

Source: Ipsos MORI (2021)

Security Awareness Training


…this presentation.

Security awareness training

– Live or webinar/video series
  – Pros and cons of both

– Update on threats from society
  – See Section 1 of this presentation

– Constant Message of Being Aware
  – “Unusual” is a red flag
  – Trust but Verify / Be Cautious
  – See something, Say something (FBI)

Security awareness training

– Paper + Technology

– Human Factor

– Different for Different People (not all employees learn the same)

– Lots of Examples and Stories (with results and issues overcome)

– Update Annually or as Risks Change

Breach Notification Laws


- Apply to residents of the state (different laws)

- Contains common items

- Security Measures that should be in place

- Fines for Non-compliance related to a breach

- Florida Statute - Chapter 501.171 Para 2 - REQUIREMENTS FOR DATA SECURITY.—Each covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal information.

What type of “Threat Actor” steals proprietary information for personal, financial, or ideological reasons?

A. Crime

B. Insider

C. Espionage

IT Environment Controls

Tenet of Cybersecurity

• An entity that operates in cyberspace is likely to experience one or more security events or breaches at some point in time, regardless of the effectiveness of the entity’s cyber security controls.

• Understanding this tenet is essential to dispelling user misconceptions that an effective cyber security risk management program will prevent all security events from occurring.

Tenet of Cybersecurity

• Because of inherent limitations in a cyber security risk management program, an entity may achieve reasonable, but not absolute, assurance that security events are prevented and, for those not prevented, that they are detected, responded to, mitigated against, and recovered from on a timely basis.

• An effective cyber security risk management program is one that enables the entity to detect security events on a timely basis and to respond to and recover from such events with minimal disruption to the entity's operations.

Structure and Strategy

Does your Organization have a formal information technology (IT) structure in place? Do you meet on IT related issues on a regular basis?

• Overall IT governance and strategy

• Structure of IT department
  • 2019 Stat - 25% of Companies have dedicated Security Personnel

• Internal personnel vs outsourced groups

Structure and Strategy

• Overall IT governance

• IT Strategy

• IT Steering Committee
  • Are others involved outside IT (HR, C-Suite, etc.)

• Business Processes and Owners of Key Systems

• Structure of IT department
  • Separate Security Department (sole focus on overall security)

• 2019 Stat - 25% of Companies have dedicated Security Personnel

Change Management

Does your Organization have a regular schedule for reviewing and installing updates to networks and systems?

- Patch Tuesdays

- Updated servers and workstation software

- Windows 10 is the only supported operating system (as of today)

Vendor Management

Does your Organization outsource certain functions for processing or data security? What functions are outsourced?

- Payroll process

- Data storage / backups

- Transactional processing

- Security functions (activity monitoring, etc)


Vendor Management

• Vendor management policies

• Vendor listing and risk assessment

• Vendor Questionnaires

• Reviewing SSAE 18/System and Organization Control (SOC 1 and SOC 2)

• Vendor’s Vendors (4th and 5th-Party Vendors)

Vendor Risk Management Policy

Policy Areas

- Vendor Risk Assessment – Critical vs Non-Critical

- Vendor Selection – due diligence, technical expertise, controls and operations, financial condition
  - SOC report reviews vs Security questionnaire

- Contract Review – scope, performance standards, security, controls, audits, business continuity plans

- Ongoing monitoring – annual updates and review of news and press releases related to vendors (security incidents)

Assessing Vendors

1. Identify the Vendors

- A listing of all vendors used by the company, including a description of the services provided by the vendor, the contract period covered, who is assigned to manage accountability of the vendor relationship, and a determination whether each vendor is a critical

- Enterprise Buy-in for Accurate / Complete Listings

Vendor Risk Assessment Listing

Assessing Vendors

2. Rank The Vendors

- Sample Questions to Determine Vendor Risk Level

  a. Require Access to Your Data?
  b. Do they process data outside of the United States?
  c. Ability to alter/modify your data?
  d. Utilize a 3rd party for data processing (4th party?)
  e. Address some type of legal or regulatory concern?
  f. Types of data they may have access to (PHI, PII etc)

Assessing Vendors

2. Rank The Vendors (Continued)

Tier 3

- Annual Relationship Review

- Quality of Service Review

- Confidentiality Agreement

Tier 2

- Control Questionnaire

- Non-Disclosure Agreement

- Privacy Policy Acknowledgement

- Contract Review

Tier 1

- Quarterly Review of System Access / Roles

- Review of Financials (Going Concern)

- Review of Third Party Assessments (SOC 1 or 2 Report)

Assessing Vendors

3. Vendor Maintenance

- Identify a Vendor Relationship Owner (VRO) to coordinate on-going due diligence activities for each vendor

- If Vendor has access to your systems – periodic logical access reviews

- Re-Assess Vendor Relationship Annually – Services may change

System and Application Security

Do you periodically review threats and risks to data you hold for yourself or your customers (i.e. risk assessment)?

- What are the risks to our IT environment?

- Qualitative/Quantitative Factors

- Controls to combat those risks

- Remediation plans for missing controls

System and Application Security – Risk Assessment

System and Application Security

Does your Organization have security or IT-related policies that are communicated to your employees (i.e. information security policies, acceptable use policies)?

- Information Security Policy

- Data Classification Policy

- Data Encryption Policy

- Mobile Device Management Policy

- Acceptable Use Policy

- IT Change Management Policy

- Data Protection Policy

- Data Retention Policy

System and Application Security

Does your Organization have specific password parameters that are used with your Organization's network and applications? (i.e. required length, complexity, changed often, cannot use last 3 passwords, etc.)

• Two Methodologies
  • UC | lc | Numbers | Symbols | >8 | 90 | 5 | 15
  • Complex | >16 | Never changing (only recommend with MFA)

System and Application Security

Do your employees or contractors use multi-factor authentication for access to systems either locally or remote? (MFA or 2FA)

- Google Authenticator

- Microsoft Authenticator

- Authy

- Duo

- RSA SecurID Access

System and Application Security

Does your Organization have a process for removing user accounts from systems, applications and websites upon termination?

- Number 1 deficiency in IT Audits

- Checklist or procedure to notify immediately

- Detective control – periodic review of current user listing and active employees (quarterly or annually)
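The detective control above, a periodic reconciliation of enabled accounts against the HR roster, as an added example that is not part of the presentation. The account export, the roster and the 90-day idle threshold are all constructed sample data; any enabled account whose owner is terminated or not on the roster at all is listed for removal.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Account:
    system: str            # system the account lives in, e.g. "AD", "vpn"
    username: str
    owner_email: str       # how the account is mapped back to a person
    enabled: bool
    last_login: Optional[date]

# Constructed sample export of accounts across several systems.
ACCOUNTS: List[Account] = [
    Account("AD", "jdoe", "jdoe@example.com", True, date(2021, 9, 1)),
    Account("AD", "asmith", "asmith@example.com", True, date(2021, 2, 3)),
    Account("payroll", "asmith", "asmith@example.com", True, None),
    Account("vpn", "bwong", "bwong@example.com", True, date(2021, 8, 30)),
    Account("vpn", "cjones", "cjones@example.com", False, None),
    Account("bank-portal", "svc-ap", "shared@example.com", True, date(2021, 9, 2)),
]

# Constructed HR roster: owner e-mail -> employment status on the review date.
HR_ROSTER: Dict[str, str] = {
    "jdoe@example.com": "active",
    "asmith@example.com": "terminated",
    "bwong@example.com": "active",
    "cjones@example.com": "terminated",
}
AS_OF = date(2021, 9, 15)   # review date (constructed)

def orphaned_accounts(accounts: List[Account], roster: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Enabled accounts whose owner is not an active employee.

    Disabled accounts are skipped (already handled). Accounts with no roster
    match are reported as "unknown": shared and service accounts are exactly
    what a termination checklist keyed on a person tends to miss.
    """
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        status = roster.get(acct.owner_email, "unknown")
        if status != "active":
            findings.append((acct.system, acct.username, status))
    return sorted(findings)

def stale_accounts(accounts: List[Account], as_of: date, max_idle_days: int = 90) -> List[Tuple[str, str]]:
    """Enabled accounts not used within max_idle_days (threshold is an assumption)."""
    return sorted(
        (a.system, a.username)
        for a in accounts
        if a.enabled and (a.last_login is None or (as_of - a.last_login).days > max_idle_days)
    )

if __name__ == "__main__":
    for system, user, status in orphaned_accounts(ACCOUNTS, HR_ROSTER):
        print(f"REMOVE {system}/{user}: owner status {status}")
    for system, user in stale_accounts(ACCOUNTS, AS_OF):
        print(f"REVIEW {system}/{user}: no recent login")
```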

System and Application Security

Does your IT environment have updated firewalls to protect intrusions into your systems and data?

- Next generation firewalls

- Segmentation for CUI, PHI, PII

- Segmentation of Public Wifi

System and Application Security

Does your Organization utilize anti-virus software on the networks and laptops/desktops?

- Reviewing for known malware at all times

- Quarantining and purging activity

System and Application Security

Does your Organization monitor the internet traffic for unusual activity or threats?

- Intrusion detection software / services (IDS / IPS)

- Reviewing regularly and consistently

System and Application Security

Does your Organization have a mobile device management software to monitor activity on portable devices (laptops, tablets or smartphones)?

- Wipe remotely

- Monitor locations

- Personal vs company issued devices

System and Application Security

Does your Organization encrypt all portable devices?

- Bitlocker

- Encryption of data at rest and in transit

Incident Management

Does your Organization have an incident response plan in place for different scenarios? If so, when was the last time those were tested?

- Multiple scenarios – 7 to 9 – (Breach, insider threat, ransomware, key-person, disaster)

- Available to all personnel

Data Management

Does your Organization have a data backup policy and regular schedule? If so, where is it maintained?

- hourly, daily, weekly, monthly, annually

- Back-up policies and procedures
  - Include record retention policies for different types

- Daily – 14 days, Monthly – 6 months, Annual – 7 years

- At least 2 different locations (virtual and hard disk)

- At least 7 miles away
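The retention schedule above (Daily – 14 days, Monthly – 6 months, Annual – 7 years) turned into a keep/purge decision, as an added example that is not part of the presentation. The reading of the schedule is my assumption: every daily copy from the last 14 days, the first copy of each of the last 6 calendar months, and the first copy of each of the last 7 years are kept; the sample backup dates are constructed.

```python
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set, Tuple

DAILY_KEEP_DAYS = 14       # "Daily – 14 days"
MONTHLY_KEEP_MONTHS = 6    # "Monthly – 6 months"
ANNUAL_KEEP_YEARS = 7      # "Annual – 7 years"

def months_between(later: date, earlier: date) -> int:
    """Whole calendar months from earlier to later (day of month ignored)."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)

def retained_backups(backup_dates: Iterable[date], today: date) -> Set[date]:
    """Backups to keep under the assumed 14-day / 6-month / 7-year policy."""
    backups = sorted(set(backup_dates))
    keep: Set[date] = set()
    # Daily tier: everything taken within the last 14 days (today included).
    keep.update(d for d in backups if 0 <= (today - d).days < DAILY_KEEP_DAYS)
    # Monthly and annual tiers: the earliest backup in each month / year.
    first_in_month: Dict[Tuple[int, int], date] = {}
    first_in_year: Dict[int, date] = {}
    for d in backups:                  # sorted, so setdefault records the earliest
        first_in_month.setdefault((d.year, d.month), d)
        first_in_year.setdefault(d.year, d)
    keep.update(d for d in first_in_month.values()
                if 0 <= months_between(today, d) < MONTHLY_KEEP_MONTHS)
    keep.update(d for d in first_in_year.values()
                if 0 <= today.year - d.year < ANNUAL_KEEP_YEARS)
    return keep

def purge_list(backup_dates: Iterable[date], today: date) -> List[date]:
    """Backups the policy no longer requires, oldest first."""
    backups = set(backup_dates)
    return sorted(backups - retained_backups(backups, today))

# Constructed sample: daily backups 2021-06-01..2021-09-15 plus a few older copies.
AS_OF = date(2021, 9, 15)
SAMPLE_BACKUPS: List[date] = [date(2021, 6, 1) + timedelta(days=i) for i in range(107)] + [
    date(2021, 1, 5), date(2021, 2, 1), date(2021, 3, 1),
    date(2020, 1, 1), date(2020, 6, 1), date(2015, 1, 1), date(2014, 1, 1), date(2013, 6, 1),
]

if __name__ == "__main__":
    kept = retained_backups(SAMPLE_BACKUPS, AS_OF)
    print(f"{len(kept)} of {len(set(SAMPLE_BACKUPS))} backups retained, oldest {min(kept)}")
    print(f"{len(purge_list(SAMPLE_BACKUPS, AS_OF))} backups eligible for purge")
```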

Data Management

Does your Organization have a disaster recovery plan in place? If so, has it been tested?

- who, what, when and how.

- Testing annually (table-top or live test)

- Available to all personnel

Vulnerability Management

Does your Organization require security awareness training for all employees?

- At least annually (quarterly or monthly for others)

- Recommended with Cyber liability insurance

- Documentation (who, what, when)

Vulnerability Management

Does your Organization complete social engineering testing with your employees?

- Email and physical testing

- Suggestions for who needs more education

- Surprise and random

Vulnerability Management

Does your Organization perform external penetration testing against your networks?

- External attempt to infiltrate your network, servers, laptops and databases

- Performed at least annually

- Certified Ethical Hacker (person vs automatic)

- Roadmap for remediation

Vulnerability Management

Does your Organization perform internal vulnerability testing inside your networks?

- Scanning servers, networks and applications for vulnerabilities or needed patching

- At least annually
  - PCI – quarterly from an Approved Scanning Vendor (ASV)

- Roadmap for remediation

Vulnerability Management

Does your Organization have cyber liability insurance policies in place? If so, does the policy require security measures to be in place for the policy to be valid?

- Rider vs full policy

- General insurance company vs Cyber-only Company

Which of the following categories does a Disaster Recovery Plan fall under?

A. Data Management

B. Incident Management

C. Vulnerability Management

Cyber liability Insurance


• Increased regulatory attention (e.g., SEC)

• Security Measures in place

• Vendor/business associate risk

• Insider threats

• Exclusions in legacy coverages (e.g., CGL, D&O)

Cyber liability Insurance

•Covered Costs • Forensics • Legal and PR • Data Restoration • Lost Income

•Who can perform these covered activities

Cybersecurity Response Plan


1. Event (trigger)

2. Mobilize (actual table top exercise)

3. Legal Posture (lawyer)

4. Law Enforcement (police or FBI)

5. Stabilize (fix problem)

6. Investigate (understand what happened)

Cybersecurity RESPONSE PLAN

7. Legal Analysis (lawyer again, sorry)

8. Notify (tell people)

9. Regulatory Response (legal requirement to tell)

10. Lawsuits (Lawyers, again? Really?)

11. Review & Improve (Risk Assessment)

Cybersecurity Recap

1. Know the threats – always changing

2. Security Awareness Training
   a) Self education

3. Vendor Management

4. Passwords – strong and consistently follow

5. Risk assessments and Know your vulnerabilities

6. Cyber insurance policy

7. Add something every day, week, month and year

Questions?

Paul M. Perry, CDPSE, CISM, CITP, CPA

E | [email protected]

P | (205) 769-3251
