SAV LLP
FOR INFORMATION ONLY - DISTRIBUTION IS PROHIBITED WITHOUT PERMISSION
Weakest links of an organization’s Cybersecurity Chain and Mitigation Options
An Auditor’s Perspective
SEPTEMBER 09, 2019
Disclaimer

This material is for educational purposes only. As it deals with technical matters which have broad application, it is not practical to include all situations. As well, this material and the references contained therein may reflect laws and practices which are subject to change. Some content of this presentation has been copied or obtained from other sources, hence the preparer takes no responsibility for the content’s validity and accuracy. For this reason a particular fact situation should be reviewed by a qualified professional. The references can be shared upon formal request.

Although the presentation material has been carefully prepared, none of the persons involved in the preparation of the material accepts any legal responsibility for its contents or for any consequences arising from its use.

Distribution of this presentation for commercial purposes is prohibited.
Cyber Security

There is a wide range of currently accepted cybersecurity definitions. The National Institute of Standards and Technology defines cybersecurity as "the process of protecting information by preventing, detecting, and responding to attacks." Similar to financial and reputational risk, cybersecurity risk affects a company’s bottom line. It can drive up costs and impact revenue. It can harm an organization’s ability to innovate and to gain and maintain customers.

Myth about Cyber Security – Cyber risk can be reduced, and security posture improved, simply by purchasing products and outsourcing support.
• There is no absolute security. The only way to prevent death is to already be dead; otherwise there is always a risk.
• Security is a balancing act of defending an organization according to the organization’s risk tolerance and profile.

In Summary - Cybersecurity is the combination of processes, practices and technologies designed to protect networks, computers, programs, data and information from attack, damage or unauthorized access.
Cyber Threat

A cyber threat is an activity intended to compromise the security of an information system by altering the availability, integrity, or confidentiality of a system or the information it contains.

Define what is at risk (physical and digital):
• Do you know what your “worst possible day” looks like? (not being able to transact, theft of sensitive information, inability to perform a physical function)
• Once an organization identifies and qualifies the risks and assets associated with its key functions, it becomes inherently easier to identify potential causes of a critically impactful incident.
• Consequently, the organization will be better prepared to appropriately mitigate risks and spend security resources sensibly.
Threat Landscape

As per ENISA (European Union Agency for Network and Information Security), some of the main trends in the 2018 cyberthreat landscape are:
• Mail and phishing messages
• Staff retention
• Raising awareness at the level of security and executive management
• Automated attacks through novel approaches
• IoT environments
Is Cybersecurity an IT Problem or a Human Problem?

DNA OF AN ATTACKER
• Attackers are humans, with human goals
• Humans are not perfect – some are good, some are bad, but they aren’t perfect
• Perfection doesn’t exist in offence or defense

To defend against attack, your strategy must have the capabilities to detect, respond and build back up controls to prevent the next steps. However, it is very important to know what is mission critical and what is trivial.

War Games – Learnings from conventional war to mitigate cyber threats

Cu Chi Tunnels in Ho Chi Minh City during the Vietnam War
https://www.reddit.com/r/secretcompartments/comments/82fhg3/tunnels_used_by_viet_cong_forces_during_the/
Role of a CFO / Head of Finance

• The CFO’s role has always ranged from a fiduciary one (a custodian preserving value) to a visionary one (an architect creating value). This role is becoming much more about strategy and the future rather than stewardship, and even more about value realization and optimization.
• IFAC (International Federation of Accountants) explains that a professional CFO should:
  1. Be an effective organizational leader and a key member of senior management
  2. Balance the responsibilities of stewardship with business partnership
  3. Act as the integrator and navigator for the organization
Cybersecurity – What do CFOs need to know?

Planning and Management
• How do we identify our critical assets and associated risks and vulnerabilities?
• How do we meet our critical infrastructure operations and regulatory requirements?
• What is our strategy and plan to protect our assets?
• How robust are our incident response and communication plans?

Assets
• How do we track what digital information is leaving our organization and where that information is going?
• How do we know who’s really logging into our network, and from where?
• How do we control what software is running on our devices?
• How do we limit the information we voluntarily make available to a cyber adversary?
Cybersecurity Frameworks

What is a Framework
A framework is a set of voluntary guidelines and practices that help organizations better manage and reduce cybersecurity risk.

Well accepted Cybersecurity Frameworks
The most frequently adopted cybersecurity frameworks are:
• NIST Framework
• PCI DSS (Payment Card Industry Data Security Standard)
• ISO 27001/27002 (International Organization for Standardization)
• CIS Critical Security Controls
• COBIT 2019
• TSP 2017 (SOC2)

Why adopt a security framework
• A framework takes out a lot of guesswork and shows you, often with supporting evidence, where to apply the pressure.
• Planning and implementing a framework can help organizations understand their operational maturity level and provides metrics that feed back into the organization.
SOC

SOC (Service Organization Control) Reports for outsourced services, and SOC for Cybersecurity: a high-level introduction

Weakest links of the Cybersecurity Chain
Weakest Links of the Cybersecurity Chain

Cybersecurity is a shared responsibility – people, processes, tools, and technologies work together to protect an organization's assets.

A few of the common weakest links in the cybersecurity chain are (and they are not tools):
1. Weak tone at the top - Governance framework
2. Poor user management and access controls
3. Weak asset management
4. Lack of cyber policy
5. Lack of awareness regarding information sharing and breach reporting
6. Lack of monitoring of service providers
The Recommended Risk Mitigation Strategies
Tone at the Top - Governance Framework

Governance Framework
• Key initial steps
  • Decide who should be involved in the development of a cybersecurity program.
  • Identify known risks and established controls.
  • Establish a cross-organizational committee of senior executives that brings together the full range of enterprise knowledge and capabilities. This should include IT and corporate security, as well as business owners.
• Leadership is key
  • Selecting an executive with broad cross-functional responsibilities, such as the CFO or COO, to lead this committee can help broader corporate adoption.
  • This effort should report to a specialized committee, such as the Audit or Risk Committee, or in some cases to the board itself.

Board and Senior Management involvement
The National Association of Corporate Directors (NACD) cites five cybersecurity principles for boards:
1. Cybersecurity is an enterprise-wide risk management issue, not just an IT issue.
2. Understand the legal implications of cyber risks.
3. Ensure adequate access to cybersecurity expertise, and hold regular discussions about cyber-risk management.
4. Establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
5. Identify which risks to avoid, accept, mitigate, or transfer through insurance, as well as the specific plans associated with each approach.
User Account Management and Access Control

Need-to-know basis. The following are recommendations for user account management and access control:
• Centrally manage all user accounts, e.g. Active Directory, UUID.
• Disable system accounts that cannot be associated with a business process and owner.
• Disable accounts upon termination of an employee or contractor.
• Perform periodic user access reviews.
• Force users to re-login automatically after a standard period of inactivity.
• Require strong passwords.
• Limit the number of privileged accounts.
• Require two-factor authentication for privileged accounts.
• Control access to the computer system’s audit logs.
• Make cybersecurity training and awareness mandatory for all personnel.
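Several of the recommendations above (orphaned system accounts, accounts of terminated staff, dormant accounts, privileged accounts without two-factor authentication, a cap on privileged accounts) can be turned into an automated periodic access review. The following Python is an added example written for this page, not code from the presentation; the account record layout, the 90-day inactivity threshold and the limit of five privileged accounts are assumptions to be replaced by your own directory export and policy.

```python
"""Periodic user access review over a constructed directory export.

Added example, not from the presentation.  Field names, thresholds and the
sample accounts are assumptions made for the demonstration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Review thresholds: assumed values, set them from your own policy.
MAX_INACTIVE_DAYS = 90        # dormant accounts are flagged after this
MAX_PRIVILEGED_ACCOUNTS = 5   # "limit the number of privileged accounts"
REVIEW_DATE = date(2019, 9, 9)  # date of the review run (constructed)


@dataclass
class Account:
    name: str
    owner: Optional[str]        # business owner, None if nobody claims it
    is_system: bool             # service/system account rather than a person
    enabled: bool
    last_login: Optional[date]  # None if the account has never logged in
    terminated: bool            # HR record says this person/contractor has left
    privileged: bool            # administrative or otherwise elevated rights
    mfa_enabled: bool


@dataclass
class Finding:
    account: str
    rule: str


def review_accounts(accounts: List[Account], today: date) -> List[Finding]:
    """Return one Finding per violated recommendation, per enabled account."""
    findings: List[Finding] = []
    for a in accounts:
        if not a.enabled:
            continue  # already disabled: nothing to review
        if a.is_system and a.owner is None:
            findings.append(Finding(a.name, "system account without business owner"))
        if a.terminated:
            findings.append(Finding(a.name, "enabled account for terminated user"))
        if a.last_login is None or (today - a.last_login).days > MAX_INACTIVE_DAYS:
            findings.append(Finding(a.name, "inactive account"))
        if a.privileged and not a.mfa_enabled:
            findings.append(Finding(a.name, "privileged account without two-factor auth"))
    return findings


def privileged_count_ok(accounts: List[Account]) -> bool:
    """Population-level check for the 'limit privileged accounts' recommendation."""
    n = sum(1 for a in accounts if a.enabled and a.privileged)
    return n <= MAX_PRIVILEGED_ACCOUNTS


# Constructed sample export for the demonstration.
SAMPLE_ACCOUNTS = [
    Account("alice", "finance", False, True, date(2019, 9, 1), False, True, True),
    Account("bob", "ops", False, True, date(2019, 3, 1), True, False, False),
    Account("svc_backup", None, True, True, date(2019, 9, 5), False, True, False),
    Account("carol", "hr", False, False, None, True, False, False),
]


def review_sample() -> List[Finding]:
    """Run the review over the constructed export as of REVIEW_DATE."""
    return review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f.account}: {f.rule}")
    print("privileged account limit respected:", privileged_count_ok(SAMPLE_ACCOUNTS))
```

In the sample, bob is flagged twice (terminated, inactive) and svc_backup twice (no owner, no MFA), while the disabled carol account is skipped.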
Asset Management

You can’t control something that you don’t know about. The following are recommendations for asset management:
• Deploy and maintain an automated asset inventory discovery tool that will also assist the entity in building an inventory of systems connected to the organization's private and public networks.
• Use Dynamic Host Configuration Protocol (DHCP) server logging for asset inventory - unknown systems can be detected through this DHCP information.
• Ensure that the inventory system is updated when newly acquired and approved equipment connects to the network.
• Deploy network-level authentication and Network Access Control (NAC). These services will assist in preventing unauthorized devices from connecting to the network.
• Utilize client certificates to validate and authenticate systems prior to connecting to an organization’s network.
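An added example (not from the presentation) of the DHCP-logging recommendation above: it parses ISC dhcpd-style DHCPACK syslog lines and reports leased MAC addresses that are absent from the asset inventory. The log line format, the inventory layout and the sample log are assumptions constructed for the demonstration; other DHCP servers log in different formats.

```python
"""Detect devices missing from the asset inventory using DHCP server logs.

Added example, not from the presentation.  Assumes ISC dhcpd syslog lines
of the form "DHCPACK on <ip> to <mac> [(<hostname>)] via <iface>"; the
inventory and log lines below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

DHCPACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Lease:
    timestamp: str
    ip: str
    mac: str                  # normalised to lower case for comparison
    hostname: Optional[str]   # None when the client sent no hostname
    interface: str


def parse_dhcpack(line: str) -> Optional[Lease]:
    """Return a Lease for a DHCPACK line, None for any other log line."""
    m = DHCPACK_RE.match(line.strip())
    if not m:
        return None
    return Lease(m["ts"], m["ip"], m["mac"].lower(), m["host"], m["iface"])


def unknown_devices(lines: Iterable[str], inventory: Dict[str, str]) -> List[Lease]:
    """Leases whose MAC is not in the inventory, first sighting per MAC only."""
    known = {mac.lower() for mac in inventory}
    seen = set()
    result: List[Lease] = []
    for line in lines:
        lease = parse_dhcpack(line)
        if lease is None or lease.mac in known or lease.mac in seen:
            continue
        seen.add(lease.mac)
        result.append(lease)
    return result


# Constructed sample data: the inventory maps MAC address -> approved asset tag.
SAMPLE_INVENTORY = {
    "00:11:22:33:44:55": "FIN-LAPTOP-01",
    "00:11:22:33:44:66": "FIN-PRINTER-02",
}
SAMPLE_LOG = [
    "Sep  9 08:01:12 dhcp1 dhcpd[1423]: DHCPACK on 10.10.1.20 to 00:11:22:33:44:55 (fin-laptop-01) via eth0",
    "Sep  9 08:01:13 dhcp1 dhcpd[1423]: DHCPDISCOVER from a4:c3:f0:12:34:56 via eth0",
    "Sep  9 08:02:40 dhcp1 dhcpd[1423]: DHCPACK on 10.10.1.77 to A4:C3:F0:12:34:56 (android-9f1e) via eth0",
    "Sep  9 08:03:05 dhcp1 dhcpd[1423]: DHCPACK on 10.10.1.21 to 00:11:22:33:44:66 via eth0",
    "Sep  9 08:04:30 dhcp1 dhcpd[1423]: DHCPACK on 10.10.1.77 to a4:c3:f0:12:34:56 (android-9f1e) via eth0",
]


def unknown_in_sample() -> List[Lease]:
    """Run the check over the constructed log and inventory."""
    return unknown_devices(SAMPLE_LOG, SAMPLE_INVENTORY)


if __name__ == "__main__":
    for lease in unknown_in_sample():
        print(f"UNKNOWN {lease.mac} ip={lease.ip} host={lease.hostname or '-'} "
              f"via {lease.interface} at {lease.timestamp}")
```

Only the Android device at 10.10.1.77 is reported; its second lease and the DHCPDISCOVER line are ignored, and MAC case differences do not cause a false alarm.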
Cyber Policy

Some of the key elements of a good cyber policy:
• Scope – all information, systems, facilities, programs, data networks, and all users of technology in the organization (both internal and external), without exception
• Information classification – should provide content-specific definitions, rather than the more generic “confidential” or “restricted”
• Management goals for secure handling of information in each classification category
• Specific instruction on organization-wide security mandates (e.g. no sharing of passwords)
• Specific designation of established roles and responsibilities
• Consequences for non-compliance (e.g. up to and including dismissal or termination of contract)

The implementation of a policy is not a single event, but rather an iterative process revisited as business models, relationships, and technology change.

Absent a policy, there can be no effective governance of the cybersecurity program, as there is no clear guidance upon which to make program decisions.
Information Sharing and Breach Reporting Requirements

Microsoft makes the following eight recommendations for information sharing:
1. Develop a strategy for information sharing and collaboration.
2. Design with privacy protections in mind.
3. Establish a meaningful governance process.
4. Focus sharing on actionable threat, vulnerability, and mitigation information.
5. Build interpersonal relationships.
6. Require mandatory information sharing only in limited circumstances.
7. Make full use of information shared, by conducting analyses on long-term trends.
8. Encourage the sharing of best practices.

The exchange of best practices with peer organizations can allow organizations to play a proactive role, by engaging with each other as well as with external organizations.
Vendor Risk Management

Service Risks:
• Volume of transactions processed
• Concentration associated with the service
• Sensitivity risk of the data to which the vendor could potentially have access
• Compliance and regulatory risk related to the service
• Customer and financial impact

Vendor Risks:
• Location of the vendor (subject to multinational laws, regulations, etc.)
• Previous data or security breaches
• Extent of outsourcing performed by the vendor
• Performance history

Common Deficiencies with 3rd Party Vendors:
• Incident Response Management Plan
• Inadequate Security Awareness
• Data Loss Prevention
• Encryption for data at rest and in transit
• Administrator Privilege Lockdown
• Vulnerability testing or penetration testing

Common approaches to evaluating Third Party Vendors and ongoing oversight include:
• Perform vendor evaluation as part of the RFP
• Desk assessments to evaluate requested information
• On-site visits as appropriate by either in-house or contracted experts
• Penetration tests of potential vendors
• An outside independent reporting company to continuously monitor the cyber posture of any third-party vendor and ensure it is on par with the security risk level that the evaluating organization accepts
• A process to alert the organization of infractions or breaches, so that it can easily work with vendors to correct and improve their security posture

To be successful, vendor risk management should be an element of an enterprise risk management program with established, repeatable processes in place that are consistent for all areas within the firm.
Key Takeaways

Adversaries will always improve their tactics to compensate for emerging security technologies. The only real defense is a layered approach, combining security products, risk management, sensible policies and procedures, proper disaster recovery planning and human expertise.
• A sound governance framework with strong leadership is essential to effective enterprise-wide cybersecurity. Board-level and senior management-level engagement is critical to the success of firms’ cybersecurity programs, along with a clear chain of accountability.
• A well-trained staff can serve as the first line of defense against cyber attacks. Effective training helps to reduce the likelihood of a successful attack by providing well-intentioned staff with the knowledge to avoid becoming inadvertent attack vectors (for example, by unintentionally downloading malware).
• One size doesn’t fit all. The level of sophistication of technical controls employed by an individual firm is highly contingent on that firm’s individual situation. While a smaller firm may not be positioned to implement the included controls in their entirety, these strategies can serve a critical benchmarking function to support an understanding of vulnerabilities relative to industry standards.
• Many organizations use third-party vendors for services, which requires vendor access to sensitive firm or client information, or access to firm systems. At the same time, the number of security incidents at companies attributed to partners and vendors has risen consistently, year on year. Firms should manage the cybersecurity risk exposures that arise from these relationships by exercising strong due diligence and developing clear performance and verification policies.
• Cybersecurity is not only an IT problem; it is an enterprise-wide problem that requires an interdisciplinary approach, and a comprehensive governance commitment to ensure that all aspects of the business are aligned to support effective cybersecurity practices. Security isn’t simply one team’s job – it’s everyone’s job. However, the security team needs to lead the effort to improve the organization’s overall security deployment.
Summary of Best Practices

• Tone at the top – The business itself needs to take security seriously: not just write some policy, but support the security team with a budget and some people and tools.
• Basic IT Security Foundation
  • Asset Management – What do you have, what do you value most, and where is it now? (You can’t protect it if you can’t find it)
  • Process / Procedures
    • Access Controls – Authentication, limit administrative accounts on systems, least privilege principle for access
    • Data Management, Change Management, Problem Management
  • Network Security – UTM (Unified Threat Management) tool, and keep BYOD away from the main network
  • Endpoint Security – EDR (Endpoint Detection & Response) or at least some protection from downloads, attacks and data leakage
  • Security Operations – Detect, act and defend against future attacks
  • Encryption – A process of converting data into an unreadable form to prevent unauthorized access and thus ensure data protection
• People – Hire and train people to defend the network (including critical data) and do not rely solely on technology
• System Updates – Keep your systems up to date. Turn on auto update on all devices. Remove legacy applications that are at a sunset stage and can’t be secured
• Control Framework – Implement a critical security controls framework such as the NIST Cybersecurity Framework, PCI, COBIT, ISO 27K+
THERE IS NO SINGLE SILVER BULLET FOR CYBER THREAT

Thank You

PRESENTER – SANJAY CHADHA CPA, CA, LPA, CISA, CITP
SAV LLP
CHARTERED PROFESSIONAL ACCOUNTANTS
HULLMARK CENTRE AT YONGE AND SHEPPARD
3M-4773 YONGE STREET, TORONTO, ON, M2N 0G2
TEL: 647.831.8322, 416.822.8570
EMAIL: INFO@SAVASSOCIATES.CA

More Related Content

PDF
Simplifying Security for Cloud Adoption - Defining your game plan
PDF
Integrating-Cyber-Security-for-Increased-Effectiveness
PDF
Adam Bulava GCC 2019
PDF
Security Framework for Digital Risk Managment
PDF
Cybersecurity Goverence for Boards of Directors
PDF
Websense
PDF
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
PPTX
Banks and cybersecurity v2
Simplifying Security for Cloud Adoption - Defining your game plan
Integrating-Cyber-Security-for-Increased-Effectiveness
Adam Bulava GCC 2019
Security Framework for Digital Risk Managment
Cybersecurity Goverence for Boards of Directors
Websense
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Banks and cybersecurity v2

What's hot (18)

PDF
speaking-to-board-securiity-whitepaper
PDF
Information Technology Vendor Risk Management
PDF
Cyber Security Risk Management
PDF
Cyber risk management-white-paper-v8 (2) 2015
PDF
Fraudulent Methods for Attacking Bank Networks and Prevention 2014
PDF
Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...
PDF
Simple Safe Steps to Cyber Security
PDF
CISO_Paper_Oct27_2015
PDF
A CIRO's-eye view of Digital Risk Management
PPTX
What is WebSense?
PDF
CISO_Paper_Oct27_2015
PDF
Cyber Risk Quantification | Safe Security
PPTX
WHY SOC Services needed?
PDF
Ch4 cism 2014
PDF
CISO Case Study 2011 V2
PDF
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
PDF
How close is your organization to being breached | Safe Security
PPTX
Security architecture frameworks
speaking-to-board-securiity-whitepaper
Information Technology Vendor Risk Management
Cyber Security Risk Management
Cyber risk management-white-paper-v8 (2) 2015
Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...
Simple Safe Steps to Cyber Security
CISO_Paper_Oct27_2015
A CIRO's-eye view of Digital Risk Management
What is WebSense?
CISO_Paper_Oct27_2015
Cyber Risk Quantification | Safe Security
WHY SOC Services needed?
Ch4 cism 2014
CISO Case Study 2011 V2
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How close is your organization to being breached | Safe Security
Security architecture frameworks
Ad

Similar to Weakest links of an organization's Cybersecurity chain (20)

PPTX
Stay Ahead of Threats with Advanced Security Protection - Fortinet
PDF
Cybersecurity Roadmap Development for Executives
PPTX
Topic11
PPT
Risk Assessment And Management
PDF
Almanac 2023. Top Cyber News MAGAZINE. Published in January 2024
PPT
Chapter 1 overview
PPTX
Dancyrityshy 1foundatioieh
PPTX
Cloud Security.pptx
PPTX
Cybersecurity-Course.9643104.powerpoint.pptx
PDF
Cyber Security Risk Mitigation Checklist
PPTX
Top Cybersecurity Challenges Facing Your Business
PPTX
A guide to Sustainable Cyber Security
PDF
Dealing with Information Security, Risk Management & Cyber Resilience
PPTX
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
PDF
Incident Response
PDF
OSB50: Operational Security: State of the Union
PPT
Guard Era Security Overview Preso (Draft)
PPTX
Information security: importance of having defined policy & process
PDF
Get the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las Vegas
PPTX
Your cyber security webinar
Stay Ahead of Threats with Advanced Security Protection - Fortinet
Cybersecurity Roadmap Development for Executives
Topic11
Risk Assessment And Management
Almanac 2023. Top Cyber News MAGAZINE. Published in January 2024
Chapter 1 overview
Dancyrityshy 1foundatioieh
Cloud Security.pptx
Cybersecurity-Course.9643104.powerpoint.pptx
Cyber Security Risk Mitigation Checklist
Top Cybersecurity Challenges Facing Your Business
A guide to Sustainable Cyber Security
Dealing with Information Security, Risk Management & Cyber Resilience
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
Incident Response
OSB50: Operational Security: State of the Union
Guard Era Security Overview Preso (Draft)
Information security: importance of having defined policy & process
Get the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las Vegas
Your cyber security webinar
Ad

Recently uploaded (20)

PDF
Unlock new opportunities with location data.pdf
PPTX
Tartificialntelligence_presentation.pptx
PDF
STKI Israel Market Study 2025 version august
PDF
WOOl fibre morphology and structure.pdf for textiles
DOCX
search engine optimization ppt fir known well about this
PDF
A novel scalable deep ensemble learning framework for big data classification...
PPTX
The various Industrial Revolutions .pptx
PPT
What is a Computer? Input Devices /output devices
PPTX
observCloud-Native Containerability and monitoring.pptx
PDF
A comparative study of natural language inference in Swahili using monolingua...
PDF
A review of recent deep learning applications in wood surface defect identifi...
PPTX
Benefits of Physical activity for teenagers.pptx
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
PDF
Hindi spoken digit analysis for native and non-native speakers
PDF
Assigned Numbers - 2025 - Bluetooth® Document
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
PDF
Getting started with AI Agents and Multi-Agent Systems
PDF
CloudStack 4.21: First Look Webinar slides
Unlock new opportunities with location data.pdf
Tartificialntelligence_presentation.pptx
STKI Israel Market Study 2025 version august
WOOl fibre morphology and structure.pdf for textiles
search engine optimization ppt fir known well about this
A novel scalable deep ensemble learning framework for big data classification...
The various Industrial Revolutions .pptx
What is a Computer? Input Devices /output devices
observCloud-Native Containerability and monitoring.pptx
A comparative study of natural language inference in Swahili using monolingua...
A review of recent deep learning applications in wood surface defect identifi...
Benefits of Physical activity for teenagers.pptx
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
NewMind AI Weekly Chronicles – August ’25 Week III
Hindi spoken digit analysis for native and non-native speakers
Assigned Numbers - 2025 - Bluetooth® Document
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
Getting started with AI Agents and Multi-Agent Systems
CloudStack 4.21: First Look Webinar slides

Weakest links of an organization's Cybersecurity chain

  • 1. SAV LLP FOR INFORMATION ONLY - DISTRIBUTION IS PROHIBITED WITHOUT PERMISSION Weakest links of an organization’s Cybersecurity Chain and Mitigation Options An Auditor’s Perspective SEPTEMBER 09, 2019
  • 2. SAV LLP This material is for educational purposes only. As it deals with technical matters which have broad application, it is not practical to include all situations. As well, this material and the references contained therein may reflect laws and practices which are subject to change. Some content of this presentation has been copied or obtained from other sources, hence the preparer takes no responsibility on content’s validity and accuracy. For this reason a particular fact situation should be reviewed by a qualified professional. The references can be shared upon formal request. Although the presentation material has been carefully prepared, none of the persons involved in the preparation of the material accepts any legal responsibility for its contents or for any consequences arising from its use. Distribution of this presentation for commercial purposes is prohibited. Disclaimer
  • 3. SAV LLP Cyber Security There is a wide range of currently accepted cybersecurity definitions. The National Institute of Standards and Technology defines cybersecurity as "the process of protecting information by preventing, detecting, and responding to attacks." Similar to financial and reputational risk, cybersecurity risk affects a company’s bottom line. It can drive up costs and impact revenue. It can harm an organization’s ability to innovate and to gain and maintain customers. Myth about Cyber Security – Cyber risk can be reduced, security posture can be improved, by purchasing products and outsourcing support.  There is no absolute security. The only way to prevent death is to already be dead, otherwise there is always a risk.  Security is a balancing act of defending an organization according to the organization’s risk tolerance and profile. In Summary - Cybersecurity is the combination of processes, practice and technologies designed to protect network, computers, programs, data and information from attack, damage or unauthorized access.
  • 4. SAV LLP 4 Cyber Threat A cyber threat is an activity intended to compromise the security of an information system by altering the availability, integrity, or confidentiality of a system or the information it contains. Define what is at Risk (Physical and Digital)?  Do you know what your “worst possible day” looks like? (not being able to transact, theft of sensitive information, inability to perform physical function)  Once an organization identifies and qualifies risk and assets associated with their key functions, it becomes inherently easier to identify potential causes of a critically impactful incident.  Consequently , the organization will be better prepared to appropriately mitigate risks and spend security resources sensibly.
  • 5. SAV LLP Threat Landscape As per ENISA ( European Union Agency For Network and Information Security) some of the main trends in the 2018’s cyberthreat landscape are:  Mail and phishing messages.  Staff retention  Raising awareness at the level of security and executive management.  Automated attacks through novel approaches  IoT environments
  • 6. SAV LLP Is Cybersecurity an IT Problem or a Human Problem? DNA OF AN ATTACKER  Attackers are humans, with human goals  Humans are not perfect – some are good, some are bad, but they aren’t perfect  Perfection doesn’t exist in offence or defense To defend against attack, your strategy must have capabilities to detect, respond and build back up controls to prevent next steps. However it is very important to know what is mission critical and what is trivial?
  • 7. War Games Learnings from conventional war to mitigate Cyber Threat Cu Chi Tunnels in Ho Chi Minh City during Vietnam War https://www.reddit.com/r/secretcompartments/comments/82fhg3/tunnels_used_by_viet_cong_forces_during_the/
  • 8. SAV LLP Role of a CFO / Head of Finance  The CFO’s role has always ranged from a fiduciary one (a custodian preserving value) to a visionary one (an architect creating value). This role is becoming much more about strategy and the future rather than stewardship and even more about value realization and optimization.  IFAC (International Federation of Accountants) explains that a professional CFO should: 1. Be an effective organizational leader and a key member of senior management 2. Balance the responsibilities of stewardship with business partnership 3. Act as the integrator and navigator for the organization
  • 9. SAV LLP Cybersecurity – What do CFOs need to know? Planning and Management • How do we identify our critical assets and associated risks and vulnerabilities? • How do we meet our critical infrastructure operations and regulatory requirements? • What is our strategy and plan to protect our assets? • How robust are our incident response and communication plans? Assets • How do we track what digital information is leaving our organization and where that information is going? • How do we know who’s really logging into our network, and from where? • How do we control what software is running on our devices? • How do we limit the information we voluntarily make available to a cyber adversary?
  • 10. SAV LLP Cybersecurity Frameworks What is a Framework The framework is voluntary guidelines, and practices for organizations to better manage and reduce cybersecurity risk Well accepted Cybersecurity Frameworks Most frequent adopted cybersecurity frameworks are:  NIST Framework  PCI DSS (Payment Card Industry Data Security Standard),  ISO 27001/27002 (International Organization for Standardization),  CIS Critical Security Controls,  COBIT 2019  TSP 2017 (SOC2) Why adopt a security framework  Framework takes out a lot of guesswork and shows you often with supporting evidence, where to apply the pressure.  Planning and implementing a framework can help organizations understand the operational maturity level and provide matrices that will feedback into the organization.
  • 11. SAV LLP SOC SOC (Service Organization Control) Reports for outsourced services and SOC For Cybersecurity A high level introduction
  • 12. Weakest links of the Cybersecurity Chain
  • 13. SAV LLP Weakest Links of the Cybersecurity Chain Cybersecurity is a shared responsibility – people, processes, tools, and technologies work together to protect an organization's assets. Few of the common Weakest Links in cybersecurity chain are (and it is not tools) - 1. Weak tone at the top - Governance framework 2. Poor user management and access controls 3. Weak asset management 4. Lack of cyber policy 5. Lack of awareness regarding information sharing and breach reporting 6. Lack of monitoring of service providers
  • 14. The Recommended Risk Mitigation Strategies
  • 15. SAV LLP Tone at the Top - Governance Framework Governance Framework  Key initial steps  Who should be involved in the development of a cybersecurity program.  Identify known risks and established controls.  Establish a cross-organizational committee of senior executives that brings together the full range of enterprise knowledge and capabilities. This should include IT and corporate security, as well as business owners.  Leadership is key  Selecting an executive with broad cross-functional responsibilities such as the CFO or COO to lead this committee can help broader corporate adoption.  This effort should report to a specialized committee, such as the Audit or the Risk Committees, or in some cases, to the board itself. Board and Senior Management involvement The National Association of Corporate Directors (NACD) cites five cybersecurity principles for boards: 1. Cybersecurity is an enterprise-wide risk management issue, not just an IT issue 2. Legal implications of cyber risks 3. Adequate access to cybersecurity expertise, and regular discussions about cyber-risk management. 4. Establish an enterprise-wide cyber-risk management framework with adequate staffing and budget. 5. Identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
  • 16. SAV LLP User Account Management and Access Control Need to Know basis The following are recommendations for user account management and access control:  Centrally manage all user accounts e.g. Active directory, UUID.  Disable system accounts that cannot be associated with a business process and owner.  Disabling accounts upon termination of an employee or contractor  Periodic user access review  Force users to automatically re-login after a standard period of inactivity.  Require strong passwords  Limit the number of privileged accounts.  Require two-factor authentication for privileged accounts  Control access to the computer system’s audit logs.  Make cybersecurity training and awareness mandatory for all personnel
  • 17. Asset Management
    You can’t control something that you don’t know
    The following are recommendations for asset management:
    - Deploy and maintain an automated asset inventory discovery tool that will also assist the entity in building an inventory of systems connected to the organization's private and public network.
    - Use Dynamic Host Configuration Protocol (DHCP) server logging for asset inventory; it can help detect unknown systems through the DHCP lease information.
    - Ensure that the inventory system is updated when newly acquired and approved equipment connects to the network.
    - Deploy network-level authentication and Network Access Control (NAC). These services will assist in preventing unauthorized devices from connecting to the network.
    - Utilize client certificates to validate and authenticate systems prior to connecting to an organization’s network.
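    The DHCP logging recommendation above works by reconciling leases against the asset register. The following is an added example (not from the presentation or SAV LLP): it parses a constructed excerpt of ISC dhcpd syslog output, keeps only DHCPACK lines (the only ones that mean an address was actually handed out), and reports every MAC address that obtained a lease but is absent from the inventory. The log lines, host names, addresses and the MAC-keyed inventory are all constructed for the example.

```python
"""Detect unknown devices from DHCP server logs by comparing leases
against the asset inventory.

Added example (not from the presentation). The log excerpt and the
inventory are constructed; the line layout follows ISC dhcpd syslog
DHCPACK messages, and keying the asset register by MAC address is this
example's own assumption.
"""
import re

# Constructed asset inventory: MAC address -> (asset tag, description).
INVENTORY = {
    "3c:5a:b4:12:34:56": ("LT-0042", "finance laptop"),
    "00:1a:2b:3c:4d:5e": ("SRV-0007", "file server"),
    "B8:27:EB:AA:BB:CC": ("PR-0003", "3rd floor printer"),  # mixed case on purpose
}

# Constructed dhcpd syslog excerpt (dates, names and addresses are made up).
DHCP_LOG = """\
Sep  9 08:01:12 dhcp01 dhcpd: DHCPDISCOVER from 3c:5a:b4:12:34:56 via eth0
Sep  9 08:01:12 dhcp01 dhcpd: DHCPOFFER on 10.20.1.50 to 3c:5a:b4:12:34:56 (LT-0042) via eth0
Sep  9 08:01:13 dhcp01 dhcpd: DHCPACK on 10.20.1.50 to 3c:5a:b4:12:34:56 (LT-0042) via eth0
Sep  9 08:15:40 dhcp01 dhcpd: DHCPACK on 10.20.1.77 to F0:9F:C2:DE:AD:01 (android-9f2) via eth0
Sep  9 08:20:02 dhcp01 dhcpd: DHCPACK on 10.20.1.12 to 00:1a:2b:3c:4d:5e via eth0
Sep  9 09:03:55 dhcp01 dhcpd: DHCPACK on 10.20.1.90 to a4:5e:60:11:22:33 (DESKTOP-J8K2) via eth0
Sep  9 09:04:10 dhcp01 dhcpd: DHCPACK on 10.20.1.77 to f0:9f:c2:de:ad:01 (android-9f2) via eth0
Sep  9 09:30:00 dhcp01 dhcpd: DHCPNAK on 10.20.1.90 to a4:5e:60:11:22:33 via eth0
"""

# DHCPACK lines: "DHCPACK on <ip> to <mac> [(<hostname>)] via <iface>".
ACK_RE = re.compile(
    r"dhcpd: DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def parse_acks(log_text):
    """Yield (mac, ip, hostname) for every DHCPACK line; MACs are lower-cased."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m.group("mac").lower(), m.group("ip"), m.group("host") or ""


def unknown_devices(log_text, inventory=INVENTORY):
    """Map each MAC that received a lease but is not in the inventory to its
    most recent IP, the hostname it reported and the number of leases seen.

    MACs are compared case-insensitively so inventory formatting does not
    produce false positives.
    """
    known = {mac.lower() for mac in inventory}
    seen = {}
    for mac, ip, host in parse_acks(log_text):
        if mac in known:
            continue
        entry = seen.setdefault(mac, {"ip": ip, "host": host, "leases": 0})
        entry["ip"], entry["host"], entry["leases"] = ip, host, entry["leases"] + 1
    return seen


if __name__ == "__main__":
    for mac, info in unknown_devices(DHCP_LOG).items():
        print(f"UNKNOWN {mac}  ip={info['ip']}  host={info['host'] or '-'}  leases={info['leases']}")
```

    In practice the output feeds the inventory update step on the slide: each unknown MAC is either an approved device that was never registered, or a device NAC should not have let on the network. DISCOVER, OFFER and NAK lines are ignored because none of them confirms that an address was assigned.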
  • 18. Cyber Policy
    Some of the key elements of a good cyber policy:
    - Scope – all information, systems, facilities, programs, data networks, and all users of technology in the organization (both internal and external), without exception.
    - Information classification – should provide content-specific definitions, rather than more generic “confidential” or “restricted”.
    - Management goals for secure handling of information in each classification category.
    - Specific instruction on organization-wide security mandates (e.g. no sharing of passwords).
    - Specific designation of established roles and responsibilities.
    - Consequences for non-compliance (e.g. up to and including dismissal or termination of contract).
    The implementation of a policy is not a single event, but rather an iterative process revisited as business models, relationships, and technology change. Absent policy, there can be no effective governance of the cybersecurity program, as there is no clear guidance upon which to make program decisions.
  • 19. Information Sharing and Breach Reporting Requirements
    Microsoft makes the following eight recommendations for information sharing:
    1. Develop a strategy for information sharing and collaboration.
    2. Design with privacy protections in mind.
    3. Establish a meaningful governance process.
    4. Focus sharing on actionable threat, vulnerability, and mitigation information.
    5. Build interpersonal relationships.
    6. Require mandatory information sharing only in limited circumstances.
    7. Make full use of information shared, by conducting analyses on long-term trends.
    8. Encourage the sharing of best practices.
    The exchange of best practices with peer organizations can allow organizations to play a proactive role, by engaging with each other as well as external organizations.
  • 20. Vendor Risk Management
    Service Risks:
    - Volume of transactions processed
    - Concentration associated with the service
    - Sensitivity risk of the data to which the vendor could potentially have access
    - Compliance and regulatory risk related to the service
    - Customer and financial impact
    Vendor Risks:
    - Location of the vendor (subject to multinational laws, regulations, etc.)
    - Previous data or security breaches
    - Extent of outsourcing performed by the vendor
    - Performance history
    Common Deficiencies with 3rd Party Vendors:
    - Incident Response Management Plan
    - Inadequate Security Awareness
    - Data Loss Prevention
    - Encryption for data at rest and in transit
    - Administrator Privilege Lockdown
    - Vulnerability testing or penetration testing
    Common approaches to evaluating Third Party Vendors and ongoing oversight include:
    - Perform vendor evaluation as part of the RFP
    - Desk assessments to evaluate requested information
    - On-site visits as appropriate by either in-house or contracted experts
    - Penetration tests of potential vendors
    - An outside independent reporting company to continuously monitor the cyber posture of any third-party vendor and ensure it is on par with the security risk level that the evaluating organization accepts
    - A process to alert the organization of infractions or breaches, so that it can work with vendors to correct and improve their security posture
    To be successful, vendor risk management should be an element of an enterprise risk management program with established, repeatable processes in place that are consistent for all areas within the firm.
  • 21. Key Takeaways
    Adversaries will always improve their tactics to compensate for emerging security technologies. The only real defense is a layered approach, combining security products, risk management, sensible policies and procedures, proper disaster recovery planning and human expertise.
    - A sound governance framework with strong leadership is essential to effective enterprise-wide cybersecurity. Board-level and senior management-level engagement is critical to the success of firms’ cybersecurity programs, along with a clear chain of accountability.
    - A well-trained staff can serve as the first line of defense against cyber attacks. Effective training helps to reduce the likelihood of a successful attack by providing well-intentioned staff with the knowledge to avoid becoming inadvertent attack vectors (for example, by unintentionally downloading malware).
    - One size doesn’t fit all. The level of sophistication of technical controls employed by an individual firm is highly contingent on that firm’s individual situation. While a smaller firm may not be positioned to implement the included controls in their entirety, these strategies can serve a critical benchmarking function to support an understanding of vulnerabilities relative to industry standards.
    - Many organizations use third-party vendors for services, which requires vendor access to sensitive firm or client information, or access to firm systems. At the same time, the number of security incidents at companies attributed to partners and vendors has risen consistently, year on year. Firms should manage the cybersecurity risk exposures that arise from these relationships by exercising strong due diligence and developing clear performance and verification policies.
    - Cybersecurity is not only an IT problem; it is an enterprise-wide problem that requires an interdisciplinary approach and a comprehensive governance commitment to ensure that all aspects of the business are aligned to support effective cybersecurity practices. Security isn’t simply one team’s job; it’s everyone’s job. However, the security team needs to lead the effort to improve the organization’s overall security deployment.
  • 22. Summary of Best Practices
    - Tone at the top – The business itself needs to take security seriously: not just write a policy, but support the security team with a budget, people and tools.
    - Basic IT Security Foundation
      - Asset Management – What do you have, what do you value most, and where is it now? (You can’t protect it if you can’t find it.)
      - Process / Procedures
        - Access Controls – authentication, limiting administrative accounts on systems, least-privilege principle for access
        - Data Management, Change Management, Problem Management
      - Network Security – a UTM (Unified Threat Management) tool, and keep BYOD devices off the main network
      - Endpoint Security – EDR (Endpoint Detection & Response), or at least some protection against downloads, attacks and data leakage
      - Security Operations – detect, act and defend against future attacks
      - Encryption – a process of converting data into an unreadable form to prevent unauthorized access and thus ensure data protection
      - People – hire and train people to defend the network (including critical data) rather than relying solely on technology
      - System Updates – keep your systems up to date. Turn on auto-update on all devices. Remove legacy applications that are at a sunset stage and can’t be secured.
      - Control Framework – implement a critical security controls framework such as the NIST Cybersecurity Framework, PCI, COBIT or ISO 27K+
  • 23. THERE IS NO SINGLE SILVER BULLET FOR CYBER THREAT
    Thank You
    PRESENTER – SANJAY CHADHA CPA, CA, LPA, CISA, CITP
    SAV LLP CHARTERED PROFESSIONAL ACCOUNTANTS
    HULLMARK CENTRE AT YONGE AND SHEPPARD
    3M-4773 YONGE STREET, TORONTO, ON, M2N 0G2
    TEL: 647.831.8322, 416.822.8570
    EMAIL: [email protected]