Cybersecurity Academies roundtable Tina Allison Audit Tax Advisory
What is cybersecurity?
Cybersecurity can be defined as the protection of information assets by addressing threats to information that is processed, stored and transported by information systems connected to the internet. By implication, if a business closed every opening into its IT network (no email, no internet traffic) it would shut out most external cyber attacks; this is obviously not an option for a modern business, so the task is to manage the exposure those openings create rather than to remove it.
The risks are known but appropriate action is still not being taken
Institute of Internal Auditors (IIA) survey: when asked "How would you characterise the board's perception of cybersecurity risks over the last one to two years?", more than 65% of board of director respondents indicated that cybersecurity risks were at a high level or had increased. However, when asked "How involved was the board during the last fiscal year in regard to specific action or requests on cybersecurity preparedness?", only 14% responded that they were actively involved. In the same survey, 58% of respondents said that they should be actively involved in cybersecurity matters. Perceived risk is high, stated intent is high, but actual board engagement lags well behind both.
Who are the cybercriminals?
Corporations: attempting to gain a competitive advantage.
Nation states: usually targeting government and private entities.
Hacktivists: target specific organisations for ideological ends.
Cyberterrorists: usually target infrastructure and governments.
Cybercriminals: usually carry out fraudulent financial transactions, motivated by profit.
Cyber warriors: similar to hacktivists but nationally motivated.
Script kiddies: usually young individuals who learn to hack from information or scripts they find on the internet.
Online social hackers: involved in social engineering, cyberbullying, identity theft and collection of confidential information.
Employees: dissatisfied current or former employees, typically using low-tech methods and tools.
The most common cyber risks?
Rather than listing every type of cyber attack, it is more useful to categorise them by their general cause or effect.
Adding malicious code: inserting bad code into good code so as to gain access or cause disruption, e.g. viruses, Trojans, website infections.
Exploiting software imperfections: vulnerabilities in software that the manufacturer may or may not be aware of, e.g. backdoors, missing or out-of-date patches, website code vulnerabilities.
Volume attacks: denial of service attacks, e.g. botnets and brute-force attacks that disrupt company services by the sheer volume of traffic or attempts.
Surveillance: e.g. spyware and keylogging, used to gain intelligence on vulnerabilities or to obtain privileged information.
Human element: taking advantage of human weaknesses, e.g. social engineering or identity theft.
Interception: intercepting data or communications in transit (via email, the network or the internet) and reading or tampering with them.
The scale of the cybersecurity risk for charities?
Certain characteristics may put charities at particular risk.
Cash rich: they often hold a high level of funds or receive high-profile donations.
Easy target: they may not devote the same level of resources to IT as corporates. Charity workers often use their own devices, which may be insecure, and workers may be volunteers and so are more difficult to control.
Personal data: charities need to store personal data. This can be misused for identity theft, spamming, junk mailing and selling details on for personal gain. The personal data held could include that of famous benefactors.
Malicious intent: most cyber attacks are not done for profit, and some attackers perversely prefer to target organisations pledged to carry out good deeds rather than commercial ones.
Strategy for tackling cybersecurity
Enterprise wide: approach cybersecurity as an enterprise-wide issue rather than just an IT one.
Expertise/resources: cybersecurity may require expertise and resources not currently available within the organisation.
Board level: decisions need to be taken at board level to ensure there are adequate personnel and budget to implement effective cybersecurity.
Risk management: identify which cyber risks to avoid, accept, mitigate or transfer (e.g. through insurance).
Legal implications: organisations need to explicitly consider the legal consequences of failing to stop cyber attacks.
Old methods still work
Cybersecurity has been a hot topic in recent years, but traditional IT controls are still effective against these threats.
IT network: understand the layout of the network and where its weak points are.
Internet: firewalls, penetration testing, internet traffic monitoring.
Email: anti-spam software, email monitoring, anti-virus.
Patching: ensure all key systems are up to date on security patches.
Users: user security awareness training.
Follow us on: @crowecw Crowe Clark Whitehill LLP is a member of Crowe Horwath International, a Swiss verein (Crowe Horwath). Each member firm of Crowe Horwath is a separate and independent legal entity. Crowe Clark Whitehill LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath or any other member of Crowe Horwath and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath or any other Crowe Horwath member. 2015 Crowe Clark Whitehill LLP This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organisation from qualified advisors in your jurisdiction. Crowe Clark Whitehill LLP is registered to carry on audit work in the UK by the Institute of Chartered Accountants in England and Wales and is authorised and regulated by the Financial Conduct Authority.