Cybersecurity Academies roundtable Tina Allison



Cybersecurity Academies roundtable Tina Allison Audit Tax Advisory

What is cybersecurity?

Cybersecurity can be defined as the protection of information assets by addressing threats to information processed, stored and transported by information systems connected to the internet. By implication, if a business closed all of the openings to its IT network (e.g. no email or internet traffic) it would protect itself from cyber attacks; however, this is obviously not an option for modern-day businesses.

The risks are known but appropriate action is still not being taken

Institute of Internal Auditors (IIA) survey: when asked "How would you characterise the board's perception of cybersecurity risks over the last one to two years?", more than 65% of board of director respondents indicated that the cybersecurity risks were at a high level or had increased. However, when asked "How involved was the board during the last fiscal year in regard to specific action or requests on cybersecurity preparedness?", only 14% responded that they were actively involved in cybersecurity preparedness. Yet in the same survey, 58% of the respondents said that they should be actively involved in cybersecurity matters.

Who are the cybercriminals?

- Corporations - attempting to gain a competitive advantage.
- Nation states - usually targeting government and private entities.
- Hacktivists - target specific organisations for ideological ends.
- Cyberterrorists - usually target infrastructures and governments.
- Cybercriminals - usually carry out fraudulent financial transactions, motivated by the desire for profit.
- Cyber warriors - similar to hacktivists but nationally motivated.
- Script kiddies - usually young individuals who learn to hack from information or scripts they find on the internet.
- Online social hackers - involved in social engineering, cyberbullying, identity theft and collection of confidential information.
- Employees - typically low-tech methods and tools; dissatisfied current or former employees.

The most common cyber risks?

Rather than listing all the different types of cyber attack, it is perhaps more useful to categorise them according to their general effect or cause.

- Adding malicious code: adding bad code to good code so as to gain access or disrupt, e.g. viruses, Trojans, website infections.
- Exploiting software imperfections: vulnerabilities in software that the software manufacturers may or may not be aware of, e.g. backdoors, out-of-date patches, website code vulnerabilities.
- Volume attacks: denial of service attacks, e.g. botnets and brute force attacks that disrupt company services by the sheer volume of the attack.
- Surveillance: e.g. spyware and keylogging, used to gain intelligence on vulnerabilities or obtain privileged information.
- Human element: taking advantage of human weaknesses, e.g. social engineering or identity theft.
- Interception: intercepting data or communications in transit (e.g. via email, the network or the internet) and interfering with them.

The scale of the cybersecurity risk for charities?

There are certain characteristics which may put charities at risk.

- Cash rich - they often hold a high level of funds or receive high-profile donations.
- Easy target - they may not devote the same level of resources to IT as corporates. Charity workers often use their own devices, which may be insecure. Workers may be volunteers and so are more difficult to control.
- Personal data - charities need to store personal data. This can be misused in carrying out identity theft, spamming, junk mailing and selling details on for personal gain. Personal data could include that of famous benefactors.
- Malicious - most cyber attacks are not done for profit. Some attackers perversely prefer to target organisations who are pledged to carry out good deeds rather than attack commercial ones.

Strategy for tackling cybersecurity

- Enterprise wide: approach cybersecurity as an enterprise-wide issue rather than just an IT one.
- Expertise/resources: cybersecurity may require expertise and resources not currently available within the organisation.
- Board level: decisions need to be taken at board level to ensure that there are adequate personnel and budget to implement effective cybersecurity.
- Risk management: identify which cyber risks to avoid, accept, mitigate or transfer (e.g. through insurance).
- Legal implications: organisations need to explicitly consider the legal implications of failing to stop cyber attacks.

Old methods still work

Cybersecurity has been a hot topic in recent years, but traditional IT controls are still effective in protecting against these threats.

- IT network: understand the layout of the network and its weak points.
- Internet: firewalls, penetration testing, internet traffic monitoring.
- Email: anti-spam software, email monitoring, anti-virus.
- Patching: ensure all key systems are up to date on security patches.
- Users: user security awareness training.

Follow us on: @crowecw

Crowe Clark Whitehill LLP is a member of Crowe Horwath International, a Swiss verein (Crowe Horwath). Each member firm of Crowe Horwath is a separate and independent legal entity. Crowe Clark Whitehill LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath or any other member of Crowe Horwath and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath or any other Crowe Horwath member. 2015 Crowe Clark Whitehill LLP. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organisation from qualified advisors in your jurisdiction. Crowe Clark Whitehill LLP is registered to carry on audit work in the UK by the Institute of Chartered Accountants in England and Wales and is authorised and regulated by the Financial Conduct Authority.