Presentation Five Questions Every CEO Should Ask the IT Guy Chief Executive Officers Of Rhode Island...

Date post: 12-Jan-2016
Upload: daniel-henderson
Transcript
Page 1: Presentation Five Questions Every CEO Should Ask the IT Guy, Chief Executive Officers Of Rhode Island, October 1, 2015

Presentation

Five Questions Every CEO

Should Ask the IT Guy

Chief Executive Officers

Of Rhode Island

October 1, 2015

www.JackHampton.com

Page 2

Cyber Risk

A recently-coined term to identify insurable and non-insurable exposures that arise from technology:

• Supporting business operations.

• Delivering business products or services.

Page 3

Cyber Risk

An intangible insurable and non-insurable exposure that arises from technology:

• Loss of data.

• Interruption to delivery of products or services.

• Failures to support business operations.

• Destruction of assets.

Page 4

Insurable Cyber Risks

Information Loss. Stolen social security numbers, health care records, or user passwords.

Financial Loss. Stolen bank account or credit card numbers or other information.

Operational Loss. Hackers shutting down, altering, or destroying operations or damaging business support systems.

Page 5

Information Loss (1)

Stolen social security numbers.

• Proof of Identification.

• IRS and Military.

Health care records.

• Expensive drugs.

• Restricted drugs.

• Medical devices.

Page 6

Information Loss (2)

June 2012.

• Internet operation.

• 50,000 stolen credit cards and personal data.

• Hacking tools for banks and hotels.

• 24 people arrested.

• U.S., UK, Bosnia, Bulgaria, Norway, Germany.

Page 7

Financial Loss (1)

Operation High Roller (Netherlands 2012)

• 60 banks.

• 74 million dollars.

• Commercial firms and private individuals.

• €500 to €100,000 per transaction.

• Money sent to "mule" accounts.*

*(Email addresses to maintain privacy while transacting business on the Internet)

Page 8

Financial Loss (2)

"Apple call-in" scheme.

• Steal credit card information.

• Use social engineering skills.

• Fraudulently obtain replacement products from Apple.

• Sell the products.

Page 9

A Few Cyber Attacks

Target Store: 45-70 million customers.

Neiman Marcus: 350,000 customers, 9,000 used.

Yahoo! Mail: 280 million users, multiple hacks.

AT&T: Data stolen by an authorized user.

eBay: 200 million told to change passwords.

P.F. Chang's: Lost credit card information.

Home Depot: 56 million shoppers, 2,300 stores.

Google: 5 million Gmail names & passwords.

Apple iCloud: Celebrity photos posted online.

Page 10

Operational Loss

• Destruction of business support systems.

• Replacement costs.

• Upgrade costs.

• Business disruption costs.

• Aon Corporation (2001) World Trade Center.

Page 11

Is it News?

Cyber Attacks (2011)

• 855 successful data-breach incidents.

• 174 million records stolen.

• 81% of attacks by hacking.

• 69% used special software (malware).

• 97% would have easily been stopped with simple controls.

Page 12

Did the Government Know about it?

U.S. Government Activity (2011).

The FBI:

• Identified 400,000 stolen credit cards.

• Avoided economic losses of $205 million.

• Notified 47 companies, government entities, and educational institutions of unauthorized entry into systems.

Page 13

Did we know about it?

Lack of Risk Management (2011)

• 94% of attacks involved servers.

• 92% were discovered by third parties.

• 85% took weeks or more to discover.

• 79% were targets of opportunity, not prior targets identified for attack.

Page 14

So what do we do about it?

Severity (Low to High) against Frequency (Low to High):

• High severity, low frequency: Reduce it, Transfer it.

• High severity, high frequency: Avoid it.

• Low severity, low frequency: Reduce it, Retain it.

• Low severity, high frequency: Reduce it, Retain it.

Page 15

Another way to look at it

Reduce for all.

Low frequency, high severity. Transfer

Low frequency, low severity. Retain

High frequency, high severity. Avoid

High frequency, low severity. Retain

Page 16

Plus we ask a question

Which of the following describes cyber risk?

• Is it Risk? That which can be seen or for which we have evidence.

• Is it Uncertainty? That which is largely unknown.

Page 17

Another Question

What do we want to know about our own cyber risk?

Page 18

Table Discussions

Let’s Develop Some Questions

Page 19

Resume

Let’s Share the Questions

Page 20

Conclusion

Speaker Summary

and

Handout

Page 21

Jack's Question #1

What are we doing to protect ourselves from hackers that are motivated to damage or destroy our physical assets?

• What motivates them?

• How can they do damage?

• What are we currently doing to protect ourselves?

• What can we do better?

Page 22

Jack's Question #2

What are we doing to protect ourselves from rogue employees and others with access to our IT system and communications?

• Who is authorized to access data?

• Who can change data?

• Who can share data?

• How do we decide who is authorized?

• What can we do better?

Page 23

Jack's Question #3

What are we doing to protect the proprietary intellectual property embedded in our business practices?

• How do we identify it?

• Where do we keep it?

• Who has access to it?

• Who can share it?

• How do we safeguard it?

• What can we do better?

Page 24

Jack's Question #4

What are we doing to improve the processing of daily transactions?

• What can we do to make it more timely?

• To make it more accurate?

• To reduce the cost?

• To protect the data?

• To safeguard the data?

• What can we do better?

Page 25

Jack's Question #5

What are the biggest weaknesses in our IT system?

• Do we agree on what they are?

• How can we correct them?

• How long will it take?

• What will it cost?

• Who can get it done?

• What is a point of entry to start?

Page 26

From Chris Mandel, RF, ARM-E, SVP, Strategic Solutions, Sedgwick, Inc.

Have you:

• Assessed Social Media/Cyber vulnerabilities beyond reputation risk?

• Expanded existing risk governance structures & activities to include Social Media/Cyber Risk?

• Established advanced Social Media/Cyber monitoring tools and technologies?

• Enhanced existing performance management to analyze and act on cyber risk monitoring metrics?

• Designed & deployed a more Cyber risk aware culture?

Page 27

From Lance J. Ewing, ARM, CRM, ERMP, AIG Hospitality, Leisure, & Real Estate Groups Leader

• Have we used penetration testing both on line and in the real world?

• Have we chunked our sensitive data so that no one person or laptop has it all in one place?

• Are we using honeypots related to hackers?

• Have you reviewed the Wyndham cyber issues that involved the parent company, their franchisees, and the Federal government?

 

Page 28

Penetration Testing

We simulate cyber attacks to find security weaknesses in technology.

Used on networks, operating systems, and software applications.

Evaluate hacking defenses.

Page 29

Question to Lance Ewing

On Penetration Testing:

Should companies always bring in outside security firms to do penetration testing for them?

Page 30

Answer from Lance Ewing

On Penetration Testing:

Internal resources may assist with penetration, but a prophet is not welcome until an outside organization validates the suggestion.

Page 31

Chunking Data

Chunked transfer encoding speeds up data transfer and protects it from hackers. 

• The size of each chunk is sent right before the chunk itself.

• Code separates chunk size from the chunk.

• Chunk length zero ends the transmission.

 

Page 32

"Hi Lance Thank you Jack"

8 characters for "Hi Lance", 9 for "Thank you", 4 for "Jack", zero to end. Each chunk size and each chunk is sent on its own line:

• 8

• Hi Lance

• 9

• Thank you

• 4

• Jack

• 0
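An added example, not part of the presentation: an encoder and a strict decoder for the framing the slides describe (size line, chunk, repeat, zero ends it), run over the slide's own message. It assumes HTTP's conventions, which the slide does not spell out: a CRLF line terminator and hexadecimal size lines (RFC 7230); the function names `encode_chunked` and `decode_chunked` are the example's own. The decoder rejects a cut-off stream, a non-numeric size, or a body larger than a caller-set limit instead of accepting it silently.

```python
from typing import List, Tuple

# Assumed line terminator: CRLF, as in HTTP chunked transfer encoding (RFC 7230).
# The slide only shows an escape sequence after each line, so this is an assumption.
CRLF = b"\r\n"

# The slide's message, split the way the slide splits it (constructed sample input).
SLIDE_PARTS = [b"Hi Lance", b"Thank you", b"Jack"]


def encode_chunked(parts: List[bytes]) -> bytes:
    """Frame each part as <hex size>CRLF<bytes>CRLF, then send the 0 terminator."""
    out = bytearray()
    for part in parts:
        out += f"{len(part):x}".encode("ascii") + CRLF + part + CRLF
    out += b"0" + CRLF + CRLF
    return bytes(out)


def decode_chunked(data: bytes, max_total: int = 1 << 20) -> Tuple[List[bytes], bytes]:
    """Return (chunks, bytes left after the terminator); raise ValueError on a
    malformed size line, a truncated chunk, or a body larger than max_total."""
    chunks: List[bytes] = []
    pos = total = 0
    while True:
        end = data.find(CRLF, pos)
        if end < 0:
            raise ValueError("missing chunk-size line")
        size_field = data[pos:end].split(b";", 1)[0].strip()  # ignore chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError(f"bad chunk size {size_field!r}") from None
        pos = end + len(CRLF)
        if size == 0:
            # Last chunk: skip optional trailer lines up to the empty line.
            while True:
                end = data.find(CRLF, pos)
                if end < 0:
                    raise ValueError("missing final CRLF")
                line, pos = data[pos:end], end + len(CRLF)
                if not line:
                    return chunks, data[pos:]
        total += size
        if total > max_total:
            raise ValueError("decoded body exceeds max_total")
        chunk = data[pos:pos + size]
        if len(chunk) < size or data[pos + size:pos + size + len(CRLF)] != CRLF:
            raise ValueError("truncated chunk")
        chunks.append(chunk)
        pos += size + len(CRLF)
```

`decode_chunked(encode_chunked(SLIDE_PARTS))` gives back the three parts of the slide's message and an empty remainder.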

Page 33

Question to Lance Ewing

On chunking data:

How do I respond if a CEO says the question on chunking data is a CIO, not a CEO, question?

Page 34

Answer from Lance Ewing (1)

On chunking data:

It will be the CEO answering the question on the stand when the lawsuit happens.

Page 35

Answer from Lance Ewing (2)

On chunking data:


...ask the CEO of Target who was there.

Page 36

Answer from Lance Ewing (3)

On chunking data:


CEO needs to know the answer to that question and had better get it in writing.

Page 37

Conclusion (1)

How can a company remove all worry from dealing with cyber risk?

Page 38

Conclusion (2)

Remove all worry? Cannot answer. Time is up.
