Cybersecurity

Presenter: Ron Jimerson, Chief Information Security Officer, City of Tacoma

https://www.youtube.com/watch?v=PPlgvSL00fA

2 April, 2017 Cybersecurity

AGENDA

- Cybersecurity Overview

- Threat Landscape

- Trends

- Breaches

- Executive Oversight

- Strategies

- Resources

Cybersecurity Overview

Cybersecurity is the application of concepts, tools, and process to protect information resources.

Focus: Availability, Integrity, Confidentiality

Concentration: Risks, Threats, Vulnerabilities

- Cyber crime is now more lucrative than the drug trade
- 93% of all the money in the world is digital

Threat Landscape

1. Weaponized IoT – cars, TVs, medical devices, and more

2. Trend Micro is predicting a 25% growth in

3. Attacks on mobile devices

4. Business Email Compromise (BEC): sophisticated scam targeting businesses that regularly perform wire transfer payments

5. The cyber black market has evolved: drug cartels, mafias, terrorist cells and nation-states

Trends

Lost/Stolen Records:

- Every Day: 1,358,671
- Every Hour: 56,611
- Every Minute: 943
- Every Second: 16

28,070: Number of attacks the average US company had in 2015

38%: Increase in number of security incidents from 2014 to 2015

What's the common thread in most if not all breaches? Compromised accounts and credentials of privileged users. Social Engineering.

73%: Finance professionals who reported their company fell victim to payment fraud in 2015

$3.79M: Average cost of a data breach

Trends

• 89% of breaches had a financial or espionage motive

• 63% of confirmed breaches involved leveraging weak, default or stolen passwords

• 30% of messages were opened in 2015, and 12% of targets clicked on the malicious attachment or link

• 19% of treasurers list cybersecurity as a critical concern and 45% of CFOs name cybersecurity as a priority (PwC Global Treasury Benchmark Survey 2017)

Trends

Source: IT Security Risks Report 2016, data for North American region

Notable Breaches in 2016

Breaches: 2016 far worse than 2015

Yahoo broke the record for the largest hack in history—twice

Ransomware hit nearly half of all U.S. businesses

Dyn DNS DDoS (DNS attack) took down access to major sites such as , GitHub, and Netflix

“Cozy Bear” and “ ” actors associated with Russian intelligence linked to compromises of Pentagon, White House, DNC, NATO

NSA hack: Exploit tools for infecting enterprise firewalls were stolen and widely distributed

Local Incidents

MultiCare: Exposed 1,200 patient records

Boeing: 36,000 employee data breach after email to spouse for help

Olympia School District breach from “spoofed” email address

Data Breach Cost

Estimating the average financial impact of a data breach (SMB)

Data Breach Cost

Estimating the average financial impact of a data breach (Enterprise)

Executive Oversight

Risk Mindset

- There is no such thing as perfect protection, and the organization cannot buy its way out of this problem.

- Business leaders have written off cybersecurity as a technical problem, handled by technical people, buried in IT.

- Checkbox thinking is still the predominant mindset.

- Executive leadership does not fully understand the risks they sign off on, and we do not effectively link risk to business outcomes.

- New delivery models to protect (cloud, mobile, IoT, OT):

Strategy

Drivers: Policy, Executive Leadership, Protocols, Tools

Safeguards: Ability to Prevent, Detect, and Mitigate Effects of a Breach

Measure influence of Drivers on Ability to Prevent, Detect, and Mitigate Effects of a Breach

Measure influence of Ability to Prevent, Detect, and Mitigate Effects of a Breach on Risk

Strategy

What should Treasurers do about cybersecurity?

Treasurers face significant obstacles in implementing effective cybersecurity and payment fraud prevention measures:

1. Reduce inherent exposure profile

2. Establish a well-controlled environment

3. Monitor on an ongoing basis

4. Educate staff

5. Prepare for an incident

https://www.pwc.com/us/en/risk-management/assets/pwc-cybersecurity-and-payment-fraud-the-challenge-for-treasury.pdf

Resources

Department of Homeland Security

Multi-State Information Sharing and Analysis Center (MS-ISAC)

SANS Institute

Washington State Auditor’s Office

American Institute of CPAs (AICPA)

National Institute of Standards and Technology (NIST) Cybersecurity Resource Center

PwC | United States

Questions

Sources

https://financetreasury.com.au/february-edition-of-the-exchange/

https://business.kaspersky.com/security_risks_report_financial_impact/

https://hosteddocs.ittoolbox.com/Kaspersky-Lab-Report_IT-Security-Perception_NA_final_web.pdf

http://www.aicpa.org/INTERESTAREAS/FRC/ASSURANCEADVISORYSERVICES/Pages/cyber-security-resource-center.aspx

http://www.pwc.com/gx/en/information-security-survey/assets/gsiss-report-cybersecurity-privacy-safeguards.pdf
