Presentation
Five Questions Every CEO Should Ask the IT Guy
Chief Executive Officers of Rhode Island
October 1, 2015
www.JackHampton.com

Cyber Risk
A recently coined term to identify insurable and non-insurable exposures that arise from technology:
• Supporting business operations.
• Delivering business products or services.

Cyber Risk
An intangible insurable and non-insurable exposure that arises from technology:
• Loss of data.
• Interruption to delivery of products or services.
• Failures to support business operations.
• Destruction of assets.

Insurable Cyber Risks
Information Loss. Stolen social security numbers, health care records, or user passwords.
Financial Loss. Stolen bank account or credit card numbers or other information.
Operational Loss. Hackers shutting down, altering, or destroying operations or damaging business support systems.

Information Loss (1)
Stolen social security numbers.
• Proof of identification.
• IRS and military.
Health care records.
• Expensive drugs.
• Restricted drugs.
• Medical devices.

Information Loss (2)
June 2012.
• Internet operation.
• 50,000 stolen credit cards and personal data.
• Hacking tools for banks and hotels.
• 24 people arrested.
• U.S., UK, Bosnia, Bulgaria, Norway, Germany.

Financial Loss (1)
Operation High Roller (Netherlands 2012)
• 60 banks.
• 74 million dollars.
• Commercial firms and private individuals.
• €500 to €100,000 per transaction.
• Money sent to "mule" accounts.*
*(Email addresses to maintain privacy while transacting business on the Internet)

Financial Loss (2)
"Apple call-in" scheme.
• Steal credit card information.
• Use social engineering skills.
• Fraudulently obtain replacement products from Apple.
• Sell the products.

A Few Cyber Attacks
Target Store: 45-70 million customers.
Neiman Marcus: 350,000 customers; 9,000 used.
Yahoo! Mail: 280 million users, multiple hacks.
AT&T: Data stolen by authorized user.
eBay: 200 million told to change passwords.
P.F. Chang's: Lost credit card information.
Home Depot: 56 million shoppers, 2,300 stores.
Google: 5 million Gmail names & passwords.
Apple iCloud: Celebrity photos posted online.

Operational Loss
• Destruction of business support systems.
• Replacement costs.
• Upgrade costs.
• Business disruption costs.
• Aon Corporation (2001) World Trade Center.

Is it News?
Cyber Attacks (2011)
• 855 successful data-breach incidents.
• 174 million records stolen.
• 81% of attacks by hacking.
• 69% used special software (malware).
• 97% would have easily been stopped with simple controls.

Did the Government Know about it?
U.S. Government Activity (2011). The FBI:
• Identified 400,000 stolen credit cards.
• Avoided economic losses of $205 million.
• Notified 47 companies, government entities, and educational institutions of unauthorized entry into systems.

Did we know about it?
Lack of Risk Management (2011)
• 94% of attacks involved servers.
• 92% were discovered by third parties.
• 85% took weeks or more to discover.
• 79% were targets of opportunity, not prior targets identified for attack.

So what do we do about it?
Risk matrix (severity on the vertical axis, frequency on the horizontal axis):

                    Low frequency             High frequency
High severity       Reduce it, Transfer it    Avoid it, Reduce it
Low severity        Retain it, Reduce it      Retain it

Another way to look at it
Reduce for all.
• Low frequency, high severity: Transfer.
• Low frequency, low severity: Retain.
• High frequency, high severity: Avoid.
• High frequency, low severity: Retain.

Plus we ask a question
Which of the following describes cyber risk?
• Is it Risk? That which can be seen or for which we have evidence.
• Is it Uncertainty? That which is largely unknown.

Another Question
What do we want to know about our own cyber risk?

Table Discussions
Let's Develop Some Questions

Resume
Let's Share the Questions

Conclusion
Speaker Summary and Handout

Jack's Question #1
What are we doing to protect ourselves from hackers that are motivated to damage or destroy our physical assets?
• What motivates them?
• How can they do damage?
• What are we currently doing to protect ourselves?
• What can we do better?

Jack's Question #2
What are we doing to protect ourselves from rogue employees and others with access to our IT system and communications?
• Who is authorized to access data?
• Who can change data?
• Who can share data?
• How do we decide who is authorized?
• What can we do better?

Jack's Question #3
What are we doing to protect the proprietary intellectual property embedded in our business practices?
• How do we identify it?
• Where do we keep it?
• Who has access to it?
• Who can share it?
• How do we safeguard it?
• What can we do better?

Jack's Question #4
What are we doing to improve the processing of daily transactions?
• What can we do to make it more timely?
• To make it more accurate?
• To reduce the cost?
• To protect the data?
• To safeguard the data?
• What can we do better?

Jack's Question #5
What are the biggest weaknesses in our IT system?
• Do we agree on what they are?
• How can we correct them?
• How long will it take?
• What will it cost?
• Who can get it done?
• What is a point of entry to start?

From Chris Mandel, RF, ARM-E, SVP, Strategic Solutions, Sedgwick, Inc.
Have you:
• Assessed Social Media/Cyber vulnerabilities beyond reputation risk?
• Expanded existing risk governance structures & activities to include Social Media/Cyber Risk?
• Established advanced Social Media/Cyber monitoring tools and technologies?
• Enhanced existing performance management to analyze and act on cyber risk monitoring metrics?
• Designed & deployed a more Cyber risk aware culture?

From Lance J. Ewing, ARM, CRM, ERMP, AIG Hospitality, Leisure, & Real Estate Groups Leader
• Have we used penetration testing both online and in the real world?
• Have we chunked our sensitive data so that no one person or laptop has it all in one place?
• Are we using honeypots related to hackers?
• Have you reviewed the Wyndham cyber issues that involved the parent company, their franchisees, and the Federal government?

Penetration Testing
We simulate cyber attacks to find security weaknesses in technology. Used on networks, operating systems, and software applications. Evaluate hacking defenses.

Question to Lance Ewing
On Penetration Testing: Should companies always bring in outside security firms to do penetration testing for them?

Answer from Lance Ewing
On Penetration Testing: Internal resources may assist with penetration, but a prophet is not welcome until an outside organization validates the suggestion.

Chunking Data
Chunked transfer encoding speeds up data transfer and protects it from hackers.
• The size of each chunk is sent right before the chunk itself.
• Code separates chunk size from the chunk.
• Chunk length zero ends the transmission.

"Hi Lance Thank you Jack"
8 characters for "Hi Lance", 9 for "Thank you", 4 for "Jack", zero to end.
• 8\a\b
• Hi Lance\a\b
• 9\a\b
• Thank you\a\b
• 4\a\b
• Jack\a\b
• 0\a\b

Question to Lance Ewing
On chunking data: How do I respond if a CEO says the question on chunking data is a CIO, not a CEO, question?

Answer from Lance Ewing
On chunking data: It will be the CEO answering the question on the stand when the lawsuit happens.
...ask the CEO of Target who was there.
CEO needs to know the answer to that question and had better get it in writing.

Conclusion (1)
How can a company remove all worry from dealing with cyber risk?

Conclusion (2)
Remove all worry? Cannot answer. Time is up.
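As an added example that is not part of the slide deck, the decoder below reads the chunk stream from the "Chunking Data" slide ("Hi Lance", "Thank you", "Jack", then a zero-length chunk) using only the declared sizes, and rejects a stream that is truncated or malformed; it assumes the CRLF line ending and hexadecimal chunk sizes that HTTP chunked transfer encoding uses (RFC 7230), rendering the slide's \a\b marks as CRLF.

```python
# Added example, not from the slides: decode and encode the chunked format
# described on the "Chunking Data" slide. Each chunk is preceded by a line
# holding its size; a size of zero ends the transmission.
# Assumptions: CRLF line endings and hexadecimal sizes, as in HTTP chunked
# transfer encoding (RFC 7230). The slide's "\a\b" marks are taken as CRLF.

CRLF = b"\r\n"


class ChunkError(ValueError):
    """Raised when the stream does not follow the chunked format."""


def decode_chunked(stream: bytes) -> bytes:
    """Return the reassembled body; raise ChunkError on malformed input."""
    body = bytearray()
    pos = 0
    while True:
        # 1. The size line comes right before the chunk it describes.
        end = stream.find(CRLF, pos)
        if end == -1:
            raise ChunkError("missing CRLF after chunk size")
        size_field = stream[pos:end].split(b";", 1)[0].strip()  # drop extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ChunkError(f"bad chunk size {size_field!r}") from None
        pos = end + len(CRLF)
        # 2. A zero-length chunk terminates the message.
        if size == 0:
            return bytes(body)
        # 3. Take exactly `size` bytes (never scan for a delimiter), then
        #    require the CRLF that must follow the chunk data.
        chunk = stream[pos:pos + size]
        if len(chunk) != size:
            raise ChunkError("stream ended inside a chunk")
        pos += size
        if stream[pos:pos + len(CRLF)] != CRLF:
            raise ChunkError("chunk data not followed by CRLF")
        pos += len(CRLF)
        body.extend(chunk)


def encode_chunked(pieces) -> bytes:
    """Produce a chunked stream: hex size, CRLF, data, CRLF, ..., '0', CRLF, CRLF."""
    out = bytearray()
    for piece in pieces:
        out += f"{len(piece):x}".encode() + CRLF + piece + CRLF
    return bytes(out + b"0" + CRLF + CRLF)


# Constructed sample: the slide's "Hi Lance / Thank you / Jack" stream.
SLIDE_STREAM = b"8\r\nHi Lance\r\n9\r\nThank you\r\n4\r\nJack\r\n0\r\n\r\n"

if __name__ == "__main__":
    print(decode_chunked(SLIDE_STREAM))  # b'Hi LanceThank youJack'
```

The receiver trusts the declared size and nothing else, so a chunk whose data is shorter than announced is refused rather than silently joined with whatever follows.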