Cyber Risk

Presentation
Five Questions Every CEO
Should Ask the IT Guy
Chief Executive Officers
Of Rhode Island
October 1, 2015
www.JackHampton.com
Cyber Risk
A recently-coined term to identify insurable
and non-insurable exposures that arise
from technology:
• Supporting business operations.
• Delivering business products or services.
Cyber Risk
An intangible insurable and non-insurable
exposure that arises from technology:
• Loss of data.
• Interruption to delivery of products or
services.
• Failures to support business operations.
• Destruction of assets.
Insurable Cyber Risks
Information Loss. Stolen social security
numbers, health care records, or user
passwords.
Financial Loss. Stolen bank account or
credit card numbers or other information.
Operational Loss. Hackers shutting down,
altering, or destroying operations or
damaging business support systems.
Information Loss (1)
Stolen social security numbers.
• Proof of Identification.
• IRS and Military.
Health care records.
• Expensive drugs.
• Restricted drugs.
• Medical devices.
Information Loss (2)
June 2012.
• Internet operation.
• 50,000 stolen credit cards and personal
data.
• Hacking tools for banks and hotels.
• 24 people arrested.
• U.S., UK, Bosnia, Bulgaria, Norway,
Germany.
Financial Loss (1)
Operation High Roller (Netherlands 2012)
• 60 banks.
• 74 million dollars.
• Commercial firms and private individuals.
• €500 to €100,000 per transaction.
• Money sent to “mule” accounts.*
*(Email addresses to maintain privacy while
transacting business on the Internet)
Financial Loss (2)
"Apple call-in" scheme.
• Steal credit card information.
• Use social engineering skills.
• Fraudulently obtain replacement products
from Apple.
• Sell the products.
A Few Cyber Attacks
Target Store: 45-70 million customers.
Neiman Marcus: 350,000 customers; 9,000 used.
Yahoo! Mail: 280 million users, multiple hacks.
AT&T: Data stolen by authorized user.
eBay: 200 million told to change passwords.
P.F. Chang: Lost credit card information.
Home Depot: 56 million shoppers, 2,300 stores.
Google: 5 million Gmail names & passwords.
Apple iCloud: Celebrity photos posted online.
Operational Loss
• Destruction of business support systems.
• Replacement costs.
• Upgrade costs.
• Business disruption costs.
• Aon Corporation (2001) World Trade Center.
Is it News?
Cyber Attacks (2011)
• 855 successful data-breach incidents.
• 174 million records stolen.
• 81% of attacks by hacking.
• 69% used special software (malware).
• 97% would have easily been stopped with
simple controls.
Did the Government Know about it?
U.S. Government Activity (2011).
The FBI:
• Identified 400,000 stolen credit cards.
• Avoided economic losses of $205 million.
• Notified 47 companies, government
entities, and educational institutions of
unauthorized entry into systems.
Did we know about it?
Lack of Risk Management (2011)
• 94% of attacks involved servers.
• 92% were discovered by third parties.
• 85% took weeks or more to discover.
• 79% were targets of opportunity, not prior
targets identified for attack.
So what do we do about it?
Risk matrix: severity (low to high) against frequency (low to high).
• High severity, low frequency: Reduce it / Transfer it.
• High severity, high frequency: Reduce it / Avoid it.
• Low severity, low frequency: Reduce it / Retain it.
• Low severity, high frequency: Reduce it / Retain it.
Another way to look at it
Reduce for all.
• Low frequency, high severity: Transfer.
• Low frequency, low severity: Retain.
• High frequency, high severity: Avoid.
• High frequency, low severity: Retain.
Plus we ask a question
Which of the following describes cyber risk?
• Is it Risk? That which can be seen or for
which we have evidence.
• Is it Uncertainty? That which is largely
unknown.
Another Question
What do we want to know about our own
cyber risk?
Table Discussions
Let’s Develop Some Questions
Resume
Let’s Share the Questions
Conclusion
Speaker Summary
and
Handout
Jack's Question #1
What are we doing to protect ourselves
from hackers that are motivated to
damage or destroy our physical
assets?
• What motivates them?
• How can they do damage?
• What are we currently doing to protect
ourselves?
• What can we do better?
Jack's Question #2
What are we doing to protect ourselves
from rogue employees and others with
access to our IT system and
communications?
• Who is authorized to access data?
• Who can change data?
• Who can share data?
• How do we decide who is authorized?
• What can we do better?
Jack's Question #3
What are we doing to protect the
proprietary intellectual property
embedded in our business practices?
• How do we identify it?
• Where do we keep it?
• Who has access to it?
• Who can share it?
• How do we safeguard it?
• What can we do better?
Jack's Question #4
What are we doing to improve the
processing of daily transactions?
• What can we do to make it more timely?
• To make it more accurate?
• To reduce the cost?
• To protect the data?
• To safeguard the data?
• What can we do better?
Jack's Question #5
What are the biggest weaknesses in our
IT system?
• Do we agree on what they are?
• How can we correct them?
• How long will it take?
• What will it cost?
• Who can get it done?
• What is a point of entry to start?
From Chris Mandel, RF, ARM-E
SVP, Strategic Solutions Sedgwick, Inc.
Have you:
• Assessed Social Media/Cyber vulnerabilities beyond
reputation risk?
• Expanded existing risk governance structures &
activities to include Social Media/Cyber Risk?
• Established advanced Social Media/Cyber monitoring
tools and technologies?
• Enhanced existing performance management to analyze
and act on cyber risk monitoring metrics?
• Designed & deployed a more Cyber risk aware culture?
From Lance J. Ewing ARM, CRM, ERMP
AIG Hospitality, Leisure, & Real Estate Groups Leader
• Have we used penetration testing both online
and in the real world?
• Have we chunked our sensitive data so that no
one person or laptop has it all in one place?
• Are we using honeypots related to hackers?
• Have you reviewed the Wyndham cyber issues
that involved the parent company, their
franchisees, and the Federal government?
Penetration Testing
We simulate cyber attacks to find security
weaknesses in technology.
Used on networks, operating systems, and
software applications.
Evaluate hacking defenses.
Question to Lance Ewing
On Penetration Testing:
Should companies always bring in outside
security firms to do penetration testing for
them?
Answer from Lance Ewing
On Penetration Testing:
Internal resources may assist with
penetration, but a prophet is not
welcome until an outside organization
validates the suggestion.
Chunking Data
Chunked transfer encoding speeds up data
transfer and protects it from hackers.
• The size of each chunk is sent right before
the chunk itself.
• A delimiter code separates the chunk size
from the chunk data.
• A chunk length of zero ends the transmission.
"Hi Lance", "Thank you", "Jack"
8 characters for "Hi Lance", 9 for "Thank you", 4 for
"Jack", zero to end.
• 8\a\b
• Hi Lance\a\b
• 9\a\b
• Thank you\a\b
• 4\a\b
• Jack\a\b
• 0\a\b
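The slide's "Hi Lance / Thank you / Jack" message, decoded and re-encoded by the parser below. This is an added example, not code from the presentation or its speakers. The slide writes the delimiter as `\a\b`; on the wire, HTTP chunked transfer encoding (RFC 7230, section 4.1) uses a CRLF (`\r\n`) after the size line and after each chunk, and writes sizes in hexadecimal, which the example follows. The byte strings, the `max_chunk` limit and the function names are constructed for illustration. The point a receiver must get right is that a declared chunk size is only trusted once the bytes are actually present and the CRLF lands where the size says it should; a mismatch is rejected rather than guessed around.

```python
"""Decoder and encoder for HTTP chunked transfer encoding (RFC 7230, section 4.1).

Added example, not from the presentation. The message and the byte
strings below are constructed for illustration.
"""

CRLF = b"\r\n"
HEX_DIGITS = b"0123456789abcdefABCDEF"

# Constructed: the slide's three chunks on the wire, with hexadecimal sizes
# and CRLF delimiters as the protocol requires.
SLIDE_MESSAGE = b"8\r\nHi Lance\r\n9\r\nThank you\r\n4\r\nJack\r\n0\r\n\r\n"


class ChunkError(ValueError):
    """Raised when a chunked body is malformed or truncated."""


def encode_chunked(parts):
    """Frame each part as <hex size> CRLF <data> CRLF, then the '0' last-chunk."""
    out = bytearray()
    for part in parts:
        out += f"{len(part):x}".encode("ascii") + CRLF + part + CRLF
    out += b"0" + CRLF + CRLF
    return bytes(out)


def decode_chunked(body, max_chunk=1 << 20):
    """Return the list of chunk payloads in body, or raise ChunkError.

    Every declared length is checked against the bytes actually present,
    so a size that does not match the data is rejected rather than
    silently re-synchronised. max_chunk caps a single chunk so that a huge
    declared size cannot make the receiver reserve unbounded memory.
    Trailer fields after the last-chunk are not accepted by this decoder.
    """
    chunks = []
    pos = 0
    while True:
        end = body.find(CRLF, pos)
        if end == -1:
            raise ChunkError("truncated: no CRLF after chunk size line")
        size_line = body[pos:end]
        # A chunk extension (";name=value") may follow the size; ignore it.
        size_field = size_line.split(b";", 1)[0].strip()
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            raise ChunkError(f"bad chunk size {size_line!r}")
        size = int(size_field, 16)
        if size > max_chunk:
            raise ChunkError(f"chunk size {size} exceeds limit {max_chunk}")
        pos = end + len(CRLF)
        if size == 0:
            # Last-chunk: must be followed directly by the empty line.
            if body[pos:pos + len(CRLF)] != CRLF:
                raise ChunkError("missing empty line after last-chunk")
            return chunks
        data = body[pos:pos + size]
        if len(data) != size:
            raise ChunkError("truncated: chunk shorter than declared size")
        pos += size
        if body[pos:pos + len(CRLF)] != CRLF:
            raise ChunkError("chunk data not followed by CRLF: size mismatch")
        pos += len(CRLF)
        chunks.append(data)


def decode_slide_message():
    """Decode the constructed slide message into its text chunks."""
    return [chunk.decode("ascii") for chunk in decode_chunked(SLIDE_MESSAGE)]


if __name__ == "__main__":
    print(decode_slide_message())
    # A size line claiming 9 bytes for "Hi Lance" (8 bytes) is rejected.
    try:
        decode_chunked(b"9\r\nHi Lance\r\n0\r\n\r\n")
    except ChunkError as exc:
        print("rejected:", exc)
```

Running the module prints the three decoded chunks and then the rejection of a body whose size line disagrees with its data; `encode_chunked` applied to the three text chunks reproduces `SLIDE_MESSAGE` byte for byte.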
Question to Lance Ewing
On chunking data:
How do I respond if a CEO says the
question on chunking data is a CIO, not a
CEO, question?
Answer from Lance Ewing
On chunking data:
It will be the CEO answering the question on
the stand when the lawsuit happens.
...ask the CEO of Target who was there.
CEO needs to know the answer to that question
and had better get it in writing.
Conclusion (1)
How can a company remove all worry from
dealing with cyber risk?
Conclusion (2)
Remove all worry?
• Cannot answer.
• Time is up.