Undetected Breaches and Ransomware Change How We Think About Cybersecurity

By Adam Brand, Director
IT Security and Privacy

As new possibilities in information technology continue to transform organizations, they may outpace any cybersecurity protections already in place. Controls that seemed adequate yesterday might not be equal to the challenges presented by new technology and ever-evolving threats today. Our recently published issue of Board Perspectives: Risk Oversight (Issue 90) discusses eight of today’s business realities directors should consider as they oversee cybersecurity risk, and it is worth a read. We’d like to comment further on two of these realities here.

  • The first reality represents a change in thinking: Whereas the adage of yesterday was “It’s not a matter of if a cyber risk event will occur, but a matter of when,” we now know that it’s better to acknowledge that cyber risk events are already occurring, whether we’re aware of them or not.
  • The second reality revises the familiar advice to identify and protect the critical data assets and information systems, aka “crown jewels,” extending that advice to include being aware of the adverse business outcomes that result from the unavailability or compromise of business-critical but non-sensitive data.

Both of these realities have one thing in common: Boards must remain open to new ways of thinking about cybersecurity, because organizations’ information technology assets — and the ways criminals exploit them — keep evolving. Or to paraphrase the Greek philosopher Heraclitus, the only constant in cyber threats is change.

Hunting for Hackers

Thinking “cyber risk events are not a matter of if, but a matter of when” is no longer sufficient — unless you think of “when” as having happened already. Breach statistics show that the vast majority of breaches are not self-detected. In one example from our own incident response practice, a firm that had several threat detection measures in place was blissfully unaware of a credit card breach until they were informed about it by the Secret Service. The attacker had been in the environment for over one year! This example is not uncommon, as breach statistics also show that the average time between an attack and its detection is over six months.

In hindsight, the proper response to this kind of threat would have been a proactive one — a technique known as “breach assessment” or “threat hunting.” Rather than using in-place technologies and processes as a check on prospective cyber risk events, threat hunting searches proactively for attacks already in progress by asking, “Are we already breached, but unaware of it?” More organizations are now augmenting their cyber defenses with the creation of internal “threat hunting” teams or engaging third parties for periodic breach assessments. Supporting ongoing threat hunting and commissioning regular third-party breach assessments are two ways for boards to ward off the possibility of a long-term, undetected breach.

More Than Crown Jewels

Just a short time ago, “identifying and protecting critical data and systems” — aka, crown jewels — was the standard measure of adequate cyber risk management. However, a narrow focus on sensitive data, rather than an outcome-driven approach to cyber risk management, could cause an organization to overlook real threats elsewhere — like those presented by ransomware, for example. In the past few years, ransomware has changed the risk equation for companies by targeting operational rather than sensitive data. Encrypting non-sensitive information for ransom may not be the exact high-risk data loss we’ve all been warned about, but it will cripple business operations nevertheless until the ransom is paid.

Until recently, firms that possessed only non-sensitive data could rest easy knowing they had no “crown jewels” to protect. They should rest no longer, as all firms are vulnerable to ransomware. Boards should be vigilant about this risk and ensure that safeguards are in place — as well as continuity plans. Shifting focus from warding off a specific data breach — like the loss of sensitive data via a specific application — to considering all adverse business outcomes leads to more comprehensive cybersecurity solutions.

While all eight new business realities discussed in our latest Board Perspectives warrant attention, these two in particular highlight the need for evolving an organization’s approach to cyber risk oversight, now and in the future. You can read our latest Board Perspectives issue here, and we’d love to hear from you in the comment section below.

Cyber Safety Tips for Private Equity Managers

By Michael Seek, Director
Internal Audit and Financial Advisory




Cybersecurity vendor FireEye, in March, reported an increase in fake emails targeting lawyers and compliance officers with malware disguised as a Microsoft Word document from the Securities and Exchange Commission. That, on the heels of a reported uptick in fake drawdown requests targeting private equity clients, prompted us to put together a list of ways private equity firms and portfolio managers can protect their clients from these increasingly sophisticated attacks. This list has applicability to other companies as well.

  1. Distributions – Protect investors (both internal and external) with controls requiring positive verification of the Investor’s identity prior to making any change to banking/wire instructions. The request should come directly from the Investor or from a contact that the Investor has provided written authorization to act on the Investor’s behalf. An independent email should be sent to the authorized email contact of record notifying them that a change was made and advising them to contact the firm if they did not request the change. This process should mirror those utilized by banks.
  2. Capital Calls/Drawdowns – Capital calls should be presented to Investors via a secure system or mechanism other than email. Note that hackers have been known to establish authentic-looking fake websites designed to capture LP account information. Protiviti recommends strong multifactor authentication routines (again, similar to banks) to thwart such efforts.
  3. System Security – Continuous monitoring for breach detection and a vigorously tested and rehearsed response/recovery plan have become the table stakes for operating any financial services business. If you have a proprietary system for investor distributions, that system should be secured on par with your ERP system.
  4. Deal Sourcing Data – At Protiviti, we emphasize the importance of knowing your “crown jewels” — that is, critical data that must be protected, such as investor account data. However, the protection of pipeline data, and information on target companies (e.g., potential deals), is at times overlooked. Data security must be established over systems, sites and network drives where confidential deal data is stored, including security over data rooms associated with due diligence activities. Additionally, employee communications should be monitored to ensure that no confidential information is being “leaked” via company networks.
  5. Board Members – Boards of directors need to ensure that the organizations they serve are improving their cybersecurity capabilities continuously in the face of ever-changing cyber threats. This point was mentioned in our recent Board Perspectives newsletter (Issue 90). That need also extends to the security of board emails and electronic communication of sensitive board materials. Of particular concern is the widespread use of “free” email services. Given the confidentiality of the information contained in many board emails, many organizations provide directors with in-house email addresses.
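As an added illustration (not Protiviti's code and not from the post), the following shows one way to enforce the distribution control in item 1 inside a wire-change workflow: the requester must be the investor or an agent with written authorization on file, verification goes to the contact of record rather than to any contact details supplied in the request, and the independent notification is sent to the email of record as it stood before the change. All names, addresses and data are hypothetical and constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Set

# Hypothetical data model for the distribution control (constructed for this example).
@dataclass
class Investor:
    investor_id: str
    email_of_record: str            # authorized contact on file before any change
    bank_instructions: str
    authorized_agents: Set[str] = field(default_factory=set)  # written authorizations on file

@dataclass
class WireChangeRequest:
    investor_id: str
    requested_by: str               # sender of the request
    new_instructions: str
    callback_contact: str           # contact details supplied in the request: untrusted

def process_wire_change(investor: Investor, req: WireChangeRequest,
                        verify_identity: Callable[[str, str], bool],
                        send_email: Callable[[str, str], None]) -> str:
    """Apply a banking-instruction change only after positive verification."""
    # Control 1: requester must be the investor or an agent with written authorization on file.
    if req.requested_by != investor.email_of_record and req.requested_by not in investor.authorized_agents:
        return "rejected: requester is not the investor or an authorized agent"
    # Control 2: positive verification uses the contact of record, never req.callback_contact,
    # because a fraudulent request would supply contact details the attacker controls.
    if not verify_identity(investor.investor_id, investor.email_of_record):
        return "rejected: identity not positively verified"
    contact_before_change = investor.email_of_record
    investor.bank_instructions = req.new_instructions
    # Control 3: independent notification to the contact of record held before the change.
    send_email(contact_before_change,
               f"Banking instructions for {investor.investor_id} were changed. "
               "Contact the firm if you did not request this change.")
    return "applied"

def demo() -> dict:
    """Constructed scenario: a look-alike sender is rejected; an authorized agent succeeds."""
    sent = []
    inv = Investor("LP-001", "treasury@example-lp.test", "ACCT-OLD", {"agent@example-law.test"})
    def verify(investor_id: str, contact: str) -> bool:
        return contact == "treasury@example-lp.test"   # stands in for a call-back to the record
    fraud = WireChangeRequest("LP-001", "treasury@examp1e-lp.test", "ACCT-ATTACKER", "+1-555-0100")
    legit = WireChangeRequest("LP-001", "agent@example-law.test", "ACCT-NEW", "")
    return {
        "fraud": process_wire_change(inv, fraud, verify, lambda to, body: sent.append(to)),
        "legit": process_wire_change(inv, legit, verify, lambda to, body: sent.append(to)),
        "instructions": inv.bank_instructions,
        "notified": sent,
    }
```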

In a world rife with cyber crime, the incentives to commit it grow ever stronger as just about everything of value – whether an action or an asset – has a digital component. Vigilance continues to be the name of the cyber risk game – for private equity firms and portfolio managers in managing their clients, and for other sectors as well.

Watch What You Say: Auditing Cybersecurity Disclosures

By David Brand
Managing Director, Leader of Protiviti’s IT Audit practice

In the face of ongoing, persistent and ever-more dramatic data breaches, corporate assurances about the security of information are rightfully met with investor and regulatory skepticism. And while companies have rushed to inoculate themselves against potential damage by purchasing cyber insurance, regulators – and insurers – are reviewing published cybersecurity disclosures carefully to determine whether the companies’ claims regarding their cybersecurity programs – people, processes and technology – are consistent with reality.

These reviews merit attention for several reasons. For example, the price for failing to adequately assess and disclose cyber risks could be regulatory sanction and/or a denied insurance claim.

Questions about disclosures – and inquiries from external auditors related to cybersecurity – have been raised in several conversations with our clients recently. The basis for the questions can be traced back to U.S. Securities and Exchange Commission guidance published in October 2011. But the urgency and frequency of the questions in meeting rooms and board rooms have increased, in apparent contradiction to public corporate cybersecurity assurances.

External auditors are generally asking two questions:

  1. For companies making disclosures: What programs exist to ensure the disclosures are accurate?
  2. For companies without disclosures: What controls and procedures are in place to ensure that there is nothing occurring that should be disclosed?

The typical response, to date, has been for management to provide a memo with a general description of relevant risks; a list of the people, processes and technology in place to address cyber risk; a list of relevant internal audit efforts addressing cyber risk; and a statement that management is not aware of any relevant undisclosed breaches.

These responses tend to be quantitative, which raises the question: Should Internal Audit evaluate and weigh in on the efficacy of cyber risk mitigation programs? A 2015 article in the Harvard Law School Forum on Governance and Financial Regulation says yes. I would agree.

Critical intellectual property (IP) – the so-called “crown jewels” – must be identified and protected. In addition to traditional perimeter defenses, companies need to develop and regularly review an intrusion response plan. The plan needs to account not only for theft, but also for the possible destruction of data. Response plans should be tested with live simulations designed to break and fix vulnerabilities before they can be exploited by hackers.

Sounds like common sense, doesn’t it? It has been my experience, however, that all too often, companies tend to address theoretical risks with theoretical responses. A self-assuring, “no stranger danger here” mentality may, in fact, be your organization’s greatest vulnerability. Instead, what companies are better off doing – and what most cybersecurity experts these days recommend – is to assume that they have already been breached, and focus their security efforts on rapid detection, interdiction and recovery.

To that, I would add the need for a strong cyber risk control and governance framework, such as the one developed by the National Institute of Standards and Technology (NIST).

As for internal audit, it definitely should be auditing cybersecurity disclosures to make sure that what management is telling shareholders is consistent with actual risks. Words matter, and the world is watching.

For more on current IT audit trends, views and challenges, download the latest ISACA/Protiviti IT Audit Benchmarking survey or view the highlights.