Was Friday’s Ransomware Attack Covered in Your Cyber Plan?

By Scott Laliberte, Managing Director
Technology Consulting

Less than a month ago, my colleague Adam Brand talked about the need to include ransomware in the cybersecurity repertoire of companies, emphasizing a business outcome-driven approach to cybersecurity, rather than a narrow-focused sensitive data perspective. Last Friday’s global ransomware attack brought this message home with a bang.

The widespread attack struck hospitals, companies and government offices around the world, with the majority of the attacks targeting Russia, Ukraine and Taiwan. It disrupted computers that support factories, banks and transport systems. The National Health Service in the United Kingdom was attacked, causing some surgical procedures to be cancelled and ambulances to be diverted. In addition, several major global companies reported they were hit by the attack, which currently is believed to have infected more than 200,000 computers globally, with some claiming the number is closer to 300,000.

The event is not unique, but it is the biggest of its kind so far, and it reinforces a harsh reality: Cyber attacks are not just about data loss or intrusions on privacy. They can impact organizational operations, patient care (for healthcare providers) and critical infrastructure, and cause possible loss of life. Systems that support critical operations – such as medical devices and industrial control systems – often run on older technology that is more vulnerable to these attacks. You may have ignored these systems until now because they do not contain critical data – ignore them no more.

In the wake of this latest attack, Protiviti issued a Flash Report today that summarizes the circumstances and reiterates the point we’ve made often before – namely, that cybersecurity needs to be extracted from the silo of IT security operations and considered in the context of the risk it poses to the business. The Flash Report also provides some immediate and longer-term recommendations for companies to shield themselves from future events like this one. Download the report here, and share your thoughts in the comments.

More on Cybersecurity – President Obama Issues Executive Order to Sanction Cyberattackers

As a follow-up to our recent posts related to cybersecurity and cyberthreats, President Obama issued an Executive Order this week authorizing sanctions against cyberattackers operating outside the United States. You can read the Executive Order here. Reuters also published an informative overview of the Executive Order.

As noted in Reuters’ article and other sources, the Executive Order has received some positive response, but concerns are raised, as well. How exactly will a cyberattack be attributed with certainty to an individual or group? How will the administration handle cyberattackers who are deemed to be state-sponsored, particularly by nations with which the United States conducts trade? Will such sanctions be effective against faceless perpetrators who operate independently (i.e., without state sponsorship)?

We will continue to monitor these issues and comment periodically here and in other forums.


New Protiviti Study – Assessing the Top IT Priorities for 2015

Protiviti has released another major research report today – this one details the findings from our annual IT Priorities Survey of CIOs and IT executives and professionals.

We’ll be exploring some of the key themes that came out of this study, including cybersecurity concerns, in the weeks ahead. For now, I invite you to view our video and infographic here. Please visit our survey landing page for more information and a downloadable copy of our report: www.protiviti.com/ITpriorities.

From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions

Today Protiviti released another exceptional piece of research: our 9th annual Internal Audit Capabilities and Needs Survey. This year, we took a close look at the role internal audit can and should play in helping their organizations manage cybersecurity and cyberthreats, giving the organization greater confidence in managing this ever-changing threat.

In future blog posts, we’ll be covering key takeaways from this research and offering guidance for CAEs and internal audit professionals. For now, I encourage you to view our video and infographic here, and visit www.protiviti.com/IAsurvey, where you can download a complimentary copy of our research report.

Is Your Data Safe and Are You Sure?

by Cal Slemp, Protiviti Managing Director
Leader – Security Program, Strategy and Policy Practice

Data is the lifeblood of any organization, fueling nearly every aspect of operations. But with reports of cyberattacks and data breaches making headlines routinely, the question needs to be asked:

Is your business really safe?

There is no better time than now to assess whether you have the protections you want in place to protect your information and data and, equally important, whether your organization is prepared to respond to a crisis.

Protiviti professionals have performed data security fieldwork for decades, and Protiviti has formally surveyed the cybersecurity landscape for the past 3 years. We’ve identified recurring issues among organizations that threaten to compromise their data and privacy security. To best protect your organization, here are a few key safety measures:

  • Classify data. Not all data is made equal. Some is useful or valuable, and some is critical. Companies should identify their most critical data – the “crown jewels” – and classify it accordingly so its protection can be addressed first. Protiviti’s 2014 IT Security and Privacy Survey indicates developments in data classification that are both positive and negative: While more organizations are becoming aware of the concept of data classification (“don’t know” responses to the question of whether the organization has a classification scheme and policy in place dropped by almost half), a full one-third of organizations surveyed admit they have not yet performed such classification. This is a rise from 20 percent in 2013. Let’s hope this high number is tied to the increased awareness and that these companies tackle the complex but important task of data classification soon. With a clear data classification scheme and policy, those companies will be able to identify types of data (sensitive, confidential, non-sensitive, public, etc.) and allocate security resources accordingly.
  • Only keep what you need. Companies should adhere to the principle “If you don’t need it, don’t store it.” Not only is retaining all data and records inefficient and costly, it exposes your organization to greater security risk and liability. Instead, companies should “stratify” data based on importance and type and then assign appropriate retention periods for each “stratum” according to regulatory and legal requirements, as well as industry- or company-defined standards. What’s alarming is the increase in the number of organizations that fail to adhere to this practice: 17 percent of respondents to our survey acknowledged retaining all data and records without a defined destruction date – up from 9 percent in 2013.
  • Make sure your cloud is safe. Although relatively few organizations are currently moving sensitive information to the cloud, Protiviti’s survey did document a significant year-over-year jump in the use of cloud-based vendors: 8 percent versus 3 percent in 2013. By comparison, 64 percent of respondents said they store sensitive data on on-site servers. For those choosing a cloud-based service, it’s critical to focus on terms and conditions and understand the information security standards that will be used. Many companies are discovering that cloud-based vendors are holding more data than they were contracted to store, potentially escalating risk. A related focus must be to ensure that the physical processing and storage of specific sensitive data is done in concert with established data privacy regulations.
  • Minimize legal exposure with information security policies. In the United States, almost every state has data privacy laws that impose penalties on organizations that expose confidential data. Nearly all of these laws, however, provide for leniency if the organization that suffers a data breach had a written information security policy (WISP) and a data encryption policy in place. Naturally, these policies should be well-communicated and understood by your employees and business partners. The value of such policies, aside from reducing legal liability, is obvious. But shockingly, one-third of respondents in the 2014 Protiviti survey acknowledged not having a WISP, and 41 percent had no data encryption policy.
  • Perform regular fire drills. Even the most secure organizations cannot expect to prevent all breaches. That’s why it’s critical for a company to have a documented crisis response plan, in which everyone involved knows what to do, and the ability to implement this plan quickly in the event of a crisis or cyberattack. Organizations with robust security protocols involve various senior management members, including the CIO, in their crisis response planning to bring different critical perspectives to the process and ensure an effective response. Again, it’s troubling to note that only 56 percent of respondents in our 2014 survey said they had a crisis response plan. Best practice calls for an annual risk assessment and testing of the response plan every six months.
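The first two measures above (classify data, then assign a retention period to each stratum and give every record a destruction date) can be turned into a repeatable check against a data inventory. The script below is an added example, not Protiviti’s code or a tool from the survey. It assumes a four-tier classification scheme (sensitive, confidential, internal, public) and illustrative retention periods; the tiers, the periods, the as-of date and the inventory records are all constructed for the demonstration, and real retention periods must come from your own regulatory, legal and company standards.

```python
"""Classification and retention audit over a constructed data inventory.

Added example (not Protiviti's code). The classification tiers and the
retention periods below are assumptions chosen for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed retention period per stratum, in days. None means the stratum has
# no mandated destruction date (public material). Illustrative values only.
RETENTION_DAYS: Dict[str, Optional[int]] = {
    "sensitive": 365 * 7,
    "confidential": 365 * 3,
    "internal": 365,
    "public": None,
}


@dataclass
class Record:
    name: str
    classification: Optional[str]  # None = the record was never classified
    created: date
    destroy_on: Optional[date]     # None = no defined destruction date


def expected_destroy_on(rec: Record) -> Optional[date]:
    """Destruction date implied by the stratum's retention period, or None
    when the stratum carries no retention limit."""
    days = RETENTION_DAYS[rec.classification]
    if days is None:
        return None
    return rec.created + timedelta(days=days)


def check_record(rec: Record, today: date) -> str:
    """Return one finding code for a record, checked in order of severity:
    unclassified first, because retention cannot be assigned until the
    record has a stratum."""
    if rec.classification is None:
        return "UNCLASSIFIED"
    if rec.classification not in RETENTION_DAYS:
        return "UNKNOWN_CLASS"
    expected = expected_destroy_on(rec)
    if expected is None:
        return "OK"                     # public: no destruction date required
    if rec.destroy_on is None:
        return "NO_DESTRUCTION_DATE"    # the survey's "retain everything" case
    if rec.destroy_on > expected:
        return "RETAINED_TOO_LONG"      # destruction date exceeds the stratum's period
    if rec.destroy_on <= today:
        return "OVERDUE"                # should already have been destroyed
    return "OK"


def audit(records: List[Record], today: date) -> Dict[str, str]:
    """Map each record name to its finding code."""
    return {rec.name: check_record(rec, today) for rec in records}


def summarize(findings: Dict[str, str]) -> Dict[str, int]:
    """Count records per finding code, for a management-level summary."""
    counts: Dict[str, int] = {}
    for status in findings.values():
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed inventory and as-of date for the demonstration.
AS_OF = date(2014, 10, 15)
SAMPLE_INVENTORY = [
    Record("customer_pii.csv", "sensitive", date(2010, 1, 15), None),
    Record("vendor_contracts", "confidential", date(2013, 6, 1), date(2016, 5, 31)),
    Record("hr_backup_2011", "confidential", date(2011, 3, 1), date(2014, 2, 28)),
    Record("marketing_site", "public", date(2012, 1, 1), None),
    Record("old_share_dump", None, date(2009, 1, 1), None),
    Record("legacy_logs", "internal", date(2013, 1, 1), date(2015, 12, 31)),
]

if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY, AS_OF)
    for name, status in results.items():
        print(f"{status:20} {name}")
    print(summarize(results))
```

Run stand-alone, the script lists one finding per record and a count per finding code. The checks are deliberately ordered so that an unclassified record is reported as exactly that, rather than as a retention problem, because no retention period can be assigned until the record has a stratum.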

With high-profile breaches making headlines almost daily, it is becoming clear that a security incident is not a matter of “if” but rather, “when.” With so much at stake, isn’t it best to be prepared?

Author’s note: I want to thank SingleHop for providing information to us as part of National Cybersecurity Awareness Month (NCSAM) in October. For more information, visit www.singlehop.com.

Cybersecurity in Retail: Hope for the Best but Plan for the Worst

by Rocco Grillo
Managing Director – Leader, Protiviti’s Incident Response and Forensics Practice

The recent uptick in retail data breaches is significant for all companies in a couple of important ways. First, it is important to point out that some of these highly publicized breaches have occurred at companies that were “PCI compliant.” Second, just when it appeared that the breaches had become as widespread as one could imagine, the list of additional companies falling victim has continued to grow, with no end in sight.

Furthermore, law enforcement investigators have indicated that there are many other organizations that have been compromised – the only difference is that they don’t know it yet.

It’s becoming painfully apparent that there is no such thing as penetration-proof data security. It’s no longer even enough to assume that you CAN be breached. We advise companies to conduct exercises that simulate that they have been compromised, and to focus, going forward, on how to address vulnerabilities and minimize the damage through rapid detection and response – both in containing the breach and in communicating with customers, employees, shareholders and the media.

Further to identifying potential areas of compromise, organizations need to transition from being reactive with their incident response plan and create a “proactive response” to potential compromises. This should include enhancing response plans, testing them through simulated tabletop exercises, conducting simulated forensics investigations to determine “the unknown,” and ultimately having partners aligned in advance of a potential attack or compromise.

That’s not to say that vulnerability and penetration testing aren’t important. It’s critical for organizations to understand where they are vulnerable and establish strong security processes and measures to ensure data remains safe.

But as we explain in our Point-of-View paper, High-Value Targets – Retailers Under Fire, security is a lot more than having a strong firewall. It must be applied to all layers in the organization, not just the “outer shell.” The right security best practices can identify and disrupt a cyberattack at the perimeter and also prevent a data breach, even if the attacker gets past the first layer of defense.

It’s frightening to consider how many companies are still relying only on fixed-point-in-time data security methods, such as penetration testing. As we found in our just-released 2014 IT Security and Privacy Survey, many companies don’t even have a written incident response plan. Among those that do, many have plans that are out-of-date or immature, and too few rehearse and drill them to perfection through tabletop exercises or simulated forensics investigations, which help answer the all-too-common questions coming from the board: Are we prepared to respond to an attack? Are we secure?

This is akin to a football coach who devises a trick play and tells his players all about it, but neglects to have them run the play at practice. Imagine the chaos that would ensue if they decided to run that play in a big game. Needless to say, the fan base would not like what they see!

Practice makes perfect.

Going forward, we need to assume that breaches are inevitable. I’d go so far as to suggest you assume that your organization has already been breached. That assumption puts you in immediate response mode and adds urgency to subsequent efforts to address the issue. Believe it or not, many organizations don’t figure out that they’ve been hacked until weeks, or months, after the intrusion.

Given the ubiquity of data breaches, organizations are going to be judged not by their ability to prevent an attack, but by the speed and efficacy of their response.

You have your board’s attention and directors want to know: Are you ready to respond? Are we secure? Are you sure? How do you know? If any of these questions give you pause, it’s time to up your game. Now more than ever, the bad guys are more sophisticated in attack techniques and with the holidays ahead, we’re entering the busy season for data theft. It may give “Black Friday” a new meaning in the retail industry.