Data Security Alarms Should Be Sounding for Oil and Gas

By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

Oil and gas industry executives don’t need to see a new Wikileaks story about secret CIA hacking tools or hear more about the electronic penetration of presidential campaigns to understand the seriousness of a potential digital hack to their operations.

But it’s a large step from knowing a risk exists to being ready for it. Achieving confidence in the ability to manage such risk can involve substantial new investments and operational adjustments, even for an industry accustomed to meeting regulatory, operational and market challenges.

Protiviti’s recently released 2017 Security and Privacy Survey indicates that oil and gas companies are facing their cybersecurity challenges in ways similar to other industries. The survey’s main findings include:

  • Nearly one in five companies cannot confidently identify or locate their “crown jewels,” or most valuable data assets, because they lack an effective enterprisewide data classification scheme and policies.
  • How well companies manage their vendors’ security practices marks a notable difference between top security performers and the rest.
  • Companies with a high level of board engagement in information security issues rate considerably higher than those without such involvement in nearly all facets of information security best practices. These companies also report a higher level of confidence in their ability to prevent an opportunistic data breach.

These findings largely correspond to what we have seen among our own energy clients. One difference we have noticed, however, is that energy companies tend to have little or no formal documentation of the testing of their security incident response plans, compared with other industries. Without that evidence, energy executives cannot demonstrate the same level of breach-response preparedness that some other industries can. I would argue that, as operators of critical infrastructure, they should be able to.

Although Protiviti’s energy clients say they are committed to security, we see about the same level of compliance, roughly 38 percent, with implementation of all five core information security policies identified in the Protiviti survey: acceptable use, records retention/destruction, data encryption, information security, and social media.

In addition, energy companies, specifically those in exploration and production (E&P), have been hesitant to invest in tools to identify where their “crown jewels” are stored, apparently because many do not believe the company is much at risk, on the grounds that it retains little sensitive data. However, many routine E&P processes (e.g., escheat filings and royalty owner payments) do handle personal information protected by state privacy laws; an individual royalty owner’s tax ID number, for example, is usually that person’s Social Security number. Company confidential information, such as reservoir data, land acquisition data and merger and acquisition activity, likewise requires identification and protection. Even where these processes are mostly manual, the information is very commonly digitized (e.g., as scanned documents) or entered into a system. If the company does not know what data exists and where, it will have a difficult time protecting it.

Energy executives and boards would be wise to ask themselves some worst case scenario questions and know the answers now rather than having to discover them under fire later:

  • If our data assets were compromised, could they be reconstructed, and how long would it take?
  • If field operations were disrupted by an attack on the operational control system, how much revenue would be lost per week? Per month?
  • If competitors or counter-parties were able to learn confidential details of our strategies and plans, where would our company be most vulnerable?

The bottom line is that what you don’t know, such as where your critical data is, can, and eventually will, hurt you. With all issues of cybersecurity, it’s only a matter of time.

Alyssa Brister and Luis Castillo from Protiviti’s Technology Consulting practice contributed to this post.

Customer Loyalty Through Better Security — and How to Achieve It

By Rick Childs, Managing Director
Consumer Products and Services Industry Leader

Customer loyalty programs are among the basic building blocks of successful consumer products and services companies today. These programs are not only competitive differentiators, but also key drivers of revenue and profits for retailers, restaurants, hotels, airlines and many other businesses. The success of loyalty programs, however, hinges on more than inspiring customers to opt in and offering them rewards that they find compelling. Consumer trust is also essential.

Consumers want to be assured that the companies they interact with through various touch points — online, offline and through mobile applications — are doing everything possible to protect their personal data and privacy. Even millennial consumers, who are generally more willing than customers in other demographic groups to share personal information with businesses in exchange for rewards, have high expectations that companies will keep their data secure and respect their privacy. And if the companies don’t, they are quick to hold them accountable.

Privacy concerns are weighing on the minds of executives in the consumer products and services industry this year, according to a survey, Executive Perspectives on Top Risks for 2017, from Protiviti and North Carolina State University’s ERM Initiative. Representatives of this industry group who took the survey ranked the following concern third among the top five risks: Ensuring privacy/identity management and information security/system protection may require significant resources for us.

Digitalization, the IoT and cyberthreats add to the challenge

Like most things related to security in a digital world, privacy, customer identity management and information protection are all easier said than done. In fact, they are only becoming more challenging for consumer products and services companies as these businesses:

  • Introduce more mobile and digital offerings to their customers
  • Collect, store and analyze more and more customer data from applications and devices
  • Develop and use applications and devices designed for the rapidly emerging and highly interconnected Internet of Things (IoT)
  • Embrace digitalization and migrate “analog” approaches to customers, products, services and operating models to an “always-on,” real-time and information-rich marketplace

It is hardly surprising then that consumer products and services businesses face a constant barrage of sophisticated and stealthy cyberthreats designed to target customer and payment information.

Recent high-profile data breaches and targeted hacks involving major retailers, fast food chains and hotels are just the latest headache-causing wrinkle as consumer products and services companies are scrambling to evaluate their ability to protect customer and payment information. (Executives no doubt had these incidents on their minds when responding to the latest risk survey: they also ranked cyberthreats among the top five risks for their industry in 2017.)

Drive results through strategy and collaboration

Certainly, there is no getting around the need for consumer products and services companies to devote more resources toward ensuring privacy, addressing identity management issues, and protecting information and systems. This is an imperative for any business that handles customer and financial data in a digital world. But organizations also must be very strategic when aligning and deploying these resources if they want to see results.

Developing the right strategy requires effective collaboration between the business and IT. If they are not doing so already, business executives in consumer products and services organizations should resolve to reach out to their counterparts in IT sooner rather than later.

Another party to include in discussions about privacy risk and cyberthreats this year: internal audit. We are seeing more organizations increasing business, IT and internal audit collaboration not only to address known risks, but also to help the business prepare for new challenges related to digitalization and the IoT. As Protiviti’s white paper, The Internet of Things: What Is It and Why Should Internal Audit Care?, explains, “Businesses developing and using applications and devices within the IoT must be aware of how the data they are collecting, analyzing and sharing impacts user privacy.”

Engaging business, IT and internal audit leaders to share their perspectives on these risks will help consumer products and services companies to ensure they are doing everything necessary to protect their customers’ privacy and information in a digital and hyperconnected world. It will also give them more confidence to interact with consumers through more channels, and to innovate programs and other offerings that will earn — and keep — their business.

PCI DSS 3.2 – What You Need to Know

By Jeff Sanchez, Managing Director, IT Security and Privacy
and Scott Laliberte, Managing Director, IT Consulting

We’ve been getting a lot of inquiries from clients on the new payment card industry (PCI) compliance standard issued by the PCI Security Standards Council in April. The new data security standards (DSS) release, dubbed PCI DSS Version 3.2, contains some major changes from the previous version.

The changes are explained pretty clearly in our May 9 Flash Report, but we recently had the opportunity for a more interactive discussion and to answer questions via a webinar we held on August 18. In a future post, we will follow up with some of the questions we did not have a chance to address. Here, we’d like to focus on the upcoming changes.

Some of the upcoming changes may require significant effort. They affect every entity that stores, processes or transmits payment card data, and could leave many organizations out of compliance for an extended period.

The biggest changes affecting all organizations (effective Feb. 1, 2018) are as follows:

  • Multifactor authentication will be required for all non-console administrative access into the cardholder data environment (CDE), even when the connection originates inside the corporate network. In addition to a password, an administrator must present at least one other factor, such as a hardware token, a one-time code or a fingerprint. Until now, multifactor authentication was mandated only for remote access originating from outside the network, whether by users, administrators or third parties. Note: Companies that currently list multifactor authentication as a compensating control for another technical requirement will no longer be able to do so once it becomes a requirement in its own right.
  • File integrity monitoring (FIM), or another change-detection mechanism, must be in place on all in-scope systems, which includes systems connected to the CDE, not just those within it. Many organizations do not currently run FIM on point-of-sale terminals or administrative workstations.
  • Change management is an area of increasing concern for the Security Standards Council. PCI DSS 3.2 requires organizations to document every change to in-scope systems, identify the controls each change could affect, and show that those controls were tested after implementation and that corrective action was taken, where needed, to restore an effective control environment.
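To make concrete what the change-detection control in the FIM bullet actually does, here is an added example; it is not code from the original post or from the PCI Security Standards Council. It baselines the SHA-256 digest of every regular file under a directory, re-scans later, and reports files that were added, removed or modified. The directory layout, file names and tampering in demo() are constructed for illustration, and the log directory is excluded to show how volatile paths are kept out of the baseline. A production FIM additionally signs or remotely stores the baseline so an intruder with administrative rights cannot rewrite it, and feeds alerts into a monitored channel; this script does neither.

```python
"""Minimal file-integrity (change-detection) check.

Build a baseline of SHA-256 digests for every regular file under a
directory, then compare a later snapshot against it and report files
that were added, removed or modified. Added example, not from PCI SSC.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Tuple

Report = Dict[str, Tuple[str, ...]]


def _sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str, exclude_dirs: Iterable[str] = ()) -> Dict[str, str]:
    """Map each regular file (relative POSIX path) under root to its SHA-256 digest.

    Directories named in exclude_dirs are pruned (e.g. log directories that
    change constantly). Symlinks are skipped so a monitored path cannot be
    pointed at an unrelated file to get a "good" hash recorded for it.
    """
    root_path = Path(root)
    excluded = set(exclude_dirs)
    baseline: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root_path):
        dirnames[:] = [d for d in dirnames if d not in excluded]  # prune in place
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            rel = full.relative_to(root_path).as_posix()
            baseline[rel] = _sha256_file(full)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Report:
    """Return sorted tuples of added, removed and modified relative paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": tuple(sorted(cur_keys - base_keys)),
        "removed": tuple(sorted(base_keys - cur_keys)),
        "modified": tuple(
            sorted(p for p in base_keys & cur_keys if baseline[p] != current[p])
        ),
    }


def has_changes(report: Report) -> bool:
    """True if any category in the report is non-empty."""
    return any(report.values())


def demo() -> Report:
    """Constructed scenario: baseline a fake POS directory, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pos").mkdir()
        (root / "logs").mkdir()
        (root / "pos" / "config.ini").write_text("allow_debug=0\n")
        (root / "pos" / "app.bin").write_bytes(b"\x7fELF-constructed-sample")
        (root / "logs" / "today.log").write_text("boot ok\n")
        baseline = build_baseline(str(root), exclude_dirs=("logs",))

        # Simulated tampering between the two scans (constructed).
        (root / "pos" / "config.ini").write_text("allow_debug=1\n")     # modified
        (root / "pos" / "app.bin").unlink()                              # removed
        (root / "pos" / "evil.dll").write_bytes(b"constructed payload")  # added
        with (root / "logs" / "today.log").open("a") as fh:              # excluded
            fh.write("more noise\n")

        return compare(baseline, build_baseline(str(root), exclude_dirs=("logs",)))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {list(paths)}")
```

Run it to see the three tampered paths reported while the appended log file stays silent. The report is returned rather than only printed so that the same function can feed an alerting or ticketing step, which is where the requirement's "detect and respond" expectation is actually met.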

Service providers face even greater scrutiny under the new standards.

  • Security controls monitoring needs to be able to detect failures, and the provider must have supporting processes that document how to fix control failures, as well as processes for documentation, determining root causes and getting security systems back into operation.
  • Executive management responsibility is another hot-button issue. PCI 3.2 requires service providers to assign a member of executive management to be responsible for protecting the CDE. This executive will oversee testing and sign an attestation of compliance.
  • Operational reviews must be conducted quarterly. Service providers are required to perform quarterly reviews of operational processes, including, but not limited to, daily logs, firewall rules, configuration standards, security alerts and change management procedures.
  • Penetration testing on segmentation controls will have to be conducted at least every six months under PCI 3.2, versus annually in 3.1. The scope of penetration testing needs to be coordinated to ensure that the CDE remains secure, even in the event of a total administrative takeover of a segmented system.
  • Service providers must also maintain, for their assessors, a documented description of the cryptographic architecture used to protect cardholder data in the CDE, covering all algorithms, protocols and keys in use, including each key’s strength and expiration date.

PCI version 3.2 is available for use now and becomes the only valid standard when version 3.1 is retired on Oct. 31, 2016. However, many of the new requirements in 3.2 do not become effective until Feb. 1, 2018. As we said in the webinar, we strongly recommend that organizations work with a Qualified Security Assessor now to ensure compliance and avoid unpleasant surprises under deadline pressure.

Top Risks in Financial Services: Ever the Same, Always Changing

Protiviti and North Carolina State University’s ERM Initiative teamed at the end of last year to survey directors and executives across a wide spectrum of industries for our fourth annual Executive Perspectives on Top Risks report. We are drilling down, over a series of blog posts, to provide insight into these executive perspectives within key industries and how these risks may have evolved since the survey was conducted. This post focuses on the financial services industry.


By Cory Gunderson, Managing Director
Global Leader, Financial Services Industry

When we conducted our survey in the fourth quarter of last year, the top risks on the minds of financial services directors and executives, in order of priority, included: regulatory changes and increased scrutiny, cybersecurity, information security, economic volatility, and succession. However, risk is never static. If we were to conduct the survey today, with the significant changes over the past six months, including growing nationalist sentiment across the globe – Brexit being the most recent example – economic concerns would probably rise as high as second place, even with cybersecurity and information security remaining strong and “evergreen” concerns.

Executives perceive risk in much the same way the body perceives pain. New risks arise sharp and top-of-mind, but recede in perceived importance as the corporate body adapts to the stimulus. My colleague Richard Childs alluded to this “anesthetizing effect” in his recent post on top risks in the consumer products and services industry. In financial services, the reigning top risk – regulatory changes and scrutiny – continued a steady decline in perceived severity, and at least two other top risks from 2015 – social media and disruptive technology – dropped out of the top five.

That’s not to say these risks have receded. If anything, regulations continue to evolve and they change with greater frequency, reflecting the critical importance of a sound financial system to the world’s economy. And the level of investment in fintech – the technology driving the bleeding-edge of financial services – is growing in leaps and bounds. Rather, financial institutions are now dealing with these risk areas on a daily basis, so they are not perceived as sharply as when they first arose.

Similarly, other risks fundamental to a financial institution’s survival – such as market risk and credit risk – are so much a part of everyday life that they don’t even register on a survey like this. Things could change soon, however. We have lived in a low interest environment for well over 20 years, creating an entire generation of risk managers who have never had to manage volatile interest rate risk – at least not on the scale of the 1970s and 1980s. With the Federal Reserve strongly hinting of higher interest rates to come, regulators are keeping an increasingly close eye on this fundamental. Interest rate risk could very well become one to watch. And as in any cycle, the spectre of credit risk looms on the horizon, with many regulators looking at evidence of the risk-compounding scenario of loosened underwriting standards coupled with overheated pricing bubbles.

The bottom line is that the financial services industry, because it is central to the world’s liquidity, movement of capital, financing of business expansion and the safekeeping of wealth, is always going to be risk-heavy – and while the ranking of risks matters, it is not to be seen as an indication of one risk or another going away completely. Financial services firms are in the business of managing risk by their very nature, meaning the rankings are really more a reflection of what’s top of mind at a given point in time.

We are entering a period of increasing volatility. There are going to be stresses on financial institutions’ systems. It is important, going forward, that executives and directors work hard to remain agile and adaptive in their risk management roles, challenging all layers of defense – especially the first line – to remain engaged, and avail themselves of the latest in risk management capabilities. History has shown that when organizations become complacent, or assume that the situation of today won’t change tomorrow, risks have a way of becoming realities, and neither the regulators and policy makers nor the public at large appear to be in a forgiving mood.

IT Security and Privacy Survey Webinar Highlights

By Cal Slemp, Managing Director, IT Security and Privacy
and Scott Laliberte, Managing Director, Vulnerability and Penetration Testing

We covered the release of our 2015 IT Security and Privacy Survey here on our blog in September, but given the survey’s finding that there was a widespread lack of cybersecurity confidence among organizations surveyed, we wanted to revisit this important topic with discussion from our October 27 webinar.

Cyberattacks are increasing in frequency and sophistication. One in three targets falls victim. If your organization is not keeping pace with the threats, then you are falling behind.

Directors take note: The most significant differentiator in an organization’s preparedness for a security breach or cyberattack is the degree to which the board is engaged in IT security and asking hard questions that management has to answer. These include:

  • Does the organization have a formal and documented IT crisis response plan?
  • Is it tested at least annually?
  • How robust is the testing – perimeter only, or more enterprise-oriented war games? Does it evaluate the efficacy of breach detection and kill chain disruption?
  • How deep is our training/knowledge?
  • What is our average time to detection of breaches and how does it compare to the industry?
  • Are we testing for social engineering attacks?

Executives beware: The cyber threat landscape is evolving faster than typical IT security measures can keep up. One of the rising threats is social engineering (especially spear phishing) designed to trick high-level executives into opening malware or spyware. Such schemes succeed more than thirty percent of the time. Training can cut that rate substantially, but it only takes a single successful compromise of a senior account to reach high-value, “crown jewel”-type information.

In addition to the questions listed above for board members, executives should be asking:

  • Who is responsible for IT governance – especially information security?
  • Does everybody in the organization know that?
  • How deep is our bench? If one or two key people were removed from the chain of command, would we still be able to execute our crisis plan effectively?
  • What are our “crown jewels?” What information do we have that needs to be protected?
  • How would we know if we’ve been breached?

IT leaders: Make sure you’ve got your bases covered. Recognize that the threat landscape is constantly changing. Stay current with security standards such as ISO 27001 and PCI DSS. Make sure you have a solid, vetted IT crisis plan in place, test it regularly, communicate it to employees and train everyone in their role. Drill your team with realistic war-game scenarios until you are confident that everyone knows their role and the plan will work as intended. Then pull a couple of key people out and run the simulation again to confirm the plan survives without them. Constantly ask yourself: “What are we missing?”

It is worth pointing out that most breaches go undetected for more than 6 months, and are usually discovered by a third party. This highlights the need to test detection capability, in addition to response capability.

The survey revealed a decrease in certain key IT security elements – such as policies and training – over the past three years. Although disconcerting, such dips are not uncommon as organizations transition from a rote “check-the-box” mentality to real readiness.

All signs point to an increased awareness of IT security challenges. For a more robust discussion and solid background on this issue, listen to the webinar and download the survey report.

Just Released: Protiviti’s 2015 IT Security and Privacy Survey

By Cal Slemp, Global Leader of Protiviti’s IT Security and Privacy Practice

Cybersecurity is top of mind from the boardroom and C-suite to IT, Legal, Finance and more. But does that translate to effective policies and actions? That’s the focus of Protiviti’s 2015 IT Security and Privacy Survey Report, published today.

The answers are mixed.

Our 2014 report identified notable gaps between top-performing companies and other organizations in terms of best practices in IT security and privacy; it also pointed to where these organizations needed to progress to bridge these gaps.

A year later, much progress has been made – yet many gaps remain.

Bright spots in our 2015 survey: Many organizations have made enough progress to become what we classify as top performers. These organizations are characterized by high board-level engagement in information security and strong security frameworks backed by specific information security policies.

Other insights from the survey:

  • “Tone at the top” is a critical differentiator. From strong board engagement to management-driven “best practice” policies, effective security begins at the top. A strong tone at the top is as important as any policy, because even the best policies are merely words on paper. It takes people to put those words into action, and people take their cues from company leadership.

Have you communicated to the people in your organization what you expect regarding information security and privacy? Are you setting a good example?

  • A strong security foundation must include the right policies. Organizations that have in place all “core” information security policies – including acceptable use, data encryption and more – demonstrate higher levels of confidence and stronger capabilities throughout their IT security activities.

What are your policies? Do you know them? Do your employees?

  • Many companies lack critical policies and an understanding of their “crown jewels.” One in three companies lacks policies for information security, data encryption and data classification. Most lack a strong understanding of their most sensitive data and information, as well as of their potential exposures. Such gaps leave the organization open to cyberattacks and significant security issues.

What are your informational “crown jewels”? How are you protecting them?

  • There isn’t a high level of confidence in the ability to prevent an internal or external cyberattack. While two out of three organizations report being more focused on cybersecurity as a result of recent press coverage, most lack a high level of confidence that they could prevent a targeted cyberattack, either from external hackers or insiders. This mindset is not necessarily a bad thing – in fact, it may be a healthy one if the perspective drives a focus on improvement. Many in the cybersecurity community would argue that cyber breaches are inevitable and that the best risk management strategy is to focus on rapid detection and on ensuring that valuable data is encrypted and unidentifiable, rendering it worthless to an unauthorized user.

Could your security protocols detect and contain a breach in progress, or are you still just patrolling the perimeter?

This is an interesting and timely survey report and one where the results are likely to change significantly from year to year as both the cyber threat and cybersecurity landscape evolve and become more aggressive and sophisticated. For a more detailed analysis, you can view and download the entire report here.

Clear and Present Danger: Cybersecurity Should Be a Top Priority

With organizations large and small falling victim to a troubling number of cybersecurity issues, 2014 infamously became the year of the data breach.

To avoid making 2015 the same, internal auditors must play an important role in securing the organization. That responsibility entails working closely with the board, executive management and functional leaders to ensure that cybersecurity is incorporated into the flow of daily business and its multitude of processes.

In our 2015 Internal Audit Capabilities and Needs Survey, we’ve devoted a special section to the current state of cybersecurity. With the help of more than 800 chief audit executives and internal audit professionals who participated in the study, we’ve identified organizational traits and practices that lead to effective cybersecurity measures.

The two most critical success factors?

  1. High level of engagement in cybersecurity by the board of directors
  2. Evaluating cybersecurity risk as part of the current audit plan

There is a clear correlation between the two. For example, 69 percent of organizations that reported a high level of board engagement in information security risks include cybersecurity in their audit plans. By comparison, only 46 percent of organizations reporting lesser levels of board engagement address cybersecurity in their audit plans. The correlation goes the other way too: 40 percent of organizations with audit plans tackling cybersecurity report high level of engagement by their boards. Only 20 percent of organizations without such audit plans say their boards are similarly engaged in information security issues.

A pressing priority for nearly every organization is strengthening its ability to identify, assess and mitigate cybersecurity risk to an acceptable level. Most of the organizations that rate themselves as “very effective” in tackling these tasks are organizations that have either a high level of board engagement or those that have included cybersecurity in their audit plans. For example, 39 percent of companies with boards that are highly engaged in information security issues say they mitigate issues very effectively. Only 15 percent of companies with less involved boards exhibit the confidence to say so.

Internal auditors must prioritize and cultivate the critical success factors because it’s their job to make sure their companies are prepared to deal with a variety of threats. On a scale of 1 to 10, with 10 posing the highest level of risk, participants in our survey cited the following as their biggest cybersecurity concerns: data security (company information) – 7.9; brand/reputational damage – 7.7; regulatory and compliance violations – 7.5; data leakage (employee personal information) – 7.5; and viruses and malware – 7.3.

For CAEs and internal auditors to achieve “top performer” status, Protiviti recommends the following ten cybersecurity action items:

  • Work with management and the board to develop a cybersecurity strategy and policy.
  • Seek to have the organization become “very effective” in its ability to identify, assess and mitigate cybersecurity risk to an acceptable level.
  • Leverage board relationships to a) heighten the board’s awareness and knowledge of cybersecurity risk; and b) ensure that the board remains highly engaged with cybersecurity matters and up to date on the changing nature and strategic importance of cybersecurity risk.
  • Focus on the organization’s most critical data and information assets and information systems (the so-called “crown jewels”); these are the assets of highest value that the organization cannot afford to lose.
  • Ensure cybersecurity risk is formally integrated into the audit plan.
  • Stay in touch with the threat landscape by developing an understanding of and keeping current with emerging technologies and technological trends that are affecting the company and its cybersecurity risk profile.
  • Evaluate the organization’s cybersecurity program against the NIST Cybersecurity Framework, while recognizing that the framework does not run to the control level and therefore may require additional evaluations from an ISO 27001 and 27002 standpoint.
  • Recognize that with regard to cybersecurity, the strongest preventive capability is a combination of technology and human involvement – a complementary blend of education, awareness, vigilance, and technology tools.
  • Make cybersecurity monitoring and cyber incident response a top management priority. A clear escalation protocol can help make the case for and sustain this priority.
  • Address any IT/audit staffing and resource shortages – this represents a top technology challenge in many organizations and can hamper efforts to address cybersecurity issues.

For a more in-depth discussion on cybersecurity risks and what internal audit functions can do to ensure their organizations are adequately addressing the risks, I’d highly recommend that you read the full report. In addition, check out Issue 66 of Board Perspectives: Risk Oversight, Managing Cyber Threats with Confidence.