Was Friday’s Ransomware Attack Covered in Your Cyber Plan?

By Scott Laliberte, Managing Director
Technology Consulting

Less than a month ago, my colleague Adam Brand talked about the need to include ransomware in the cybersecurity repertoire of companies, emphasizing a business outcome-driven approach to cybersecurity, rather than a narrow-focused sensitive data perspective. Last Friday’s global ransomware attack brought this message home with a bang.

The widespread attack struck hospitals, companies and government offices around the world, with the majority of the attacks targeting Russia, Ukraine and Taiwan. It disrupted computers that support factories, banks and transport systems. The National Health Service in the United Kingdom was attacked, causing some surgical procedures to be cancelled and ambulances to be diverted. In addition, several major global companies reported they were hit by the attack, which currently is believed to have infected more than 200,000 computers globally, with some claiming the number is closer to 300,000.

The event is not unique, but it is the biggest of its kind so far, and it reinforces a harsh reality: Cyber attacks are not just about data loss or intrusions on privacy; they can impact organizational operations, patient care (for healthcare providers) and critical infrastructure, and cause possible loss of life. Systems that support critical operations – such as medical devices and industrial control systems – often run on older technology that is more vulnerable to these attacks. You may have ignored these systems until now because they do not contain critical data – ignore them no more.

In the wake of this latest attack, Protiviti issued a Flash Report today that summarizes the circumstances and reiterates the point we’ve made often before – namely, that cybersecurity needs to be extracted from the silo of IT security operations and considered in the context of the risk it poses to the business. The Flash Report also provides some immediate and longer-term recommendations for companies to shield themselves from future events like this one. Download the report here, and share your thoughts in the comments.

Customer Loyalty Through Better Security — and How to Achieve It

By Rick Childs, Managing Director
Consumer Products and Services Industry Leader

Customer loyalty programs are among the basic building blocks of successful consumer products and services companies today. These programs are not only competitive differentiators, but also key drivers of revenue and profits for retailers, restaurants, hotels, airlines and many other businesses. The success of loyalty programs, however, hinges on more than inspiring customers to opt in and offering them rewards that they find compelling. Consumer trust is also essential.

Consumers want to be assured that the companies they interact with through various touch points — online, offline and through mobile applications — are doing everything possible to protect their personal data and privacy. Even millennial consumers, who are generally more willing than customers in other demographic groups to share personal information with businesses in exchange for rewards, have high expectations that companies will keep their data secure and respect their privacy. And if the companies don’t, they are quick to hold them accountable.

Privacy concerns are weighing on the minds of executives in the consumer products and services industry this year, according to a survey, Executive Perspectives on Top Risks for 2017, from Protiviti and North Carolina State University’s ERM Initiative. Representatives of this industry group who took the survey ranked the following concern third among the top five risks: “Ensuring privacy/identity management and information security/system protection may require significant resources for us.”

Digitalization, the IoT and cyberthreats add to the challenge

Like most things related to information security in a digital world, privacy, customer identity management and information security are all easier said than done. In fact, they are becoming only more challenging for consumer products and services companies as these businesses:

  • Introduce more mobile and digital offerings to their customers
  • Collect, store and analyze more and more customer data from applications and devices
  • Develop and use applications and devices designed for the rapidly emerging and highly interconnected Internet of Things (IoT)
  • Embrace digitalization and migrate “analog” approaches to customers, products, services and operating models to an “always-on,” real-time and information-rich marketplace

It is hardly surprising then that consumer products and services businesses face a constant barrage of sophisticated and stealthy cyberthreats designed to target customer and payment information.

Recent high-profile data breaches and targeted hacks involving major retailers, fast food chains and hotels are just the latest headache-causing wrinkle as consumer products and services companies are scrambling to evaluate their ability to protect customer and payment information. (Executives no doubt had these incidents on their minds when responding to the latest risk survey: they also ranked cyberthreats among the top five risks for their industry in 2017.)

Drive results through strategy and collaboration

Certainly, there is no getting around the need for consumer products and services companies to devote more resources toward ensuring privacy, addressing identity management issues, and protecting information and systems. This is an imperative for any business that handles customer and financial data in a digital world. But organizations also must be very strategic when aligning and deploying these resources if they want to see results.

Developing the right strategy requires effective collaboration between the business and IT. If they are not doing so already, business executives in consumer products and services organizations should resolve to reach out to their counterparts in IT sooner rather than later.

Another party to include in discussions about privacy risk and cyberthreats this year: internal audit. We are seeing more organizations increasing business, IT and internal audit collaboration not only to address known risks, but also to help the business prepare for new challenges related to digitalization and the IoT. As Protiviti’s white paper, The Internet of Things: What Is It and Why Should Internal Audit Care?, explains, “Businesses developing and using applications and devices within the IoT must be aware of how the data they are collecting, analyzing and sharing impacts user privacy.”

Engaging business, IT and internal audit leaders to share their perspectives on these risks will help consumer products and services companies to ensure they are doing everything necessary to protect their customers’ privacy and information in a digital and hyperconnected world. It will also give them more confidence to interact with consumers through more channels, and to innovate programs and other offerings that will earn — and keep — their business.

Will Hiring Hackers Help Energy’s Cybersecurity Efforts?


By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

and Cal Slemp, Managing Director
IT Security and Privacy Practice Leader

The chief cybersecurity engineer for a major industrial process company advocated not long ago that oil and gas companies hire hackers to improve their cybersecurity defenses. At an annual European-Middle East-Africa user group conference in The Hague last October, Eric Knapp urged attendees to drop their negative perceptions and put hackers to work on their teams.

Knapp’s advice followed a presentation of survey findings stating that 82 percent of oil and gas industry respondents have experienced an increase in successful cyberattacks over the past 12 months. Executives of European petrochemical companies SARAS and SABIC estimated that cyberattacks cost businesses up to $400 billion per year.

Several weeks earlier, the World Energy Council (WEC) issued a report that, among other conclusions, found that the demand for cyber specialists is growing twice as fast as for all other IT jobs. The WEC cited research linking recent high-profile security breaches to a shortage of almost one million skilled cybersecurity professionals.

Our perspective:

The idea of leveraging “hackers” needs to be put into context. Many organizations have resources (internally or through consulting firms) who mimic the activity that various types of real hackers execute to illegally break into a company’s IT infrastructure. These “white hat” penetration testers are excellent at testing infrastructures, applications, networks and databases. The use of trained personnel who act as hackers but have written agreements and rules of engagement can make a lot of sense for an organization and is worth considering.

However, cybersecurity, much like other strategic initiatives, cannot be addressed with technology resources or tools alone. It requires a joint effort among departments and employees of all levels. In the same way that police cannot solve all crimes by themselves (despite being the “experts”), cybersecurity professionals need the knowledge and assistance of everyone in the organization. Employees who have been educated on matters of cybersecurity become empowered and thus an extension of the security program.

Finding the similarities between cyber risks and existing risks (e.g., safety) can help translate this subject to nontechnical resources. Many of the lessons learned with regard to overall risk management through more traditional departments, such as internal audit or compliance, can be applied to cybersecurity. Sharing data points that are already being collected by these departments can add value to analyzing security threats. At an even higher level, sharing information across the industry in cyber intelligence groups (CIGs) can allow firms to collaborate on specific threats and solutions, and share data that can add value to their overall threat analyses.

Is hiring “hackers” the answer to the cybersecurity challenge? It’s not quite that simple. White hat hackers certainly have a key skill set organizations need to face the growing threat of cyber crime, but the ultimate success of an organization lies in how well the leadership empowers the overall enterprise to combat cyber risks together.

Luis Castillo of Protiviti Technology Consulting contributed to the development of this content.


IT Innovation, Part 2: Maximizing the Value of Security Investments

By Jonathan Wyatt, Managing Director
Technology Consulting Practice Leader, UK

As my colleague Ed Page indicated in his January 11 post, digital transformation represents one of the biggest innovation opportunities of the 21st century, and failure to respond quickly to innovation opportunities is one of the biggest risks faced by any business today.

A recent Protiviti white paper, Catching the Digital Wave of Change, points out that no industry is isolated from the challenges and opportunities of disruptive technology. Wearable technology, driverless cars, the Internet of Things, robotics, blockchain, biometrics, drones and nanotech are but a few examples of disruptive technologies that leaders of the future are harnessing today. In many cases, however, while business leaders recognize the opportunities, their IT counterparts struggle to deliver the digital innovation, hamstrung by day-to-day operational challenges and associated budget pressures.

It’s not for lack of trying. Over the past decade, IT departments have been reducing operations and maintenance costs consistently. Most of these savings, however, have gone to fund other priorities, the biggest being security, which now accounts for 16 percent of the average IT budget, according to our most recent benchmarking study of technology trends. Taking into account other priorities, including compliance and system enhancements, mature businesses are left with only 13 percent of their budgets free for innovation.

With a strained budget, it then becomes critical for IT leaders to prioritize spending according to top-down strategic risks. Cybersecurity is one area ripe for such prioritization.

I see too many businesses look at cyber as a generic risk that must be avoided, without taking the time to clearly define the organization’s risk appetite and the adverse business outcomes that they are concerned about. As a result, many businesses end up focusing on the wrong things, reacting to technical vulnerabilities rather than focusing on the desired business outcomes. This, in turn, causes many security programmes to become a drain on resources, without delivering significant results in terms of risk reduction of the business outcomes that the business is most concerned about. Conversely, when IT leaders look at information security risks more holistically, focusing on strategies to manage adverse business outcomes rather than every technical weakness, they end up investing in very different things and adopting very different strategies.

In other words, IT leaders need to step back and ensure that they are getting the results they want from their cybersecurity investments. This means focusing on protecting what’s important (the “crown jewels”) rather than trying to achieve the impossible and completely locking down the entire perimeter; keeping up with the cyber threat landscape to know what kind of attacks are most likely to occur; and being proactive about incident response so that systems can be put back online with minimum impact to the business. Without this discipline, cybersecurity will continue to consume larger and larger portions of the IT budget. Innovation will suffer and the business may ultimately fail — not because a cyber threat is realized, but because the disproportional and unfocused spending on one operational risk has distracted the business from the more strategic risk of failing to mount a competitive response to new entrants and/or innovators.

10 Tips for Companies to Raise Cyber Awareness Among Employees

October is Cyber Security Awareness Month. Follow our blog for the latest from our experts on how to reduce your cybersecurity risk and related issues.

By Scott Laliberte, Managing Director
IT Consulting

Although much of the media attention surrounding cybersecurity tends to focus on hackers forcing their way into systems, research shows companies are almost twice as likely to suffer from a self-inflicted breach via email phishing, or other inadvertent employee-assisted action.

According to the latest data from ISACA, 74 percent of companies expect to fall victim to a cyberattack in 2016. A majority of those attacks (60 percent) are coming via email, with 30 percent of companies reporting daily occurrences.

Cyber criminals favor this and similar employee-assisted attack vectors because they provide access to secure networks through the front door, eliminating the need to hack in. Email security concerns and the importance of developing and following strict network security protocols have escalated to the point of becoming a point of contention in the current election cycle.

Here are ten ways companies can raise employee awareness of the threats, and the important role employees can play in protecting valuable and sensitive information.

  1. Beware of email links and downloads — This is true even if the sources appear to be known to the user. Cyber criminals are becoming adept at embedding malware and credential-stealing code in emails that appear to be coming from friends or colleagues. This practice, called phishing, is the most common source of employee-assisted breach, and has become so sophisticated that the fake emails often contain personal details designed to break down natural suspicions. We advise users to hover over links with their cursor to reveal hidden hyperlinks, or to type a specific URL into a web browser rather than relying on an email hyperlink.
  2. Don’t email sensitive information — This should be common sense, but it happens more often than you might think, often in connection with providing vendors with administrative access to accounts using another user’s credentials.
  3. Assume people are listening — Treat unencrypted email like a conversation in a crowded room. Even if the company doesn’t have good policies on it, employees need to use common sense. Sensitive information should only be transmitted via encrypted email or secure file transfer.
  4. Trust but verify — No one should ever ask you to share your password. A good practice when dealing with any sensitive information by telephone is to hang up and call back using a known telephone number. The same practice should be applied to hyperlinks in email or web pop-ups, which can be used either to collect sensitive information, or as a gateway for criminals into a secure network.
  5. One user, one password — Never share passwords; change them frequently and pick secure ones based on phrases, using a combination of upper- and lower-case letters, and substituting special characters for alphanumeric values. Example: Pa$sw0rd. Two-factor authentication (combining, say, token authentication or a biometric scan with a user password) is highly recommended and is becoming the standard for administrative access.
  6. Practice safe social media — Hackers are increasingly mining social media for personal details — from political party affiliations and hobbies, to travel plans and friends and family — that can be used to personalize harmful emails in order to get targets to click on them. A common tactic is for hackers to pose as a new contact following up on a conversation at a conference. This type of social engineering, also called “spear phishing,” has proven to be highly effective. Employees must be thoughtful about what they are posting and how that information could be used to target the organization. In a similar vein, network engineers should be cautioned against posting sensitive information such as IP addresses or configuration details to vendor support forums, the so-called “watering holes” where criminals have been known to lie in wait for unsuspecting prey.
  7. No unauthorized software — This is a common policy, but given the unpredictability of human behavior, many companies now routinely disable administrative access on company-issued workstations, phones and laptops. Given the trend toward remote access and “bring your own device” (BYOD), organizations need firewalls to segment secure systems from malware residing on user-owned devices. The use of USB sticks of unknown or uncertain origin should be prohibited.
  8. No access via shared public workstations — It is safe to assume that any unsecured public workstation — such as those at libraries or hotel business centers — has been compromised. Do not use these to log into corporate networks or sensitive sites such as your personal email or banking. Connecting to any unknown Wi-Fi networks, as well as inadvertently creating a personal hotspot with a mobile device connected to a corporate network, can provide a backdoor avenue into the company.
  9. Don’t mix business and pleasure — Company phones and laptops should only be used by the authorized user, and only for business purposes. Children playing on company-owned computers have been known to inadvertently infect computers with malware present in many free online entertainment applications.
  10. Don’t forward work email to a non-work account — This is a common mistake, but one that should be avoided. The practice of auto-forwarding email from work to a personal email account or cell phone puts sensitive information on a potentially unsecure system and could violate regulations on privacy and data security.
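Tip 1 tells users to hover over links to see where they really lead. As an added example (not part of the original post), the following Python script automates that check over an HTML email body: it flags anchors whose visible text names a different domain than the href, hrefs that point at a raw IP address, and hrefs outside the organisation's trusted domains. The sample message, the trusted-domain list and the two-label domain approximation are constructed assumptions for illustration.

```python
"""Link-mismatch check for HTML email bodies (added example, not from the post)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: two honest links and two that lie about their target.
SAMPLE_EMAIL = """
<p>Hi, please review the invoice at
<a href="https://portal.example.com/invoice/42">portal.example.com</a>.</p>
<p>Reset your password here:
<a href="http://198.51.100.7/login">https://accounts.example.com/reset</a></p>
<p>Or <a href="https://example.com.evil-host.test/x">click here</a> for support.</p>
<p><a href="https://www.example.com/help">help pages</a></p>
"""

# Visible link text that itself looks like a URL or bare hostname.
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last-two-labels approximation of the registrable domain.
    Assumption: no public-suffix list; adequate for example.com-style hosts."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_links(html: str, trusted_domains=("example.com",)):
    """Return one finding per suspicious anchor, each with the reasons it was flagged."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        # 1. Visible text looks like a URL but the href goes somewhere else.
        m = URL_LIKE.match(text)
        if m and registrable_domain(m.group(1)) != registrable_domain(host):
            reasons.append(f"text says {m.group(1)!r} but href host is {host!r}")
        # 2. A raw IP address as the host is a common phishing tell.
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            reasons.append("href host is a raw IP address")
        # 3. Host is outside the organisation's trusted domains.
        if registrable_domain(host) not in trusted_domains:
            reasons.append(f"href domain {registrable_domain(host)!r} is not trusted")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL):
        print(f"{f['text']!r} -> {f['href']}: {'; '.join(f['reasons'])}")
```

Run against the sample, the script reports the password-reset link (text names accounts.example.com, href is a raw IP) and the "click here" link (lookalike domain); the two honest links pass.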

Although these tips apply to all employees, I would note that executives are targeted at least as often as other employees, because of the greater access granted by their high-level security credentials. As with most policies and procedures, proper training, reinforced through repetition, is critical to success.

While we as security practitioners strive to design security controls to be seamless and not dependent on end users, we are still years away from not having to rely on the vigilance of the end user community. Each person needs to do their part to keep the organization safe. Finally, if you inadvertently fall victim to a cyber attack, immediately report it to the proper channels. Bad news does not get better with age, and prompt action can limit the damage from an attack.

PCI DSS 3.2 – What You Need to Know

By Jeff Sanchez, Managing Director, IT Security and Privacy

Scott Laliberte, Managing Director, IT Consulting

We’ve been getting a lot of inquiries from clients on the new payment card industry (PCI) compliance standard issued by the PCI Security Standards Council in April. The new data security standards (DSS) release, dubbed PCI DSS Version 3.2, contains some major changes from the previous version.

The changes are explained pretty clearly in our May 9 Flash Report, but we recently had the opportunity for a more interactive discussion and to answer questions via a webinar we held on August 18. In a future post, we will follow up with some of the questions we did not have a chance to address. Here, we’d like to focus on the upcoming changes.

Some of the upcoming changes may require a significant effort to achieve. This affects all entities transacting business by credit, debit or cash cards and could result in many organizations being out of compliance for an extended period of time.

The biggest changes affecting all organizations (effective Feb. 1, 2018) are as follows:

  • Multifactor authentication will be required for administrative access to any system within, or connected to, the cardholder data environment (CDE), even when connecting from within the corporate network. That means that, in addition to a password, anyone seeking to access the system must present some other form of identification, such as a fingerprint or optical scan. This requirement already applies to users, administrators and third parties accessing the system remotely. Note: Companies currently using multifactor authentication as a compensating control for technical noncompliance will no longer be able to list this as a compensating control after it becomes a requirement.
  • File integrity monitoring (FIM), or some kind of change-detection solution, will be required for all in-scope systems, which includes all systems connected to – not just those within – the CDE. Many organizations do not currently have FIM technology on point-of-sale terminals or administrative workstations.
  • Change management is an area of increasing concern for the Security Standards Council. PCI 3.2 requires organizations to carefully document all changes to in-scope systems, plus any controls that might be affected by each change, and prove that the controls have been tested post-implementation and that corrective action was taken, if needed, to restore an effective control environment.
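The file integrity monitoring bullet above asks for a change-detection control on every in-scope system. As an added example (not from the original post or from the PCI Security Standards Council), the following Python script shows the mechanics behind such a control: it hashes every regular file under a directory with SHA-256, stores the result as a JSON baseline, and on a later run reports files that were added, removed or modified. The directory layout, file contents and "pos-terminal" name are constructed in a temporary folder purely for illustration.

```python
"""Minimal file-integrity baseline and comparison (added example, not from the post)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its hash, mode bits and size."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "mode": oct(st.st_mode & 0o777),
                "size": st.st_size,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two baselines into added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "pos-terminal"          # constructed sample tree
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "app.conf").write_text("tls_min_version=1.2\n")
        (root / "bin").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"\x4d\x5a original binary")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated unauthorised changes made after the baseline was taken.
        (root / "etc" / "app.conf").write_text("tls_min_version=1.0\n")  # same size, new hash
        (root / "bin" / "pos.exe").unlink()                                # file removed
        (root / "bin" / "skimmer.dll").write_bytes(b"constructed sample")  # file added

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline would be stored off-host and signed, and the comparison run on a schedule or on file-system events, since a baseline an attacker can rewrite detects nothing.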

Service providers face even greater scrutiny under the new standards.

  • Security controls monitoring needs to be able to detect failures, and the provider must have supporting processes that document how to fix control failures, as well as processes for documentation, determining root causes and getting security systems back into operation.
  • Executive management responsibility is another hot-button issue. PCI 3.2 requires service providers to assign a member of executive management to be responsible for protecting the CDE. This executive will oversee testing and sign an attestation of compliance.
  • Operational reviews must be conducted quarterly. Service providers are required to perform quarterly reviews of operational processes, including, but not limited to, daily logs, firewall rules, configuration standards, security alerts and change management procedures.
  • Penetration testing on segmentation controls will have to be conducted at least every six months under PCI 3.2, versus annually in 3.1. The scope of penetration testing needs to be coordinated to ensure that the CDE remains secure, even in the event of a total administrative takeover of a segmented system.
  • Service providers are also now required to provide auditors with a documented description of cryptographic architecture used in the CDE. This must include all algorithms, protocols and keys used for the protection of cardholder data, including key strength and expiration date.

PCI version 3.2 is available for use now and becomes the only valid standard when version 3.1 is retired on Oct. 31, 2016. However, many of the new requirements in 3.2 do not become effective until Feb. 1, 2018. As we said in the webinar, we strongly recommend that organizations work with a Qualified Security Assessor now to ensure compliance and avoid unpleasant surprises under deadline pressure.

2015 IT Audit Benchmarking Survey: Key Takeaways

By David Brand
Managing Director, Leader of Protiviti’s IT Audit Practice

With the global proliferation of mobile devices and the Internet of Things connecting technologies and people like never before, IT audit leaders have an increasingly critical role to play. They need to work in collaboration with executive management, the board of directors, IT, HR, and numerous other departments to ensure their organizations identify, mitigate and monitor an escalating volume of IT risks that could cripple the enterprise if left unmanaged.

ISACA and Protiviti surveyed more than 1,200 chief audit executives (CAEs), IT audit vice presidents and directors in the third quarter of 2015 to determine where IT audit functions stand in their capabilities to address these key challenges. We published the results in the 5th Annual IT Audit Benchmarking Survey.

Notable takeaways include:

  • IT changes and IT security are top of mind – Respondents cited emerging technology, transformation, innovation, disruption and cybersecurity as their top technology challenges.
  • There are significant concerns about finding qualified resources and skills – Not only was this noted by respondents as one of today’s top IT challenges, but numerous results suggest that finding the right people with the right skills to do the job right remains a significant challenge.
  • Many IT audit reporting lines are still off the mark – Having the IT audit director report to the CAE or an equivalent role is ideal, yet many organizations still have other reporting lines in place, raising questions of objectivity and independence.
  • IT audit risk assessments are an absolute must – There is a small but meaningful number of companies that are not conducting any type of IT risk assessment. For these organizations, this represents a significant risk given the cybersecurity threat environment. Other organizations are adhering to best practices by conducting these risk assessments more frequently.
  • IT audit departments should get involved early in major IT projects – The good news: Half of all IT audit departments do. The survey found a moderate level of involvement in major technology projects among organizations, with many getting involved in the early planning and design stages. On the other hand, many have little to no involvement in such projects.
  • Effective communication is critical – A strong majority of IT audit leaders and professionals rate the ability to explain complex IT issues for a nontechnical audience as a critical part of their interpersonal skills.

With rapid change already the norm, and the future promising an even wilder ride, it is critical that organizations take the time now to establish a strong IT risk management and audit framework. When organizations do not know the risks they face, serious threats can go unaddressed and mushroom into major problems.

The 2015 survey is a fascinating study, and well worth your time. See results at a glance here and here. For a more in-depth discussion, listen to our recorded webinar, which I had the honor of hosting, along with Anthony Chalker, Internal Audit Managing Director at Protiviti, Nancy Cohen, Director of Privacy and Assurance Practices at ISACA, and Bob Kress, Managing Director of Global IT Audit at Accenture. I would be interested to read your reaction in the comment section below.