© 2018 Credit Union National Association. All rights reserved.
Cyber Security and the C-Suite
Carlos J. Molina, CRM, CFE, CUCE, CU-ERM
Senior Consultant | Risk & Compliance Solutions
800.637.2676 Ext. 665.5096 | (C) 201.321.3870 | (F) 608.218.2108
Emerging or Established…
In 2017: 1,579 total breaches, up 44.7 percent over 2016 breaches.
Massive breach: 148 million consumers.
Records compromised: more than 4 billion data records, exceeding the combined total for the previous two years.
Sources: Identity Theft Resource Center; 2017 Cost of Cyber Crime Study, Accenture and the Ponemon Institute
“only 42% believe their company is extremely or very effective at managing cybersecurity”
Deloitte Global Risk Management Survey, 2017
What’s in store for today…
Cyber Landscape | C-Suite Cyber Strategy | What’s on the Radar
Cyber Threat Landscape
Cybersecurity snapshot
Verizon Data Breach Investigations Report, 2017
75% of breaches involved outsiders
62% of breaches featured hacking
51% of breaches included malware
66% of malware was installed via malicious email attachment
81% leveraged stolen and/or weak passwords
Build your defenses wisely.
Understanding attackers is critical to knowing how to defend your organization.
Ransomware
Mimics the age-old crime of kidnapping: malware hidden in innocuous emails, unbreakable encryption, and anonymous ransom payment.
Offers cyber-criminals a fast, low-risk, and easily monetizable crime, especially with Bitcoin for payment.
Penetration
• Remote Code Execution
• Privilege Escalation
• Lateral Movement
Deployment
• Unpacking
• Environment Preparation
• Payload Execution
Crypto
• Encrypt Documents
• Delete Known Local Backup Files
• Display Ransom notes
Ransom as a Service (RaaS)
• Big business on the dark web - more money made by selling
• Buyers use kits to create ransomware and distribute on their own
• Average ransom demand dropped to $522 in 2017, less than half the 2016 average
• The number of ransomware variants increased by 46 percent
Cryptojacking
Risks
• Unauthorized use of a computer system or mobile device to mine cryptocurrency through crypto-mining malware
• Targets the organization’s CPU processing power rather than its data
• Potential damages include business interruption, slower processing time, and replacing infected hardware
Mitigation Tips
• Incorporate into existing security awareness and anti-phishing training protocols
• Install an ad-blocking or anti-cryptomining extension on web browsers
• Keep web filtering tools up to date; web pages that deliver cryptojacking scripts should be blocked
• Train staff to recognize the signs of cryptojacking. The first indication may be slow computer performance
• Deploy a network perimeter monitoring solution that reviews all web traffic
DDoS Attacks
• Any attack intended to compromise the availability of networks and systems
• Includes both network and application attacks designed to overwhelm systems, resulting in poor performance and interruption of service
• Variations:
  • Telephone Denial of Service (TDoS), made possible with Voice over Internet Protocol (VoIP) calling systems
  • PDoS, a.k.a. "phlashing", often damages its target to such an extent that replacement or reinstallation of hardware is usually required
ATM Jackpotting (a.k.a. ATM Cash-Out)
• Use of malware to cause ATMs to dispense cash until empty
• Attacks can be conducted physically or remotely via the credit union network
• In remote attacks, phishing emails are typically used
• ATMs with outdated operating software are more vulnerable
Mitigation Tips
• Encrypt ATM hard drive
• Replace ATM factory key / Alarm top hats
• Ensure operating software is supported and security patches installed
• Perform daily ATM inspections
Mobile apps
75% of the mobile apps scanned have a critical vulnerability and that vulnerability could be an easy way for malware to be attached to that app.
McAfee Labs 2017 Threats Predictions
Mobile Application Malware
Number of new mobile malware variants: 17K in 2016, 27K in 2017 (54% increase)
Source: http://images.mktgassets.symantec.com/Web/Symantec/%7B3a70beb8-c55d-4516-98ed-1d0818a42661%7D_ISTR23_Main-FINAL-APR10.pdf?aid=elq_
Mobile Device Management
• Regulatory Compliance
• Supports BYOD
• Remote Management of Users/Devices
• Controlled Device Updates
• Application/Download Controls
• Security Policy Enforcement
• Automated Device Registration
• Data Backup & Restore of Org Data
There’s a lot at stake
As passwords continue to be hacked, and attackers circumvent physical biometrics, multi-factor authentication is more important than ever before.
Security needs to be a cultural pillar that is promoted, practiced, and valued from the top down.
Cyber Strategy
Cyber Security Strategic Planning
1. Increased Accountability
2. Awareness & Communication
3. Talent Identification
4. Readiness
Understanding threat landscape to establish strategy
The executive needs to understand threat actors and their capabilities.
• What data does your organization have that threat actors might target, and for what purpose?
• How has the industry been targeted by cyber threat actors in the past? What was the impact?
• How does your organization gain insight into the landscape?
• How well do you understand your “Plan B”?
Executive Responsibilities
• Cyber Literacy: Understand cyber-language and terminology
• Risk Appetite: Be aware of the implications of a breach
• Threat Intelligence: Seek relevant information about threats
• Legislation and Regulation: Understand compliance and regulatory requirements
Different ways of describing and thinking about risks
CISO: Risks to security infrastructure (cyber problem)
“They aren’t making patches for these legacy servers, so we can’t update firmware which leaves us open to attack.”
Translation
CEO: Risks to the organization (org problem)
“Legacy servers are where the accounting system lives, and if that goes down we’ll lose all of our financial data.”
The Accountability Gap
Public scrutiny of business leaders is at an all-time high.
Technology used to protect has failed to keep pace with the speed and agility of threats – creating billions of dollars of damage annually.
2 out of 5 C-Suite execs admit they don’t feel responsible for cyberattack repercussions.
Source: The Accountability Gap: Cybersecurity & Building a Culture of Responsibility, Tanium / Nasdaq, 2016
Why the increased accountability?
• Corporate governance isn’t the typical place people begin when speaking about cybersecurity
• A lack of awareness and readiness defines the threat around cybersecurity
• If an organization lacks confidence in its operational controls, but boards and executives don’t understand enough to assess and oversee the risk, who is actually accountable?
✓ 91% of board members say they can’t interpret a cybersecurity report
✓ 98% of the executives are not confident in their organization's ability to track all devices and users on the system at all times
✓ 87% of board members and executives don’t consider their malware, antivirus, software and patches to be 100% up-to-date at all times
✓ Only 10% of the respondents agree that they were regularly updated with information about the types of threats to cybersecurity that are pertinent to their business
https://www.tanium.com/resources/accountability-gap-cybersecurity-building-culture-responsibility/
Establish cyber committee with regular report outs
• Meeting should be led by C-suite
• Be clear on how you like to consume information
• Request sources, industry publications, and takeaway sheets (cyber crib notes)
• Do not focus on the tech; focus on the threat and the process
• Review benchmarking opportunities
• Report outs should be short and to the point
• High level strategy, not tactical application
Talent Development
The Job Market
• More than 209,000 cybersecurity jobs in the U.S. are unfilled
• Cyber job postings are up 74% over the past five years
• Demand for information security talent is expected to grow by 53% in 2018
Source: http://peninsulapress.com/2015/03/31/cybersecurity-jobs-growth/ (a project of the Stanford University Journalism Program)
Fixing the cybersecurity talent shortage
• Workforce Strategy: Know the needed skills / experience; adjust hiring efforts
• Engagement & Outreach: Get involved in community colleges & tech programs
• Local cyber ecosystem: Connect with groups and events. Consider a mentor program.
• Robust Support Program: Rotational assignments, shadowing, project engagement
• Continuous Learning: Keep talent and skill sets current through classes & certifications
Source: Harvard Business Review, Cybersecurity Has a Serious Talent Shortage. Here’s How to Fix It., 2017
Consider the “New Collar” approach
• Prioritize skills, knowledge, and willingness to learn
• Understand that the characteristics of a successful cybersecurity professional are not always gained in a classroom:
  • Unbridled curiosity
  • Passion for problem solving
  • Strong ethics
  • Understanding of business risks
Shifting Strategies for Cloud Security
• Growing maturity of the cloud ecosystem
• Becoming a more desirable target for cyber-criminals
• Shared cloud services can be more cost effective but may be less secure and/or unstable due to the increased demands
• Increased desire for IT professionals with experience managing cloud security models
Key Points
Cybersecurity Needs to get Operational
Cybersecurity is no longer just a technical responsibility – it should be an operational responsibility as well.
Shorter Lines of Communication
IT staff should have opportunities to communicate with BODs.
Be Resilient
Be resilient in the way you prepare, the way you implement and the way you monitor.
Protect the Crown Jewels
Identify, map and protect your most critical assets.
Additional Discussion Items
1. Zero Trust Security
2. Deception Technologies
3. CARTA Framework
4. Advanced Artificial Intelligence
GDPR (General Data Protection Regulation)
• Regulates the processing of personal data for subjects in the EU
• If your credit union is processing the personal data of someone in the EU, it is likely that GDPR applies
• If not… GDPR may still apply
• What does GDPR require us to do differently?
  – 72 hour notification requirement
  – Data Protection Officer: triggers include collecting genetic data, race, ethnic origin, biometric data, political opinions, religious beliefs
  – Honor a right to be forgotten
Q & A
How can a credit union located in the U.S. and without a physical presence in the EU be fined for non-compliance with GDPR?
GDPR cites “public international law” as the means for imposing penalties on entities that don’t have a physical presence in the EU. EU Regulation 2016/679, Ch. 1, Art. 3(3). However, it is uncertain whether this EU law applies and if penalties can be assessed in the United States. Until this is litigated in the courts, it will remain unclear.
Q & A
What are the penalties for non-compliance?
There are two tiers of fines based on the severity of non-compliance. The first tier is 2.00% of annual revenue or €10 million, whichever is greater. The second tier, for more severe non-compliance, is up to 4.00% of annual revenue or €20 million, whichever is greater.
Q & A
Is my Credit Union at Risk?
It is clear that GDPR poses a risk to credit unions. Unfortunately, determining exactly how much of a risk it poses may be difficult until enforcement actions are issued and litigated. If you’re uncertain about whether GDPR applies to your credit union, don’t make that determination until you’ve consulted with your attorney. For those subject to GDPR, it is essential to continually assess how your credit union protects your members’ data.
Questions?
Emerging risks
• Understand key drivers of success
• Continually assess risk oversight and needs
• Define roles of all employees & BOD involved
• Consider if your risk & compliance efforts, including people & processes, are appropriate and have sufficient resources
• Know what’s around the next corner
• Assess the risk in your strategy and culture
• Encourage risk dialogue and challenge assumptions
• Make strategic decisions with the future in mind
CUNA Mutual Group Proprietary | Reproduction, Adaptation or Distribution Prohibited | © 2016 CUNA Mutual Group, All Rights Reserved.
JOIN US AUG 16 / 2018
REGISTER TODAY at cunamutual.com/discovery
www.cunamutual.com
This presentation was created by the CUNA Mutual Group based on our experience in the credit union and insurance market. It
is intended to be used only as a guide, not as legal advice. Any examples provided have been simplified to give you an overview
of the importance of selecting appropriate coverage limits, insuring-to-value and implementing loss prevention techniques. No
coverage is provided by this presentation/ publication, nor does it replace any provisions of any insurance policy or bond.
CUNA Mutual Group is the marketing name for CUNA Mutual Holding Company, a mutual insurance holding company, its
subsidiaries and affiliates. Insurance products offered to financial institutions and their affiliates are underwritten by CUMIS
Insurance Society, Inc. or CUMIS Specialty Insurance Company, members of the CUNA Mutual Group. Some coverages may
not be available in all states. If a coverage is not available from one of our member companies, CUNA Mutual Insurance Agency,
Inc., our insurance producer affiliate, may assist us in placing coverage with other insurance carriers in order to serve our
customers’ needs. For example, the Workers’ Compensation Policy is underwritten by non-affiliated admitted carriers. CUMIS
Specialty Insurance Company, our excess and surplus lines carrier, underwrites coverages that are not available in the admitted
market. Data breach services are offered by Kroll, a member of the Altegrity family of businesses. Cyber liability may be
underwritten by Beazley Insurance Group.
This summary is not a contract and no coverage is provided by this publication, nor does it replace any provisions of any
insurance policy or bond. Please read the actual policy for specific coverage, terms, conditions, and exclusions.
012018 © CUNA Mutual Group 2018 All Rights Reserved.