Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

cybercrime

11 Cyber Security Questions Every Small Business Should Ask

100 Percent of Retailers Disclose Cyber Risks

According to BDO’s analysis of risk factors listed in the most recent 10-K filings of the 100 largest U.S. retailers, risk associated with a possible security breach was cited unanimously by retailers, claiming the top spot, up from the 18th spot in 2007.

Since major retail security breaches began making national headlines in 2013, retailers have become acutely aware of the growing cyber threat and cyber-related risks. Between new point-of-sale systems and evolving digital channels, the industry faces unique vulnerabilities: Retailers are responsible for safeguarding consumer data as well as their own, in addition to protecting against potential gaps in security related to third-party suppliers and vendors.

2016 marks the 10th anniversary of our retail risk factor analysis, and throughout the decade, we’ve seen the retail landscape undergo a dramatic evolution in response to the recession, new and maturing e-commerce channels and evolving consumer preferences,” said Doug Hart, partner in BDO’s Consumer Business practice. “Retailers over the years have proven to be in tune with the industry-wide issues and trends that could pose risks to their businesses, and they are clearly not tone deaf when it comes to reacting to the urgency of cybersecurity

The following chart ranks the top 25 risk factors cited by the 100 largest U.S. retailers:

Top 20 Risks for Retailers 2016 2015 2014
General Economic Conditions #1 100% #1 100% #1 100%
Privacy Concerns Related to Security Breach #1t 100% #4t 99% #8 91%
Competition and Consolidation in Retail Sector #3 98% #1t 100% #3 98%
Federal, State and/or Local Regulations #4 96% #1t 100% #2 99%
Natural Disasters, Terrorism and Geo-Political Events #5 94% #7 96% #13 87%
Implementation and Maintenance of IT Systems #6 93% #4 99% #7 92%
U.S. and Foreign Supplier/Vendor Concerns #6t 93% #6 98% #4 96%
Legal Proceedings #6t 93% #9t 95% #8t 91%
Labor (health coverage, union concerns, staffing) #9 91% #7t 96% #5 94%
Impediments to Further U.S. Expansion and Growth #10 90% #12t 92% #17 78%
Dependency on Consumer Trends #11 88% #9 95% #6 93%
Consumer Confidence and Spending #12 87% #15 89% #8t 91%
Credit Markets/Availability of Financing and Company Indebtedness #13 85% #11 94% #11 89%
Failure to Properly Execute Business Strategy #14 82% #12 92% #11t 89%
Changes to Accounting Standards and Regulations #15 76% #14 90% #13t 87%
International Operations #16 73% #17 86% #15 80%
Loss of Key Management/New Management #16t 73% #19 80% #16 79%
Marketing, Advertising, Promotions and Public Relations #18 66% #25 68% #24 64%
Consumer Credit and/or Debt Levels #19 62% #27 65% #23 65%
Joint Ventures #20 61% #21 76% #18 74%

Additional findings from the 2016 BDO Retail Risk Factor Report:

Cyber Risks Include Compliance Measures

As the cyber threat looms larger, retailers are bracing for new and emerging cybersecurity and data privacy legislation. Risks associated with cyber and privacy regulations were cited by 76 percent of retailers this year. This is in line with the findings from the 2016 BDO Retail Compass Survey of CFOs, in which nearly 7 in 10 retail CFOs said they expected cyber regulation to grow in 2016. These concerns have been highlighted by President Obama’s recently unveiled Commission on Enhancing National Cybersecurity and continued debate in Congress over information sharing between the government and private industry.

Retailers have not escaped regulatory scrutiny. The industry is also subject to Europay, Mastercard and Visa (EMV) standards that bolster credit card authentication and authorization. Industry analysts estimate that just 40 percent of retailers are compliant with EMV standards despite the Oct. 1, 2015 deadline.

“Mandating EMV chip-compliant payment systems is an important first step in shoring up the industry’s cyber defenses, but it’s just the tip of the iceberg,” said Shahryar Shaghaghi, National Leader of the Technology Advisory Services practice group and Head of International BDO Cybersecurity. “Online and mobile transactions remain vulnerable to credit card fraud and identity theft, and POS systems can still be hacked and provide an access point to retailers’ networks. New forms of malware can also compromise retailers’ IT infrastructure and disrupt business operations. Every retailer will experience a data breach at some juncture; the real question is what mechanisms have been put in place to mitigate the impact.”

E-Commerce Ubiquity Drives Brick & Mortar Concerns

Impediments to e-commerce initiatives also increased in ranking, noted by 57 percent of retailers in 2016, a significant contrast from 12 percent in 2007. In 2015, e-commerce accounted for 7.3 percent of total retail sales and is continuing to gain market share.

As e-commerce grows and businesses strive to meet consumers’ demand for seamless online and mobile experiences, retailers are feeling the effects in their physical locations. The recent wave of Chapter 11 bankruptcies and mass store closings among high-visibility retailers has raised concerns across the industry. Ninety percent of retailers are worried about impediments to growth and U.S. expansion this year. Meanwhile, risks associated with owning and leasing real estate jumped 14 percentage points to 54 percent this year.

Heightened worries over the impact of e-commerce on physical locations are far reaching, driving concerns over market competition for prime real estate and mall traffic to rise 19 percentage points to 46 percent. Meanwhile, consumer demand for fast shipping fueled an uptick in risks around the increased cost of mail, paper and printing, rising 10 percentage points from seven percent in 2015 to 17 percent this year.

General Economic Conditions Hold Weight

General economic risks have been consistently top of mind for retailers throughout all ten years of this survey. Even at its lowest percentage in 2008, this risk was still the second most cited, noted by 83 percent of companies.

Despite the fact that since 2013, general economic conditions have remained tied for the top risk, concerns about specific market indicators have receded.

For more information on the 2016 BDO Retail RiskFactor Report, view the full report here.

About the Consumer Business Practice at BDO USA, LLP

BDO has been a valued business advisor to consumer business companies for over 100 years. The firm works with a wide variety of retail and consumer business clients, ranging from multinational Fortune 500 corporations to more entrepreneurial businesses, on myriad accounting, tax and other financial issues.

In cloud environments, 75% of the security risk can be attributed to just 1% of users

Cybercriminals continue to focus their efforts on what is widely considered to be the weakest link in the security chain: the user. Consequently, developing a comprehensive understanding of user behavior and the implications thereof becomes paramount to corporate security strategy.

In analysing user behavior across 10 million users, 1 billion files, and over 91,000 cloud applications, CloudLock surfaced surprising trends.

In this report, Cloudlock examine cloud cybersecurity trends across three primary dimensions: users, collaboration, and applications. The Pareto Principle, the “80/20” rule, holds true across all three dimensions, revealing a truth with surprising implications for security professionals.

Key Findings

Users: 1% of users create 75% of cloud cybersecurity risk, signalling abnormal user behavior whether unintentional or malicious.

  • Collaboration: While organizations on average collaborate with 865 external parties, just 25 of these account for 75% of cloud-based sharing per organization. Unexpectedly, 70% of sharing occurs with non-corporate email addresses security teams have little control over.
  • Apps: 1% of users represent 62% of all app installs in the cloud – a high concentration. Without security awareness, this small user base introduces a high volume of risk. Additionally, 52,000 installs of applications are conducted by highly privileged users – a number that should be zero given privileged accounts are highly coveted by malicious cybercriminals.

4 Actionable Takeaways for a more secure cloud environment

The findings of this report show disproportionate cloud cybersecurity risk across users, collaboration, and applications. Consider the four following risk remediation strategies.

1. Focus on the User Behavior

Focusing on the riskiest subset of users, security professionals can efficiently and dramatically reduce risk. Any abnormal behavior by data-dense and risky users should be prioritized providing the security team with valuable direction on what truly requires attention and resolution immediately.

2. Focus Security on Organizations You Collaborate With Most

Given that, on average, 75% of inter-organizational sharing is with 25 external organizations, focus on the frequent collaborative organizations to eliminate the bulk of risk, then address the long tail of remaining organizations.

3. Take Application Security beyond Discovery

Discovering third-party applications that reside on the network is only the tip of the iceberg. Elevate your security game beyond app discovery through enforcement capabilities, policy-driven app control, and end-user education. If users are blocked, they will find a way around.

4. Correlate Insights Across Cloud Environments

With multi-cloud intelligence, security teams can correlate security events across platforms, preventing cybercriminal exploits from slipping through the cracks. Consider an individual logging into Salesforce in San Francisco and ServiceNow in Kuala Lumpur using the same credentials simultaneously, indicating account compromise. Avoid point security solutions in favor of platforms offering multi-cloud insights across not only SaaS applications, but also laaS, PaaS, and IDaaS environments.

Data Breaches: Are You Prepared?

Data privacy and security continues to be a growing concern for many organizations. With cyber attacks increasing each year, businesses must be mindful of how data breaches occur in order to prevent the exposure of confidential information. Recognizing vulnerabilities in data security efforts can help minimize the effects a cyber attack may have on an organization.

Thomson Reuters data-breaches

Original produced here by Thomson Reuters.

Cyber Security a Major Threat for Metals Industry: Top Three Lessons for Executives

According to a report commissioned by the Metals Service Center Institute (MSCI), cyber security poses complicated threats for metals companies.

The report was compiled by graduate students at the Boeing Center for Technology, Information & Management (BCTIM) at the Olin School of Business at Washington University in St. Louis.

Other research has shown that cybercrimes are growing more common, more costly, and taking longer to resolve. According to the findings of the fifth annual Cost of Cyber Crime Study conducted by the respected Ponemon Institute the 2014 global study of U.S.-based companies found:

  • The average cost of cybercrime climbed by more than 9% to $12.7 million for companies in the United States, up from 11.6 million in the 2013 study
  • The average time to resolve a cyber-attack is also rising, climbing to 45 days, up from 32 days in 2013

With data breaches happening frequently, our members and all companies must be concerned about the safety of their data and honestly ask themselves if they are as well protected as they think they are,” said M. Robert Weidner, III, MSCI president and CEO. “The potential damage to the company is compounded by how long it would take to be up and running again and at what cost and the cost of lost revenue

These concerns and questions prompted MSCI to ask BCTIM to research the cyber security threat, specifically as it relates to the metals industry.

From the report, three key lessons for executives concerned or dealing with cyber security emerged:

  1. Cyber security efforts require C-suite support. Executives must be directly involved in the management of their company’s cyber risk, creating and implementing the processes and policies necessary. Little happens in this arena without the top executive pushing for and supporting change.
  2. The biggest risk to any size company is internal. Employees have access to critical information. That fact, coupled with a lack of proper cyber security policies, procedures and processes leads to vulnerabilities. An example: Most employees are not trained to detect email and phishing scams (the U.S. Steel and Alcoa breaches a few years ago were prompted by phishing scams).
  3. If a company is unsure about reducing their cyber security risk, the policies and procedures necessary and the next steps to take, they should get help from a specialized third part with the necessary expertise.

.

The insurance implications of a cyber attack on the US power grid

The threat of cyber attack reaches every part of modern society, and insurance could have an important role to play in helping organisations to manage their cyber risk exposure.

However, there is a significant level of uncertainty attached to the impact of severe events. Lloyd’s of London has published a research report that aims to contribute to the knowledge base required to develop the next generation of insurance solutions for the digital age.

The research estimates the economic and insurance impacts of a severe, yet plausible, cyber attack against the US power grid. While the analysis focuses on the USA, we believe that it provides a framework for thinking about severe cyber attacks anywhere in the world. The key findings of the report are:

  • The attackers are able to inflict physical damage on 50 generators which supply power to the electrical grid in the Northeastern USA, including New York City and Washington DC.
  • While the attack is relatively limited in scope (nearly 700 generators supply electricity across the region) it triggers a wider blackout which leaves 93 million people without power.
  • The total impact to the US economy is estimated at $243bn, rising to more than $1trn in the most extreme version of the scenario.
  • Insurance claims arise in over 30 lines of insurance. The total insured losses are estimated at $21.4bn, rising to $71.1bn in the most extreme version of the scenario.
  • A key requirement for an insurance response to cyber risks will be to enhance the quality of data available and to continue the development of probabilistic modelling.
  • The sharing of cyber attack data is a complex issue, but it could be an important element for enabling the insurance solutions required for this key emerging risk.

The report can be found here.

The majority Of Risk Professionals Without Coverage Are Considering Purchasing Cyber Insurance

RIMS, the risk management society ™ has conducted its first Cyber Survey 2015 to explore strategies implemented by risk professionals including insurance investments, exposures, cyber security ownership, government involvement, as well as identification methods and response procedures.

Responses came in from 284 of RIMS U.S. professional members in various industries, with 58% of respondents coming from organizations that produce more than $1 billion in annual revenue.

RIMS said it conducted the survey, in part, to identify methods and response procedures used by its members. As well, the organization wanted uncover strategies in place addressing areas such as insurance investments, exposures, cyber security in order to uncover strategies used by its members against cyber threats, including insurance investments, exposures, cyber security ownership and government involvement.

RIMS President Rick Roberts said that the new information is intended to give “the global risk management community valuable insight, showing how organizations are trying to stay ahead of this top concern”

Key survey findings:

  • 77% of risk management professionals credit enterprise risk management with helping them spot cyber risks at their companies.
  • The top three first party exposures reported are:
    1. 79% reputational harm
    2. 78% business interruption
    3. 73% data breach response and notification
  • 51% said their companies or organizations purchase standalone cyber insurance policies.
  • 58 percent of those with cyber insurance policies carry under $20 million in cyber coverage, and just under half of those said they pay more than $100,000 in premium.
  • 74% of respondents who said their companies lack cyber coverage are considering getting it within the next 12-24 months.

Cyber insurance is a major growth area for commercial insurers

The Insurance Information Institute (I.I.I.) conducted it’s 19th annual Property/Casualty Insurance survey and found Cyber-Crime is exposing businesses, both in the U.S. and abroad to greater levels of liability than ever before, which is why the market is far from saturated.

The survey’s key findings are below:-

  • 80% of executives said they see Cyber insurance as a major growth area for commercial insurers
  • 78% expect industry capacity (as measured by policyholder surplus) to increase in 2015
  • 72% believe the federal government is interested in further expanding its regulatory oversight of insurers
  • 56% believe the economy will accelerate; 6% believe it will decelerate and 38% believe it will remain about the same
  • 92% believe that M&A activity among insurers/reinsurers increase in 2015? For example the XL Group’s acquisition of Catlin for $4.2billion

The U.S. economy appears to be picking up steam, which translates into more economic activity and the addition of capacity. This means more businesses and people will need more insurance, implying further increases in insurance premium volume,” said Dr. Steven Weisbart, senior vice president and chief economist with the I.I.I. “Moreover, business bankruptcies in 2014 dropped below their lowest level in the last two decades, so the erosion of commercial accounts will continue to ease. As the economy inches closer to full employment, we may begin to see wage increases that outpace inflation for the first time in nearly a decade, primarily affecting the workers compensation line. Further, the low-interest rate climate, which has lasted longer than virtually everyone thought likely, is expected to begin a return to normality sometime in the second half of 2015. Absent devastating natural catastrophes, 2015 could be another profitable year for insurers

The sponsoring organizations of the Forum represent a broad range of insurance interests and audiences and include: ACORD, American Insurance Association, the Association of Bermuda Insurers and Reinsurers, The Geneva Association, Insurance Institute for Business & Home Safety, Insurance Information Institute, Insurance Institute for Highway Safety, International Insurance Society, National Association of Mutual Insurance Companies, National Council on Compensation Insurance, National Insurance Crime Bureau, Property Casualty Insurers Association of America, Property & Liability Resource Bureau, Reinsurance Association of America, The Institutes and Verisk Analytics.

Find the original article here.

Reducing Cyber Risk; Marine transportation system Cybersecurity standards, liability protection and Cyber Insurance

An article in the Coast Guard Journal of Safety & Security at Sea written by David Dickman, Diz Locaria and Jason Wool Container shipcontains a very interesting article “Reducing Cyber Risk; Marine transportation system cybersecurity standards, liability protection, and cyber insurance”.

An excerpt:

Within our nation’s marine transportation system (MTS), computers, information networks, and telecommunications systems support fundamental port and maritime operations.

While this technology provides great benefits, it also introduces vulnerabilities.

In several recent incidents, bad actors exploited cyber weaknesses within MTS elements with significant repercussions.

Some examples include:

  • Somali pirates have exploited online navigational data to choose which vessel to target for hijack
  • hackers incapacitated a floating oil rig by tilting it and forcing it to shut down
  • malware caused another drilling rig to shut down for 19 days, after bringing systems to a standstill
  • hackers infiltrated computers connected to the Port of Antwerp, located specific containers, made off with
    smuggled drugs, and deleted the records.

The full article can be found in the journal by clicking here.

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: