Responding to Cybersecurity Threats: What SMEs and Professional Accountants Need to Know
1. IFAC Webinar
July 14th, 2021
7:00 to 9:00 am EDT
Responding to Cybersecurity Threats: What SMEs and Professional Accountants Need to Know
2. Page 2
Session Objectives
• Understanding key global trends/risks in cybersecurity before the pandemic
• See how these trends/risks have been influenced by the pandemic
• Understand why this is relevant for you, especially if you’re not a large operation
• Become further aware of the unique challenges often faced by SMPs/SMEs trying to address the trends/risks
• Practical insights for SMPs/SMEs to respond to trends/risks and become more proactive
3. Page 3
Panelists
• Julia Seppä, Manager, Risk Advisory Cyber Practice, Deloitte Finland; Council member, ICAEW; part-time chief of staff, Deloitte Global Identity Leader
• Paul Taylor, FREng; Director, Morgan Stanley International; Chairman, Beyond Blue Limited; Associate Partner, KPMG in the UK
• Steve Ursillo, Partner, Risk and Advisory Services at Cherry Bekaert; AICPA Assurance Services Executive Committee (ASEC) Member and Chair of the Data Privacy ASEC Working Group
4. Page 4
Context for the Discussion
• Global humanitarian crisis
• Multiple dimensions of loss – some beyond measure
• Seismic change – every facet of how we think & operate
• Isolation, fear, hopelessness, physical and mental exhaustion – so many individual experiences
• While some countries continue to experience despair, some now see optimism and hope
• While being vigilant regarding cybersecurity risk, we must continue to remain compassionate and empathetic
5. Page 5
Pre-Pandemic Trends
Julia Seppä, Manager, Risk Advisory Cyber Practice, Deloitte Finland; Council member, ICAEW; part-time chief of staff, Deloitte Global Identity Leader.
• Data on the global state of cybersecurity in small and medium-sized businesses and global cyber security predictions and trends before the pandemic.
6. Page 6
2019 Global State of Cybersecurity in SMEs – Summary
[Chart: "Our company experienced a cyberattack and data breach in the past 12 months" – Yes responses, FY2017 to FY2019]
                 FY2017   FY2018   FY2019
Cyberattack      61%      67%      66%
Data breach      54%      58%      63%
• $1.2M – Damage & theft of IT assets & infrastructure
• $1.9M – Disruption to normal operations
Source: 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses, Ponemon Institute, October 2019
7. Page 7
2019 Global State of Cybersecurity in SMEs – Key Findings
• Phishing and web-based attacks are the top two cyberattacks
• The time to respond to a cyberattack has not improved or increased
• Cyber threats against SMEs are becoming more targeted
• Mobile devices and laptops are considered, by far, the most vulnerable endpoint to networks and enterprise systems
[Chart: Perceptions about cyberattacks against their companies – Strongly agree and Agree responses combined, FY2017 to FY2019, for three statements: "Cyberattacks are becoming more targeted"; "Cyberattacks experienced are becoming more severe in terms of negative consequences (such as financial impact)"; "Cyberattacks are becoming more sophisticated". Values shown range from 59% to 69%.]
Source: 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses, Ponemon Institute, October 2019
8. Page 8
2019 Global State of Cybersecurity in SMEs – Governance and Third-party
• SMEs continue to struggle with insufficient personnel and money
• More SMEs are engaging managed security services providers to support the IT security function
• The majority of SMEs consider third-party risk a serious threat to sensitive and confidential information
[Chart: The percentage of IT budget and personnel that support IT security operations, FY2017 to FY2019]
                                                               FY2017   FY2018   FY2019
Percentage of IT personnel that support IT security operations   36%      36%      37%
Percentage of IT budget dedicated to IT security activities      12%      12%      13%
Source: 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses, Ponemon Institute, October 2019
9. Page 9
Pre-Pandemic Cyber Security Predictions and Trends
1. Geopolitics as a driver of cyber activity
2. Fear of the cloud
3. Cybersecurity skills gap widening
4. Ransomware shifting toward targeted threats
5. Abuse of personal information: from deepfakes to DNA leaks
Sources: 2020 Predictions by Security Industry Companies – Trend Micro, FireEye, WatchGuard Technologies, Forcepoint, McAfee, Splunk, Kaspersky Labs, Sophos, Checkpoint, RSA Security, Beyond Trust, Experian, Gartner, Forrester, Forbes, Imperva, Bitdefender, Thycotic, Bitglass, CyberArk, Mobile Iron and others.
10. Page 10
Impact of the Pandemic
Paul Taylor, FREng; Director, Morgan Stanley International; Chairman, Beyond Blue Limited; Partner, KPMG in the UK
• COVID-19 and its legacy – cyber challenges and responses.
12. Page 12
COVID-19 Cyber Threat
• Masquerade as health organisation (e.g. WHO or CDC)
• Trojanised Coronavirus maps and resources
• Fake sites selling Coronavirus key supplies
• Masquerade as government providing tax and benefits advice
• Set up fake Coronavirus information sites and apps
• Fake charitable collections for health workers
• Ransomware
• CEO/BEC fraud
• Cryptocurrency frauds
• O365 credential theft
• Hospitals, pharma and vaccine labs targeted
• Remote working dramatically increases attack surface
13. Page 13
Securing the new reality…
• COVID-19 has become a core theme for scams
• We have a security debt to deal with
• Our working model has changed… perhaps forever
• A dash to cloud services and collaboration tools
• Supply chains remain fragile in the months ahead
• Cost pressures will build even on cyber security
• Resilience has been tested in ways we didn’t expect
• Lessons learnt along the way… the hard way
• But an unexpected community has been built
15. Page 15
Perennial challenges of managing cyber risk
• Fit for purpose IAM model which keeps pace with changing needs
• Supply chain risk and due diligence as complexity and inter-dependency increases
• Security is an afterthought; services go live without being “secure by design”
• Lack of business ownership of the issue and real understanding of risk appetite
• Predominantly flat networks and minimal segregation… and a stovepiped approach which treats cyber as special
18. Page 18
8 key cyber considerations for a new reality
Addressing the security deficit: Over the next few months, businesses adjusting to the new reality have to start re-examining their technology environment and re-establishing control.
Digital trust and consumer authentication: New expectations around functionality and convenience are emerging, with trust as a key component of loyalty. Whoever reigns supreme in terms of the digital customer experience is likely to enjoy the greatest market share.
The evolving security team: Continuing need to elevate the importance of cyber security at board level. The biggest challenge is for security professionals to translate their knowledge into an actionable appreciation of what it actually means to the business.
Aligning business with security: Automate a big portion of cyber functionality by putting digitized cyber risk management processes in place that ladder up to the top-line operational and business strategies.
The next wave of regulation: Cyber-based regulation is moving toward a more holistic approach, focusing on business priorities and responsibilities, and board-driven corporate governance functions. The focus now is on management within the first line of defense.
Automating the security function: The shift to the automation of security functions has accelerated. There is a greater need for better organized and more efficiently accessible data that can be extracted and analyzed for various value-added purposes.
Challenging assumptions around resilience: Reimagine an approach to understanding, planning and executing resilience efforts, encompassing security teams, the business, and the broader operating ecosystem.
Cloud transformation: The CISO and security team must develop processes and tooling that are vital to, and aligned with, the business drivers and technology needed to support desired business outcomes from the outset.
20. Page 20
Board challenges around cyber
• Governance and 3LoD
• Operational Resilience
• Crisis Management
• Experience
• Independent Advice
• Challenge & Oversight
• Cyber as a Business Risk
• Leadership
• Third Parties & Intra-Group
• Management Information
21. Page 21
Questions for the Board
Board level awareness of emerging cyber threats, direct involvement in determining the response and the ability to challenge information security teams is critical.
Questions for Senior Management and the Board:
• What are our key information assets?
• Do we fully understand our vulnerabilities?
• Have we got the right controls in place across the business?
• Have we matched our controls to the business risk appetite?
• Do any of our supply chain partners put us at risk?
• Is the security culture right?
• Are we able to anticipate and respond to the threat and deal with a major incident?
• Who is leading on cyber security issues?
• What are we really trying to protect and why?
• Who are you defending against and what’s their business model?
• Have you embedded security into your business and at what cost?
• How do you know your approach is effective and good enough?
• If it goes wrong can we deal with the consequences?
• Will we be more or less secure in the future?
23. Page 23
Relevance and Challenges for SMPs/SMEs
Steve Ursillo, Partner, Risk and Advisory Services at Cherry Bekaert; AICPA Assurance Services Executive Committee (ASEC) Member and Chair of the Data Privacy ASEC Working Group.
• Cybersecurity risk management has many dynamic considerations, and SMPs/SMEs are under constant pressure to keep evolving in order to deliver the best value in their services. Further discussion on how to focus and manage a sustainable personal development program to continue adding value as a cyber SMP/SME.
24. Page 24
Practical Insights to Respond to Threats
1. Using passwords to protect your data (e.g., how to cope with password overload, default passwords) and MFA (multi-factor authentication).
2. Our working model has changed – perhaps forever.
3. Managing supply chain risk through third-party risk management assurance initiatives.
4. Training and awareness actions (what needs to be included in a cyber security training plan for your staff).
5. We have a security debt to deal with.
6. The importance of an assumed breach culture.
25. Page 25
Moderated Audience Q&A
– Lisa Padmore (Moderator)
– Julia Seppä
– Paul Taylor
– Steve Ursillo
26. Page 26
Resources for Attendees
• By the end of the week, IFAC will make available:
– A recording of the event (IFAC’s website and IFAC’s YouTube channel)
– Slide decks used by our speakers (IFAC’s website)
– “Resources” slide at the end of this slide pack (IFAC’s website)
• We will also post a summary of key takeaways on IFAC’s Knowledge Gateway.
27. Page 27
Resources for Attendees
• IFAC – Guide to Practice Management for Small- and Medium-Sized Practices – Module 5 (from page 288)
• IFAC Technology Matrix
• IFAC Knowledge Gateway
• IFAC – Cybersecurity Is Critical for all Organizations – Large and Small
• Beyond Blue – What We Think
• ICAEW – Practical Help for SMEs on Cybersecurity
• Ponemon Institute – 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses
• ICAEW – Cybersecurity Isn’t Just an IT Issue
• Deloitte Finland – Is All Trust Gone?
Continued on next page
28. Page 28
Resources for Attendees (Cont’d)
• UK National Cyber Security Centre – Small Business Guide: Cyber Security
• UK National Cyber Security Centre – Password Administration for System Owners
• David Sanger – The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age
• Mary Aiken – The Cyber Effect: A Pioneering Cyberpsychologist Explains How Human Behavior Changes Online
• Podcasts
– Security Weekly
– Down the Security Rabbithole
– Security Now
– Cyber Security Café
• Webinars held by the Information Security Forum (ISF)
• Thought leaders
– Dan Lohrmann
– Matt Devost