Secrets to managing your Duty of Care in an ever-changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for cybersecurity attacks sits with Executives and Board members who may not have the right level of technical security knowledge. This session will outline the practical steps executives can take to implement a Cybersecurity Roadmap that is aligned with the organisation's strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission-critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
Agenda
1. Cyber Security, the landscape
2. Client problems
3. Fiduciary Responsibility
4. Personal Liability
5. Cybersecurity Executive Dashboard
6. Vicarious Liability
7. Case Studies
8. What needs can we address?
Cyber Security, the landscape
Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorised access. In a computing context, security includes both cybersecurity and physical security.
Cyber Security, the landscape: 5 quick facts on cyber crime
• 50% of people will plug a USB drive they have found on the ground into their computer.
• 6 minutes is all it takes for attackers to compromise an organisation, 60% of the time.
• 3rd most-targeted, behind the US and the UK, of the 17 examined in a report on banking "botnets".
• 30% of phishing messages were opened (up from 23%), and in 13% of those cases the recipient clicked to open the malicious attachment or link.
• Despite 93% of firms taking steps to protect their business from digital threats, two-thirds have been a victim of cyber crime in the past 2 years.
Cyber Security, the landscape
• Cybersecurity is not only a technological problem: the aftermath of an attack sits with Executives and Board members who may not have the right level of technical security knowledge.
• This session will outline what practical steps executives can take to implement a Cybersecurity Roadmap within an organisation.
• A number of case studies will be presented that demonstrate how to establish and achieve a set of measurable security objectives and a governance framework which facilitates practical decisions and spend.
Client Problems
First, some definitions:
Threat: expressed or demonstrated intent to harm an asset or cause it to become unavailable
Vulnerability: a flaw in the measures you take to secure an asset
Exploit: a software program (or technique) developed to attack an asset by taking advantage of a vulnerability
Risk: the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability
Client Problems
The Dark Web gives hackers a means to do harm using commoditised software:
• Anonymised access
• Facilitation of criminal activities, where hackers can be hired to hack organisations and individuals
• Stolen data such as credit card information
• Exploits that can be used by low-skilled hackers, who only need access to exploit programs with basic instructions
Client Problems
Cyber Security is more relevant than ever in the face of Digital Disruption
Mobility: any time, any device, anywhere access to business systems
• Businesses need to protect against vulnerabilities across any device
Big Data: data is open and available
• How do you ensure that only authorised people access the data, and in the right way?
IoT (Internet of Things):
• E.g. care sector disruption via in-home monitoring
• A new landscape of vulnerabilities and exploits
Smart TV:
• E.g. activation of the microphone allows remote parties to listen to private discussions
Client Problems
Regulatory matters:
PCI DSS (Payment Card Industry Data Security Standard)
• E.g. Government agencies, Councils, Utilities
Australian Privacy Principles
• Enforced by the Office of the Australian Information Commissioner
The ISO/IEC 27000 (27K) series is a growing family of Information Security Management System (ISMS) standards
Client Problems
While IT and cybersecurity risks have evolved and intensified, security strategies have not kept pace with today's mounting risks, and fewer still understand their vulnerabilities, according to The Global State of Information Security (GSIS)® Survey 2016.
Client Problems
What's needed is a new model of cybersecurity, one driven by knowledge of vulnerabilities and threats. In other words, advising our clients of their cybersecurity risks and helping them define appropriate policies to mitigate them.
Clients are looking to identify 'what' their problems are so they can decide which risks to deal with. This can only be done by linking cybersecurity to risk management.
Client Problems
Our clients are likely, according to the GSIS survey, to rank the assessment of security risks, inadequate policies and insufficient standards of third parties among their highest priorities.
A cybersecurity risk assessment is part of the solution in mitigating these risks.
Cybersecurity from an Executive's perspective
Client Problems
Former mid-market executive directors and co-founders Carl and Alex Woerndle highlight how they were held legally liable for a cyberattack against their business, Distribute.IT, so damaging that it destroyed their once-prospering firm and nearly sent them into bankruptcy.
Background: Distribute.IT was founded in 2002 by brothers Carl and Alex Woerndle and by 2011 was providing services to clients across Australia and overseas.
In mid-2011 the business suffered a cyberattack. The initial breach occurred at approximately 5pm on Friday 3 June 2011, when Carl received a call from his CIO alerting him to a breach in the company's network. The hacker had managed to bypass the company's entire security protocol.
Client Problems
At 4:30pm on Saturday 11 June Distribute.IT's network was attacked again. The internal team began noticing that servers, and then the backups, were being deleted. The final straw came when the IT team were locked out of the network, meaning their only option was to 'pull the plug'.
The governance, compliance and vicarious liability issues arose within 3 days of the second attack, despite most services having been restored. These reactive measures were not enough, as the company was unable to demonstrate to the authorities that it had policies and procedures in place to ensure the confidentiality, integrity and availability of its data.
Fiduciary Responsibility
• Fiduciary responsibility, in the context of cybersecurity, is the requirement to keep corporate information confidential and to ensure data is handled with a degree of care, skill and caution.
• Should the Board or a member of the executive team be found to have breached their duty of care, they may be exposed to vicarious liability* (i.e. senior officers can be held criminally liable for a lack of due care and due diligence).
• Convictions are more likely when an organisation is not able to concisely and accurately outline its approach to duty of care and due diligence.
* An example is Mistmorn Pty Ltd (In Liq) v Yasseen, and Corporations Act 2001, section 180(1) and (2).
How to Deal with Personal Liability
• Board members and executives have fiduciary duties, which require them to monitor and address corporate risks, including cybersecurity threats.
• Executives and directors are beginning to realise they need to make difficult cybersecurity choices in a complex legal and regulatory environment, because guarding against every avenue of potential attack is neither feasible nor a cost-effective cybersecurity risk management strategy.
• It is incumbent on executives and board members to demonstrate that they are monitoring cybersecurity risks, e.g. if customers' personal details are critical then every technology carrying this data is included in a cybersecurity executive dashboard reviewed at Audit Committee meetings.
• Proactive management of cybersecurity risk helps an executive or board member qualify for cybersecurity liability insurance.
Cybersecurity Dashboard: How to bridge the gap so you can demonstrate 'Duty of Care'
(Cycle diagram: Executive Dashboard → Root Cause Analysis → Remediation Plan → Confirm cybersecurity risk has been mitigated)
1) Implement a Cybersecurity Dashboard based on your firm's regulatory needs
2) Categorise your data based on the level of compliance required
3) Identify data that must be protected by legislation and find the data's touchpoints within the organisation
4) Ensure the touchpoints are protected by your cybersecurity policies
5) Work with an external firm to ensure you have a complete set of policies
Defence against Vicarious Liability
• Demonstrable proof of the Board's or executive team's duty of care is admissible in court when a complete, thorough and concise set of policy documents existed prior to the date of the alleged incident.
• Policies are important reference documents for the resolution of legal disputes about the Board's or management's due diligence. They are a clear statement of management's intent and the link between regulatory, legal and IT requirements.
• An effective policy is written at a reasonable reading level to minimise technical jargon, includes management terminology unique to the company, yet conforms to regulatory standards and has management approval.
• Some basic rules must be followed when shaping a policy:
– Never conflict with law
– Stand up in court
– Properly supported and administered
Defence against Vicarious Liability
• Cybersecurity risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organisation. (NIST SP 800-30)
• Therefore:
• Policies that work back from each vulnerability to the measures addressing it, and record the reasonable steps the Board and executives took to avoid a breach, demonstrate due care and due diligence.
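The dashboard steps above (categorise data by the regulation that binds it, find the systems that touch it, check each is covered by policy) and the NIST SP 800-30 definition of risk can be turned into a small, repeatable report. The following is an added example written for this page, not code from the seminar or its author: it builds the dashboard rows from a constructed inventory, scores each row with the SP 800-30 likelihood × impact matrix (likelihood 1.0/0.5/0.1, impact 100/50/10) and flags every touchpoint that lacks the policy its regulation requires. All data set names, system names, policy ids and the regulation-to-policy mapping are hypothetical.

```python
"""Executive dashboard builder (added example, not part of the original
seminar deck). It walks steps 2-4 of the dashboard slide: categorise data by
the regulation that binds it, find the systems ("touchpoints") holding that
data, and check whether each touchpoint sits under the policy that regulation
requires. Each row is scored with the likelihood x impact matrix from
NIST SP 800-30 so the dashboard ranks what to remediate first.

Every name below (data sets, systems, policy ids) is a constructed,
hypothetical example; the regulation-to-policy mapping is an assumption.
"""
from dataclasses import dataclass

# NIST SP 800-30 risk-level matrix: likelihood (1.0/0.5/0.1) x impact (100/50/10)
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


def risk_level(score: float) -> str:
    """Map a likelihood x impact product onto the SP 800-30 risk scale."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


@dataclass(frozen=True)
class DataSet:
    name: str
    regulation: str      # "PCI DSS", "APP" (Australian Privacy Principles) or "" if unregulated
    touchpoints: tuple   # systems that store or process this data


@dataclass(frozen=True)
class Touchpoint:
    name: str
    likelihood: str      # "low" | "medium" | "high": a threat-source exercising a vulnerability
    impact: str          # "low" | "medium" | "high": effect of that event on the organisation
    policies: tuple      # ids of approved policies that govern this system


# Hypothetical mapping: the policy each regulation expects a touchpoint to sit under.
REQUIRED_POLICY = {"PCI DSS": "POL-PAY", "APP": "POL-PRIV"}

# Constructed inventory of a small retailer (not real systems).
DATASETS = (
    DataSet("cardholder data", "PCI DSS", ("pos-gateway", "erp")),
    DataSet("customer records", "APP", ("crm", "erp", "marketing-saas")),
    DataSet("product catalogue", "", ("web-cms",)),        # unregulated: stays off the dashboard
)
TOUCHPOINTS = (
    Touchpoint("pos-gateway", "high", "high", ("POL-PAY", "POL-ACCESS")),
    Touchpoint("erp", "medium", "high", ("POL-ACCESS",)),  # holds both regulated sets, no matching policy
    Touchpoint("crm", "low", "high", ("POL-PRIV",)),
    Touchpoint("marketing-saas", "high", "medium", ()),     # third-party service with no policy at all
    Touchpoint("web-cms", "high", "low", ()),
)


def build_dashboard(datasets=DATASETS, touchpoints=TOUCHPOINTS) -> list:
    """Return one row per (regulated data set, touchpoint), highest risk first."""
    by_name = {t.name: t for t in touchpoints}
    rows = []
    for ds in datasets:
        if not ds.regulation:            # step 2: only compliance-bound data is tracked
            continue
        required = REQUIRED_POLICY[ds.regulation]
        for tp_name in ds.touchpoints:   # step 3: every system the data touches
            tp = by_name[tp_name]
            score = LIKELIHOOD[tp.likelihood] * IMPACT[tp.impact]
            rows.append({
                "data": ds.name,
                "regulation": ds.regulation,
                "touchpoint": tp.name,
                "risk_score": score,
                "risk": risk_level(score),
                "policy_gap": required not in tp.policies,   # step 4: is it covered?
            })
    rows.sort(key=lambda r: (-r["risk_score"], r["data"]))
    return rows


def summarise(rows) -> dict:
    """The handful of numbers an audit committee actually asks for."""
    return {
        "touchpoints_tracked": len(rows),
        "policy_gaps": sum(r["policy_gap"] for r in rows),
        "high_risk": sum(r["risk"] == "high" for r in rows),
        "high_risk_unresolved": sum(r["risk"] == "high" and r["policy_gap"] for r in rows),
    }


if __name__ == "__main__":
    dashboard = build_dashboard()
    for r in dashboard:
        flag = "GAP" if r["policy_gap"] else "ok "
        print(f'{flag} {r["risk"]:<6} {r["risk_score"]:>5} {r["regulation"]:<8} '
              f'{r["data"]:<17} {r["touchpoint"]}')
    print(summarise(dashboard))
```

Run as a script it prints one line per regulated data set and touchpoint, gaps first within each risk band. In the constructed inventory the ERP shows up twice (it carries both cardholder data and customer records under neither required policy) and the unmanaged marketing SaaS appears as a medium-risk gap, which is the third-party exposure the GSIS survey slide above refers to; the unregulated catalogue never reaches the dashboard.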
Case Study
An existing firm client (anonymous)
• Compromised by a spoofed email that aimed to have funds transferred (via Pitcher Partners) to a beneficiary account belonging to the hacker
• Reliance on external computer networks was part of the problem
Australian Super
• Development of an IT Security Operations Dashboard for the organisation's Technical Governance Committee (TGC)
• The Dashboard presented metrics to the TGC to enable them to decide on corrective action through investments to remediate, change course and strengthen the organisation's security posture
Case Study: Linking the Major Retailer's Cybersecurity Policy to Risk Management frameworks
This involved a three-week review of the administrative controls of the environment.
ADMINISTRATIVE CONTROLS
• Policies
• Standards
• Procedures
• Guidelines
• Personnel screening
• Security awareness training
OPERATIONAL CONTROLS
• Processes (business and security)
• Physical access control
• Safety equipment (UPS, backup)
• DRP/BCP
TECHNICAL CONTROLS
• Logical access control
• Encryption
• Security devices
• Identity management
• Authentication
PHYSICAL CONTROLS
• Facility protection
• Security guards
• Locks, monitoring, environmental controls
• Intrusion detection
(Diagram: administrative, operational, technical and physical controls as layers around the company's information assets)
Case Study: A Major Retailer
Approach of this Engagement
The approach undertaken uses the guidelines in NIST SP 800-30, PCI DSS v3.2, ISO/IEC 27013, ISO/IEC 27039, the ISO/IEC 2700x series and ISO 31000.
The policy assessment is broad and evaluates the confidentiality, integrity and availability of data. The policies cover a reasonable range of topic areas: data security, infrastructure and back-end IT services.
After the initial review, a more thorough approach engages relevant non-IT stakeholders via interviews, questionnaires and observations, in order to develop a deeper understanding of the procedures required to action the policies.
What needs can we address?
• Cybersecurity Strategy
• Executive Cybersecurity Dashboard creation
• Cybersecurity Policy Gap Analysis and Rectification
• Review and development of Cyber Security policies
• Assessments against guidelines and standards such as PCI DSS, CIS, NIST SP 800-30, ISO/IEC 27013, ISO/IEC 27039, the ISO/IEC 2700x series and ISO 31000
We help our clients define their IT security posture and plan to ensure protection of their most sensitive assets (e.g. data, systems) from internal and external threats.
What needs can we address?
What is our differentiated value proposition?
• We have existing clients whose businesses we understand
• A firm of auditors with proven frameworks to review and assess against standards
• We have existing clients such as Councils, Utilities and Government entities that are subject to regulatory requirements
Next Steps
• Engage an independent service provider to review your IT policies
• Create an Executive Cybersecurity Dashboard
• Identify data which must not leak, from a regulatory and compliance perspective
• Data leakage is not limited to systems; ensure personnel know how to handle sensitive data
• Personal liability: increase your insurance coverage to include cybersecurity
• Create a Cybersecurity Strategy to allow the Executive Team to prioritise what data and systems need to be protected