Cybersecurity Update: Executive Summary for Financial Accounting Update
From a presentation given at the December 2015 Financial Accounting & Reporting Update at the Philadelphia Hyatt Bellevue
Link to upcoming events: 2016 Calendar
Presenter: Scott Laliberte is Protiviti’s Managing Director leading the firm’s Vulnerability and Penetration Testing Solution, and is one of three Managing Directors that reviews and approves all of Protiviti’s PCI reports on compliance. Laliberte has been with Protiviti since the start of the firm in 2002 and has more than 20 years of experience in information technology risk and security consulting. He is a published author and accomplished speaker. He has security expertise in numerous industries including financial services, retail, hospitality, healthcare, higher education, manufacturing, and consumer packaged goods.
Scott opened the presentation by referring to recent breach trends and top-of-mind cyber issues. The most common recent attacks include phishing and spear phishing (directed at higher-level personnel to obtain wire transfers), sophisticated malware, and attacks directed through third parties.
The purposes of these new attacks are multifaceted: gathering data for identity theft, fraudulent wires, stealing intellectual property, and ransom. Some of the future issues – as a result of interconnectivity – may include planes, trains and automobiles and other infrastructure.
The industry sectors impacted by these attacks, ranked by percentage: healthcare, retail, education, government, financial, software, hospitality, insurance, transportation and arts/media.
Some of the key findings from the Protiviti IT Security and Privacy Survey according to Scott:
Board Engagement is key: Organizations with a high level of board engagement in these risks have significantly stronger IT security profiles.
Lack of key “core” information security policies: One in three companies do not have a written information security policy (WISP). More than 40 percent lack a data encryption policy. One in four do not have acceptable use or record retention/destruction policies.
Lack of high confidence in the ability to prevent a cyber attack or data breach: Lower confidence levels among IT executives and professionals in preventing an attack or breach likely speak to the creativity of cyberattackers and, in many respects, the inevitability of a breach – and the need for strong incident response planning and execution.
Not all data is equal: The percentage of organizations that retain all data and records without a defined destruction date has more than doubled – not necessarily a positive development.
Many are unprepared for a crisis: There is a significant year-over-year jump in the number of organizations without a formal and documented crisis response plan to execute in the event of a data breach or cyberattack.