Emerging Technology and Security Update

2 © 2014 Protiviti Inc. An Equal Opportunity Employer M/F/D/V.

CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

Protiviti’s 2014 Internal Audit Capabilities and Needs Survey


Introduction

About the Survey

• Protiviti conducted the survey from September 2013 through October 2013.

• A total of 619 respondents took the survey.

• The survey covered close to 326 topic areas divided into four major sections:

– General Technical Knowledge

– Technical Knowledge specific to the U.S. Financial Services, Healthcare Provider, Healthcare Payer and Manufacturing industries

– Audit Process Knowledge

– Personal Skills and Capabilities


General Technical Knowledge

Top 5 Parameters based on the “Need to Improve” Percentage

Rank   "Need to Improve"   Area Evaluated by Respondents          Competency (5-pt. scale)
1      51%                 Mobile Applications                    2.6
2      46%                 NIST Cyber Security Framework          2.4
3      45%                 Social Media Applications              2.8
4      44%                 Cloud Computing                        2.8
5      43%                 GTAG 16: Data Analysis Technologies    2.9


General Technical Knowledge – Three-Year Comparison

2014:

• Mobile Applications

• NIST Cyber Security Framework

• Social Media Applications

• Cloud Computing

• GTAG 16: Data Analysis Technologies

2013:

• Social media applications

• Recently enacted IIA Standard – Functional Reporting Interpretation (Standard 1110)

• Recently enacted IIA Standards – Audit Opinions and Conclusions (Standards 2010.A2 and 2410.A1)

• GTAG 16 – Data Analysis Technologies

• Recently enacted IIA Standard – Overall Opinions (Standard 2450)

• Cloud computing

• The Guide to the Assessment of IT Risk (GAIT)

• Fraud risk management

• COSO Internal Control Framework (DRAFT 2012 version)

• Practice Guide – Assessing the Adequacy of Risk Management

2012:

• Social media applications

• Cloud computing

• GTAG 13 – Fraud Prevention and Detection in an Automated World

• ISO 27000 (information security)

• GTAG 16 – Data Analysis Technologies

• GTAG 6 – Managing and Auditing IT Vulnerabilities

• Fraud risk management


Key Findings

Coping with uncertainty, responding to rapidly changing business processes and establishing more collaborative relationships with colleagues emerge as major themes in this year’s study. Among the key findings:

• Social media remains a top concern.

• Changes from regulatory and rulemaking bodies are garnering attention.

• The nature of fraud is changing, as are the ways internal auditors address it.

• There is continued interest in leveraging technology-enabled auditing.

• Internal auditors aim to think more strategically and collaborate more effectively.


Social Media Risk and the Audit Process

Key Findings

• Organizational social media use is rising and is growing increasingly important from a risk management standpoint, and organizations are putting strategies in place in response. However, only a little more than half have developed a social media strategy to evaluate and monitor social media risk.

• The priority areas of social media risk identified in the survey are disclosure of company information, ethical media use and disclosure of employee information.

• A majority of respondents report that cyber security risk related to the use of social media is not included in their audit plans.

“I am not sure everyone is trained to understand the risks of social media.”

– Director of Auditing, Midsize Hospitality Company


Social Media Risk and the Audit Process

How does your organization currently leverage social media technology for the following?

Activity                   Yes    No
External Communication     74%    26%
Internal Communication     39%    61%

Does your organization have the following in place?

Activity                 Yes    No
Social Media Strategy    55%    45%
Social Media Policy      63%    37%

• 74% of companies leverage social media for external communication.

• 39% leverage social media for internal communication.


Social Media Risk and the Audit Process

If your organization has a social media policy, which of the following areas does it address?*

* Multiple responses permitted

• A majority (89 percent) of respondents report that their organization’s policy addresses the critical area of disclosure of company information.

[Bar chart: share of organizations whose policy addresses each area – 89%, 76%, 71%, 67%, 66%, 54%, 44%, 28% and 3%; only the top area, disclosure of company information (89%), is labeled in the extracted slide]


Social Media Risk and the Audit Process

Using the following Capability Maturity Model (adapted from the Carnegie Mellon Software Engineering Institute), how would you rate the current state of your organization's social media process?

• Social media use may be on the rise, but formalized processes to manage it are in their infancy: 80 percent of respondents place the current state of their organization’s social media processes at one of the two lowest stages of a five-stage capability maturity model.

Initial State      41%
Repeatable State   39%
Defined State      13%
Managed State       5%
Optimized State     1%


Social Media Risk and the Audit Process

Is evaluating and auditing social media risk part of your audit plan?

• The survey results suggest that social media risk will soon be a part of most audit plans: ~56 percent of respondents report that the evaluation and auditing of social media risk is either included in the current audit plan or will be included in next year’s audit plan.

[Bar chart, 2014 responses: 25%, 31% and 44%. The first two bars (56% combined) are the respondents whose plan includes social media risk now or will next year; the 44% bar is those with neither.]


Social Media Risk and the Audit Process

Where do you currently perceive the greatest value for addressing social media risk to your organization?

• The four greatest sources of value from social media risk management are: monitoring of reputation risk; earlier identification of issues, risks or control problems; improvements to overall business strategy; and stronger regulatory compliance.

Monitor reputation risk                                       50%
Earlier identification of issues, risk or control problems    17%
Overall business strategy                                     12%
Regulatory compliance                                          8%
Improved operational performance                               5%
Validation of control effectiveness or failure                 4%
Cost recovery/improvement                                      2%
Other (please describe below)                                  1%


Social Media Risk and the Audit Process

How effective is your organization at identifying/assessing/mitigating social media risk to an acceptable level?

• When asked to describe the effectiveness of their function’s and their organization’s management of social media risk, respondents appeared uncertain: in each case a large majority chose "moderately effective".

• Such uncertainty can be reduced by addressing the obstacles currently inhibiting internal audit’s involvement in the assessment of social media risk.

               Very effective   Moderately effective   Not effective
Identifying    25%              60%                    15%
Assessing      22%              62%                    17%
Mitigating     17%              62%                    20%


Social Media Risk and the Audit Process

What inhibits internal audit's involvement in assessing social media risk?*

* Multiple responses permitted

Perceived risk                    29%
Inadequately trained staff        27%
No inhibitors                     26%
Lack of management support        23%
Data availability                 16%
Lack of IT support                15%
Inadequate technology             14%
Perceived cost                    13%
HR policies                        8%
Other (please describe below)      6%

“Lack of time to monitor social media risk is an issue – our team is too lean to address this new risk.”

– Chief Audit Executive, Large Manufacturing Company


Top 3 Rated Results from the 2014 IA Capabilities and Needs Survey

1. Mobile Applications

2. NIST Cyber Security Framework

3. Social Media Applications


Mobile Applications


The Impact of Mobile

[Photos: the crowd at the announcement of Pope Benedict in 2005 and at the announcement of Pope Francis in 2013, the latter lit by thousands of phone and tablet screens]

Source: Cult of Mac


"Be Mobile"

Source: Accenture


Types of Mobile Apps

Source: AppsWorld

• Business apps, e.g. Evernote, Google Drive and ProtoPromp

• Social networking apps: Skype, Yahoo! Messenger, Let’s Share, Instagram, Flickr, Twitter, Facebook, LinkedIn

• Utility apps: camera flash, emoticons, text-to-speech, Google Translate, TOTs

• Educational apps: dictionary, grammar, tutorials, memory games

• Gaming apps: Temple Run, Subway Surfers, Angry Birds, Safe Invasion

• Retail apps: Starbucks Card, Best Buy app (scans QR codes in the store to access reviews and compare product specs)

• Travel apps: Expedia, Google Flights, SkyScanner

The average smartphone user has installed 26 apps.

[Chart: top 10 countries with the highest average number of installed apps per smartphone user]


Mobile App Usage by Software Segment and Region 2013

The largest and fastest growing mobile data traffic segment is video. It is expected to increase by around 55 percent annually up until the end of 2019, by which point it is forecast to account for more than 50 percent of global mobile traffic.

• In 2013, video accounts for ~35% of mobile data traffic; in 2019, video will account for >50%.

• Web browsing accounts for ~10% in 2013.

• Social networking accounts for ~10% in both 2013 and 2019.

Source: Ericsson


Mobile App Trends in 2013

• Geo-Targeted Push Notifications – This feature helps businesses stay closely connected to their customers by pushing location-based information on offers, deals, events and even weather forecasts to them.

• Geo-Targeted Advertising – Geographically and contextually optimized smart ad campaigns are used to target users by their specific geographic location.

• Prevent Shopping Cart Abandonment – One of the key challenges of online mobile shopping is dealing with the ‘bounce’ factor.

• Data Gathering – Tracking signals and gathering data from mobile devices is opening up a whole new world of analytics and marketing opportunities for retailers who operate online or through brick-and-mortar establishments.

• Build NFC Mobile Applications – One of the most sought-after mobile app development trends in 2013: with NFC, a swift tap against a sensor yields an instant result, even faster than a barcode scan.

• Create Energy-Efficient Mobile Apps – Studies have revealed that Android app ad-serving (the process that connects apps to digital ad networks) was responsible for up to 75 percent of app-related battery drain on Android phones. App makers are now concentrating their resources on creating mobile apps that won’t drain the battery.

Source: AppsWorld


The Rise of M-Payments

Large Merchants and Consumer Electronics Industry Lead the Pack in Mobile

Mobile Becoming Bigger Part of eCommerce

Source: CyberSource

• The rapid adoption of consumer mobile technology, coupled with the resulting changes in consumer shopping behavior, is the primary driver of mCommerce growth.

• Many merchants enable their customers to shop through multiple channels, for example buying via mobile and picking up in-store.

• While mCommerce is still nascent, careful monitoring of the mobile channel is helping merchants maximize revenue while providing a positive consumer shopping experience.


Mobile Application Users

Source: TextBoard, Internet Retailer

• Google’s Nexus S Android smartphone, which has an NFC chip built in, is just one example of a coming wave of Android smartphones that can find a consumer’s location, give him or her nearby store recommendations, report discounts or coupons available for every retailer or product, show product availability at each nearby store, and let the consumer purchase the item with just a cell phone.

• Apple’s reported plans to build NFC chips into the next generation of iPhone smartphones could make mobile payments much more popular.

• Tying NFC into the company’s cash cow, iTunes, could in fact dramatically transform Apple into the biggest company in the world.

• Amazon has 500,000 customers transacting with it through mobile devices. They access Amazon on 87 different kinds of devices, most of which have the Amazon application.

• Mobile devices are also useful for sending customers alerts about order status, sales and promotions, or for sending coupons, especially coupons tied to a location.

• Amazon uses a voice recognition system that allows customers to search, browse, buy and check on order status.

• Walmart has added an in-store aisle location feature to its app, telling store shoppers the aisle where they can find each item on their shopping list.

• Walmart also added a tool to its app that lets consumers select the store they visit most often and create a shopping list at home by scanning, typing or speaking items to buy.


Mobile Payment Trends 2013

Source: CyberSource

mCommerce Merchants Should Take Steps to Preserve Customer Experience

• Because mobile is so new, mCommerce merchants are more likely to reject orders, by up to 24% more than eCommerce merchants overall.

• This may limit growth at a time that is critical to establishing an mCommerce presence.

• As a result, merchants should carefully evaluate the performance of their existing fraud system and test new fraud screening configurations to ensure a positive customer experience across all sales channels.

Fraud Risks: Vigilance Required to Monitor mCommerce Fraud

• While merchants are focused on ensuring a good customer experience with mCommerce, they must also focus on security and monitor for fraudulent activity.

• While mCommerce fraud tends to be higher in general, fraud rates vary across industries.

• However, orders coming from mobile devices provide additional data that merchants can use to screen effectively for fraud. IP address, device type, operating system and app data can all be used to identify fraudulent purchase patterns.
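The bullets above say that IP address, device type, operating system and app data can be used to identify fraudulent purchase patterns, but not how a screen would use them. The script below is an added example, not CyberSource’s or the deck’s own code: it runs three simple velocity and consistency rules over a constructed batch of mobile orders. The field names (device_id, ip_country, billing_country, card_token), the 24-hour window and the thresholds are assumptions for illustration; ip_country stands in for whatever geolocation lookup the merchant already runs on the client IP.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mobile orders (not real transactions). The field layout is an
# assumption for this example; ip_country is the result of a geolocation lookup the
# merchant is assumed to already perform on the client IP.
FIELDS = ("order_id", "ts", "device_id", "client_ip", "ip_country",
          "billing_country", "card_token", "amount")
SAMPLE_ORDERS = [
    ("o1", "2013-11-29T10:00:00", "dev-A", "203.0.113.10", "US", "US", "card-1", 45.00),
    ("o2", "2013-11-29T10:05:00", "dev-A", "203.0.113.10", "US", "US", "card-2", 120.00),
    ("o3", "2013-11-29T10:09:00", "dev-A", "203.0.113.10", "US", "US", "card-3", 310.00),
    ("o4", "2013-11-29T11:00:00", "dev-B", "198.51.100.7", "US", "US", "card-4", 25.00),
    ("o5", "2013-11-29T12:00:00", "dev-C", "192.0.2.44", "RO", "US", "card-5", 410.00),
    ("o6", "2013-11-29T13:00:00", "dev-D", "198.51.100.9", "US", "US", "card-6", 60.00),
    ("o7", "2013-11-29T13:20:00", "dev-E", "198.51.100.9", "US", "US", "card-6", 65.00),
    ("o8", "2013-11-29T13:40:00", "dev-F", "198.51.100.9", "US", "US", "card-6", 70.00),
    ("o9", "2013-12-01T09:00:00", "dev-A", "203.0.113.10", "US", "US", "card-7", 15.00),
]


def screen_orders(orders, window=timedelta(hours=24),
                  max_cards_per_device=2, max_devices_per_card=2):
    """Return {order_id: [reasons]} for orders that trip a rule.

    Rules (thresholds are illustrative assumptions):
      1. one device paying with more than max_cards_per_device distinct cards inside
         the window (card testing or a stolen card list run from one handset);
      2. one card used from more than max_devices_per_card distinct devices inside
         the window (a card token being shared across many handsets);
      3. client IP geolocation disagreeing with the billing country.
    """
    rows = [dict(zip(FIELDS, o)) for o in orders]
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    rows.sort(key=lambda r: r["ts"])          # evaluate in arrival order

    device_hist = defaultdict(list)            # device_id -> [(ts, card_token)]
    card_hist = defaultdict(list)              # card_token -> [(ts, device_id)]
    flagged = {}

    def recent(history, now):
        # distinct counterpart identifiers seen inside the sliding window
        return {item for ts, item in history if now - ts <= window}

    for r in rows:
        reasons = []
        cards = recent(device_hist[r["device_id"]], r["ts"]) | {r["card_token"]}
        if len(cards) > max_cards_per_device:
            reasons.append(f"{len(cards)} cards on device {r['device_id']} within {window}")
        devices = recent(card_hist[r["card_token"]], r["ts"]) | {r["device_id"]}
        if len(devices) > max_devices_per_card:
            reasons.append(f"card {r['card_token']} used from {len(devices)} devices within {window}")
        if r["ip_country"] != r["billing_country"]:
            reasons.append(f"IP country {r['ip_country']} != billing country {r['billing_country']}")
        if reasons:
            flagged[r["order_id"]] = reasons
        device_hist[r["device_id"]].append((r["ts"], r["card_token"]))
        card_hist[r["card_token"]].append((r["ts"], r["device_id"]))
    return flagged


def flagged_ids(orders=SAMPLE_ORDERS):
    """Sorted order ids that tripped at least one rule."""
    return sorted(screen_orders(orders))


if __name__ == "__main__":
    for oid, reasons in screen_orders(SAMPLE_ORDERS).items():
        print(oid, "->", "; ".join(reasons))
```

Order o9 reuses device dev-A two days after the three-card burst and is left alone, because the window has expired; that is the knob that trades false positives (a family sharing one phone) against detection of card testing, and it should be tuned per industry, as the slide notes fraud rates differ.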


The Case of Starbucks

Source: Mobile Payments Today, Appthority

Background:

• Starbucks launched its mobile payment app in 2009.

• Through the closed-loop mobile app, smartphone users display a barcode on their device screen and the barista scans it at the point of sale.

• The payment is deducted from funds linked to the user's Starbucks Card account, which can be topped up through the app.

• Mobile and gift card payments now represent more than 30 percent of total U.S. payments for Starbucks.

• About 10 million customers now pay through the mobile app, with nearly 5 million mobile payments per week.

Security Breach:

• In mid-January 2014, security researcher Daniel Wood disclosed that the Starbucks mobile payment app stored passwords, user names and email addresses in clear text.

• Credentials were stored in such a way that anyone with access to the phone could read them, along with a list of geolocation tracking points for the account, simply by connecting the phone to a PC, regardless of whether the device was PIN-protected.

• This was possible because the app’s convenient “save credentials” feature persisted the information so that users would not have to re-enter their username and password with every use.

Status today:

• On January 17, 2014, the Seattle-based coffee chain reported that it had released a new app that adds more protection. Daniel Wood has since been hired as a security consultant at Starbucks.
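The finding above (credentials and a location history readable by anyone who connects the phone to a PC) is exactly what a file-level sweep of an app’s data directory turns up, and it is the first check to run when assessing a "save credentials" feature. The script below is an added example and is not Starbucks’, Appthority’s or Daniel Wood’s code: it walks a copy of an app sandbox, flags files that contain a planted test password verbatim, and flags files in which a secret-looking key has a value next to it. The directory layout, file names and the wordlist of key names are assumptions; the sample files are constructed inline.

```python
import os
import re
import tempfile

# Key names that commonly hold secrets in app config and log files.
# Assumption: a generic assessment wordlist; extend it for the app under test.
SECRET_KEY_RE = re.compile(
    r"(?i)\b(pass(?:word|wd|phrase)?|pwd|secret|token|api[_-]?key|authorization)\b"
)
# A key is only interesting when a value follows it: "key": "x", key=x, key: x,
# or the plist form <key>key</key><string>x</string>.
VALUE_FOLLOWS_RE = re.compile(r"""\s*["']?\s*[:=]\s*["']?\S|</key>\s*<string>\S""")


def scan_file(path, known_secrets=()):
    """Return a list of (path, reason) findings for a single file."""
    findings = []
    try:
        with open(path, "rb") as fh:
            text = fh.read().decode("utf-8", errors="ignore")
    except OSError:
        return findings
    # Check 1: a secret the assessor planted (their own test password) appears
    # verbatim, which proves the value is persisted unencrypted.
    for secret in known_secrets:
        if secret and secret in text:
            findings.append((path, f"known secret {secret!r} stored in clear"))
    # Check 2: a secret-looking key with a value right after it.
    for m in SECRET_KEY_RE.finditer(text):
        if VALUE_FOLLOWS_RE.match(text, m.end()):
            findings.append((path, f"key {m.group(0)!r} holds a value at offset {m.start()}"))
            break  # one key-name finding per file is enough for triage
    return findings


def scan_sandbox(root, known_secrets=()):
    """Walk an extracted app data directory and collect findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.extend(scan_file(os.path.join(dirpath, name), known_secrets))
    return findings


def flagged_files(root, known_secrets=()):
    """Sorted, de-duplicated base names of files with at least one finding."""
    return sorted({os.path.basename(p) for p, _ in scan_sandbox(root, known_secrets)})


def build_demo_sandbox():
    """Constructed sample sandbox (not a real app's data): two leaky files, two clean ones."""
    root = tempfile.mkdtemp(prefix="app-sandbox-")
    os.makedirs(os.path.join(root, "Library", "Caches"))
    os.makedirs(os.path.join(root, "Library", "Preferences"))
    os.makedirs(os.path.join(root, "Documents"))
    samples = {
        # analytics/crash log that echoes the login request and location fixes
        "Library/Caches/session.log":
            "2014-01-14 09:12:03 POST /login user=alice@example.com password=hunter2\n"
            "2014-01-14 09:12:05 loc lat=47.6097 lon=-122.3331\n",
        # preferences file persisting the "save credentials" choice
        "Library/Preferences/com.example.app.plist":
            '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
            "  <key>username</key>\n  <string>alice@example.com</string>\n"
            "  <key>password</key>\n  <string>hunter2</string>\n</dict></plist>\n",
        # UI strings: mentions "password" but holds no value, so it must stay clean
        "Documents/strings.json": '{"login_prompt": "Enter your password"}\n',
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    # opaque ciphertext-like blob (constructed); an encrypted store should look like this
    with open(os.path.join(root, "Documents", "vault.bin"), "wb") as fh:
        fh.write(bytes(range(200, 256)) * 4)
    return root


if __name__ == "__main__":
    demo = build_demo_sandbox()
    for path, reason in scan_sandbox(demo, known_secrets=["hunter2"]):
        print(f"{os.path.relpath(path, demo)}: {reason}")
```

Run it against a backup or a jailbroken/rooted device’s application container with the test account’s password in known_secrets; a clean result on the key-name check alone is not sufficient, because the planted-secret check is what catches credentials logged under an unexpected name.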


Mobile App Risks – Examples

The two firms below conducted studies on a number of apps to test their risk level and found the following:

Study by HP Fortify

HP Fortify (the enterprise security arm of HP) tested 2,107 applications published by 601 companies on the Forbes Global 2000 and found that 90% of these mobile apps had at least one security vulnerability. In particular:

• 86% of the apps lacked binary hardening protection

• 75% of the apps did not encrypt data before storing it on the device

• 18% transmitted data over the network without SSL encryption

Only iOS apps were tested, but HP believes the same problems exist in their Android counterparts.

Source: ZDNet, DarkReading

Study by Praetorian

In December 2013, security firm Praetorian tested 275 Apple iOS- and Android-based mobile banking apps from 50 major financial institutions, 50 large regional banks and 50 large U.S. credit unions.

• Overall, eight out of 10 apps were improperly configured and not built using software development best practices.

• Big-name banks whose mobile apps were tested include Bank of America, Citigroup, Wells Fargo, Goldman Sachs, Morgan Stanley, Capital One Financial and SunTrust Banks.


NIST Cyber Security Framework


Cybersecurity Facts

• Malware remains the most dominant cyber threat

• Internet access in least developed countries has increased significantly

• Cybercrime goes mobile and social

• Number of cybercrime victims increases steadily

• US tops malicious URL volume by country

Source: ITU


Cyber Security Facts

The United States loses $100 billion annually as a result of cyber crime, which targets over 556 million victims per year.

Source: Florida Tech Online, Forbes, ITU

• In the first quarter of 2013 alone, more than six and a half million new malware samples were created, continuing the trend of increasingly prevalent malware seen in previous years.

• Trojans continue to dominate the threat landscape, representing nearly three out of every four new malware samples in circulation.

Source: Panda Security

Desktop and laptop users, especially Apple users, need to pay close attention to their computer security. The 2012 Flashback attack, during which cyber criminals took control of some 600,000 Macs, is testimony to this. Only 2.5% of all threats in 2012 targeted Macs, but this number is expected to grow as Apple’s share of the market grows.


Cybersecurity and Business

• 2005 – CardSystems Solutions: 40 million credit card accounts exposed. CSS, one of the top payment processors for Visa, MasterCard and American Express, was ultimately forced into acquisition.

• 2006 – AOL: Data on more than 20 million web inquiries from more than 650,000 users, including shopping and banking data, was posted publicly on a web site.

• 2007 – Monster.com: Confidential information of 1.3 million job seekers stolen and used in a phishing scam.

• 2008 – Wyndham Hotels: Sued by the U.S. Federal Trade Commission after sensitive customer data, including credit card numbers and personal information, allegedly was stolen three times in less than two years.

• 2009 – Google and other Silicon Valley companies: Stolen intellectual property.

• 2010 – VeriSign: Undisclosed information stolen.

• 2011 – Sony’s PlayStation Network: 77 million PlayStation Network accounts hacked; Sony is said to have lost millions while the service was down for a month.

• 2013 – Target and Neiman Marcus: Credit and debit card data breaches.

Source: CNN, NBC, CSO Online

“Some of the more obvious results of IS failures include reputational damage, placing the organization at a competitive disadvantage, and contractual noncompliance. These impacts should not be underestimated.”

― The IIA Research Foundation


The Case of Target

One of the Largest Retail Cyber Attacks in History

Event – December 19, 2013

Target sent out a press release revealing that a major data breach had taken place between November 27 and December 15, 2013, potentially involving millions of customer credit and debit card records. Account information for up to 40 million credit and debit cards, including encrypted debit card PIN data, was compromised. Target later disclosed that the names, mailing addresses, phone numbers or email addresses of up to 70 million additional people had also been stolen, bringing the possible number of customers affected to 110 million.

Hacker Involved

According to TIME magazine, a 17-year-old Russian teen was suspected of being the author of the point-of-sale (POS) malware program "BlackPOS", which was used by others to attack unpatched Windows computers at Target. Later, a 23-year-old Russian, Rinat Shabayev, claimed to be the malware author.

Impact on Target

• Target reported that transactions were down 3-4% compared with the same period the prior year, as of December 23, 2013.

• An estimated loss of $17 billion in sales revenue was reported for the holiday season.

• Target plans to close eight U.S. stores on May 3, 2014.

• Loss of revenue due to an apology discount of 10% on all products.

Major Risks

• Loss of guest confidence in the Company’s ability to protect their information because of the data breach, and the adverse impact such loss of confidence may have on sales.

• The outcome of the pending and ongoing investigation, including discovery of additional information relating to the data breach and guests’ and other stakeholders’ reactions to that additional information.

• Costs related to the investigation and resulting liabilities.


The Case of Neiman Marcus

Event – January 02, 2014

The company is a recent victim of a criminal cyber-security intrusion involving a data breach of over 1.1 million credit cards. It exposed payment card information from transactions at 77 of 85 stores between July and October 2013. However, key personal data such as social security numbers and birth dates were not compromised. According to sources, Neiman Marcus was hit by hackers in mid-July 2013 but did not notify its customers until January 2014.

Hacker Involved

According to a report by IntelCrawler, a cyber intelligence group, a 17-year-old Russian teen with the username ‘ree4’ appears to be the author of the point-of-sale malware used in the Neiman Marcus hack. Ree4 does not seem to have personally taken part in the hack beyond writing and selling the malware.

Impact on Neiman Marcus

• Neiman Marcus notified customers very late about the data breach. This has resulted in a loss of confidence and trust in the brand.

• Since banks want the company to bear the cost of data breaches, this would increase the costs and losses incurred by the firm.

• Fall in sales and profits due to loss of customers’ confidence.

• Major impact on the firm’s subsidiaries: Bergdorf Goodman, Horchow, Cusp and Last Call.

Major Risks

• This could put some consumers at risk of identity theft, impacting their credit reports and credit scores.

• Costs related to the investigation and resulting liabilities.


The Case of Michaels

Event – January 25, 2014

Sources at four different financial institutions have over the past few days said that hundreds of customer cards recently used for fraudulent purchases all traced back to Michaels stores as the common point of purchase.

Hacker Involved

It remains unclear what type of compromise may have prompted several banks to identify Michaels as the breached entity. But the recent breaches at Target and Neiman Marcus both involved highly sophisticated malicious software that stole credit and debit card information from point-of-sale registers at those stores.

Impact on Michaels

• Last year the Irving, Texas-based retailer settled a class-action consumer lawsuit related to an earlier incident, without admitting any wrongdoing. In a high-profile 2011 attack, hackers replaced some 84 PIN pads on payment-card terminals at a small number of Michaels stores, resulting in the theft of about 94,000 payment card numbers.

• Michaels disclosed the 2011 attack in an S-1 registration statement that it filed with the Securities and Exchange Commission in March 2013.

• As the company plans for an IPO, these events could harm its image, and it may face a fall in sales and a loss of customers’ confidence.

Major Risks

• This could put some consumers at risk of identity theft, impacting their credit reports and credit scores.

• Costs related to the investigation and resulting liabilities.
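The three retail cases above turn on malware that harvests card data from point-of-sale registers. The script below is an added example, not from the deck or from any of the vendors it cites: it scans a byte buffer (a register process memory dump, a log, or a capture of outbound traffic) for magnetic-stripe Track 2 records and for bare Luhn-valid card numbers, which is the check a responder runs to confirm whether a register is holding or leaking card data in the clear. The sample buffer is constructed and uses widely published test card numbers rather than real ones; the PAN/expiry/service-code layout follows the standard Track 2 format.

```python
import re

# Track 2 as encoded on the magnetic stripe and as RAM scrapers capture it:
#   ;PAN=YYMM SSS discretionary?   (';' start sentinel, '=' separator, '?' end sentinel)
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
# Bare PAN candidates, for tooling that strips the track framing before exfiltration.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check-digit validation used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six (issuer) and last four digits, the form PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(buf: bytes):
    """Scan a buffer for Track 2 records and bare Luhn-valid PANs.

    Returns a list of dicts with kind ('track2' or 'pan'), the masked PAN and the
    byte offset, so a responder can pivot back into the dump at that position.
    """
    findings = []
    covered = []   # byte ranges already explained by a track record
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        yy, mm, service = m.group(2).decode(), int(m.group(3)), m.group(4).decode()
        # Reject digit runs that merely look like a track: the PAN must be Luhn-valid
        # and the expiry month must be 01-12.
        if not luhn_ok(pan) or not 1 <= mm <= 12:
            continue
        findings.append({"kind": "track2", "pan": mask(pan), "expiry": f"{mm:02d}/{yy}",
                         "service_code": service, "offset": m.start()})
        covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(buf):
        if any(s <= m.start() < e for s, e in covered):
            continue   # already reported as part of a track record
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"kind": "pan", "pan": mask(pan), "offset": m.start()})
    return findings


def summarize(buf: bytes):
    """Sorted (kind, masked PAN) pairs, convenient for asserting on or diffing."""
    return sorted((f["kind"], f["pan"]) for f in find_card_data(buf))


# Constructed excerpt of a register process memory dump (not real data).
# 4111111111111111 and 5500000000000004 are widely published test card numbers;
# 1234567890123456 is a Luhn-invalid 16-digit transaction id that must not be flagged.
SAMPLE_DUMP = (
    b"POS_TXN id=1234567890123456 amt=00004599 lane=07\x00\x00"
    b";4111111111111111=15121011234567890?\x00\x00"
    b"heap\x00 5500000000000004 \x00build=20131127 serial=9081726354\x00"
)

if __name__ == "__main__":
    for f in find_card_data(SAMPLE_DUMP):
        print(f)
```

Luhn alone passes about one in ten random digit runs, so on a large dump the bare-PAN check should additionally be restricted to known issuer ranges; the Track 2 check is far more specific because the sentinels, the expiry month and the service code all have to line up.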


NIST Cybersecurity Framework

The US Department of Commerce's National Institute of Standards and Technology (NIST), after months of planning and feedback-gathering, released its Preliminary Cybersecurity Framework in October 2013.

“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” (Executive Order 13636, February 2013)

NIST is directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure.

The Cybersecurity Framework is being developed in an open manner with input from stakeholders in industry, academia, and government, including a public review and comment process, workshops, and other means of engagement.


Risk Management and the Cybersecurity Framework

While not a risk management process itself, the Framework enables the integration of cybersecurity risk management into the organization’s overall risk management process.

Source: Enisa

The Framework fosters:

• Cybersecurity risk management approaches that take into account the interaction of multiple risks

• Cybersecurity risk management approaches that address both traditional information technology and operational technology (industrial control systems)

• Cybersecurity risk management practices that encompass the entire organization, exposing dependencies that often exist within large, mature, and/or diverse entities, and with the interaction between the entities and their partners, vendors, suppliers, and others

• Cybersecurity risk management practices that are internalized by the organization to ensure decision-making is conducted by a risk-informed process of continuous improvement

• Cybersecurity standards that can be used to support risk management activities


Framework Core: Functions

The five Framework Core Functions provide the highest level of structure:

Identify: Develop the institutional understanding of which organizational systems, assets, data, and capabilities need to be protected, determine priority in light of organizational mission, and establish processes to achieve risk management goals.

Protect: Develop and implement the appropriate safeguards, prioritized through the organization’s risk management process, to ensure delivery of critical infrastructure services.

Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Respond: Develop and implement the appropriate activities, prioritized through the organization’s risk management process (including effective planning), to take action regarding a detected cybersecurity event.

Recover: Develop and implement the appropriate activities, prioritized through the organization’s risk management process, to restore the appropriate capabilities that were impaired through a cybersecurity event.

Source: Enisa, NIST Cybersecurity Framework


A Framework Profile

A Framework Profile can be used to identify opportunities for improving cybersecurity by comparing a “Current” Profile with a “Target” Profile. The comparison supports prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation.

Source: NIST

Identifying the “gaps” between the Current Profile and the Target Profile allows the creation of a prioritized roadmap that organizations will implement to reduce cybersecurity risk.


Framework Implementation Tiers

The Framework Implementation Tiers (“Tiers”) describe how an organization manages its cybersecurity risk. The Tier selection process considers an organization’s current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.

Source: Enisa, NIST

Each Tier is characterized along three dimensions: Risk Management Process, Integrated Program, and External Participation.

Tier 1

Risk Management Process
• Informal organizational cybersecurity risk management practices
• Ad hoc risk management (sometimes reactive)
• Prioritization of cybersecurity activities not directly informed by organizational risk objectives, the threat environment, or business/mission requirements

Integrated Program
• Limited awareness of cybersecurity risk at the organizational level
• No organization-wide approach to managing cybersecurity risk
• Irregular, case-by-case implementation of cybersecurity risk management due to varied experience or information gained from outside sources
• May not have processes that enable cybersecurity information sharing

External Participation
• May not have processes in place to participate in coordination/collaboration with other entities

Tier 2

Risk Management Process
• Risk management practices approved by management but may not be established as organization-wide policy

Integrated Program
• Aware of cybersecurity risk at the organizational level but no organization-wide approach to managing cybersecurity risk
• Defined and implemented risk-informed, management-approved processes and procedures
• Staff has adequate resources to perform their cybersecurity duties
• Informal sharing of cybersecurity information within the organization

External Participation
• Organization knows its role in the larger ecosystem, but no formal capability to interact and share information externally


Framework Implementation Tiers (Contd.)

Tier 3

Risk Management Process
• Formally approved risk management practices which are expressed as policy
• Regularly updated cybersecurity practices based on the application of risk management processes to a changing threat and technology landscape

Integrated Program
• Organization-wide approach to managing cybersecurity risk
• Defined, implemented as intended, and validated risk-informed policies, processes, and procedures
• Consistent methods in place to effectively respond to changes in risk
• Personnel possess the knowledge and skills to perform their appointed roles and responsibilities

External Participation
• Organization understands its dependencies and partners and receives information from these partners, enabling collaboration and risk-based management decisions within the organization in response to events

Tier 4

Risk Management Process
• Cybersecurity practices adapted based on lessons learned and predictive indicators derived from previous cybersecurity activities
• Active adaptation to a continuously evolving cybersecurity landscape
• Timely response to emerging/evolving threats

Integrated Program
• Organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events
• Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks

External Participation
• Management of risk and active sharing of information with partners to ensure accurate, current information is distributed and consumed to improve cybersecurity before an event occurs

Source: NIST

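The Profile gap analysis described above (comparing a Current Profile with a Target Profile and turning the gaps into a prioritized roadmap) and the Tier descriptions in this section can be combined in a small script. The following is an added example, not code from the Protiviti deck or from NIST. It scores each of the five Core Functions on the 1-4 Tier scale, which is a simplifying assumption of the example rather than something the Framework prescribes, and ranks the gaps by size, business weight and relative cost so that cost-effectiveness factors into the ordering. All profile values, weights and costs are constructed sample data.

```python
"""Gap analysis between a Current and a Target Framework Profile.

Added example, not code from the Protiviti deck or from NIST. Each of the
five Framework Core Functions is scored on the 1-4 Implementation Tier scale;
using Tier numbers as a per-Function score is a simplifying assumption of this
example, not something the Framework prescribes. All profile values, weights
and costs below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# The five Framework Core Functions, in Framework order.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
TIERS = (1, 2, 3, 4)  # Implementation Tiers 1 (lowest) to 4 (highest)


@dataclass(frozen=True)
class Gap:
    """One Function where the Target Profile exceeds the Current Profile."""

    function: str
    current: int
    target: int
    weight: int  # business importance of closing the gap, 1 (low) to 5 (high); constructed scale
    cost: int    # relative effort to close the gap, 1 (cheap) to 5 (expensive); constructed scale

    @property
    def size(self) -> int:
        """Number of Tier steps between Current and Target."""
        return self.target - self.current

    @property
    def priority(self) -> float:
        """Larger, more important and cheaper gaps rank first (cost-effectiveness)."""
        return self.size * self.weight / self.cost


def validate_profile(profile: dict[str, int]) -> None:
    """Reject a profile that omits a Function or uses a value outside the Tier scale."""
    missing = [f for f in FUNCTIONS if f not in profile]
    if missing:
        raise ValueError(f"profile is missing Functions: {missing}")
    bad = {f: t for f, t in profile.items() if t not in TIERS}
    if bad:
        raise ValueError(f"values outside Tiers 1-4: {bad}")


def gap_analysis(
    current: dict[str, int],
    target: dict[str, int],
    weights: dict[str, int],
    costs: dict[str, int],
) -> list[Gap]:
    """Return the Functions with a gap, highest priority first.

    A Function whose Current Tier already meets or exceeds the Target is not
    a gap and is left out of the roadmap.
    """
    validate_profile(current)
    validate_profile(target)
    gaps = [
        Gap(f, current[f], target[f], weights.get(f, 1), costs.get(f, 1))
        for f in FUNCTIONS
        if target[f] > current[f]
    ]
    # Ties on priority are broken by gap size, then by Framework order.
    order = {f: i for i, f in enumerate(FUNCTIONS)}
    return sorted(gaps, key=lambda g: (-g.priority, -g.size, order[g.function]))


def roadmap(gaps: list[Gap]) -> list[str]:
    """Render the prioritized roadmap as one line per gap."""
    return [
        f"{i}. {g.function}: Tier {g.current} -> Tier {g.target} "
        f"({g.size} step(s), priority {g.priority:.2f})"
        for i, g in enumerate(gaps, start=1)
    ]


# Constructed sample profiles: the organization is strong on Protect but has
# almost no Detect capability, and Identify is its highest business priority.
CURRENT_PROFILE = {"Identify": 2, "Protect": 3, "Detect": 1, "Respond": 2, "Recover": 2}
TARGET_PROFILE = {"Identify": 3, "Protect": 3, "Detect": 3, "Respond": 3, "Recover": 3}
WEIGHTS = {"Identify": 5, "Protect": 4, "Detect": 4, "Respond": 3, "Recover": 3}
COSTS = {"Identify": 2, "Protect": 3, "Detect": 4, "Respond": 2, "Recover": 3}

if __name__ == "__main__":
    for line in roadmap(gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, WEIGHTS, COSTS)):
        print(line)
```

With the constructed data, Identify ranks first even though Detect has the larger gap: Detect's two-step gap is the most expensive to close, so its priority score (2.0) falls below Identify's (2.5). Functions already at or above the Target (Protect here) are omitted from the roadmap.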


What Are Our Clients Asking For Help With?

1. Data-Centric Awareness

• What data do I have that are/should be considered my “crown jewels”? What should I focus on protecting?

• Where is that data stored? Am I sure? How can I be?

• Am I sure that only the right people and applications have access to this information?

2. Security Program and Policy

• Is my current security program appropriate for my specific environment (knowing from above what my “crown jewels” are)? How can I tell? How can I communicate that to myself and others?

• Have I updated and communicated my organization's expectations of behavior to include new technologies like cloud and social media?

3. Security Operations

• Am I already the victim of a breach?

• How do I best organize my people to assimilate the sensor data quickly and correctly and then react with speed?

4. Incident Response

• Do I have a response plan that can be executed; what should the plan include?

• Who should the plan include; do I have the right people involved?


Social Media Applications


Types of Social Media

1. Collaboration
2. Networking
3. Bookmarking Sites
4. Video Sharing
5. Blogging
6. Micro Blogging
7. Image Sharing
8. Social News

Source: Teachers&SocialMedia, OutthinkGroup


Top Social Media Sites

• 728 million people log onto Facebook daily, which represents a 25% increase from 2012.

• 36 million unique visitors log into Twitter every month as of 2013.

• 540 million+ users, 300 million of them active and 190 million using the stream.

• Two new users join LinkedIn every second as of 2013.

• 60 hours of video are uploaded every minute and over 4 billion videos are viewed a day.

Source: Social Bakers


189 Million of Facebook's Users Are ‘Mobile Only’

According to a survey conducted by IDC, not only does Facebook have millions of users who don't access it from a desktop or laptop, but mobile use generates 30% of Facebook's ad revenue as well. This is already a 7% increase from the end of 2012.

Source: Huffington Post


25% of Facebook Users Don't Bother With ‘Privacy Settings’

We've seen a lot of news about social media companies and privacy. But despite these high-profile cases of security-conscious users pushing back against social networks and web services, Velocity Digital reports that 25% of Facebook users don't even look at their privacy settings.

Source: Huffington Post


Statistics Reveal Business Can Leverage Social Media

• 79% of social media logins by online retailers are with Facebook, compared to 12% for Google+ and 4% for Twitter.

• 47% of Americans say Facebook is their #1 influencer of purchases.

• 70% of marketers used Facebook to gain new customers.

• Twitter users send 400M tweets each day.

• 34% of marketers use Twitter to successfully generate leads.

• 69% of online business-to-consumer marketers use Twitter, compared to 80% for business-to-business.

• YouTube reaches more U.S. adults between 18-34 years old than any cable network.

• 99% of US online specialty retailers use YouTube, up from 93% in 2012.

• LinkedIn is 277% more effective for lead generation than Facebook or Twitter.

• Over 10 million endorsements are given daily on LinkedIn.

• 43% of US marketers have found a customer through LinkedIn.

• 60% of LinkedIn users have clicked on an ad on the site.

Source: TopDog, SocialMediaToday


Growth in Number of Facebook Users Over Time

[Chart: Facebook Users, 2004-2013 (in Millions); CAGR: 103.03%; * October 2007, ** August 2008]

Source: Yahoo News, The Next Web

• As of Oct 2013, Facebook passed 1.19 billion monthly active users, 874 million mobile users, and 728 million daily users.

“So many things are unlocked on mobile. You don’t bring your computer to a restaurant or a party.”

Dan Rose, Vice President, Facebook


Predicting Users' Individual Attributes and Preferences

A study has demonstrated the degree to which relatively basic digital records of human behavior can be used to automatically and accurately estimate a wide range of personal attributes that people would typically assume to be private.

According to the study, Facebook “likes” could be used to accurately predict:

• Race (African Americans vs. Caucasians) in 95% of the cases
• Gender in 93% of the cases
• Sexual orientation for males (88%) and females (75%)
• Political party (Democrat vs. Republican) in 85% of the cases
• Religion (Christian vs. Muslim) in 82% of the cases
• Substance use 73% of the time
• Relationship status 65% of the time

Source: CSOOnline

This kind of information could pose a threat to an individual’s well-being, freedom, or even life, especially in repressive countries.


The Power of Push Notifications

Global-marketing company Responsys surveyed 1,200 adults and found that almost six in 10 adults have downloaded apps from their favorite brands, and of those who have downloaded apps, seven in 10 have enabled push notifications. Those percentages are higher when only the younger set is surveyed.


Example – Unauthorized Use

On January 23, 2014, CNN's social media accounts and blogs were compromised. The affected accounts included CNN's main Facebook account, CNN Politics' Facebook account and the Twitter pages for CNN and CNN's Security Clearance. Blogs for Political Ticker, The Lead, Security Clearance, The Situation Room and Crossfire were also hacked.

Source: Huffington Post; moneymorning.com


Example – Authorized Use, Poor Judgment

"Cisco just offered me a job! Now I have to weigh the utility of a fatty paycheck against the daily commute to San Jose and hating the work."


Example – Immediate Unwanted Publicity

1. At 10:19 a.m. on 21 December, Justine Sacco, a PR director at InterActiveCorp (IAC), posted this tweet shortly before an 11-hour flight from London to Cape Town, South Africa.

2. She had only about 200 followers, but someone emailed it to Valleywag editor Sam Biddle. He published a brief item about three hours after it was sent.

3. He tweeted it at 1:30, to immediate notice of other reporters. Other members of the media took notice, and began interacting with Sacco’s Twitter account directly.

4. As the story began to circulate, many Twitter users were at first flummoxed. And it didn’t take long before confusion turned to anger.

5. Just before 5:30, a woman in Miami started the hashtag #HasJustineLandedYet. Soon it was trending worldwide. The whole world waited for one person’s plane to land so she could get back online and respond to her critics.

6. When Sacco’s plane landed about 11:20 p.m. ET, she deleted the tweet and her Twitter, Facebook, and Instagram accounts without offering an apology.

7. On Saturday, IAC announced that it had “parted ways” with Sacco, but asked that she herself not be condemned.

8. Dec. 22, 8:51 a.m., Justine Sacco issued an apology, first to a South African newspaper and then to ABC News.

Since her tweet blew up, her name was tweeted more than 30,000 times, and the hashtag almost 100,000.

Source: Buzzfeed


Policy Risks

• Companies without adequate social media policies place themselves at risk of security breaches and reputational damage, among other issues.

• There are a growing number of cases where firms have vague or out-of-date social media policies that are unenforceable if inappropriate activity takes place.

• Companies should provide their employees real guidance regarding the use of social media sites and should have very clear policies targeted at issues specific to social networking.

• Companies should develop or update not only their social media policies, but should also review all their HR and IT policies, as many have become outdated in the era of social networking.

Source: Protiviti; Medical Office

An Example of Social Media Policy Breach

In May 2012, Houston-based fashion retailer Francesca's Holdings Corp. fired its CFO for improperly communicating company information through social media. The CFO had mentioned the company’s board meetings, earnings calls and sale of shares multiple times on various social media platforms.


Risk Management for Social Networking

• Social Networking Policy

─ States who can/cannot post information about your company and the objective of using Social Networking sites

─ What types of information can be shared publicly

─ Whether any approvals are required to post information

─ Whether the information should be publicly available or only to friends/subscribers

• Who has access to post authorized information about your company?

─ Identify that user/account as the official representative for your company

• Identify what types of content are currently being shared that are not authorized and try to mitigate any issues with it

─ Try to get in front of the postings/issues.

• Determine whether social networking is working, based on the number of subscribers/users

─ No reason to continue a program that is not providing value to the organization.


Key Questions to Consider

• Can mobile commerce solutions be integrated effectively, efficiently and securely with your overall IT infrastructure and existing management tools?

• Does your IT function maintain and update clear mobile commerce and social media policies that clearly convey the acceptable use and security requirements of these capabilities to employees who engage in mobile commerce and/or social media activities? How are these policies monitored and audited?

• How robust are your information security measures? Are these measures applied differently depending on the sensitivity or importance of the data being processed and stored?

• Is your organization in compliance with all relevant industry standards for security and privacy as well as applicable laws and regulations?

• Does your organization have efficient systems and processes for monitoring the quality of compliance as well as processes for monitoring ongoing regulatory issues and anticipating new rules and regulations?


Thank You

Gordon Braun

Managing Director

Kansas City

913.661.7406

[email protected]


Confidentiality Statement and Restriction for Use

This document contains confidential material proprietary to Protiviti Inc. ("Protiviti"), a wholly-owned subsidiary of Robert Half ("RH"). RH is a publicly-traded company and as such, the materials, information, ideas, and concepts contained herein are non-public, should be used solely and exclusively to evaluate the capabilities of Protiviti to provide assistance to your Company, and should not be used in any inappropriate manner or in violation of applicable securities laws. The contents are intended for the use of your Company and may not be distributed to third parties.