2 © 2014 Protiviti Inc. An Equal Opportunity Employer M/F/D/V.
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
Protiviti’s 2014 Internal Audit
Capabilities and Needs Survey
Introduction
• Protiviti conducted the survey from September
2013 through October 2013.
• A total of 619 respondents took the survey.
• The survey included close to 326 topic areas
divided into four major sections:
– General Technical Knowledge
– Technical Knowledge specific to U.S.
Financial Services Industry, Healthcare
Provider Industry, Healthcare Payer Industry
and Manufacturing Industry
– Audit Process Knowledge
– Personal Skills and Capabilities
About the Survey
General Technical Knowledge
Top 5 Parameters based on the “Need to Improve” Percentage

S.No.  Need to Improve  "Need to Improve" Rank  Areas Evaluated by Respondents        Competency (5-pt. scale)
1      51%              1                       Mobile Applications                   2.6
2      46%              2                       NIST Cyber Security Framework         2.4
3      45%              3                       Social Media Applications             2.8
4      44%              4                       Cloud Computing                       2.8
5      43%              5                       GTAG 16: Data Analysis Technologies   2.9
General Technical Knowledge – Three-Year Comparison
2014 2013 2012
Mobile Applications Social media applications Social media applications
NIST Cyber Security Framework
Recently enacted IIA Standard – Functional Reporting Interpretation (Standard 1110) Cloud computing
Recently enacted IIA Standards – Audit Opinions and Conclusions (Standards 2010.A2 and 2410.A1)
Social Media Applications
GTAG 16 – Data Analysis Technologies GTAG 13 – Fraud Prevention and Detection in an Automated World
Recently enacted IIA Standard – Overall Opinions (Standard 2450)
Cloud computing
Cloud Computing
The Guide to the Assessment of IT Risk (GAIT)
Fraud risk management GTAG 13 – Fraud Prevention and Detection in an Automated World
ISO 27000 (information security)
COSO Internal Control Framework (DRAFT 2012 version)
GTAG 16: Data Analysis Technologies
Practice Guide – Assessing the Adequacy of Risk Management
GTAG 16 – Data Analysis Technologies GTAG 6 – Managing and Auditing IT Vulnerabilities
Fraud risk management
Key Findings
Coping with uncertainty, responding to rapidly changing business processes and establishing more collaborative relationships with colleagues emerge as major themes in this year’s study. Among the key findings:
• Social media remains a top concern.
• Changes from regulatory and rulemaking bodies are garnering attention.
• The nature of fraud is changing – as are the ways internal auditors address it.
• There is continued interest in leveraging technology-enabled auditing.
• Internal auditors aim to think more strategically and collaborate more effectively.
Social Media Risk and the Audit Process – Key Findings
• Organizational social media use is rising and is growing increasingly important from a risk management standpoint, and organizations are accordingly putting strategies in place for this purpose. However, only a little more than half have already developed a social media strategy in order to evaluate and monitor social media risk.
• The priority areas of social media risk identified in the survey are disclosure of company information, ethical media use and disclosure of employee information.
• A majority of respondents believe that cyber security risk related to the use of social media is not included in their audit plans.
I am not sure everyone is trained to understand the risks
of social media.
- Director of Auditing, Midsize Hospitality Company
Social Media Risk and the Audit Process
How does your organization currently leverage social media technology for the following?

Activity                 Yes   No
External Communication   74%   26%
Internal Communication   39%   61%

Does your organization have the following in place?

Activity               Yes   No
Social Media Strategy  55%   45%
Social Media Policy    63%   37%

• 74% of companies leverage social media for external communication.
• 39% leverage social media for internal communication.
Social Media Risk and the Audit Process
If your organization has a social media policy, which of the following areas does it
address?*
* Multiple responses permitted
• A majority (89 percent) of the respondents report that their organization’s policy addresses the critical area of disclosure of company information.
[Bar chart of policy areas addressed: 89%, 76%, 71%, 67%, 66%, 54%, 44%, 28%, 3%; the 89% bar is disclosure of company information, the labels of the remaining bars are not present in the extracted text.]
Social Media Risk and the Audit Process
Using the following Capability Maturity Model (adapted from the Carnegie Mellon
Institute), how would you rate the current state of your organization's social media
process?
• Social media use may be on the rise, but formalized processes to manage it are in their infancy – 80
percent of respondents place the current state of their organization’s social media processes at one
of the two lowest stages of a five-stage capability maturity model.
Maturity stage     Respondents
Initial State      41%
Repeatable State   39%
Defined State      13%
Managed State       5%
Optimized State     1%
Social Media Risk and the Audit Process
Is evaluating and auditing social media risk part of your audit plan?
• The survey results suggest that social media risk will soon be a part of most audit plans: ~56 percent
of respondents report that the evaluation and auditing of social media risk is either included in the
current audit plan or will be included in next year’s audit plan.
[Bar chart, 2014 responses: 25%, 31%, 44%; the response labels for the three bars are not present in the extracted text.]
Social Media Risk and the Audit Process
Where do you currently perceive the greatest value for addressing social media risk
to your organization?
• The four greatest sources of value from social media risk management include: Monitoring of
reputation risk; Earlier identification of issues, risks or control problems; Improvements to overall
business strategy; and Stronger regulatory compliance.
Perceived area of greatest value                             Respondents
Monitor reputation risk                                      50%
Earlier identification of issues, risk or control problems   17%
Overall business strategy                                    12%
Regulatory compliance                                         8%
Improved operational performance                              5%
Validation of control effectiveness or failure                4%
Cost recovery/improvement                                     2%
Other (please describe below)                                 1%
Social Media Risk and the Audit Process
How effective is your organization at identifying/assessing/mitigating social media
risk to an acceptable level?
• When asked to describe the effectiveness of their function’s and their organization’s management of
social media risk, respondents appeared a bit uncertain.
• Such uncertainty can be mitigated by addressing the obstacles currently inhibiting internal audit’s
involvement in the assessment of social media risk.
              Very effective   Moderately effective   Not effective
Identifying   25%              60%                    15%
Assessing     22%              62%                    17%
Mitigating    17%              62%                    20%
Social Media Risk and the Audit Process
What inhibits internal audit's involvement in assessing social media risk?*
* Multiple responses permitted

Inhibitor                        Respondents
Perceived risk                   29%
Inadequately trained staff       27%
No inhibitors                    26%
Lack of management support       23%
Data availability                16%
Lack of IT support               15%
Inadequate technology            14%
Perceived cost                   13%
HR policies                       8%
Other (please describe below)     6%
Lack of time to monitor social media risk is an issue – our team is too lean to address this new risk.
- Chief Audit Executive, Large Manufacturing Company
Top 3 Rated Results from the 2014 IA Capabilities and Needs
Survey
1. Mobile Applications
2. NIST Cyber Security Framework
3. Social Media Applications
Mobile Applications
The Impact of Mobile
Source: Cutofmac
Announcement of Pope Benedict in 2005
Announcement of Pope Francis in 2013
"Be Mobile"
Source: Accenture
Types of Mobile Apps
Source: AppsWorld
Business Apps: e.g. Evernote, Google Drive, and ProtoPromp
Social Networking Apps: Skype, Yahoo! Messenger, Let’s Share, Instagram, Flickr, Twitter, Facebook, LinkedIn.
Utility Apps: Camera flash, Emoticons, Text-to-speech, Google Translate, TOTs
Educational Apps: Dictionary, Grammar, Tutorials, Memory games.
Gaming Apps: Temple Run, Subway Surfers, Angry Birds, Safe Invasion.
Retail Apps: Starbucks Card, Best Buy app (scans QR codes in the store to
access reviews and compare product specs)
Travel Apps: Expedia, Google Flights, SkyScanner app
The Average Smartphone User Has Installed 26 Apps
Top 10 Countries with the highest average number
of installed apps per smartphone user
Mobile App Usage by Software Segment and Region 2013
The largest and fastest growing mobile data traffic segment is video. It is expected to increase by around 55 percent annually up until the end of 2019, by which point it is forecasted to account for more than 50 percent of global mobile traffic.
• In 2013, video accounts for ~35% of mobile data traffic; in 2019, video will account for >50% of mobile data traffic.
• Web browsing accounts for ~10% in 2013.
• Social networking accounts for ~10% in 2013 and 2019.
Source: Ericsson
Mobile App Trends in 2013
• Geo-Targeted Push Notifications: This feature in mobile apps helps businesses stay closely connected to their customers by sending them location-based information on offers, deals, events and even weather forecasts.
• Geo-Targeted Advertising: Geographic and contextually optimized smart ad campaigns are strategically used to target users by their specific geographic location using this feature.
• Prevent shopping cart abandonment: One of the key challenges of online mobile shopping is dealing with the ‘bounce’ factor.
• Data Gathering: Tracking signals and data gathering from mobile devices is opening up a whole new world of analytics and marketing opportunities for retailers who operate their businesses online or through brick-and-mortar establishments.
• Build NFC Mobile Application: One of the most sought-after mobile app development trends in 2013; with NFC, only a swift tap against a sensor yields an instant result, even faster than a barcode scan.
• Create Energy Efficient Mobile Apps: Studies have revealed that Android app ad-serving — the process that connects apps to digital ad networks — was responsible for up to 75 percent of app-related battery drain in Android phones. However, app-makers are now concentrating their resources on creating mobile apps that won’t drain the battery.
Source: AppsWorld
The Rise of M-Payments
Large Merchants and Consumer Electronics Industry Lead the Pack in Mobile
Mobile Becoming Bigger Part of eCommerce
Source: CyberSource
• The rapid adoption of consumer mobile technology and the subsequent changes in consumer shopping behavior are primary drivers of mCommerce growth.
• Many merchants enable their customers to
shop through multiple channels — for example,
buying via mobile and picking up in-store.
• While mCommerce is still nascent, careful
monitoring of the mobile channel is helping
merchants maximize revenue while providing a
positive consumer shopping experience.
Mobile Application Users
Source: TextBoard, InternetRetailer, InternetRetailer
• Google’s new Nexus S Android smartphone, which has an NFC chip built in, is just one example of a
coming wave of Android smartphones that can be used to: find a consumer’s location, give him or her
nearby store recommendations, report discounts or coupons available for every retailer or product,
show product availability at each nearby store, and let the consumer purchase the item with just his or
her cell phone.
• Apple’s reported Near Field Communication plans of building NFC chips into the next generation of
iPhone smartphones could definitely make mobile payments much more popular.
• Tying NFC into the company’s cash cow, iTunes, could dramatically transform Apple into the biggest
company in the world, in fact.
• Amazon has 500,000 customers transacting with it through mobile devices. They access Amazon on 87 different kinds of devices, most of which have the Amazon application.
• Mobile devices are also useful in sending customers alerts about order status, sales and promotions or
to send coupons, especially coupons tied to a location.
• Amazon uses a voice recognition system that allows customers to search, browse and buy and check
on order status.
• Walmart has added an in-store aisle location feature to its app, telling store shoppers the aisle where
they can find each item on their shopping list.
• Wal-Mart also added a tool to its app that lets consumers select the store they visit most often and
create a shopping list at home by scanning, typing, or speaking items to buy.
Mobile Payment Trends 2013
Source: CyberSource
MCommerce Merchants Should Take Steps to Preserve Customer Experience
• Because mobile is so new, MCommerce merchants are more likely to reject orders — by up to 24% more versus all eCommerce merchants.
• This may limit growth at a time that is critical to establishing an MCommerce presence.
• As a result, merchants should carefully evaluate the performance of their existing fraud system and test new fraud screening configurations to ensure a positive customer experience across all sales channels.
Fraud Risks – Vigilance Required to Monitor MCommerce Fraud
• While merchants are focused on ensuring a good customer experience with MCommerce, they must also focus on security and monitor for fraudulent activities.
• While MCommerce fraud tends to be higher in general, fraud rates vary across industries.
• However, orders coming from mobile devices provide additional data that merchants can use to screen effectively for fraud. IP address, device type, operating system, and app data can all be used to identify fraudulent purchase patterns.
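As an added example (not from the CyberSource material or the original slides), the following Python sketches the kind of rule-based screen the last bullet describes: it scores constructed sample mobile orders on an IP-versus-billing-country mismatch, an unexpected client operating system, and card velocity per device, then maps the score to accept, review or reject. The thresholds, the field names and the orders themselves are assumptions for illustration, not merchant data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class MobileOrder:
    order_id: str
    placed_at: datetime
    device_id: str        # app-reported device identifier
    ip_country: str       # derived from the client IP address
    billing_country: str  # from the card's billing address
    os: str               # operating system reported by the app
    card_last4: str


# Screening thresholds: assumed values, tuned per merchant in practice.
VELOCITY_WINDOW = timedelta(hours=1)
MAX_CARDS_PER_DEVICE = 2          # more distinct cards than this per device/window is suspicious
SUPPORTED_OS = {"ios", "android"}  # the platforms the merchant ships an app for
REVIEW_AT, REJECT_AT = 30, 70


def score_orders(orders: List[MobileOrder]) -> Dict[str, Tuple[int, List[str]]]:
    """Return {order_id: (risk score, reasons)} for every order in the batch."""
    by_device = defaultdict(list)
    for o in orders:
        by_device[o.device_id].append(o)

    results = {}
    for o in orders:
        score, reasons = 0, []
        # Signal 1: the IP geolocation disagrees with the card's billing country.
        if o.ip_country != o.billing_country:
            score += 40
            reasons.append(f"ip country {o.ip_country} != billing country {o.billing_country}")
        # Signal 2: the app data claims a platform the merchant does not support.
        if o.os.lower() not in SUPPORTED_OS:
            score += 30
            reasons.append(f"unexpected client OS {o.os!r}")
        # Signal 3: card velocity, looking back over the window for the same device.
        window_start = o.placed_at - VELOCITY_WINDOW
        cards = {p.card_last4 for p in by_device[o.device_id]
                 if window_start <= p.placed_at <= o.placed_at}
        if len(cards) > MAX_CARDS_PER_DEVICE:
            score += 50
            reasons.append(f"{len(cards)} distinct cards on device {o.device_id} within {VELOCITY_WINDOW}")
        results[o.order_id] = (score, reasons)
    return results


def decide(score: int) -> str:
    """Three-way outcome so that borderline orders go to manual review, not auto-reject."""
    if score >= REJECT_AT:
        return "reject"
    if score >= REVIEW_AT:
        return "review"
    return "accept"


def _t(hhmm: str) -> datetime:
    return datetime(2013, 12, 2, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample batch: one clean order, one geography mismatch, a burst of
# different cards from a single device, and an order from an unsupported platform.
SAMPLE_ORDERS = [
    MobileOrder("o1", _t("10:00"), "dev-A", "US", "US", "iOS", "1111"),
    MobileOrder("o2", _t("10:05"), "dev-B", "BR", "US", "Android", "2222"),
    MobileOrder("o3", _t("10:10"), "dev-C", "US", "US", "Android", "3333"),
    MobileOrder("o4", _t("10:12"), "dev-C", "US", "US", "Android", "4444"),
    MobileOrder("o5", _t("10:15"), "dev-C", "RU", "US", "Android", "5555"),
    MobileOrder("o6", _t("10:20"), "dev-D", "US", "US", "Windows", "6666"),
]

if __name__ == "__main__":
    for oid, (score, reasons) in score_orders(SAMPLE_ORDERS).items():
        print(oid, score, decide(score), reasons)
```

The review tier is the point the slide makes about preserving customer experience: a merchant that auto-rejects everything above a low score is the one rejecting 24% more orders than eCommerce peers, whereas routing mid-range scores to review keeps good orders while the configuration is tested.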
The Case of Starbucks
Source: Mobile Payments Today, Mobile Payments Today, Appthority
Background:
• Starbucks launched its mobile payment app in 2009.
• Through the closed-loop mobile app, smartphone users display a barcode on their device screen and the barista scans it at the point of sale.
• The payment is deducted from funds linked to the user's Starbucks Card account, which can be topped up through the app.
• Mobile and gift card payments now represent more than 30 percent of total U.S. payments for Starbucks.
• About 10 million customers now pay through the mobile app, with nearly 5 million mobile payments per week.
Security Breach:
• In mid-January, security researcher Daniel Wood discovered that the Starbucks Mobile Payment App stores passwords, user names and email addresses in plain/clear text.
• It stored credentials in such a way that anyone with access to the phone can see the credential information and a list of geolocation tracking points of the account by connecting the phone to a PC, regardless of whether or not it is PIN-protected.
• This was possible because the app used the convenient “save credentials” feature that allowed users to save their information. As a result, users wouldn’t have to re-enter their username and password with every use.
Status today:
• On January 17, 2014, the Seattle-based coffee chain reported that it has released a new app that adds more protection. And well, Daniel Wood has been hired as a security consultant at Starbucks.
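The following Python is an added example, not Starbucks', Appthority's or the researcher's code: it builds a constructed app data directory containing a “save credentials” file of the kind described above, next to a hardened alternative that stores only an opaque server-issued session token, and runs the sort of data-at-rest check a mobile-app audit performs to flag credential and geolocation fields written in clear text. File names, key names and values are assumptions.

```python
import json
import os
import re
import tempfile
from typing import List, Tuple

# Key names an auditor would not expect to find stored in clear text on the device.
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "secret", "username", "user_name", "email"}
# Key names that indicate a stored location trail.
GEO_KEYS = {"lat", "latitude", "lon", "lng", "longitude"}
# Fallback for non-JSON text files, e.g. "password=hunter2" in a log line.
KV_PATTERN = re.compile(r"\b(password|passwd|pwd|secret|username|email)\s*[=:]\s*\S+", re.I)

Finding = Tuple[str, str]  # (file path relative to the sandbox, key or pattern that matched)


def build_sample_sandbox(root: str) -> None:
    """Write a constructed app data directory (assumed layout, not a real app's)."""
    prefs = os.path.join(root, "Library", "Preferences")
    os.makedirs(prefs, exist_ok=True)
    # Vulnerable pattern: a "save credentials" feature that serialises the raw login
    # and the account's location history to a world-readable settings file.
    with open(os.path.join(prefs, "settings.json"), "w") as fh:
        json.dump({
            "username": "alice",                  # constructed sample values
            "password": "hunter2",
            "email": "alice@example.com",
            "locations": [{"lat": 47.6062, "lon": -122.3321, "ts": "2014-01-10T08:15:00Z"}],
        }, fh)
    # Hardened pattern: the device keeps only an opaque, revocable session token;
    # the password itself is never written to disk (token value is constructed).
    with open(os.path.join(prefs, "session.json"), "w") as fh:
        json.dump({"session_token": "3f9c0d-constructed-opaque-token"}, fh)
    # A plain-text log line leaking the same credential.
    logs = os.path.join(root, "Library", "Logs")
    os.makedirs(logs, exist_ok=True)
    with open(os.path.join(logs, "app.log"), "w") as fh:
        fh.write("2014-01-10 08:15:01 login ok username=alice password=hunter2\n")


def _walk_json(node, path: str, rel: str, out: List[Finding]) -> None:
    """Recursively record every sensitive key, with its dotted path, in a parsed JSON tree."""
    if isinstance(node, dict):
        for k, v in node.items():
            if str(k).lower() in CREDENTIAL_KEYS or str(k).lower() in GEO_KEYS:
                out.append((rel, f"{path}.{k}".lstrip(".")))
            _walk_json(v, f"{path}.{k}", rel, out)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            _walk_json(v, f"{path}[{i}]", rel, out)


def scan_sandbox(root: str) -> List[Finding]:
    """Walk the app's data directory and flag clear-text credential / location fields."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "r", errors="replace") as fh:
                text = fh.read()
            try:
                _walk_json(json.loads(text), "", rel, findings)
            except ValueError:  # not JSON: fall back to key=value pattern matching
                for m in KV_PATTERN.finditer(text):
                    findings.append((rel, m.group(1).lower()))
    return sorted(findings)


def demo() -> List[Finding]:
    """Build the constructed sandbox in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_sandbox(root)
        return scan_sandbox(root)


if __name__ == "__main__":
    for rel, key in demo():
        print(f"{rel}: {key}")
```

The scan flags the settings file and the log line but not the session file, which is the property the hardened design relies on: a stolen token can be revoked server-side, whereas a clear-text password cannot, and a PIN on the phone does nothing for files that are readable once the device is connected to a PC.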
Mobile App Risks – Examples
The two firms given below conducted studies on a number of apps to test their risk level and found the following results:
Study by the Security Arm of HP (HP Fortify)
HP Fortify (the enterprise security arm of HP) conducted tests on 2107 applications published by 601 companies on the Forbes Global 2000, which indicated that 90% of these mobile apps have at least one security vulnerability. In particular:
• 86% of apps lacked binary hardening protection
• 75% of the apps did not encrypt data before storing it on the device
• 18% transmitted data over the network without using SSL encryption.
Only iOS apps were tested, but HP believes that the same problems exist in any Android counterparts.
Source: ZDNet, DarkReading
Study by Security Firm Praetorian
In December 2013, security firm Praetorian tested 275 Apple iOS- and Android-based mobile banking apps from 50 major financial institutions, 50 large regional banks, and 50 large U.S. credit unions.
• Overall, they found that eight out of 10 apps were improperly configured and not built using best-practice software development.
• The big-name banks whose mobile apps were tested include Bank of America, Citigroup, Wells Fargo, Goldman Sachs, Morgan Stanley, Capital One Financial, and Suntrust Banks.
NIST Cyber Security
Framework
Cybersecurity Facts
Malware Remains The Most
Dominant Cyber Threat
Internet Access In Least
Developed Countries Has
Increased Significantly
Cybercrime Goes
Mobile and Social
Number Of Cybercrime victims
Increases Steadily
US Tops Malicious URL Volume
By Country
Source: ITU
Cyber Security Facts
The United States loses $100 billion annually as a result of cyber crime, which targets over 556 million victims per year.
Source: Florida Tech Online, Forbes, ITU
• In the first quarter of 2013 alone, more than six and a half million new malware samples were created, following the trend of increasingly prevalent malware statistics of previous years.
• Trojans continue to dominate the threat landscape, representing nearly three out of every four new malware samples in circulation.
Source: Pandasecurity
Desktop and laptop users, especially Apple users, need to pay close attention to their computer security. The 2013 Flashback Attack, during which cyber criminals took control of 600,000 Macs, is testimony to this fact. Only 2.5% of all threats in 2012 were targeted towards Macs, but this number is expected to grow as Apple continues to grow within the market.
Cybersecurity and Business
Source: CNN, NBC, CSO Online
2005 – CardSystems Solutions: 40 million credit card accounts exposed. CSS, one of the top payment processors for Visa, MasterCard, American Express is ultimately forced into acquisition.
2006 – AOL: Data on more than 20 million web inquiries, from more than 650,000 users, including shopping and banking data were posted publicly on a web site.
2007 – Monster.com: Confidential information of 1.3 million job seekers stolen and used in a phishing scam.
2008 – Wyndham Hotels: were sued by the US Federal Government after sensitive customer data, including credit card numbers and personal information, allegedly were stolen three times in less than two years.
2009 – Google/other Silicon Valley companies: Stolen intellectual property
2010 – VeriSign: Undisclosed information stolen
2011 – Sony's PlayStation Network: 77 million PlayStation Network accounts hacked; Sony is said to have lost millions while the site was down for a month.
2013 – Target and Neiman Marcus Credit and Debit Card data breach!!
“Some of the more obvious results of IS failures include reputational damage, placing the organization at a competitive disadvantage, and contractual noncompliance. These impacts should not be underestimated.”
― The IIA Research Foundation
The Case of Target – One of the Largest Retail Cyber Attacks in History
Event – December 19, 2013
Target sent out a press release revealing that a major data breach took place between November 27 and December 15, 2013, potentially involving millions of customer credit and debit card records. Up to 70 million consumer credit and debit card account records, including debit card PIN data, were compromised. Target disclosed that the names, mailing addresses, phone numbers or email addresses of up to 70 million additional people had also been stolen, bringing the possible number of customers affected up to 110 million.
Hacker Involved
According to TIME Magazine, a 17-year-old Russian teen was suspected to be the author of the Point of Sale (POS) malware program, "BlackPOS", which was used by others to attack unpatched Windows computers used at Target. Later, a 23-year-old Russian, Rinat Shabayev, claimed to be the malware author.
Impact on Target
• Target reported total transactions for the same time last year were down 3-4%, as of December 23, 2013.
• An estimated loss of $17 billion in sales revenue was reported during the holiday season.
• Target plans to close eight U.S. stores on May 3, 2014.
• Loss of revenue due to apology discount of 10% on all products.
Major Risks
• Loss of guest confidence in the Company’s ability to protect their information because of the data breach, and the adverse impact such loss of confidence may have on sales
• The outcome of the pending and ongoing investigation, including discovery of additional information relating to the data breach and guests’ and other stakeholders’ reactions to that additional information
• Costs related to the investigation and resulting liabilities
The Case of Neiman Marcus
Event – January 02, 2014
The company is a recent victim of a criminal cyber-security intrusion involving a data breach of over 1.1 million credit cards. It exposed payment card information from transactions at 77 of 85 stores between July and October of last year. However, key personal data such as social security numbers and birth dates were not compromised. According to sources, Neiman Marcus was hit by hackers in mid-July 2013 but the company notified its customers in January 2014.
Hacker Involved
According to a report by IntelCrawler, a cyber intelligence group, a 17-year-old Russian teen with the username ‘ree4’ appears to be the author of the point-of-sale malware used for the Neiman Marcus hack. Ree4 doesn’t seem to have personally taken part in the hack beyond writing and selling the malware.
Impact on Neiman Marcus
• Neiman Marcus notified its customers very late about the data breach. This has resulted in a loss of confidence and trust in the brand.
• Since banks want the company to bear the cost of data breaches, this would increase the costs and losses incurred by the firm.
• Fall in sales and profits due to loss of customers’ confidence.
• Major impact on the firm’s subsidiaries – Bergdorf Goodman, Horchow, Cusp and Last Call.
Major Risks
• This could put some consumers at risk for identity theft, thus impacting their credit reports and credit scores.
• Costs related to the investigation and resulting liabilities
The Case of Michaels
Event – January 25, 2014
Sources with four different financial institutions have over the past few days said hundreds of customer cards that recently had been used for fraudulent purchases all traced back to Michaels stores as the common point of purchase.
Hacker Involved
It remains unclear what type of compromise may have prompted several banks to identify Michaels as the breached entity. But recent breaches at Target and Neiman Marcus both involved highly sophisticated malicious software that stole credit and debit card information from point-of-sale registers at those stores.
Impact on Michaels
• Last year the Irving, Texas-based retailer settled a class-action consumer lawsuit related to the matter, without admitting to any wrongdoing. In a high-profile 2011 attack, hackers replaced some 84 PIN pads on payment-card terminals at a small number of Michaels stores, resulting in the theft of about 94,000 payment card numbers.
• Michaels disclosed the 2011 attack in an S-1 registration statement that it filed with the Securities and Exchange Commission in March of last year.
• As the company plans for an IPO, these events could harm the image of the company and it may face a fall in sales and a loss of customers’ confidence.
Major Risks
• This could put some consumers at risk for identity theft, thus impacting their credit reports and credit scores.
• Costs related to the investigation and resulting liabilities
NIST Cybersecurity Framework
The US Department of Commerce's National Institute of Standards and Technology (NIST) has, after months of planning and feedback-gathering, released its Preliminary Cybersecurity Framework in October 2013.
It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.
NIST is directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure.
This Cybersecurity Framework is being developed in an open manner with input from stakeholders in industry, academia, and government, including a public review and comment process, workshops, and other means of engagement.
Risk Management and the Cybersecurity Framework
While not a risk management process itself, the Framework enables the integration of cybersecurity risk management into the organization’s overall risk management process.
Source: Enisa
The Framework Fosters:
• Cybersecurity risk management approaches that take into account the interaction of multiple risks
• Cybersecurity risk management approaches that address both traditional information technology and operational technology (industrial control systems)
• Cybersecurity risk management practices that encompass the entire organization, exposing dependencies that often exist within large, mature, and/or diverse entities, and with the interaction between the entities and their partners, vendors, suppliers, and others
• Cybersecurity risk management practices that are internalized by the organization to ensure decision-making is conducted by a risk-informed process of continuous improvement
• Cybersecurity standards that can be used to support risk management activities
Framework Core: Functions
The five Framework Core Functions provide the highest level of structure:
Source: Enisa
NIST Cybersecurity Framework
• Identify: Develop the institutional understanding of which organizational systems, assets, data, and
capabilities need to be protected, determine priority in light of organizational mission, and establish
processes to achieve risk management goals.
• Protect: Develop and implement the appropriate safeguards, prioritized through the organization’s risk
management process, to ensure delivery of critical infrastructure services.
• Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity
event.
• Respond: Develop and implement the appropriate activities, prioritized through the organization’s risk
management process (including effective planning), to take action regarding a detected cybersecurity
event.
• Recover: Develop and implement the appropriate activities, prioritized through the organization’s risk
management process, to restore the appropriate capabilities that were impaired through a
cybersecurity event.
A Framework Profile:
A Framework Profile can be used to identify opportunities for improving cybersecurity by
comparing a “Current” Profile with a “Target” Profile, thereby supporting prioritization and
measurement of progress toward the Target Profile, while factoring in other business needs
including cost-effectiveness and innovation.
Source: NIST
Identifying the “gaps” between the Current Profile and the Target Profile allows the creation of a prioritized
roadmap that organizations will implement to reduce cybersecurity risk.
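The Current-versus-Target gap analysis described above, worked through in Python as an added example (this is not Protiviti's or NIST's code): each Profile line records the Implementation Tier currently achieved for an outcome and the Tier targeted, and the roadmap orders the gaps with criticality and cost factored in rather than by gap size alone. The outcome names, Tier values, cost figures and criticality scores are constructed for illustration.

```python
"""Current-vs-Target Profile gap analysis in the spirit of the NIST Cybersecurity
Framework Profile.  Added example, not Protiviti's or NIST's code; outcome names,
Tier values, costs and criticality scores below are constructed illustrations."""
from dataclasses import dataclass

# The five Framework Core Functions, in Framework order.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
TIER_MIN, TIER_MAX = 1, 4  # Implementation Tiers run from 1 to 4

@dataclass(frozen=True)
class Outcome:
    """One line of a Profile: a Function, an outcome, the Tier currently achieved
    for it, the Tier targeted, and two business inputs used for prioritization."""
    function: str
    name: str
    current: int
    target: int
    cost: float       # constructed relative cost to close the gap (1.0 = baseline)
    criticality: int  # constructed 1..5 score: how much it protects "crown jewels"

    def __post_init__(self):
        if self.function not in FUNCTIONS:
            raise ValueError(f"unknown Function {self.function!r}")
        for tier in (self.current, self.target):
            if not TIER_MIN <= tier <= TIER_MAX:
                raise ValueError(f"Tier {tier} outside {TIER_MIN}..{TIER_MAX}")

    @property
    def gap(self) -> int:
        """Tier steps still to climb; a Current at or above Target is no gap."""
        return max(0, self.target - self.current)

    @property
    def priority(self) -> float:
        """Gap weighted by criticality and discounted by cost, so that
        cost-effectiveness is factored into the roadmap, not gap size alone."""
        return self.gap * self.criticality / self.cost

def build_roadmap(profile):
    """Outcomes with a gap, highest priority first; ties keep Framework order."""
    gaps = [o for o in profile if o.gap > 0]
    return sorted(gaps, key=lambda o: (-o.priority, FUNCTIONS.index(o.function), o.name))

def gap_by_function(profile):
    """Total Tier steps still to climb per Function, for reporting progress."""
    totals = {f: 0 for f in FUNCTIONS}
    for o in profile:
        totals[o.function] += o.gap
    return totals

# Constructed sample Profile: one outcome per Function.
SAMPLE_PROFILE = [
    Outcome("Identify", "Inventory of systems holding crown-jewel data", 1, 3, 1.0, 5),
    Outcome("Protect", "Access limited to the right people and applications", 2, 4, 2.0, 5),
    Outcome("Detect", "Sensor data monitored for cybersecurity events", 1, 3, 3.0, 4),
    Outcome("Respond", "Executable response plan with the right people named", 2, 3, 1.0, 4),
    Outcome("Recover", "Impaired capabilities restored after an event", 3, 3, 1.0, 3),
]

if __name__ == "__main__":
    for step, o in enumerate(build_roadmap(SAMPLE_PROFILE), 1):
        print(f"{step}. [{o.function}] {o.name}: Tier {o.current} -> {o.target} (priority {o.priority:.1f})")
    print(gap_by_function(SAMPLE_PROFILE))
```

In the sample, Detect has the same two-Tier gap as Identify and Protect but the highest cost, so it drops below the cheaper one-Tier Respond gap; Recover already meets its Target and does not appear on the roadmap.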
Framework Implementation Tiers
The Framework Implementation Tiers (“Tiers”) describe how an organization manages its
cybersecurity risk. The Tier selection process considers an organization’s current risk
management practices, threat environment, legal and regulatory requirements, business/mission
objectives, and organizational constraints.
Source: Enisa, NIST
Each Tier is described along three dimensions: Risk Management Process, Integrated Program, and
External Participation.
Tier 1
Risk Management Process:
• Informal organizational cybersecurity risk management practices
• Ad hoc risk management (sometimes reactive)
• Prioritization of cybersecurity activities not directly informed by organizational risk objectives, the
threat environment, or business/mission requirements
Integrated Program:
• Limited awareness of cybersecurity risk at the organizational level
• No organization-wide approach to managing cybersecurity risk
• Irregular, case-by-case implementation of cybersecurity risk management due to varied experience or
information gained from outside sources
• May not have processes that enable cybersecurity information sharing
External Participation:
• May not have processes in place to participate in coordination/collaboration with other entities
Tier 2
Risk Management Process:
• Risk management practices approved by management but may not be established as
organization-wide policy
Integrated Program:
• Aware of cybersecurity risk at the organizational level but no organization-wide approach to managing
cybersecurity risk
• Defined and implemented risk-informed, management-approved processes and procedures
• Staff has adequate resources to perform their cybersecurity duties
• Informal sharing of cybersecurity information within the organization
External Participation:
• Organization knows its role in the larger ecosystem, but no formal capability to interact and share
information externally.
Framework Implementation Tiers (Contd.)
Tier 3
Risk Management Process:
• Formally approved risk management practices which are expressed as policy
• Regularly updated cybersecurity practices based on the application of risk management processes to
a changing threat and technology landscape
Integrated Program:
• Organization-wide approach to manage cybersecurity risk
• Defined, implemented as intended, and validated risk-informed policies, processes, and procedures
• Consistent methods in place to effectively respond to changes in risk
• Personnel possess the knowledge and skills to perform their appointed roles and responsibilities
External Participation:
• Organization understands its dependencies and partners and receives information from these partners
enabling collaboration and risk-based management decisions within the organization in response to
events
Tier 4
Risk Management Process:
• Cybersecurity practices adapted based on lessons learned and predictive indicators derived from
previous cybersecurity activities
• Active adaptation to a continuously evolving cybersecurity landscape
• Timely response to emerging/evolving threats
Integrated Program:
• Organization-wide approach to managing cybersecurity risk that uses risk-informed policies,
processes, and procedures to address potential cybersecurity events
• Cybersecurity risk management is part of the organizational culture and evolves from an awareness of
previous activities, information shared by other sources, and continuous awareness of activities on
their systems and networks
External Participation:
• Management of risk and active sharing of information with partners to ensure accurate, current
information is distributed and consumed to improve cybersecurity before an event occurs
Source: NIST
What Are Our Clients Asking For Help With?
1. Data-Centric Awareness
What data do I have that are/should be considered my “crown jewels”? What should I focus on
protecting? Where is that data stored? Am I sure? How can I be? Am I sure that only the right
people and applications have access to this information?
2. Security Program and Policy
Is my current security program appropriate for my specific environment (knowing from above
what my “crown jewels” are)? How can I tell? How can I communicate that to myself and
others? Have I updated and communicated my organization’s expectations of behavior to include
new technologies like cloud and social media?
3. Security Operations
Am I already the victim of a breach? How do I best organize my people to assimilate the sensor
data quickly and correctly and then react with speed?
4. Incident Response
Do I have a response plan that can be executed; what should the plan include? Who should the
plan include; do I have the right people involved?
Social Media Applications
Types of Social Media
Source: Teachers&SocialMedia , OutthinkGroup
1. Collaboration
2. Networking
3. Bookmarking Sites
4. Video Sharing
5. Blogging
6. Micro Blogging
7. Image Sharing
8. Social News
Top Social Media Sites
• 728 million people log onto Facebook daily, which represents a 25% increase from 2012.
• 36 million unique visitors log into Twitter every month as of 2013.
• 540 million+ users, 300 million of them active and 190 million using the stream.
• Two new users join LinkedIn every second as of 2013.
• 60 hours of video are uploaded every minute and over 4 billion videos are viewed a day.
Source: Social Bakers
189 Million Of Facebook's Users Are ‘Mobile Only'
According to a survey conducted by IDC, not only does Facebook have millions of users who
don't access it from a desktop or laptop, but mobile use generates 30% of Facebook's ad
revenue as well. This is already a 7% increase from the end of 2012.
Source: Huffington Post
25% Of Facebook Users Don't Bother With ‘Privacy Settings’
We've seen a lot of news about social media companies and privacy. But despite these high-profile
cases of security-conscious users pushing back against social networks and web services, Velocity
Digital reports that 25% of Facebook users don't even look at their privacy settings.
Source: Huffington Post
Statistics Reveal Business can Leverage Social Media
• 79% of social media log-ins by online retailers are with Facebook, compared to 12%
for Google+, and 4% for Twitter.
• 47% of Americans say Facebook is their #1 influencer of purchases.
• 70% of marketers used Facebook to gain new customers.
• Twitter users send 400M tweets each day.
• 34% of marketers use Twitter to successfully generate leads.
• 69% of online business-to-consumer marketers use Twitter, compared to 80% for
business-to-business.
• YouTube reaches more U.S. adults between 18 and 34 years old than any cable network.
• 99% of US online specialty retailers use YouTube, up from 93% in 2012.
• LinkedIn is 277% more effective for lead-generation than Facebook or Twitter.
• Over 10 million endorsements are given daily on LinkedIn.
• 43% of US marketers have found a customer through LinkedIn.
• 60% of LinkedIn users have clicked on an ad on the site.
Source: TopDog, SocialMediaToday
Growth in Number of Facebook Users Over Time
[Chart: Facebook Users, 2004-2013 (in Millions); * October 2007, ** August 2008; CAGR: 103.03%]
Source: Yahoo News, The Next Web
• As of Oct 2013, Facebook passed 1.19 billion monthly active users, 874 million mobile users, and
728 million daily users.
“So many things are unlocked on mobile. You don’t bring your computer to a restaurant or a party.”
Dan Rose, Vice President, Facebook
Predicting Users' Individual Attributes and Preferences
A study has demonstrated the degree to which relatively basic digital records of human
behavior can be used to automatically and accurately estimate a wide range of personal
attributes that people would typically assume to be private.
According to the study, Facebook “likes” could be used to accurately predict:
• Race (African Americans vs. Caucasians) in 95% of the cases
• Gender in 93% of the cases
• Sexual orientation for males (88%) and females (75%)
• Political party (Democrat vs. Republican) in 85% of the cases
• Religion (Christian vs. Muslim) in 82% of the cases
• Substance use 73% of the time
• Relationship status 65% of the time
Source: CSOOnline
This kind of information could pose a threat to an individual’s well-being, freedom, or even life,
especially in repressive countries.
The Power of Push Notifications
Global-marketing company Responsys surveyed 1,200 adults and found that almost six in 10
adults have downloaded apps from their favorite brands and, of those who have downloaded
apps, seven in 10 have enabled push notifications. Those percentages are higher when only the
younger set is surveyed.
Example – Unauthorized Use
Source: Huffington Post; moneymorning.com
On January 23, 2014, CNN's social media accounts and blogs were compromised. The affected
accounts included CNN's main Facebook account, CNN Politics' Facebook account and the
Twitter pages for CNN and CNN's Security Clearance. Blogs for Political Ticker, The Lead,
Security Clearance, The Situation Room and Crossfire were also hacked.
Example – Authorized Use, Poor Judgment
"Cisco just offered me a job! Now I have to weigh the utility of a fatty
paycheck against the daily commute to San Jose and hating the work."
Example – Immediate Unwanted Publicity
1. At 10:19 a.m. on December 21, Justine Sacco, a PR director at InterActiveCorp (IAC), posted this
tweet shortly before an 11-hour flight from London to Cape Town, South Africa.
2. She had only about 200 followers, but someone emailed it to Valleywag editor Sam Biddle. He
published a brief item about three hours after it was sent.
3. He tweeted it at 1:30, to immediate notice of other reporters. Other members of the media took
notice, and began interacting with Sacco’s Twitter account directly.
4. As the story began to circulate, many Twitter users were at first flummoxed. And it didn’t take long
before confusion turned to anger.
5. Just before 5:30, a woman in Miami started the hashtag #HasJustineLandedYet. Soon it was
trending worldwide. The whole world waited for one person’s plane to land so she could get back
online and respond to her critics.
6. When Sacco’s plane landed about 11:20 p.m. ET, she deleted the tweet and her Twitter, Facebook,
and Instagram accounts without offering an apology.
7. On Saturday, IAC announced that it had “parted ways” with Sacco, but asked that she herself not be
condemned.
8. Dec. 22, 8:51 a.m.: Justine Sacco issued an apology, first to a South African newspaper and then
to ABC News.
Since her tweet blew up, her name was tweeted more than 30,000 times, and the hashtag almost
100,000.
Source: Buzzfeed
Policy Risks
• Companies without adequate social media policies place themselves at risk of security breaches
and reputational damage, among other issues.
• There are a growing number of cases where firms have vague or out-of-date social media policies
that are unenforceable if inappropriate activity takes place.
• Companies should provide their employees real guidance regarding the use of social media sites
and should have very clear policies targeted at issues specific to social networking.
• Companies should develop or update not only their social media policies, but they should also
review all their HR and IT policies, as many have become outdated in the era of social networking.
Source: Protiviti; Medical Office
An Example of Social Media Policy Breach
In May 2012, Houston-based fashion retailer Francesca's Holdings Corp. fired its CFO for improperly
communicating company information through social media. The CFO had, on multiple occasions,
mentioned the company’s board meetings, earnings calls and sale of shares on various social media
platforms.
Risk Management for Social Networking
• Social Networking Policy
─ States who can/cannot post information about your company and the objective of using
Social Networking sites
─ What types of information can be shared publicly
─ Are there any approvals required to post information?
─ Should the information be publicly available or only to friends/subscribers?
• Who has access to post authorized information about your company?
─ Should identify that user/account as the official representative for your company
• Identify what types of content are currently being shared that are not authorized and try to
mitigate any issues with it
─ Try to get in front of the postings/issues.
• Determine if social networking is working based on the number of subscribers/users
─ No reason to continue a program that is not providing value to the organization.
Key Questions to Consider
• Can mobile commerce solutions be integrated effectively, efficiently and
securely with your overall IT infrastructure and existing management
tools?
• Does your IT function maintain and update clear mobile commerce and
social media policies that clearly convey the acceptable use and
security requirements of these capabilities to employees who engage in
mobile commerce and/or social media activities? How are these policies
monitored and audited?
• How robust are your information security measures? Are these
measures applied differently depending on the sensitivity or importance
of the data being processed and stored?
• Is your organization in compliance with all relevant industry standards
for security and privacy as well as applicable laws and regulations?
• Does your organization have efficient systems and processes for
monitoring the quality of compliance as well as processes for monitoring
ongoing regulatory issues and anticipating new rules and regulations?
Thank You
Gordon Braun
Managing Director
Kansas City
913.661.7406
Confidentiality Statement and Restriction for Use
This document contains confidential material proprietary to Protiviti Inc. ("Protiviti"), a wholly-owned subsidiary of Robert Half ("RH"). RH is a publicly-traded company and as such,
the materials, information, ideas, and concepts contained herein are non-public, should be used solely and exclusively to evaluate the capabilities of Protiviti to provide assistance to
your Company, and should not be used in any inappropriate manner or in violation of applicable securities laws. The contents are intended for the use of your Company and may not
be distributed to third parties.