
Franchise Hacked: What Now?

Learn how to protect your franchise from cybercrime, prevent future incidents, and navigate insurance considerations. Presented by BDO Canada and Insurance Portfolio Inc.



Presentation Transcript


  1. SO YOUR FRANCHISE HAS BEEN HACKED… NOW WHAT?
     Presented by: BDO Canada & Insurance Portfolio Inc.
     Date: September 26, 2019

  2. Introduction
     • Vivek Gupta, BDO Canada LLP, National Cybersecurity Leader, vgupta@bdo.ca, 416-369-7867
     • Jennifer Tyrwhitt Gory, Insurance Portfolio Inc., President, jennifert@insuranceportfolio.com, 416-754-3910

  3. Cyber crime is a big threat to franchises and retail organizations. Franchises & retailers have what hackers want!
     Questions organizations ask:
     • How can I ensure my applications are not vulnerable?
     • How can I support & maintain my on-prem / cloud infrastructure?
     • How can I take advantage of cloud security?
     • I have recently been hacked. Help!
     • How can I monitor the security of my network?
     • How can I get some IT help on the ground at our offices?
     • How can I make sure end users are secure?
     • How can I ensure my data is secure?

  4. Agenda
     1. So you’ve been hacked
     2. Insurance considerations
     3. Preventing future incidents
     4. Questions

  5. 1. So you've been hacked… (Vivek Gupta, BDO Canada LLP)

  6. Introduction: different types of incidents
     Information Security
     • Unauthorised/accidental disclosure of critical information
     • User password compromise
     • Theft/loss of equipment/documents
     Cybersecurity
     • Malware
     • Ransomware
     • Phishing attacks
     • SQL injection attacks
     • Cross-site scripting
     • Denial of service attacks
     • Session hijacks
     Data Breaches
     • Breach of personal information
     • Breach of data on the move/during transfer
     • Employee errors/negligence/improper disposal
     • Physical theft
     Information Technology
     • Service tickets for fixing company assets
     • Interruptions in network operations
     • Unauthorised download of software
     • Unauthorised upload/sharing of documents on personal drives
     Operational
     • Fire incidents
     • Medical incidents
     • Natural disasters
     • Frauds

  7. Indications that you have been hacked: types of cybersecurity incidents
     • Malware: an attack where a hacker inserts malicious code inside the victim’s system without their knowledge
     • Ransomware: an attack where systems are hacked and user access is only regained once a ransom is paid as demanded by the hacker
     • Phishing attacks: phishing refers to the use of deceptive email to trick individuals into disclosing sensitive personal information
     • SQL injection attacks: the hacker manipulates a SQL query to exploit non-validated input vulnerabilities in a database

  8. Indications that you have been hacked: types of cybersecurity incidents (continued)
     • Cross-site scripting: XSS enables hackers to inject their scripts into web pages, allowing them to retrieve the information of the users who view those pages
     • Session hijacks: attacks interrupting operations by exploiting a computer session to gain unauthorized access to systems
     • Password attacks: attacks such as brute force attacks, where the hackers try to crack passwords
     • Denial of service attacks: attacks where services are made unavailable to the intended users by penetrating the network

  9. Indications that you have been hacked: what happens during an incident?
     • Data loss: loss of confidential/critical information
     • Operational loss: interruption of network services/system services/business operations
     • Financial loss: loss of financial data of the organization
     • Reputational loss: loss of personal information (employees/customers)
     • Software loss: costs of reconstitution and/or restoration of software
     • Financial loss: loss of value of intellectual property assets
     • Regulatory loss: regulatory and legal costs for compensation incurred due to theft of information

  10. Indications that you have been hacked: determination of what type of data has been breached
     Types of information lost during cyber attacks:
     • Confidential information (intellectual property)
     • Organization information
     • Personal information
     • Credentials
     • System configuration information
     • Financial information

  11. 2. Insurance Considerations (Jennifer Tyrwhitt Gory, Insurance Portfolio Inc.)

  12. Cyber Risk Liability
     Private & confidential client information being leaked out from your business (hacked) leads to:
     • Business interruption
     • Potential lawsuits
     • Cost to contact clients
     • PR issues

  13. Cyber Risk Liability: first party coverage and third party coverage
     • First party coverage is seen by some insurance companies as similar to property coverage – it reimburses you for a loss to your own property.
     • For example, if a hack or something similar destroys your digital assets, the policy would pay to restore them. Consideration also has to be given to business interruption.
     • Third party coverage is liability cover – it will defend and indemnify the insured for sums that they are legally obligated to pay.

  14. Cyber Risk Liability
     • In the U.S. in 2017, the average cyber breach claim for a large company was $3.62 million, down from $3.79 million in 2016, but up from $2.9 million in 2014.
     • In Canada in 2017, the average cyber breach claim for a large company was $5.78 million, down from $6.08 million in 2016.
     • In Canada in 2017, the average time to identify a breach was 191 days (down from 201 in 2016), and the time to contain a breach decreased from 70 to 66 days.
     • The faster the breach can be identified & contained, the lower the costs.

  15. Cyber Risk Liability
     • In 2017, 48% of data breaches were caused by malicious or criminal attacks, 22% of breaches were caused by system glitches, and 30% were caused by human error.
     • In 2014, companies with less than $50 million U.S. in revenues accounted for 23% of claims.
     • Average number of records lost: 2.4 million.
     • Personally identifiable information was the most frequently exposed data (41% of breaches).

  16. Cyber Risk Liability
     • Average cost for crisis services (forensics, notification, legal guidance and other) was $366,797 (U.S.).
     • Average cost for legal settlement was $558,520 (U.S.).

  17. Cyber Risk Liability: insights from The 2016 Global State Of Information Security Survey
     • In 2015, there were 38% more security incidents than in 2014.
     • Theft of “hard intellectual property” increased 56% in 2015.
     • While employees remained the most cited source of compromise, incidents attributed to business partners rose 22%.

  18. Biggest data breaches of the 21st century
     • eBay, May 2014: 145 million accounts – hackers accessed data using the credentials of 3 employees, and had complete access for 229 days.
     • Yahoo, 2013–2014: 3 billion accounts – knocked $350m off of Yahoo’s sale price.
     • Equifax, July 2017: personal info (incl. social security numbers, birthdates, addresses) of 143 million users and credit cards of 209,000 exposed.
     • Adult Friend Finder, October 2016: 412.2 million accounts (20 years of data).

  19. Cyber Risk Claims – quick examples
     • A consulting firm is hired to help a client secure a deal. The consultant is provided copies of the client’s confidential info, which he stores on his laptop. The laptop is stolen from the consultant’s car and the company’s data is compromised. The client is not awarded the deal and sues the consulting firm for losses. The consulting firm claims for legal costs.
     • An employee receives an email that looks like it’s from a client, but contains a “logic bomb” which erases all of the client agreements and proprietary software. Her employer claims for reimbursement to restore the software and obtain the missing contracts.

  20. Cyber Risk Claim #1
     • A software developer was hired by a U.S. company to develop & install POS software.
     • The client commenced action against the insured for $1,200,000, alleging that the software didn’t work properly, leading to both lost sales and lost customers.

  21. Cyber Risk Claim #1 The insurance company retained a lawyer to defend the insured. The investigation revealed that the defective software was to blame for the client’s loss. A settlement was reached and the insurance company paid $120,000 in legal costs.

  22. Cyber Risk Claim #2
     • A software developer sold defective software to a distributor, who in turn sold it to their client.
     • The client sued the distributor for $500,000, for failure to properly design, implement and install the software, as well as for failure to properly train the client’s employees.
     • The distributor then sued the developer for $500,000.

  23. Cyber Risk Claim #2 The insurance company retained a lawyer to defend the developer. An investigation revealed that the software was in fact defective. A settlement was reached and the insurance company paid $100,000 in legal costs.

  24. Cyber Risk Claim #3
     • The insured was a value-added reseller of computer equipment and network sales, and installed financial and operational software.
     • The insured sued its client for non-payment of fees.

  25. Cyber Risk Claim #3 The client then countersued for negligence, alleging that the consulting services were inadequate, the software was deficient, and the consultant misrepresented the capabilities of the software. The benefit of first-dollar defense coverage meant that the insured incurred no expense on this successfully defended claim.

  26. 3. Preventing further incidents (Vivek Gupta, BDO Canada LLP)

  27. Preventing future incidents: incident management lifecycle
     Phases: Incident Preparation, Incident Detection, Incident Reporting, Incident Analysis, Incident Response, Incident Prevention
     Practices across the phases:
     • Monitoring incident logs
     • Roll-out compliance program
     • Strengthening access control mechanisms
     • Incident classification
     • Monitoring of alerts
     • Priority matrix for incidents
     • Alerting mechanisms
     • Incident management policy
     • Define call tree
     • Technical inspection
     • Strategies to analyze
     • Incident response team
     • Incident response time
     • Define incident playbook
     • Security awareness

  28. Preventing future incidents: system upgrade
     • It is necessary to keep all systems carrying confidential information upgraded with the latest patches to avoid the introduction of various vulnerabilities.
     • An increase in vulnerabilities leads to an increase in potential threats, resulting in cyber attacks.
     Patch cycle:
     • Monitor vulnerabilities
     • Prioritize vulnerabilities
     • Search relevant patches
     • Test patches
     • Implement patches
     • Deploy patches to production
     • Ensure and validate the system upgrade

  29. Preventing future incidents: risk/cybersecurity assessment
     A cybersecurity assessment provides an in-depth review of the current security controls in the organization, along with their maturity to mitigate the potential risks. Components of a cybersecurity assessment:
     • Vendor risk management
     • Internal security assessment
     • BCP and disaster recovery process
     • Application/database security assessment
     • Physical and environment security assessment
     • Network security assessment

  30. Preventing future incidents: risk/cybersecurity assessment, end result of an assessment
     Security analysis result (current maturity levels)
     • Identification of security gaps (threats and vulnerabilities)
     • Compliance ratio
     Roadmap for improvement (secure framework)
     • Identification of security controls that need improvement
     • Introduction of new security controls
     Pertaining risks and impact (mitigation of risks)
     • Residual risks and their impact
     • Inherent risks and their impact
     Preventive measures (security enhancements)
     • Recommendations to prevent potential threats
     • Recommendations for mitigation of risks

  31. Preventing future incidents: being more ready/more proactive & focusing spending on protecting key areas
     How to mitigate risks for potential threats?
     • Periodic assessments of current security controls: regular audits/assessments to be conducted to improve the current security framework/posture
     • Real-time monitoring/processes/tools: tools implemented to monitor and alert on incidents on a real-time basis
     • Detective and preventive measures: policies and processes defined around detective and preventive measures
     • Response strategies: response strategies are designed to help the teams gain preparedness for potential incidents
     • Risk assessment programs: risk assessment should be performed keeping in mind all critical business processes and assets

  32. Preventing future incidents: security awareness training for employees
     • Develop information security awareness trainings for incident reporting
     • Ensure every new/current employee has undergone the security awareness trainings
     • Perform incident awareness tests to ensure all individuals in the organization perform their actions with efficiency
     • Develop a call tree to allocate responsibilities to stakeholders who shall be contacted during an incident
     • Create posters, flyers, screensavers and other awareness material to market the importance of incident reporting
     • Communicate the incident management policy and procedure to all employees along with a list of Do’s and Don’ts

  33. 4. Questions? (Vivek Gupta, BDO Canada LLP; Jennifer Tyrwhitt Gory, Insurance Portfolio Inc.)
