Combined presentations from the inaugural Merseyside FD Network Event at the Knowsley Suites Hotel.
Nathan Douse (MHA Moore and Smalley) on Business Protection
Karen Hain (MHA Moore and Smalley) on Risk Management
Scott Burman (NCC Group) on Managing Cyber Risk in a Fake World
Karen Hain
4. It won’t happen to me
Cardiovascular Disease (CVD)
Life changing events are taking place every three minutes in the UK
• Every three minutes someone in the UK dies from CVD.
• CVD causes 28% of all deaths in the UK.
• Approx. 170,000 deaths each year are caused by CVD - an average of 460 people each day.
Source: British Heart Foundation, CVD statistics UK factsheet – April 2019
5. It won’t happen to me
Cancer
Life changing events are taking place every four minutes in the UK
• Every four minutes someone in the UK dies from cancer. [1]
• 1 in 2 people born after 1960 in the UK will develop cancer at some point in their lifetime. [2]
• Approx. 363,000 new cases of cancer in the UK every year - that’s more than 990 every day. [3]
[1] Cancer Research UK, Cancer mortality for all cancers combined, May 2019
[2] Cancer Research UK, Lifetime risk of cancer, September 2018
[3] Cancer Research UK, Cancer incidence for all cancers combined, August 2019
6. Risk Assessment – potential impact
(Chart: each risk is plotted on a matrix of Impact, Low to High, against Probability, Low to High)
• Flood
• Health and safety issue
• Bad advice
• Computer crash
• Fire
• Public liability
• Employer’s liability
• Compliance disaster
7. Risk Assessment – potential impact
(Chart: the same Impact against Probability matrix, with people risks added to the business risks listed on the previous slide)
• Key employee leaves
• Key employee dies
• Key employee illness
• Director/Owner dies
• Director/Owner illness
8. Business protection made easy
Why do businesses need our help? (Family Business)
• Cash needed for an employee’s family when they die: tax-efficient life protection
• Cash needed for an employee if they’re unable to work due to an accident or illness: tax-efficient income protection
• Cash needed for loan repayments, loss of profits, recruitment and loan accounts: continuity planning
• Cash needed to buy the deceased or ill owner’s share of the business: succession planning
9. Risk to Profits – the issues
How long would a business survive if it lost a key person?
10. Risk to Profits – the issues
How long would a business survive if it lost a key person?
• 52% of businesses would stop trading in under a year.
• 53% of businesses would stop trading in under a year
Not as long as you may think!
15. Aspiration vs Reality
ABC Services Ltd has three directors, each with an equal share of the business: A 33%, B 33%, C 33%.
17. Summary
• Tax Efficient Life Cover
• Tax Efficient Income Protection
• Lending
• Director Loan Accounts
• Replacement Cover
• Loss of Profit
• Shareholder Protection
• Peace of Mind
(Personal Guarantee; Repayable on demand)
22. Agenda
• What is Risk?
• What is Risk Management?
• Different types of Risk
• The Risk Management Cycle
• The Risk Register
• Identifying and evaluating a new risk
23. What is Risk?
• “The possibility of an event occurring that will have an impact on the achievement of objectives.”
• Risk is measured in terms of likelihood and severity
24. What is Risk Management?
• The process of identifying risks pertinent to your business
• Analysis of the risk factor (likelihood x severity) - grading
• Consideration of controls in place – do they work?
• Are there mitigating factors?
• Developing an action plan
26. Risk Register - Example
(Table columns: ID; Description of Risk; Area; Risk Owner; Inherent Risk (Likelihood, Severity, Impact); Control; Financial Impact; Residual Risk (Likelihood, Severity, Impact); Assurance)
ID: ABC1
Description of Risk: Failure to comply with GDPR results in significant financial penalties, loss of clients and reputational damage
Area: Compliance
Risk Owner: Head of Compliance
Inherent Risk: Likelihood 3, Severity 3, Impact 9
Control: GDPR plan at Board level; budget allowance increased; DPO appointed; employee awareness programme
Financial Impact: 4% of worldwide annual turnover
Residual Risk: Likelihood 2, Severity 2, Impact 4
Assurance: Compliance monitoring plan; monthly reporting
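The register above scores a risk as likelihood x severity, once before controls (inherent) and once after (residual). The following is an added worked example, not code from the presenters or the deck: it applies that scoring to a small register, grades the result, and flags risks that still need an action plan. The 1-4 rating scale, the High/Medium/Low grade bands, the risk appetite value and the second risk (ABC2) are assumptions; the ABC1 row is built from the deck's example.

```python
"""Risk-register scoring: likelihood x severity, inherent vs residual.

Added example; the 1-4 scales, the grade bands and the appetite value are
assumptions, not the presenter's. The ABC1 row mirrors the deck's sample
register; ABC2 is a constructed, hypothetical second row.
"""
from dataclasses import dataclass, field

# Assumed rating scale (the deck uses 2 and 3 but does not state the range)
SCALE_MIN, SCALE_MAX = 1, 4

# Assumed grade bands on the product likelihood x severity (range 1..16)
GRADE_BANDS = ((10, "High"), (5, "Medium"), (1, "Low"))


def score(likelihood: int, severity: int) -> int:
    """Risk factor as the deck defines it: likelihood x severity."""
    for v in (likelihood, severity):
        if not SCALE_MIN <= v <= SCALE_MAX:
            raise ValueError(f"rating {v} outside {SCALE_MIN}..{SCALE_MAX}")
    return likelihood * severity


def grade(risk_score: int) -> str:
    """Map a score onto an assumed High/Medium/Low band."""
    for threshold, label in GRADE_BANDS:
        if risk_score >= threshold:
            return label
    return "Low"


@dataclass
class Risk:
    risk_id: str
    description: str
    area: str
    owner: str
    inherent: tuple  # (likelihood, severity) before controls
    residual: tuple  # (likelihood, severity) after controls
    controls: list = field(default_factory=list)
    assurance: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return score(*self.inherent)

    def residual_score(self) -> int:
        return score(*self.residual)

    def evaluate(self, appetite: int) -> dict:
        """Grade both scores and flag whether an action plan is still needed.

        Sanity check: controls cannot raise the score, so a residual above the
        inherent value means the ratings are inconsistent.
        """
        inh, res = self.inherent_score(), self.residual_score()
        if res > inh:
            raise ValueError(f"{self.risk_id}: residual {res} exceeds inherent {inh}")
        return {
            "id": self.risk_id,
            "inherent": (inh, grade(inh)),
            "residual": (res, grade(res)),
            "controls_in_place": bool(self.controls),
            "action_needed": res > appetite,
        }


def rank_register(risks, appetite: int):
    """Evaluate every risk and order by residual score, highest first."""
    return sorted((r.evaluate(appetite) for r in risks),
                  key=lambda e: e["residual"][0], reverse=True)


# Constructed sample register; ABC1 is the deck's example row.
REGISTER = [
    Risk("ABC1",
         "Failure to comply with GDPR results in significant financial "
         "penalties, loss of clients and reputational damage",
         "Compliance", "Head of Compliance",
         inherent=(3, 3), residual=(2, 2),
         controls=["GDPR plan at Board level", "Budget allowance increased",
                   "DPO appointed", "Employee awareness programme"],
         assurance=["Compliance monitoring plan", "Monthly reporting"]),
    Risk("ABC2", "Key employee leaves (hypothetical)", "People", "MD",
         inherent=(3, 4), residual=(3, 3)),   # no controls recorded yet
]

if __name__ == "__main__":
    for entry in rank_register(REGISTER, appetite=4):
        print(entry)
```

With an appetite of 4, ABC1 drops from 9 (Medium) to 4 (Low) and needs no further action, while the hypothetical ABC2 still sits at 9 after its residual rating and stays on the action plan.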
27. Control categories
• Accounting (records accurate): recording transactions; responsibilities for books and assets
• Administration (achieve objectives): reporting responsibilities; communication channels
• Prevent (avoid errors before they occur): check delivery notes and invoices to order; security awareness
• Detect (identify errors that happen): stock controls; bank reconciliation; intruder alarms; anti-malware
• Correct (resolving the consequences of the error): back-up procedures, data retrieval and restoration
28. Control procedures
• Physical: building access; swipe cards; passwords; bolt-ins
• Authorisation and approval: purchase order limits; online banking limits; senior sign off
• Segregation of duties: cash handling is risky, so separate cash receipts from cash reconciliations
• Management: variance analysis – actual vs plan; staff performance & supervision
• Arithmetic and accounting: reconciliations; trial balances; control accounts
• HR: references; qualifications; criminal records
29. Easy win checks
• Physical: early morning / late night walk around; IT password policy - 2FA?
• Authorisation and approval: review bank £ limits, 2FA; look at invoices > £ for approval
• Segregation of duties: follow the cash trail; stock count by separate team
• Management: org plan with responsibilities; board meeting agenda
• Arithmetic and accounting: does everything balance; postings up to date; check journals
• HR: new starter file review
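Three of the easy-win checks above (invoices over the approval limit, segregation of duties, and "does everything balance") can be run mechanically over an extract from the finance system. The following is an added example, not the presenters' code: it runs those checks over a constructed invoice and journal extract. The £5,000 threshold, the list of senior approvers, the record layout and every figure in the data are assumptions made up for the illustration.

```python
"""Easy-win control checks over a constructed ledger extract.

Added example, not from the deck. The approval threshold, the senior
approver list, the record layout and all figures are assumptions.
"""

APPROVAL_THRESHOLD = 5_000.00    # assumed: invoices above this need senior sign-off
SENIOR_APPROVERS = {"fd", "md"}  # assumed: who may give senior sign-off

# Constructed invoice extract: who raised it, who approved it, amount in £
INVOICES = [
    {"ref": "INV-1001", "supplier": "Acme Ltd", "amount": 1_200.00,
     "raised_by": "alice", "approved_by": "bob"},
    {"ref": "INV-1002", "supplier": "Globex", "amount": 12_500.00,
     "raised_by": "alice", "approved_by": "bob"},      # over limit, junior approver
    {"ref": "INV-1003", "supplier": "Initech", "amount": 8_000.00,
     "raised_by": "carol", "approved_by": "carol"},    # raised and approved by one person
    {"ref": "INV-1004", "supplier": "Globex", "amount": 7_400.00,
     "raised_by": "bob", "approved_by": "fd"},         # over limit, correctly signed off
]

# Constructed journal postings: (account, debit, credit)
JOURNAL = [
    ("bank", 0.00, 1_200.00),
    ("creditors", 1_200.00, 0.00),
    ("bank", 0.00, 12_500.00),
    ("creditors", 12_490.00, 0.00),   # mis-keyed by 10.00, so the books will not balance
]


def unapproved_high_value(invoices, threshold=APPROVAL_THRESHOLD, seniors=SENIOR_APPROVERS):
    """Authorisation check: invoices over the limit that lack senior sign-off."""
    return [i["ref"] for i in invoices
            if i["amount"] > threshold and i["approved_by"] not in seniors]


def segregation_breaches(invoices):
    """Segregation-of-duties check: the same person raised and approved."""
    return [i["ref"] for i in invoices if i["raised_by"] == i["approved_by"]]


def trial_balance(journal):
    """Arithmetic check: total debits must equal total credits.

    Returns (balanced, difference) so the reviewer can see how far out the books are.
    """
    debits = sum(d for _, d, _ in journal)
    credits = sum(c for _, _, c in journal)
    diff = round(debits - credits, 2)
    return diff == 0, diff


def run_easy_win_checks(invoices=INVOICES, journal=JOURNAL):
    """Collect every finding in one report, keyed by the deck's control headings."""
    balanced, diff = trial_balance(journal)
    return {
        "authorisation_and_approval": unapproved_high_value(invoices),
        "segregation_of_duties": segregation_breaches(invoices),
        "arithmetic_and_accounting": {"balanced": balanced, "difference": diff},
    }


if __name__ == "__main__":
    for heading, finding in run_easy_win_checks().items():
        print(f"{heading}: {finding}")
```

On the constructed data the report flags INV-1002 and INV-1003 for missing senior sign-off, INV-1003 again for a segregation breach, and a trial balance that is £10 out; the same three functions work unchanged on a real extract once the column names are mapped.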
32. Contact details
Karen Hain
Partner and Head of Professional Practices
T: 0151 318 9201 / 01772 821021
E: karen.hain@mooreandsmalley.co.uk
33. Managing Cyber Risk in a Fake World
Scott Burman, Executive Principal – Risk Management and Governance
February 2020
Intro Music by AIVA – The Artificial Intelligence composing emotional soundtrack music - https://www.aiva.ai/
34. Agenda
• What are DeepFakes?
• Threats (and opportunities) with DeepFake AI capabilities
• What should we be doing in organisational Cyber Security to mitigate the
threats?
35. The Inversion Point
• More than 50% of YouTube traffic is “bots masquerading as people”
• The CEO of TwitterAudit says – “we’ve analyzed tens of millions of Twitter users over the past six years. We’ve tuned our algorithm to recognize bot patterns and distinguish fake accounts from real accounts. Based on our data we would estimate that 40-60% of Twitter accounts represent real people. About 50% are not real then”
• It is known from various studies that less than 60 per cent of web traffic on the internet is human – the point of inversion has almost arrived here as well.
• Source: https://truepublica.org.uk/global/fake-world-the-era-of-inversion-arrives/ (Jan 2019)
36. What are Deepfakes?
“Deep” relates to the “deep learning” technology used to produce the media.
Fake video and audio footage of individuals, that are meant to make them look like they have said and done things which, in fact, they haven’t.
38. Fakes are old hat for cyber
• Business Email Compromise – fake invoices etc.
• Phishing – fake websites
But we have never solved the issue…
…and now it’s getting harder
40. "This one works almost good enough to use as a general artificial intelligence for text generation - almost."
I'm terrified of GPT-2 because it represents the kind of technology that evil humans are going to use to manipulate the population - and in my opinion that makes it more dangerous than
42. Fake Text & Information Threats to Cyber Security
• Disinformation affecting Threat Intelligence (TI) and actions – what’s real?
• Disinformation being misclassified as real, feeding AI-based systems
• Fake news used as a distraction or diversionary tactic during a cyber attack
• Malware learning context about a victim, and generating content to further an attack (e.g. email inbox and email thread injection) – Emotet
• AI used to spear phish high profile individuals via deepfake text…
47. Fake Voice Threats to Cyber Security
• Fraud - voice fraud jumped 350% from 2013 to 2017 – with one in 638 calls synthetically created*
• Voice biometrics spoofing (e.g. to bypass physical or logical access controls)
*https://www.pindrop.com/2018-voice-intelligence-report/
48. Fake Voice Mitigations
• Business process improvements to mitigate fraud, e.g.
• Mandate face-to-face/physical presence for critical operations or high-end transactions
• Two-person rule for critical operations or high-end transactions
• Always verify using trusted information
62. Fake Image/Video Threats to Cyber Security
• Fraud – particularly with real-time capability – e.g. plugin to video conferencing such as Slack, Zoom, Teams, Skype, …
• Use in remote worker job interviews? Who are you really hiring?
• Extortion and manipulation – e.g. use of victim’s imagery in offensive or obscene settings that look real and convincing
63. Emerging Technical Approaches to Combating Fake Imagery
• https://faculty.ai/research/ - We are working with the Alliance of Democracies to mitigate this risk through the creation of a classifier that determines if a video is fake
• https://ambervideo.co/ - software embedded in smartphone cameras to act as a watermark, to verify a video’s authenticity. The technology works by creating a fingerprint at the moment of a film’s recording. It then compares any “playback” of the footage with the original fingerprint to check for a match and provides the viewer with a score that indicates the likelihood of tampering.
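The capture-time fingerprint described for Amber above is, at its core, a provenance check: hash the footage when it is recorded, bind that hash to the recording device, and later compare a played-back copy against it. The following is an added illustration of that pattern and is not Amber's implementation; the 4 KiB chunk size, the use of HMAC as a stand-in for a device-held signing key, the per-chunk tamper score and the byte strings used as a "recording" are all assumptions. A production device would sign the manifest with an asymmetric key kept in hardware rather than a shared secret, so that anyone can verify without being able to forge.

```python
"""Capture-time fingerprint and playback verification.

Added example in the style the deck describes for Amber Video; it is not
Amber's code. Chunk size, HMAC signing and the scoring rule are assumptions.
"""
import hashlib
import hmac
import json

CHUNK_SIZE = 4096  # assumed: fingerprint granularity in bytes


def chunk_hashes(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """SHA-256 of each fixed-size chunk; order matters, so cuts and splices show up too."""
    return [hashlib.sha256(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)]


def fingerprint_at_capture(data: bytes, device_key: bytes) -> dict:
    """Produce a signed manifest the moment the recording is made."""
    manifest = {"chunks": chunk_hashes(data), "length": len(data)}
    payload = json.dumps(manifest, sort_keys=True).encode()
    # HMAC stands in for a hardware-held device signature (assumption)
    manifest["sig"] = hmac.new(device_key, payload, hashlib.sha256).hexdigest()
    return manifest


def verify_playback(data: bytes, manifest: dict, device_key: bytes) -> dict:
    """Compare a played-back file with the original fingerprint.

    Returns whether the manifest signature is genuine, whether the content is
    intact, and a tamper score in [0, 1]: the fraction of chunks that no longer
    match (1.0 when the manifest itself cannot be trusted).
    """
    unsigned = {k: v for k, v in manifest.items() if k != "sig"}
    payload = json.dumps(unsigned, sort_keys=True).encode()
    expected = hmac.new(device_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("sig", "")):
        # An unsigned or re-signed manifest proves nothing about the footage
        return {"manifest_genuine": False, "intact": False, "tamper_score": 1.0}
    original = manifest["chunks"]
    current = chunk_hashes(data)
    n = max(len(original), len(current))
    mismatched = sum(
        1 for i in range(n)
        if i >= len(original) or i >= len(current) or original[i] != current[i]
    )
    score = mismatched / n if n else 0.0
    return {"manifest_genuine": True, "intact": mismatched == 0, "tamper_score": score}


# Constructed stand-ins for a recording and a device key (not real media or secrets)
DEVICE_KEY = b"example-device-key-not-a-real-secret"
RECORDING = bytes(range(256)) * 64                                 # 16 KiB, four chunks
TAMPERED = RECORDING[:6000] + b"\x00" * 10 + RECORDING[6010:]      # ten bytes altered in chunk 1

if __name__ == "__main__":
    manifest = fingerprint_at_capture(RECORDING, DEVICE_KEY)
    print(verify_playback(RECORDING, manifest, DEVICE_KEY))
    print(verify_playback(TAMPERED, manifest, DEVICE_KEY))
```

The tamper score only has meaning once the manifest signature checks out; a verifier that skipped that step could be handed a freshly generated manifest for the fake and would report it as genuine. Re-encoding or transcoding the footage would also change every chunk hash, which is why real systems fingerprint perceptual features rather than raw bytes; the byte-level version here keeps the control flow visible.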
67. Fake Chat Threats to Cyber Security
• Use in targeted social engineering (chat phishing – chishing?) – is more interactive and life-like than a static email
• Use as a diversionary tactic when trying to exploit someone
• E.g. AI chat spun up with victim while real attacker is installing/backdooring their laptop
68. Threats with combined DeepFake approaches
• Social Engineering
• Adds (seemingly) more legitimacy to social engineering campaigns
• Adds interaction (through bots/chat), making phishing attempts seem less transactional and more natural
• AI can learn from a target’s online presence to customise content
• AI and Natural Language Processing (NLP) for personality trait analysis
• Potential for full AI automation and execution of campaign
• Blackmail – threats to release fake content that appears real
• Potential biometric bypasses
• Fraud
• Impact on Threat Intelligence (TI) – what’s real vs. fake and impact on TI actions
• People with big online presence, e.g. public figures, celebrities, C-Suite are more at risk
69. Concluding Remarks
• DeepFakes and AI Fakery will have a growing impact on Cyber Security
• Indistinguishability of real vs. fake is a big problem
• Verification of data sources and their credibility is crucial
• Ethics, Legislation & Regulation
• This is happening which is great for curbing abuse by corporations; however
• attackers lack ethics and they break the law, so this is not a solution
• We may eventually need a complete redesign of how we create, use and share data
• Such as proposals from Solid, led by Prof. Tim Berners-Lee https://solid.mit.edu/
• Improved use and implementation of Root of Trust (RoT) intertwined with traceability of provenance
70. Some thoughts for the CFO/FD community
• Voice fraud, in particular, is Real and Present. Hollywood is here.
• Look at your current processes for high value financial transactions
• Revisit existing risks
• Mandate face-to-face/physical presence for critical operations or high-end transactions
• Two-person rule for critical operations or high-end transactions
• Always verify using trusted information – trust your intuition
• Put something in place – work closely with your information security teams (CISO/CIO)
• Don’t rule out perceived regression to counter the risks posed by the threat
• Manual v technical responses
• Improve organisational awareness and keep a focus on the evolving threat landscape
• Plan the response (and recovery)!