Cyber criminals have huge technical know-how, far superior to that of most legitimate businesses, and businesses are often oblivious to the threat that results from their own lack of cyber security.
PKF Francis Clark invites you to a briefing where you will receive up-to-date information on the threats that all businesses face from cyber criminals.
As well as our own Head of Cyber Services, you will hear from a specialist insurer.
With the new General Data Protection Regulations (GDPR) imminently upon us, we will also have an expert available to demonstrate how you may achieve compliance.
13. Data Protection Impact Assessment (DPIA)
• Date/Who/DPO
• Process name/purpose
• Legal basis
• Data source/locations
• Who is impacted?
• Description
• How is data deleted?
• What risks/mitigations?
• Date of review
15. What does Gydeline do?
• Checks for compliance against every word of the regulation
• Enables proof of accountability
• Changes as the regulation changes
• Identifies specific actions
• Makes GDPR simpler to understand
20. Why PKF Francis Clark
• Trusted advisers and experienced auditors
• We offer assurance, not consultancy
  - Offer assurance to set, well-known standards approved by Government and the NCSC
  - Cyber Essentials and IASME are constantly updated and monitored for quality control
• Some additional services can be offered
21. General Data Protection Regulations 2018
• GDPR has 2 main sides to it
• The two main areas of GDPR that organisations need to look at:
  - Data subject rights and the need for "informed consent"
  - Good standards of information security
• Cyber Essentials is a great first step
• IASME demonstrates a wider governance system for data controls
22. Cyber Essentials
• Self-assessment questionnaire for the company to complete
• Covers 5 key areas / 71 questions
• We provide upfront assistance (1 day needed) to support how to complete and progress
• It is submitted via a secure portal for us to assess
• Basic vulnerability scan performed
• Assessor feedback provided
• Once successful, the Cyber Essentials logo can be used for 12 months
• Limited insurance provided / can help reduce further cyber insurance
23. Cyber Essentials PLUS
• We audit and test the 5 key control areas
• Includes detailed vulnerability and limited penetration testing
• A report is then issued
• Once successful, the Cyber Essentials PLUS logo can be used for 12 months
• Can help to reduce cyber insurance further
24. IASME (Information Assurance for Small and Medium Enterprises)
• IASME has two levels: Standard and Gold
• 180 questions (including those in Cyber Essentials)
• Includes GDPR-specific questions
• Akin to ISO 27001
• A report is then issued
• Once successful, the IASME logo can be used for 12 months
25. Next steps
• See brochure in pack
• Complete form
• Chat with us after this event
• Contact your PKF Francis Clark adviser or e-mail: cyber@pkf-francislark.co.uk
26. Disclaimer & copyright
(c) Copyright PKF Francis Clark, 2017
You shall not copy, make available, retransmit, reproduce, sell, disseminate, separate, licence, distribute, store electronically, publish, broadcast or otherwise
circulate either within your business or for public or commercial purposes any of (or any part of) these materials and / or any services provided by PKF Francis
Clark in any format whatsoever unless you have obtained prior written consent from PKF Francis Clark to do so and entered into a licence.
To the maximum extent permitted by applicable law PKF Francis Clark excludes all representations, warranties and conditions (including, without limitation, the
conditions implied by law) in respect of these materials and /or any services provided by PKF Francis Clark.
These materials and /or any services provided by PKF Francis Clark are designed solely for the benefit of delegates of PKF Francis Clark.
The content of these materials and / or any services provided by PKF Francis Clark does not constitute advice and whilst PKF Francis Clark endeavours to
ensure that the materials and / or any services provided by PKF Francis Clark are correct, we do not warrant the completeness or accuracy of the materials and
/or any services provided by PKF Francis Clark; nor do we commit to ensuring that these materials and / or any services provided by PKF Francis Clark are up-to-date or error or omission-free.
Where indicated, these materials are subject to Crown copyright protection. Re-use of any such Crown copyright-protected material is subject to current law and
related regulations on the re-use of Crown copyright extracts in England and Wales.
These materials and / or any services provided by PKF Francis Clark are subject to our terms and conditions of business as amended from time to time, a copy
of which is available on request.
Our liability is limited and to the maximum extent permitted under applicable law PKF Francis Clark will not be liable for any direct, indirect or consequential loss
or damage arising in connection with these materials and / or any services provided by PKF Francis Clark, whether arising in tort, contract, or otherwise,
including, without limitation, any loss of profit, contracts, business, goodwill, data, income or revenue. Please note however, that our liability for fraud, for death
or personal injury caused by our negligence, or for any other liability is not excluded or limited.
PKF Francis Clark is a trading name of Francis Clark LLP. Francis Clark LLP is a limited liability partnership, registered in England and Wales with registered
number OC349116. The registered office is Sigma House, Oak View Close, Edginswell Park, Torquay TQ2 7FF where a list of members is available for
inspection and at www.pkf-francisclark.co.uk. The term "Partner" is used to refer to a member of Francis Clark LLP or to an employee. Registered to carry on
audit work in the UK and Ireland, regulated for a range of investment business activities and licensed to carry out reserved legal activity of non-contentious
probate in England and Wales by the Institute of Chartered Accountants in England and Wales. Partners acting as insolvency practitioners are licensed in the
UK by the Institute of Chartered Accountants in England and Wales. A partner appointed as Administrator or Administrative Receiver acts only as agent of the
insolvent entity and without personal liability. Francis Clark LLP is a member firm of the PKF International Limited network of legally independent firms and does
not accept responsibility or liability for the actions or inactions on the part of any other individual member firm or firms.
28. Insurance Cover: Cyber and/or Crime
• The Threats
• Why Do Businesses Need Cyber Insurance?
• Claims
• Reducing risk
• Q&A
29. Cyber and/or Crime
Cyber Liability Insurance provides businesses with protection against financial loss resulting from the loss of personal and/or corporate data.
Cover addresses first- and third-party risks ranging from the loss of a single laptop or file to the hacking of a company's website or network.
Main policy triggers:
• Security breach
• Data breach
• Operational failure
Crime Insurance provides businesses with protection against financial loss resulting from the criminal or fraudulent taking, obtaining or appropriation of money, securities, funds or property.
30. The Threats
Threat-landscape diagram, shown here as grouped lists:
• Negligent employee: sending wrong data; loss of hardware (mobile theft); victim of phishing or vishing
• Outsiders (hacktivism, crime syndicates, government agencies / industrial espionage): denial of service; theft of data; malware; extortion; shutting down infrastructure; advanced persistent threats
• Data targeted: credit / banking details; government ID; personally identifiable information; protected health information; corporate information
• Social networking: Twitter; Facebook; LinkedIn
• Rogue employee: physical theft; stealing data; competitive advantage; selling to criminals; extortion
• Vendors (cloud, data centres, outside providers): network interruption; theft of data due to security failures; unauthorised access to data; loss of data; physical theft of servers; backdoor intrusion
• Employees: negligent employees; rogue employees
31. It's all about Balance Sheet Protection...
• First response costs
• Third-party (TP) liability
• Fines
• Loss of revenue
• Brand / reputational damage
• Loss of intellectual property
• Contractual liability
• Share price
32. Cyber claims received by AIG EMEA (2013-2016), by industry
[Chart of claims by industry; figures not reproduced in the extracted text.]
* Other: Construction, Food & Beverage, Information Services, Other Services, Transportation, Agriculture & Fisheries, Energy and Real Estate
34. Claims Examples
• Cloud service provider accidentally decommissioned a live server (PI claim?)
• Confidential waste bins stolen
• Older server handed to a bogus courier
• Legal papers (EPL issues) sent to the wrong person
• Details of delayed products and refund option sent to 250 people in error
• IT consultant providing HR services: attempted hack
• Insurance brokers crypto-locked
35. Claims Examples: Hacking & Impersonation
A fraudster hacked into the company's email system to gain information about its organisational structure. During telephone calls with a member of staff in the finance department the fraudster mimicked the voice of the company CEO. It was strongly suspected that the fraudsters had listened to his voice on a webcast and practised it to perfection.
The requested payments were supposedly for a confidential acquisition that only senior management knew about, and the fraudster provided forged invoices containing forged signatures to the member of staff contacted.
36. Reducing the risk to your business
• Ensure your software is up to date and that you have the latest anti-virus software installed, as updates are released frequently to help combat the most recent cyber threats.
• Staff training is essential. Educate your employees on how to recognise suspicious emails and browse the internet safely. Cyber awareness should be included as part of your induction process and revisited in regular refresher sessions.
• Ensure you have an incident response plan in place which you can call upon in the event of a breach or interruption. This should include technical measures that enable the recovery of systems, operations and data, and a communication strategy if necessary.
• If you are looking for additional advice and guidance on prevention, we would recommend the Cyber Essentials website, a government-backed cyber security certification scheme that sets out a good baseline of security suitable for all organisations across all sectors.
Reducing risk: Identify -> Analyse -> Control -> Transfer
Organisations need to realise that GDPR is here and waiting is no longer an option. The key message is to get started.
GDPR applies to most organisations and the approach to it needs thinking about. So get started.
A first step is to assess where you are.
Take action, whether on security, consent or breach. Get started.
Take action and follow advice of the regulator. Having effective documentation is a good start.
We have heard about the threats from hackers and the challenges presented by GDPR. There are many consultants about, and choosing a good consultant can pose significant challenges. (I can mention C3IA here to keep them happy)
Choosing the assurance route allows boards to measure the organisation's security and compliance against set standards which are well recognised. In fact, these are mandatory for most Government contracts.
These standards are regularly updated to ensure that the latest threats and best practice are taken into account.
Later I will briefly detail the 3 standards, but we can also offer additional "bolt on" services such as training and vulnerability scanning.
GDPR is due in May 2018 which does not leave a lot of time for business to put the required controls in place.
Everyone who collects data is required to be compliant. This applies to both controllers and processors who, under the new rules, have much the same responsibilities.
The rights of the data subjects are significantly enhanced, and you will need a data retention policy as well as privacy statements and data privacy impact assessments. A lawyer is best placed to advise in this remit.
Other areas for a lawyer are those revolving around explicit permission from data subjects with regard to receiving marketing information.
GDPR also mandates good data security, revolving around Confidentiality, Integrity and Availability.
Confidentiality: No one should have access to data they do not need to see in the course of their normal job. Data should be adequately protected from being breached by outsiders.
Integrity: You should be able to show that the data is correct and has not been unlawfully manipulated in any way.
Availability: Your systems need to be robust to ensure that the data is available when required.
Cyber Essentials is a good first step and starts to address data security. It can help mitigate fines from the ICO should you suffer a breach.
The IASME governance standard adds a number of topics to Cyber Essentials which will be required for GDPR compliance, such as assessing business risks, training staff, dealing with incidents and handling operational issues.