ScottMadden, Inc., profile picture
Uploaded byScottMadden, Inc.
PDF, PPTX1,964 views

Cybersecurity in Shared Services Organizations

The document discusses the importance of cybersecurity in shared services organizations (SSOs), emphasizing the risks associated with handling sensitive data and the need for robust cybersecurity programs. It outlines common types of cyber threats, the rising prevalence of such attacks, and key factors contributing to vulnerabilities within SSOs. The document also provides strategies for building effective cybersecurity frameworks, including data security, employee education, and governance practices.

Education
Related topics:
Cyber Attacks

Embed presentation

Download as PDF, PPTX
Copyright © 2016 ScottMadden, Inc. All rights reserved. Cybersecurity in Shared Services Organizations June 2016
Copyright © 2016 by ScottMadden, Inc. All rights reserved. Contents ■ Introduction to Shared Services Cybersecurity ■ What’s at Risk? ■ Cyber Attack Trends ■ Key Shared Services Organization (SSO) Risk Factors ■ Building Blocks of an SSO Cybersecurity Program • Data Security • Education and Awareness • Governance and Compliance ■ SSO Cybersecurity Leading Practices ■ How ScottMadden Can Help 1
Copyright © 2016 by ScottMadden, Inc. All rights reserved. Introduction to Shared Services Cybersecurity Shared Service Organizations (SSOs) control much of an organization’s confidential and restricted personal information. While handling and using this data is routine for SSOs, it is exactly the kind of information that is highly prized by cyber criminals. A robust cybersecurity program is imperative to protect the organization, employees, and customers. Cyber threats can materialize in a number of ways but can be broken down into two main types: 2 Type Description Examples External ■ Cyber criminals use offensive maneuvers with the intent of stealing, altering, or destroying data, networks, infrastructure assets, and/or personal devices ■ Denial of service attacks designed to make network resources unavailable to its users ■ Unauthorized users gaining physical access to a computer and downloading sensitive data ■ Attempts to acquire usernames, passwords, and credit card details directly from users (e.g., phishing) Internal ■ Employees unintentionally compromise sensitive data or systems, potentially exposing the organization to cyber attacks ■ Employees maliciously circumvent data security protocols and/or willingly aid cyber criminals ■ Sending documents containing sensitive information via standard email rather than through secure email programs ■ Purposefully opening email attachments from external senders known to contain malicious code Many organizations have dedicated Information Security (InfoSec) groups that manage security programs enterprise wide. However, accountability for protecting sensitive shared services and employee information ultimately falls to the SSO.
Copyright © 2016 by ScottMadden, Inc. All rights reserved. Personal Data/PII Business/Organization Examples of Confidential Information  Name  Email address  Physical address  Phone number  Job title  Work experience  Evaluations  Gender  Marital status  Age  M&A or transactional activity  Ongoing lawsuits  Internal investigations  Proprietary content  Advance SEC filings  Press releases  Emails  Internal memos  Company presentations Examples of Restricted Information  SSN  Passport  Driver’s license  Ethnicity  Nationality  Sexual orientation  Medical history  Salary/compensation  Bank account information  Background checks  Credit reports  Criminal history  Strategic plans  Budgets  Reports  Legal materials  Audits and assessments  P-card numbers What’s At Risk? Confidential Information refers to data/information for which unauthorized access or disclosure could result in an adverse effect on the organization, an individual, or both. This information could either be personally identifiable information (PII) or confidential business information. Restricted Information includes the most sensitive Confidential Information and is typically protected by law or policy. 3
Copyright © 2016 by ScottMadden, Inc. All rights reserved. Cyber Attack Trends The number of cyber attacks against organizations continues to grow in complexity, frequency, and severity. Significant data breaches in 2015 included1: ■ VTech (children’s technology maker) – personal data compromised for 5 million parents and 6 million children ■ Kaspersky Lab (security vendor) – 13 million account records exposed ■ Experian (credit service provider) – personal data compromised for 15 million customers ■ US Office of Personnel Management (federal government) – PII and restricted data exposed for 21.5 million federal employees ■ Anthem Blue Cross Blue Shield (health insurer) – PII and restricted data exposed for 80 million patients and employees 4 0.0 0.5 1.0 1.5 2.0 2.5 3.0 $0.0 $2.0 $4.0 $6.0 $8.0 $10.0 $12.0 $14.0 $16.0 $18.0 2010 2011 2012 2013 2014 2015 AttacksperWeek AverageRemediation Cost($millions) 2015 Cyber Attack Trends2 Annual Cost of Attacks per Company No. of Attacks per Week 42% 36% 19% 2% 1% 2015 Cyber Attack Cost Breakdown2 Information Loss Business Disruption Revenue Loss Other Costs Equipment Damages Highest Reported Remediation Costs $51.9M $36.5M $46.2M $58.1M $60.5M $65.0M 2. Source: 2015 Cost of Cyber Crime Study, Ponemon Institute 1. CRN, 10 Biggest Data Breaches of 2015 In 2015, the average organization spent more than $15 million remediating the effects of cyber attacks. To mitigate potential costs, SSOs must take action to understand and protect the flow of their sensitive information.
Copyright © 2016 by ScottMadden, Inc. All rights reserved. ■ SSOs enhance their efficacy by integrating their primary systems with third-party systems for benefits management, time and attendance, etc. Each of these integrations typically transmits sensitive data over myriad secured and unsecured channels ■ Business process complexities, policies, and exceptions increase along with the amount of sensitive data flowing through the SSO ■ Email, chat, and open service tickets are common modes of sending communications in and out of SSOs. These regularly include sensitive information that can inadvertently fall into the wrong hands ■ Some SSO departments (e.g., workforce administration, call centers) can experience low employee engagement, especially for data security initiatives ■ These departments can also experience high turnover, opening the SSO up further to potential malicious insider activity The volume of sensitive data makes SSOs a target. While a high volume of data tends to correlate to increased operational efficiency, it also increases the risk that this data may be compromised. Despite this, data security is often overlooked in favor of gains in operational efficiency and customer service. Key SSO Risk Factors 5 SSO Risk Factors Complexity of an HR SSO Information Ecosystem SSO data is constantly moving through countless systems, applications, and individuals. Only a robust cybersecurity program can mitigate the complexities of the information ecosystem.
Copyright © 2016 by ScottMadden, Inc. All rights reserved. Building Blocks of SSO Cybersecurity Tiered SSO delivery models often include payroll and leave-of-absence specialists, AP clerks, and HRIS teams that have elevated privileges to sensitive data. SSOs need to provide employees the tools, awareness, and direction to properly handle, communicate, and use confidential and restricted data. 6 Building Block Key Questions Potential Vulnerabilities Data Security ■ Do you know where your confidential and restricted data is stored and for how long? ■ What controls are in place to ensure data safely reaches its intended destination? ■ Do you have secure methods for handling and collaborating with restricted data? ■ Who has access to confidential and restricted data? ■ It is not clear how many systems, applications, servers, etc. house PII ■ Old databases and files are left on shared drives “as is” after they are no longer needed ■ Some employees save files containing PII to their local drives ■ Third-party support vendors have access to applications that process/contain PII Education and Awareness ■ What information security training do SSO employees receive? ■ How often is the material refreshed and presented? ■ Employees receive minimal, ineffective training ■ Training documentation is not up to date with current trends and leading practices Security Governance and Compliance ■ Are there clear roles and responsibilities between the SSO, IT, and InfoSec? ■ Are you in compliance with enterprise data security standards and policies? ■ Lack of an overall governance structure that clearly outlines roles and accountabilities ■ Enterprise data retention policies require file deletion before statutory paystub regulations
Copyright © 2016 by ScottMadden, Inc. All rights reserved. Time and Attendance System Payroll Audit Check Print Database and System HR and Payroll System SSO Data Security SSO data is stored in and moves through countless on-premises and cloud applications and systems. Understanding where sensitive data is stored and how it is used and shared are essential to developing and implementing effective security controls. Data can be classified in three categories: ■ Data at rest: Anything that holds data in a static state, such as file shares, databases, servers, etc. ■ Data in motion: Data in transit (“on a wire”) between applications, systems, individuals, etc. via email, web, or other Internet protocols ■ Data in use: Data that resides on the end-user workstation and needs to be protected from being leaked through removable media devices like USBs, DVDs, CDs etc. The graphic below depicts a sample flow of data through an SSO’s payroll process: 7 Data in Use The payroll audit team uses computers and shared drives to audit payroll files prior to releasing for final printing. Key concerns include:  Frequency that drives and computers are wiped for sensitive information  Access restrictions to shared drives  Standards for sharing sensitive data Data in Motion Key concerns:  Level of encryption on data as it moves  Encryption key management/policies Data at Rest Data is stored in multiple locations in this diagram – the T&A database, the cloud HR/payroll solution, and the check printing software database. Key concerns include:  Level of encryption (e.g., full disk, file level)  Consistent use of encryption  Access restrictions to databases and servers
Copyright © 2016 by ScottMadden, Inc. All rights reserved. Mitigating Common SSO Data Security Challenges Many SSOs face similar data security challenges and risk points they must address: ■ Stale or outdated data maintained on servers and databases ■ Numerous locations and mechanisms for storing data ■ Necessity of cross-functional collaboration using sensitive data ■ Inconsistent use of encryption and secure file transfer protocols ■ Lack of clarity with regards to retention standards Formal data security standards can help mitigate these risks throughout the data life cycle. Key considerations include: ■ What data will be stored, and for how long ■ Where data will be stored, both physically and electronically ■ Who can access data, including both applications and users ■ How often and where data should be backed up ■ When and how to destroy data 8 User Data Creation Data Storage Archive Data Backup Data Disposal Ability to Recall/Access Application Life Cycle of SSO Data
Copyright © 2016 by ScottMadden, Inc. All rights reserved. Education and Awareness Cyber crimes are not the only sources of risk for SSOs—the action or inaction of employees can also lead to security incidents. It is vital SSOs maintain a security awareness program to ensure employees understand the importance of protecting sensitive information, how to handle it securely, and the risks of mishandling such information. 9 Source: PCI Security Standards Council Qualities of an effective and sustainable awareness program include: ■ Information is provided in a way that relates to the SSO culture (i.e., how employees think and behave) ■ Information is delivered in different formats to affect change and is consistently reinforced and repeated ■ Management is on-board and understands the holistic security risks (e.g., financial, reputational, legal) ■ Presentations are personal – “bring the message home,” “security is everyone’s job” ■ Information is relevant to current events and trends and is consistently updated with lessons learned
Copyright © 2016 by ScottMadden, Inc. All rights reserved. ■ Identify a clear set of roles and responsibilities for which each group is accountable ■ Leverage the insight of each group to determine risk points ■ Ensure communication between all groups is timely, efficient, and ongoing ■ Work together on policy creation to ensure the alignment on data security priorities and standards In addition to securing sensitive data and educating employees, SSOs must work with other parts of the organization to clearly define security roles and responsibilities. Establishing a governance model creates a structure that enables the SSO to operate with clear role definition, fosters appropriate accountabilities, and ensures compliance with corporate standards. 10 Establish Enterprise Data Security Standards Foster Collaboration between the SSO, IT, Legal and InfoSec Governance and Compliance ■ Conduct analysis to understand where the SSO is in relation to existing enterprise data security policies and identify highest priority gaps ■ Collaborate to establish overall data security standards taking into account special SSO situations and laws/regulations ■ Document policy and process documentation ■ Establish a process and standards audit cycle
Copyright © 2016 by ScottMadden, Inc. All rights reserved. SSO Cybersecurity Leading Practices 11 Building Block Leading Practice Benefit Description Impact Implementation Level Data Security Secure sensitive information that is not encrypted ■ Reduces the likelihood of a successful breach ■ Enhances the defense in depth through multiple avenues of layered security ■ Supports secure business processes High Enterprise/SSO Enhance physical security practices ■ Protects employees, hardware, programs, network, data, and other assets from physical intrusions and events that could cause loss or damage to an organization or individual High SSO Develop information sharing standards ■ Provides clarity of expectations, increases accountability, and ensures the most effective tools at the organization’s disposal are being used ■ Ensures the applications and tools used to share information meet organizational security and business requirements High Enterprise/SSO Develop information storage standards ■ Determines how SSOs will comply with the organization’s data retention policy High SSO Inventory information at rest, in motion, and in use ■ Allows an organization to: • Create policies and standards aligned with business needs • Secure data via encryption or other appropriate methods • Develop an effective defense in depth strategy High Enterprise/SSO Isolate restricted information and confidential information ■ Creates and designates repositories for the storage of sensitive information ■ Allows the organization to better understand where its data resides ■ Ensures security solutions and resources are prioritized and aligned with protecting the organization’s most valuable information High Enterprise/SSO Education and Awareness Develop a security awareness program ■ Regularly reminds and reinforces the need to keep sensitive information secure ■ Continuously promotes awareness High Enterprise/SSO
Copyright © 2016 by ScottMadden, Inc. All rights reserved. SSO Cybersecurity Leading Practices (Cont’d) 12 Building Block Leading Practice Benefit Description Impact Implementation Level Governance and Compliance Develop a data retention policy ■ Helps organizations manage data, comply with laws and regulations, and prepare for business continuity in case of a disaster High Enterprise/SSO Define security governance ■ Creates a structure that enables the organization to operate with clear role definition and accountabilities High Enterprise Develop policy and process documentation ■ Allows senior leadership to communicate philosophies, strategy, and broad requirements to the organization ■ Allows leadership to define and standardize how the requirements set forth in the policies will be accomplished High Enterprise/SSO Measure process effectiveness ■ Allows an organization to assess the effectiveness of its security controls ■ Facilitates decision making, improves performance, and increases accountability Medium Enterprise/SSO Audit processes, protocols, and standards ■ Instills a sense of confidence that the business is functioning well and is prepared to meet potential challenges ■ Encourages continuous improvement Medium Enterprise/SSO Perform risk assessments ■ Highlights the cybersecurity risk to organizational operations, assets, and individuals ■ Serves as a foundation for prioritizing improvement efforts and decision making Medium Enterprise Develop system requirements ■ Describes functions which systems, applications, and other tools should fulfill to meet security and business requirements Low Enterprise Develop a formal data loss prevention program ■ Improves data classification schemes ■ Provides an understanding of the data life cycle ■ Enhances controls over access to sensitive data Low Enterprise
Copyright © 2016 by ScottMadden, Inc. All rights reserved. Putting It All Together A programmatic approach is required to secure SSOs. Attempts to build and improve cybersecurity capabilities through individual or disjointed projects are expensive and ineffective. SSOs must pursue a programmatic approach that mitigates SSO- wide risks. 13 Engaging SSO leadership and stakeholders in cybersecurity decision making is the single most important factor in creating a successful cybersecurity program—more than technology or funding. In a formal cybersecurity program: ■ A roadmap is created to identify critical risks, take immediate action, and achieve long-term capabilities. Many leading practices can be implemented quickly with significant impact on SSO cybersecurity ■ Priorities are risk informed ■ Project management and organizational change management enable a successful implementation ■ Monitoring of indicators drives corrective actions and continuous improvement Cybersecurity Policies and Controls Technology and Automation Capabilities Business Processes and Employee Behaviors Changes SSO Mission and Strategic Objectives SSO Risks Governance: Evaluate, Direct, MonitorManagement: Plan, Do, Check, Act Program and Organizational Change Management
Copyright © 2016 by ScottMadden, Inc. All rights reserved. How ScottMadden Can Help 14 ■ Strategic planning support ■ Security program management ■ Design and implementation ■ Security policy alignment ■ Program assessments ■ Sensitive data inventories ■ Transformation ■ Policy framework design ■ Business policy and process assessments ■ Data security standards creation ■ Cybersecurity metric design and implementation ■ Access management strategy development ■ OCM support of implementation efforts ■ Cybersecurity awareness plan – design and implementation ■ Process design ■ Implementation project management ■ Cybersecurity threat- based risk assessments ■ Vendor selection Cybersecurity Program Services Cybersecurity Governance Design and Implementation Cybersecurity Organizational Change Management (OCM) Cybersecurity Capability Design and Implementation
Copyright © 2016 by ScottMadden, Inc. All rights reserved. Jon Kerner Partner and Information Technology Practice Lead ScottMadden, Inc. 3495 Piedmont Road Building 10, Suite 805 Atlanta, GA 30305 jkerner@scottmadden.com O: 678-702-8346 To learn more about SSO Cybersecurity, contact us. Contact Us 15

More Related Content

PDF
Mobile Is Eating the World (2016)
bya16z
 
PPTX
Event Driven Programming Course Outline.pptx
byBekeleTsanga2
 
PPTX
2 - To bevaringslover
byMissingWaldo
 
PPTX
Cyber Fraud - The New Frontiers
byAlbert Hui
 
PDF
Get Ahead of Cyber Attacks with Microsoft Enterprise Mobility + Security
byDavid J Rosenthal
 
PPSX
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...
byAlbert Hui
 
PPTX
Securing the Cloud
byGGV Capital
 
PDF
Awareness Security Session 2023 v1.0.pptx.pdf
byAbdullahKanash
 
Mobile Is Eating the World (2016)
bya16z
 
Event Driven Programming Course Outline.pptx
byBekeleTsanga2
 
2 - To bevaringslover
byMissingWaldo
 
Cyber Fraud - The New Frontiers
byAlbert Hui
 
Get Ahead of Cyber Attacks with Microsoft Enterprise Mobility + Security
byDavid J Rosenthal
 
Cyber Threat Intelligence: What do we Want? The Incident Response and Technol...
byAlbert Hui
 
Securing the Cloud
byGGV Capital
 
Awareness Security Session 2023 v1.0.pptx.pdf
byAbdullahKanash
 

Similar to Cybersecurity in Shared Services Organizations

PDF
The Trust Paradox: Access Management and Trust in an Insecure Age
byEMC
 
PPTX
SoCal HIMSS Privacy Security Webinar
byMarty Miller
 
DOCX
Module 02 Performance Risk-based Analytics With all the advancem
byIlonaThornburg83
 
PDF
Data+Security+Masterclass Presentation.pdf
byckurt9676
 
PPTX
Cyber Security and Healthcare
byJonathon Coulter
 
PPTX
Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...
byFasoo
 
PDF
1. introduction to cyber security
byAnimesh Roy
 
PPTX
IT Security Essentials
bySkoda Minotti
 
PPTX
CS5300 class presentation on managing information systems
byzenhubris
 
PPTX
Cyber Security Update: How to Train Your Employees to Prevent Data Breaches
byParsons Behle & Latimer
 
PPTX
Too Small to Get Hacked? Think Again (Webinar)
byOnRamp
 
PPT
Chap5 2007 C I S A Review Course
byDesmond Devendran
 
PPT
Chap5 2007 Cisa Review Course
byDesmond Devendran
 
PPT
Information Security Seminar
byAcend Corporate Learning
 
PDF
InformationSecurity_11141
bysraina2
 
PPT
Eileen Presentation
byjc06442n
 
PDF
Cybersecurity solution-guide
byAdilsonSuende
 
PDF
Foley-Cybersecurity-White-Paper_3.9.15
byJames Fisher
 
PPT
Cobit 2
bySecurelogy
 
PPT
Main Menu
bySecurelogy
 
The Trust Paradox: Access Management and Trust in an Insecure Age
byEMC
 
SoCal HIMSS Privacy Security Webinar
byMarty Miller
 
Module 02 Performance Risk-based Analytics With all the advancem
byIlonaThornburg83
 
Data+Security+Masterclass Presentation.pdf
byckurt9676
 
Cyber Security and Healthcare
byJonathon Coulter
 
Gartner Security & Risk Management Summit 2014 - Defending the Enterprise Aga...
byFasoo
 
1. introduction to cyber security
byAnimesh Roy
 
IT Security Essentials
bySkoda Minotti
 
CS5300 class presentation on managing information systems
byzenhubris
 
Cyber Security Update: How to Train Your Employees to Prevent Data Breaches
byParsons Behle & Latimer
 
Too Small to Get Hacked? Think Again (Webinar)
byOnRamp
 
Chap5 2007 C I S A Review Course
byDesmond Devendran
 
Chap5 2007 Cisa Review Course
byDesmond Devendran
 
Information Security Seminar
byAcend Corporate Learning
 
InformationSecurity_11141
bysraina2
 
Eileen Presentation
byjc06442n
 
Cybersecurity solution-guide
byAdilsonSuende
 
Foley-Cybersecurity-White-Paper_3.9.15
byJames Fisher
 
Cobit 2
bySecurelogy
 
Main Menu
bySecurelogy
 

More from ScottMadden, Inc.

PDF
Creating IT Value-A Better Way to Make IT Investment Decisions
byScottMadden, Inc.
 
PDF
Benchmarking for Natural Gas LDCs
byScottMadden, Inc.
 
PDF
Benchmarking for Natural Gas LDCs
byScottMadden, Inc.
 
PPTX
ScottMadden Fossil Benchmarking Analysis
byScottMadden, Inc.
 
PPTX
Overcoming the Challenges of Large Capital Programs/Projects
byScottMadden, Inc.
 
PDF
ScottMadden HR Shared Services Benchmarking Study Highlights 2019
byScottMadden, Inc.
 
PDF
ScottMadden Fossil Benchmarking Analysis
byScottMadden, Inc.
 
PDF
ScottMadden Finance Shared Services Benchmark Highlights 2020
byScottMadden, Inc.
 
PDF
The ScottMadden Energy Industry Update Webcast: Everything Counts ... In Larg...
byScottMadden, Inc.
 
PDF
ScottMadden's Energy Industry Update for the 2019 Utility Supply Chain Confer...
byScottMadden, Inc.
 
PDF
Energy Industry Update Webcast: Don't Stop Believin'
byScottMadden, Inc.
 
PDF
Combined Cycles
byScottMadden, Inc.
 
PDF
Technology for HR Shared Services
byScottMadden, Inc.
 
PDF
Building a Business Case for Shared Services
byScottMadden, Inc.
 
PDF
Fundamentals of Designing, Building, & Implementing a Service Delivery Center
byScottMadden, Inc.
 
PDF
Next Generation Shared Services Centers
byScottMadden, Inc.
 
PDF
California’s Combined Cycle Costs in the Age of the Duck Curve
byScottMadden, Inc.
 
PDF
Capital Program Assessment Overview
byScottMadden, Inc.
 
PDF
Value of Strategic Direction
byScottMadden, Inc.
 
PDF
Generation Trends: What are the Impacts on Transmission?
byScottMadden, Inc.
 
Creating IT Value-A Better Way to Make IT Investment Decisions
byScottMadden, Inc.
 
Benchmarking for Natural Gas LDCs
byScottMadden, Inc.
 
Benchmarking for Natural Gas LDCs
byScottMadden, Inc.
 
ScottMadden Fossil Benchmarking Analysis
byScottMadden, Inc.
 
Overcoming the Challenges of Large Capital Programs/Projects
byScottMadden, Inc.
 
ScottMadden HR Shared Services Benchmarking Study Highlights 2019
byScottMadden, Inc.
 
ScottMadden Fossil Benchmarking Analysis
byScottMadden, Inc.
 
ScottMadden Finance Shared Services Benchmark Highlights 2020
byScottMadden, Inc.
 
The ScottMadden Energy Industry Update Webcast: Everything Counts ... In Larg...
byScottMadden, Inc.
 
ScottMadden's Energy Industry Update for the 2019 Utility Supply Chain Confer...
byScottMadden, Inc.
 
Energy Industry Update Webcast: Don't Stop Believin'
byScottMadden, Inc.
 
Combined Cycles
byScottMadden, Inc.
 
Technology for HR Shared Services
byScottMadden, Inc.
 
Building a Business Case for Shared Services
byScottMadden, Inc.
 
Fundamentals of Designing, Building, & Implementing a Service Delivery Center
byScottMadden, Inc.
 
Next Generation Shared Services Centers
byScottMadden, Inc.
 
California’s Combined Cycle Costs in the Age of the Duck Curve
byScottMadden, Inc.
 
Capital Program Assessment Overview
byScottMadden, Inc.
 
Value of Strategic Direction
byScottMadden, Inc.
 
Generation Trends: What are the Impacts on Transmission?
byScottMadden, Inc.
 

Recently uploaded

PPTX
How to Manage Package Reservation in Odoo 18 Inventory
byCeline George
 
PPTX
extracting significant information to formulate sound judgement
byMarichelle2
 
PDF
Digital Wellness in University Communities: Libraries as Guardians of Healthy...
bySylvester Ebhonu
 
PPTX
How to Configure Push & Pull Rule in Odoo 18 Inventory
byCeline George
 
PPTX
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
PDF
Projecte de la porta de la classe de primer A: Mar i cel.
byeduardrubio1
 
PPTX
Semester 6 unit 2 Atopic dermatitis.pptx
bysachin7989
 
PDF
1ST APPLICATION FOR ANNULMENT (4)8787666.pdf
bykonstantinantountoum1
 
PDF
Analyzing the data of your initial survey
byThelma Villaflores
 
PDF
BỘ TEST KIỂM TRA CUỐI HỌC KÌ 1 - TIẾNG ANH 6-7-8-9 GLOBAL SUCCESS - PHIÊN BẢN...
byNguyen Thanh Tu Collection
 
PPTX
ATTENTION -PART 2.pptx Shilpa Hotakar for I semester BSc students
bySHILPA HOTAKAR
 
PDF
IMANI Africa files RTI request seeking full disclosure on 2026 SIM registrati...
bynservice241
 
PDF
FAMILY ASSESSMENT FORMAT - CHN practical
byDr. Sudhadevi Sadanandan
 
PPTX
York "Collaboration for Research Support at U-M Library"
byNational Information Standards Organization (NISO)
 
PDF
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
PPTX
ICH Harmonization A Global Pathway to Unified Drug Regulation.pptx
byDr. Smita Kumbhar
 
PPTX
Cost of Capital - Cost of Equity, Cost of debenture, Cost of Preference share...
bySundar B N
 
PDF
Projecte de la porta de primer B: L'antic Egipte
byeduardrubio1
 
PPTX
Accounting Skills Paper-II (Registers of PACs and Credit Co-operative Societies)
byDr. Sushil Bansode
 
PPTX
How to use search_read method in Odoo 18
byCeline George
 
How to Manage Package Reservation in Odoo 18 Inventory
byCeline George
 
extracting significant information to formulate sound judgement
byMarichelle2
 
Digital Wellness in University Communities: Libraries as Guardians of Healthy...
bySylvester Ebhonu
 
How to Configure Push & Pull Rule in Odoo 18 Inventory
byCeline George
 
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
Projecte de la porta de la classe de primer A: Mar i cel.
byeduardrubio1
 
Semester 6 unit 2 Atopic dermatitis.pptx
bysachin7989
 
1ST APPLICATION FOR ANNULMENT (4)8787666.pdf
bykonstantinantountoum1
 
Analyzing the data of your initial survey
byThelma Villaflores
 
BỘ TEST KIỂM TRA CUỐI HỌC KÌ 1 - TIẾNG ANH 6-7-8-9 GLOBAL SUCCESS - PHIÊN BẢN...
byNguyen Thanh Tu Collection
 
ATTENTION -PART 2.pptx Shilpa Hotakar for I semester BSc students
bySHILPA HOTAKAR
 
IMANI Africa files RTI request seeking full disclosure on 2026 SIM registrati...
bynservice241
 
FAMILY ASSESSMENT FORMAT - CHN practical
byDr. Sudhadevi Sadanandan
 
York "Collaboration for Research Support at U-M Library"
byNational Information Standards Organization (NISO)
 
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
ICH Harmonization A Global Pathway to Unified Drug Regulation.pptx
byDr. Smita Kumbhar
 
Cost of Capital - Cost of Equity, Cost of debenture, Cost of Preference share...
bySundar B N
 
Projecte de la porta de primer B: L'antic Egipte
byeduardrubio1
 
Accounting Skills Paper-II (Registers of PACs and Credit Co-operative Societies)
byDr. Sushil Bansode
 
How to use search_read method in Odoo 18
byCeline George
 

Cybersecurity in Shared Services Organizations

  • 1.
    Copyright © 2016ScottMadden, Inc. All rights reserved. Cybersecurity in Shared Services Organizations June 2016
  • 2.
    Copyright © 2016by ScottMadden, Inc. All rights reserved. Contents ■ Introduction to Shared Services Cybersecurity ■ What’s at Risk? ■ Cyber Attack Trends ■ Key Shared Services Organization (SSO) Risk Factors ■ Building Blocks of an SSO Cybersecurity Program • Data Security • Education and Awareness • Governance and Compliance ■ SSO Cybersecurity Leading Practices ■ How ScottMadden Can Help 1
  • 3.
    Copyright © 2016by ScottMadden, Inc. All rights reserved. Introduction to Shared Services Cybersecurity Shared Service Organizations (SSOs) control much of an organization’s confidential and restricted personal information. While handling and using this data is routine for SSOs, it is exactly the kind of information that is highly prized by cyber criminals. A robust cybersecurity program is imperative to protect the organization, employees, and customers. Cyber threats can materialize in a number of ways but can be broken down into two main types: 2 Type Description Examples External ■ Cyber criminals use offensive maneuvers with the intent of stealing, altering, or destroying data, networks, infrastructure assets, and/or personal devices ■ Denial of service attacks designed to make network resources unavailable to its users ■ Unauthorized users gaining physical access to a computer and downloading sensitive data ■ Attempts to acquire usernames, passwords, and credit card details directly from users (e.g., phishing) Internal ■ Employees unintentionally compromise sensitive data or systems, potentially exposing the organization to cyber attacks ■ Employees maliciously circumvent data security protocols and/or willingly aid cyber criminals ■ Sending documents containing sensitive information via standard email rather than through secure email programs ■ Purposefully opening email attachments from external senders known to contain malicious code Many organizations have dedicated Information Security (InfoSec) groups that manage security programs enterprise wide. However, accountability for protecting sensitive shared services and employee information ultimately falls to the SSO.
  • 4.
    Copyright © 2016by ScottMadden, Inc. All rights reserved. Personal Data/PII Business/Organization Examples of Confidential Information  Name  Email address  Physical address  Phone number  Job title  Work experience  Evaluations  Gender  Marital status  Age  M&A or transactional activity  Ongoing lawsuits  Internal investigations  Proprietary content  Advance SEC filings  Press releases  Emails  Internal memos  Company presentations Examples of Restricted Information  SSN  Passport  Driver’s license  Ethnicity  Nationality  Sexual orientation  Medical history  Salary/compensation  Bank account information  Background checks  Credit reports  Criminal history  Strategic plans  Budgets  Reports  Legal materials  Audits and assessments  P-card numbers What’s At Risk? Confidential Information refers to data/information for which unauthorized access or disclosure could result in an adverse effect on the organization, an individual, or both. This information could either be personally identifiable information (PII) or confidential business information. Restricted Information includes the most sensitive Confidential Information and is typically protected by law or policy. 3
  • 5.
    Copyright © 2016by ScottMadden, Inc. All rights reserved. Cyber Attack Trends The number of cyber attacks against organizations continues to grow in complexity, frequency, and severity. Significant data breaches in 2015 included1: ■ VTech (children’s technology maker) – personal data compromised for 5 million parents and 6 million children ■ Kaspersky Lab (security vendor) – 13 million account records exposed ■ Experian (credit service provider) – personal data compromised for 15 million customers ■ US Office of Personnel Management (federal government) – PII and restricted data exposed for 21.5 million federal employees ■ Anthem Blue Cross Blue Shield (health insurer) – PII and restricted data exposed for 80 million patients and employees 4 0.0 0.5 1.0 1.5 2.0 2.5 3.0 $0.0 $2.0 $4.0 $6.0 $8.0 $10.0 $12.0 $14.0 $16.0 $18.0 2010 2011 2012 2013 2014 2015 AttacksperWeek AverageRemediation Cost($millions) 2015 Cyber Attack Trends2 Annual Cost of Attacks per Company No. of Attacks per Week 42% 36% 19% 2% 1% 2015 Cyber Attack Cost Breakdown2 Information Loss Business Disruption Revenue Loss Other Costs Equipment Damages Highest Reported Remediation Costs $51.9M $36.5M $46.2M $58.1M $60.5M $65.0M 2. Source: 2015 Cost of Cyber Crime Study, Ponemon Institute 1. CRN, 10 Biggest Data Breaches of 2015 In 2015, the average organization spent more than $15 million remediating the effects of cyber attacks. To mitigate potential costs, SSOs must take action to understand and protect the flow of their sensitive information.
  • 6.
    Copyright © 2016by ScottMadden, Inc. All rights reserved. ■ SSOs enhance their efficacy by integrating their primary systems with third-party systems for benefits management, time and attendance, etc. Each of these integrations typically transmits sensitive data over myriad secured and unsecured channels ■ Business process complexities, policies, and exceptions increase along with the amount of sensitive data flowing through the SSO ■ Email, chat, and open service tickets are common modes of sending communications in and out of SSOs. These regularly include sensitive information that can inadvertently fall into the wrong hands ■ Some SSO departments (e.g., workforce administration, call centers) can experience low employee engagement, especially for data security initiatives ■ These departments can also experience high turnover, opening the SSO up further to potential malicious insider activity The volume of sensitive data makes SSOs a target. While a high volume of data tends to correlate to increased operational efficiency, it also increases the risk that this data may be compromised. Despite this, data security is often overlooked in favor of gains in operational efficiency and customer service. Key SSO Risk Factors 5 SSO Risk Factors Complexity of an HR SSO Information Ecosystem SSO data is constantly moving through countless systems, applications, and individuals. Only a robust cybersecurity program can mitigate the complexities of the information ecosystem.
  • 7.
    Copyright © 2016by ScottMadden, Inc. All rights reserved. Building Blocks of SSO Cybersecurity Tiered SSO delivery models often include payroll and leave-of-absence specialists, AP clerks, and HRIS teams that have elevated privileges to sensitive data. SSOs need to provide employees the tools, awareness, and direction to properly handle, communicate, and use confidential and restricted data. 6 Building Block Key Questions Potential Vulnerabilities Data Security ■ Do you know where your confidential and restricted data is stored and for how long? ■ What controls are in place to ensure data safely reaches its intended destination? ■ Do you have secure methods for handling and collaborating with restricted data? ■ Who has access to confidential and restricted data? ■ It is not clear how many systems, applications, servers, etc. house PII ■ Old databases and files are left on shared drives “as is” after they are no longer needed ■ Some employees save files containing PII to their local drives ■ Third-party support vendors have access to applications that process/contain PII Education and Awareness ■ What information security training do SSO employees receive? ■ How often is the material refreshed and presented? ■ Employees receive minimal, ineffective training ■ Training documentation is not up to date with current trends and leading practices Security Governance and Compliance ■ Are there clear roles and responsibilities between the SSO, IT, and InfoSec? ■ Are you in compliance with enterprise data security standards and policies? ■ Lack of an overall governance structure that clearly outlines roles and accountabilities ■ Enterprise data retention policies require file deletion before statutory paystub regulations
  • 8.
    Copyright © 2016by ScottMadden, Inc. All rights reserved. Time and Attendance System Payroll Audit Check Print Database and System HR and Payroll System SSO Data Security SSO data is stored in and moves through countless on-premises and cloud applications and systems. Understanding where sensitive data is stored and how it is used and shared are essential to developing and implementing effective security controls. Data can be classified in three categories: ■ Data at rest: Anything that holds data in a static state, such as file shares, databases, servers, etc. ■ Data in motion: Data in transit (“on a wire”) between applications, systems, individuals, etc. via email, web, or other Internet protocols ■ Data in use: Data that resides on the end-user workstation and needs to be protected from being leaked through removable media devices like USBs, DVDs, CDs etc. The graphic below depicts a sample flow of data through an SSO’s payroll process: 7 Data in Use The payroll audit team uses computers and shared drives to audit payroll files prior to releasing for final printing. Key concerns include:  Frequency that drives and computers are wiped for sensitive information  Access restrictions to shared drives  Standards for sharing sensitive data Data in Motion Key concerns:  Level of encryption on data as it moves  Encryption key management/policies Data at Rest Data is stored in multiple locations in this diagram – the T&A database, the cloud HR/payroll solution, and the check printing software database. Key concerns include:  Level of encryption (e.g., full disk, file level)  Consistent use of encryption  Access restrictions to databases and servers
  • 9.
    Copyright © 2016by ScottMadden, Inc. All rights reserved. Mitigating Common SSO Data Security Challenges Many SSOs face similar data security challenges and risk points they must address: ■ Stale or outdated data maintained on servers and databases ■ Numerous locations and mechanisms for storing data ■ Necessity of cross-functional collaboration using sensitive data ■ Inconsistent use of encryption and secure file transfer protocols ■ Lack of clarity with regards to retention standards Formal data security standards can help mitigate these risks throughout the data life cycle. Key considerations include: ■ What data will be stored, and for how long ■ Where data will be stored, both physically and electronically ■ Who can access data, including both applications and users ■ How often and where data should be backed up ■ When and how to destroy data 8 User Data Creation Data Storage Archive Data Backup Data Disposal Ability to Recall/Access Application Life Cycle of SSO Data
  • 10.
    Copyright © 2016by ScottMadden, Inc. All rights reserved. Education and Awareness Cyber crimes are not the only sources of risk for SSOs—the action or inaction of employees can also lead to security incidents. It is vital SSOs maintain a security awareness program to ensure employees understand the importance of protecting sensitive information, how to handle it securely, and the risks of mishandling such information. 9 Source: PCI Security Standards Council Qualities of an effective and sustainable awareness program include: ■ Information is provided in a way that relates to the SSO culture (i.e., how employees think and behave) ■ Information is delivered in different formats to affect change and is consistently reinforced and repeated ■ Management is on-board and understands the holistic security risks (e.g., financial, reputational, legal) ■ Presentations are personal – “bring the message home,” “security is everyone’s job” ■ Information is relevant to current events and trends and is consistently updated with lessons learned
  • 11.
    Copyright © 2016by ScottMadden, Inc. All rights reserved. ■ Identify a clear set of roles and responsibilities for which each group is accountable ■ Leverage the insight of each group to determine risk points ■ Ensure communication between all groups is timely, efficient, and ongoing ■ Work together on policy creation to ensure the alignment on data security priorities and standards In addition to securing sensitive data and educating employees, SSOs must work with other parts of the organization to clearly define security roles and responsibilities. Establishing a governance model creates a structure that enables the SSO to operate with clear role definition, fosters appropriate accountabilities, and ensures compliance with corporate standards. 10 Establish Enterprise Data Security Standards Foster Collaboration between the SSO, IT, Legal and InfoSec Governance and Compliance ■ Conduct analysis to understand where the SSO is in relation to existing enterprise data security policies and identify highest priority gaps ■ Collaborate to establish overall data security standards taking into account special SSO situations and laws/regulations ■ Document policy and process documentation ■ Establish a process and standards audit cycle
  • 12.
    Copyright © 2016by ScottMadden, Inc. All rights reserved. SSO Cybersecurity Leading Practices 11 Building Block Leading Practice Benefit Description Impact Implementation Level Data Security Secure sensitive information that is not encrypted ■ Reduces the likelihood of a successful breach ■ Enhances the defense in depth through multiple avenues of layered security ■ Supports secure business processes High Enterprise/SSO Enhance physical security practices ■ Protects employees, hardware, programs, network, data, and other assets from physical intrusions and events that could cause loss or damage to an organization or individual High SSO Develop information sharing standards ■ Provides clarity of expectations, increases accountability, and ensures the most effective tools at the organization’s disposal are being used ■ Ensures the applications and tools used to share information meet organizational security and business requirements High Enterprise/SSO Develop information storage standards ■ Determines how SSOs will comply with the organization’s data retention policy High SSO Inventory information at rest, in motion, and in use ■ Allows an organization to: • Create policies and standards aligned with business needs • Secure data via encryption or other appropriate methods • Develop an effective defense in depth strategy High Enterprise/SSO Isolate restricted information and confidential information ■ Creates and designates repositories for the storage of sensitive information ■ Allows the organization to better understand where its data resides ■ Ensures security solutions and resources are prioritized and aligned with protecting the organization’s most valuable information High Enterprise/SSO Education and Awareness Develop a security awareness program ■ Regularly reminds and reinforces the need to keep sensitive information secure ■ Continuously promotes awareness High Enterprise/SSO
  • 13.
    Copyright © 2016by ScottMadden, Inc. All rights reserved. SSO Cybersecurity Leading Practices (Cont’d) 12 Building Block Leading Practice Benefit Description Impact Implementation Level Governance and Compliance Develop a data retention policy ■ Helps organizations manage data, comply with laws and regulations, and prepare for business continuity in case of a disaster High Enterprise/SSO Define security governance ■ Creates a structure that enables the organization to operate with clear role definition and accountabilities High Enterprise Develop policy and process documentation ■ Allows senior leadership to communicate philosophies, strategy, and broad requirements to the organization ■ Allows leadership to define and standardize how the requirements set forth in the policies will be accomplished High Enterprise/SSO Measure process effectiveness ■ Allows an organization to assess the effectiveness of its security controls ■ Facilitates decision making, improves performance, and increases accountability Medium Enterprise/SSO Audit processes, protocols, and standards ■ Instills a sense of confidence that the business is functioning well and is prepared to meet potential challenges ■ Encourages continuous improvement Medium Enterprise/SSO Perform risk assessments ■ Highlights the cybersecurity risk to organizational operations, assets, and individuals ■ Serves as a foundation for prioritizing improvement efforts and decision making Medium Enterprise Develop system requirements ■ Describes functions which systems, applications, and other tools should fulfill to meet security and business requirements Low Enterprise Develop a formal data loss prevention program ■ Improves data classification schemes ■ Provides an understanding of the data life cycle ■ Enhances controls over access to sensitive data Low Enterprise
  • 14.
    Copyright © 2016by ScottMadden, Inc. All rights reserved. Putting It All Together A programmatic approach is required to secure SSOs. Attempts to build and improve cybersecurity capabilities through individual or disjointed projects are expensive and ineffective. SSOs must pursue a programmatic approach that mitigates SSO- wide risks. 13 Engaging SSO leadership and stakeholders in cybersecurity decision making is the single most important factor in creating a successful cybersecurity program—more than technology or funding. In a formal cybersecurity program: ■ A roadmap is created to identify critical risks, take immediate action, and achieve long-term capabilities. Many leading practices can be implemented quickly with significant impact on SSO cybersecurity ■ Priorities are risk informed ■ Project management and organizational change management enable a successful implementation ■ Monitoring of indicators drives corrective actions and continuous improvement Cybersecurity Policies and Controls Technology and Automation Capabilities Business Processes and Employee Behaviors Changes SSO Mission and Strategic Objectives SSO Risks Governance: Evaluate, Direct, MonitorManagement: Plan, Do, Check, Act Program and Organizational Change Management
  • 15.
    Copyright © 2016by ScottMadden, Inc. All rights reserved. How ScottMadden Can Help 14 ■ Strategic planning support ■ Security program management ■ Design and implementation ■ Security policy alignment ■ Program assessments ■ Sensitive data inventories ■ Transformation ■ Policy framework design ■ Business policy and process assessments ■ Data security standards creation ■ Cybersecurity metric design and implementation ■ Access management strategy development ■ OCM support of implementation efforts ■ Cybersecurity awareness plan – design and implementation ■ Process design ■ Implementation project management ■ Cybersecurity threat- based risk assessments ■ Vendor selection Cybersecurity Program Services Cybersecurity Governance Design and Implementation Cybersecurity Organizational Change Management (OCM) Cybersecurity Capability Design and Implementation
  • 16.
    Copyright © 2016by ScottMadden, Inc. All rights reserved. Jon Kerner Partner and Information Technology Practice Lead ScottMadden, Inc. 3495 Piedmont Road Building 10, Suite 805 Atlanta, GA 30305 jkerner@scottmadden.com O: 678-702-8346 To learn more about SSO Cybersecurity, contact us. Contact Us 15