Does Your Cybersecurity Stack Up Against Todays Cyber Criminals - Final
©2021 CliftonLarsonAllen LLP
IT & Cyber Security Services
Information security has been offered as a specialized service for over 25 years
• Penetration Testing and Vulnerability Assessment
o Black Box, Red Team, Infrastructure, Applications, Social Engineering, and
Collaborative Assessments
• Incident response and forensics
• IT/Cyber risk, audit, readiness and compliance assessments
o HIPAA, GLBA, FFIEC, NIST, CMMC, CIS, etc…
Our Panelists
Agenda and Learning Objectives
Agenda
• Current Cybersecurity Trends
• Breach Case Study
• CMMC
Learning Objectives
Explain current cyber threats, including ransomware, data exfiltration, and
other attacks
Discuss business ramifications of a data breach
Identify the increasing costs of maintaining good cybersecurity
Explain how current legislation may affect your cybersecurity requirements
Describe how Cybersecurity Maturity Model Certification (CMMC) can enhance
business success
Current Cybersecurity Landscape
Cybersecurity – What we learned in 2020
• As companies continued to digitize and connect, they created an ecosystem
that requires a security architecture adequate to protect beyond its physical
buildings.
• A robust Information Governance Strategy is a key imperative – identify and
protect your Crown Jewels, and purge unneeded information.
• Leadership needs to be aware of and manage its supply chain and vendors
(Vendor Risk Management). A proactive Vendor Risk Management strategy is
critical to minimizing disruption of a company's supply chain.
• Organizations must educate and inform their board of directors and senior
executives. They will be important advocates in funding the cybersecurity
strategy.
Cybersecurity Data Breach – Cost by the Numbers
• IBM’s 2021 Cost of a Data Breach study conducted by the Ponemon
Institute noted:
o $9.05m Average cost of a data breach in the United States
o $5.33m Global average cost of breach enterprises > 25,000 employees
o $2.98m Global average cost of breach organizations < 500 employees
o +$1.07m Cost where remote workforce was a factor in causing the breach
o 44% Breaches that included records containing Customer PII
Average cost of $180 per record
o 38% Portion of breach costs due to lost business
How Long Does It Take to Identify and Contain?
Behind the statistics
• Hackers can do a lot in AND to your network in 207 days (Global Average)
o Learn everything about your business
o Find your crown jewels and take them
o Disable backups and security systems
o Create numerous back doors
• Public portrayal of ransomware creates a false sense of security
o Ransomware is usually coupled with other acts – Ransomware is simply the
most visible part of the attack
o Current ransomware attacks are coupled with data exfiltration
o Resuming operations is just the first step
o Legal and business ramifications of a data breach can persist
Current State of Affairs
50% of victims recover money
Ransomware
• Attack on the Availability of data
• Payments are often in Bitcoin
• Cyber criminals attempt to delete backups
• Newer variants also demand payment not to publish stolen data (DOUBLE TAP)
2020 Sophos Study
• 51% of companies were hit with ransomware
• 26% paid the ransom
Case Analysis
Case Study
• Restoring operations
o After working with the company's IT team, we were able to isolate all infected
systems
o Built new servers and systems
o Restored data from backup to the newly built systems
• Fallout
o One of the compromised systems contained protected data covered
under state reporting regulations
o Because the ransomware group is known to exfiltrate data and the
company had nothing monitoring outbound data, exfiltration could not be
ruled out, so all clients with protected information in the system
needed to be notified of the potential compromise
o Risk of litigation from clients
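The case study turns on the absence of any outbound-data monitoring: without egress records, the company could not show that data had not left, so every client had to be notified. The following is an added illustration (not code from the CLA deck) of a minimal egress-volume monitor that baselines each internal host's daily outbound bytes and flags a day that spikes far above that baseline. Host names, addresses and byte counts are constructed sample data.

```python
"""Minimal outbound-volume monitor (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed firewall-style egress records: date, source host, destination, bytes out.
SAMPLE_LOG = """\
2021-03-01 fileserver01 203.0.113.10 1200000
2021-03-02 fileserver01 203.0.113.10 1350000
2021-03-03 fileserver01 203.0.113.10 1100000
2021-03-04 fileserver01 203.0.113.10 1280000
2021-03-05 fileserver01 198.51.100.77 48000000000
2021-03-01 hr-laptop07 203.0.113.10 200000
2021-03-02 hr-laptop07 203.0.113.10 210000
2021-03-03 hr-laptop07 203.0.113.10 190000
2021-03-04 hr-laptop07 203.0.113.10 205000
2021-03-05 hr-laptop07 203.0.113.10 215000
"""

def parse_egress(text):
    """Return (date, host, dst, bytes_out) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        records.append((parts[0], parts[1], parts[2], int(parts[3])))
    return records

def flag_egress_spikes(records, z_threshold=3.0, min_bytes=100_000_000):
    """Flag (host, date, dst, bytes) where a day's outbound total exceeds the
    host's prior-day mean by more than z_threshold standard deviations AND an
    absolute floor, so low-volume hosts do not alert on ordinary noise."""
    daily = defaultdict(lambda: defaultdict(int))  # host -> date -> bytes out
    last_dst = {}  # (host, date) -> last destination seen that day
    for date, host, dst, n in records:
        daily[host][date] += n
        last_dst[(host, date)] = dst
    alerts = []
    for host, by_date in daily.items():
        dates = sorted(by_date)
        for i, date in enumerate(dates):
            history = [by_date[d] for d in dates[:i]]
            if len(history) < 3:
                continue  # not enough baseline days yet
            mu, sd = mean(history), pstdev(history)
            total = by_date[date]
            if total >= min_bytes and total > mu + z_threshold * max(sd, 1):
                alerts.append((host, date, last_dst[(host, date)], total))
    return alerts
```

Beyond alerting, retaining these per-host egress totals is what lets an incident responder later scope (or rule out) exfiltration instead of defaulting to notifying everyone.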
What To Do:
Cybersecurity Maturity Model
Certification (CMMC)
• CMMC requires perpetual flow down provisions for supply chain entities that
provide other than "off the shelf" supplies/services to prime contractors and
other tiers of subcontractors
• Other Industries impacted by CMMC
o Higher Education Colleges/Universities maintain CUI information and need CMMC assessments
• Defense subcontractors may also require CMMC compliance for selected awards
• CMMC – Scales for different types of suppliers (down and up)
o Level 1 to Level 5
• CMMC has additional assessment domains and adds processes to the assessment
• CMMC has a greater focus on Cyber Threat Intelligence
• Some DoD contracts will require CMMC Level 1 initially
o CMMC certification will be required at time of contract award. If you aren't compliant, you don't get the award
o By 2025 many companies will need to be at Level 3
CMMC – Overview
CMMC – What To Do?
• Tone at the top – Cybersecurity needs to be considered at all times
o Not an afterthought
Cyber Security Can Make a Difference
Properly Managing Cyber Risks makes a Difference
• Technical tools are only as good as the people behind them
Questions
CLAconnect.com