Spring 2014 issue of Horizons

THE TOP 5 CYBERCRIMES

The top 5 cybercrimes discussed include:

∙ Tax-refund fraud

∙ Corporate account takeover

∙ Identity theft

∙ Theft of sensitive data

∙ Theft of intellectual property

TOP 5 CYBERCRIMES

While no precautions can provide absolute protection, you can begin to protect yourself and your organization from cybercrime by taking some or all of the following actions:

October 2013

Abroad range of reports and authoritative sourceswere analyzed to separate vectors and tools from the actual cybercrimes. The sources include theAICPA,CybersourceCorporation, 8 InternetCrimeComplaint Center (IC3), 9 IBM, 10 SANS, 11 Computer Emergency Response Team (CERT), 12 Computer Security Institute (CSI), 13 Ponemon Institute, 14 Microsoft,Verizon and Secure Florida. 15

1

Tax-refund Fraud

2

Corporate Account Takeover

Once the cybercrimeswere identified, theywere ranked in the following orderby relevance toCPAs inpublicpractice andbusiness and industry.

3

Identity Theft

4

Theft of Sensitive Data

∙ Institute an internal audit function in your organization

GENERAL REMEDIATION STRATEGIES FOR THE TOP 5 CYBERCRIMES

5

Theft of Intellectual Property

CPAs need tomake timely, informeddecisions about the effective controls that canprevent cybercrimes from occurring, anddetect, at its earliest stage, a crime that already has occurred. Equally important is CPAs’ adeptness at responding to and correcting a securitybreach and cybercrime that has occurred. SECURITYAUDITSANDCONTROLS AComputer Security Institute (CSI) survey ranked internal cybersecurity audits as the strongestweapon inpreventing anddetecting cybersecurity vulnerabilities.An effective internal security audit identifies cybersecurity risks and assesses the severity of each type of risk. For optimal results, clients should ask theirCPA to audit their privacy and securitypolicies and controls. Following the audit,preventive controls for themajor risks that were identified need tobe instituted. Three strategies that can help managementdevelop those controls are: Timely andproactivelypatching vulnerabilities, including vulnerable software. Using least-accessprivileges 29 andother sound logical access controls to help remediate crimesperpetrated internally. For external threats, soundperimeter controls such as firewalls and IntrusionDetection Systems (IDS) are critical toprotection. Monitoring systems, technologies and access, such as various logs createdby technologies for those activities,with associated controls varyingbased on the threat level (also adetection strategy). BUSINESS INSURANCE In an age of financiallymotivated cybercrimes, every entity should have sufficientbusiness insurance coverage to recover any financial losses. Executivemanagement teammembers, especially theCFO,must evaluate the entity’s insurance coverage to ensure that it could recover estimated losses from any cybercrime. Reviewing coverage shouldbedoneon a reasonableperiodicbasis. Leaders alsomight consider enlisting serviceprovid rs thatoffer cleanup and restore functions after certain crimes havebeen committed.

87 %

∙ Conduct risk management sessions to identify and rank the risks affecting you

8 CybersourceCorporation isaworldwideeCommercepayment-managementcompany. Itpublishesannual, statistics-basedonline fraud reports.At cybersource.com . 9 IC3 is the InternetCrimeComplaintCenter, sponsoredby theNationalWhiteCollarCrimeCenter, theBureauof JusticeAssistance and theFBI. It accepts complaints from thepublic regarding Internet-related crimes and scams.At ic3.gov . 10 IBMpublishes a security report titledTrend andRiskReport.TheMarch 2012 reportwasused as a source for thispaper. 11 SANShasaglobal scope,witha focuson information security (InfoSec). Ithasacertification,Global InformationAssuranceCertification (GIAC), related to InfoSec.SANS’s services and resources aregenerally free to thepublic. 12 ComputerEmergencyResponseTeam (CERT) is apartnershipbetweenHomelandSecurity andpublic andprivate sectorswith theobjectiveof coordinating responses to security threats.At cert.org . 13 ComputerSecurity Institute (CSI), for information securityprofessionals,providesanannual surveyofcybercrime,CSIComputerCrime&SecuritySurvey, sinceabout1999.At gocsi.com . 14 Ponemon Institute conducts independent researchonprivacy,dataprotection and information securitypolicy. Ithasoneof thebest cybercrime studies, its annualCostofCyberCrimeStudy.The second studywaspublished inAugust 2011.At ponemon.org . 15 The stateofFloridahas adepartment,SecureFlorida, that focuseson cybersecurity. ItpublishedFloridaCyber-SecurityManual in2007.TheFlorida Departmentof LawEnforcement,FloridaCybersecurity Institute andSecureFlorida contributed to themanual.At secureflorida.org .

AVerizon study of 600 incidents of security breaches over a five-yearperiod reveals

∙ Audit your privacy and security policies and controls

that in87percentof cases, investigators concluded that breaches could have been avoided if reasonable security controls had been in place at the time of the incident.

INCIDENT RESPONSE PLAN One useful “correction” remediation, although not preventive, is todevelop an incident responseplan. The planwould require employeeswith the necessary level of knowledge, and serving in keypositionswithin the entity, to answer the followingquestions relating to the top five cybercrimes identified in thiswhitepaper:

THE TOP 5 CYBERCRIMES | 5

Which of these crimes are potential risks?

∙ Use data analytics to identify unusual transactions in your records

What riskswould follow from each crime?

How shouldwe respond to each of these crimes?

Howwouldwe fully recover from each of these crimes?

Themanner inwhich an entity responds to a cybercrime provides valuable insight into itspossible vulnerabilities andpreventive steps that could havebeen takenbefore the crime occurred. AVerizon study of 600 incidents of securitybreaches over a five-yearperiod reveals that in 87percent of cases, investigators concluded thatbreaches could havebeen avoided if reasonable security controls hadbeen inplace at the timeof the incident.Thus, agoodplace to start BEFORE abreachoccurs is reasonable security controls asdefinedby the information securityprofession asbest practicesorprinciples. 30 Remediationmeasures and controls that apply to one cybercrime often apply equallywell to others,which results inmultiple cybercrimesbeing addressedwith a single countermeasure. This further supports theposition thatmeasures and controls takenby entities once a cybercrime occurs are the samemeasures and controls that should havebeen inplacebefore thebreach. THE TOP 5 CYBERCRIMES | 11

∙ Consider the value of cyber security insurance coverage to recover financial losses that might arise from cybercrime We hope you find the articles in this issue of Horizons , written by our practice leaders, to be useful as you contemplate the range of cyber risks facing your organization. Of course, please consider us a resource as you explore the opportunities to protect yourself from these 21st century risks.

29 “Least-accessprivileges” is a security concept thatgrants aperson the least amountof access to systems, technologies anddataneeded toperformhis/her dutiesor that firstgrants apersonno accessbut then addsprivileges toprovide accessonly toneeded information.

30 Verizon’s 2009DataBreach InvestigationsReport.At securityblog.verizonbusiness.com .

THE TOP 5 CYBERCRIMES | 12

You may view AICPA’s paper at www.RubinBrown.com/cybercrimes

For information about proactively addressing cybercrime, contact Audrey Katcher at 314.290.3420 or audrey.katcher@rubinbrown.com .

www.RubinBrown.com | page 7