Cybersecurity for Real Estate & Construction

Description

Aronson's Tech Risk Partner Payal Vadhani and Construction & Real Estate Partner Tim Cummins spoke at the AICPA's Construction and Real Estate Conference on December 8-9, 2016 at the Wynn in Las Vegas, NV. Their presentation focuses on how construction contractors and real estate organizations can develop a scalable multi-year cybersecurity strategy. For a security culture to be present and truly effective, security awareness and engagement are required at every level of the organization. Payal and Tim's multi-tiered foundational block approach, coupled with governance and culture, provides a roadmap and a customized cybersecurity program based on the industry, business needs, regulatory requirements, and the organization's specific business and cyber risks.

Transcript

  1. www.aronsonllc.com/blogs/PLACE BLOG HERE Tim Cummins and Payal Vadhani. Cybersecurity for Real Estate & Construction
  2. © 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs | Our Agenda
     1 Trends in the Real Estate & Construction (REC) Industry
     2 Cybersecurity Implications for Technology
     3 Industry Frameworks
     4 Scalable Cybersecurity Strategy
     5 Operational Considerations
  3. Trends in the Real Estate & Construction (REC) Industry
  4. REC Technologies
     A building management system (BMS) is a control system capable of monitoring and managing mechanical, electrical, and electromechanical facility services (TechTarget). Services can include the following:
     • Heating, Ventilation, & Air Conditioning (HVAC)
     • Utilities (e.g., lighting)
     • Elevators
     • Physical Access Control
     Intelligent buildings have a suite of IT systems which provide a productive and cost-effective environment through optimization of four basic elements, i.e., structure, systems, services, and management (Intelligent Building Institute USA).
  5. Expanded REC Interconnected Networks
     • Communication Infrastructure
     • Tenant's Systems
     • Vendor's Systems
  6. BMS Market Forecast
     • Commercial buildings sector forecasted to have the largest share of the BMS market
     • Asia-Pacific (APAC) region companies expected to grow rapidly
     • Security & access control systems are the BMS market leaders
     Source: Building Automation System Market – Global Forecasts to 2022, by Markets and Markets
  7. BMS Market Forecast (Cont.)
     $49.37 B in 2015 to $100.60 B in 2022
     Source: Building Automation System Market – Global Forecasts to 2022, by Markets and Markets
  8. Cybersecurity Implications
  9. Horror Stories
     1 Target: the HVAC vendor's credentials were compromised. Those credentials provided access to a Target-hosted web application for vendors, and the vendor's access was a key stepping stone to executing the data breach.
     2 Real Estate Investment Trust (REIT): discovered in September 2014 that systems containing Personally Identifiable Information (PII) and sensitive corporate information were compromised. The breach occurred prior to April 2014. $2.8 million was spent on incident management, which included:
       • investigative fees and
       • identity protection services
  10. Technology & Risks
     Business & Technology Driver: Building management systems (BMS) are integrated into IT networks and are Internet accessible
     Risks: • Unauthorized access • Data compromise and loss of integrity
     Business & Technology Driver: BMS continue to be designed for functionality and innovation to enhance convenience
     Risks: • Appropriate security architecture may not be incorporated into the BMS • Security controls and considerations are not included in the design process
     Business & Technology Driver: BMS are not managed by traditional IT teams
     Risk: • Personnel who manage the BMS may not have the required IT and security skills
  11. Threats & Impacts
     Ransomware
     • FBI reported $209M USD in monetary losses from January to March 2016 [1]
     • Average ransom demanded: $679 [1]
     • Number of new ransomware families detected in June 2016 (a single month): 50 [1]
     Phishing
     • 30% of phishing messages were opened and 12% of targets subsequently clicked on the malicious link/attachment, based on 8M+ phishing test results in 2015 [2]
     • A spear phishing incident costs a company an average of $1.6M [2]
     Distributed Denial of Service (DDoS)
     • 73% of companies worldwide experienced a DDoS attack [3]
     • 82% of corporations incurred repeat attacks, with 43% hit 6+ times [3]
     • 8 out of 10 companies with Internet of Things (IoT) devices were attacked, and 43% of them experienced some form of theft [3]
     Data Breach
     • 725 breaches exposed 29M+ records in 2016 as of 10/4/16 [4]
     • 89% of breaches had a financial or espionage motive in 2016 [2]
     Sources: [1] Symantec Ransomware & Businesses Special Report 2016; [2] Verizon Data Breach Investigations Report; [3] Neustar 2016 DDoS Attacks and Protections Report; [4] Identity Theft Resource Center 2016 Data Breach Category Summary
  12. Potential Consequences
     Incidents
     • Unauthorized access to the BMS and other network locations
     • Compromised HVAC settings
     • Ransomware-encrypted files and data
     Consequences
     • Data loss/modification/theft
     • Inappropriate environmental conditions and functionality
     Impacts
     • Jeopardized personnel safety
     • Data breach notification and investigation
     • Extensive remediation efforts
     • Reputational damage
  13. Industry Frameworks
  14. REC Specific Industry Framework
     [Diagram: Mechanical Systems, Electric Systems, Enterprise Applications]
     The Open Building Information Exchange (OBIX) Technical Committee aims to create standard web services guidelines to facilitate the exchange of information between intelligent buildings and enterprise applications.
     • Simplify data transfer
     • Enhance data security
     • Optimize data availability and awareness
  15. Other Industry Frameworks
     International Organization for Standardization (ISO) 2700X: ISO 27001 contains 114 controls that can be used to reduce security risk through management of assets and data. ISO 27002 defines guidelines for implementing the controls in 27001.
     National Institute of Standards & Technology (NIST) Special Publication 800-53: NIST 800-53 is a catalog of security and privacy controls designed to protect entities from a variety of threats to public and private sector information. It includes the process for selecting and customizing controls as part of an enterprise-wide security and privacy risk management program.
     Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework): The framework is designed to provide detailed guidance on managing cybersecurity risks for critical infrastructure (CI) services. The nation relies upon CI, which means operational requirements must be met and security safeguards must be in place. It provides principles and leading practices to facilitate enhanced CI security and resilience.
     Unified Compliance Framework: An integration of all IT control requirements in an efficient and effective manner.
  16. Scalable Cybersecurity Strategy
  17. Principles & Objectives
     Security Principles: Confidentiality, Integrity, Availability
     It's not a matter of IF, but WHEN a significant security breach or incident will occur.
     Cybersecurity Program Objectives
     • Protect confidential data
     • Limit financial losses
     • Avoid reputational damage
     • Ensure resiliency of the business and IT environment
  18. Scalable Strategy
     Pillars: Secure, Vigilant, Resilient
     1. Security Risk Assessment
     2. Penetration Tests & Vulnerability Scans
     3. Network Segmentation
     4. Security Monitoring
     5. Data Loss Prevention
     6. Mobile Device Security

     1. Information Classification, Data Analysis and Cleanup
     2. Business Continuity Plan
     3. Disaster Recovery Testing

     1. Policies & Standards
     2. Operating Procedures
     3. Security Awareness Training
     4. Cyber Insurance
     5. Controls Implementation
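Network segmentation and security monitoring are the two building blocks above that most directly address the risk on slide 10 (a BMS that sits on the IT network and is reachable from the Internet) and the Target pattern on slide 9 (vendor access used as a stepping stone). The following is an added example, not part of the Aronson deck, of how a detective check over permitted-connection logs can verify that the segmentation actually holds: every flow that touches the BMS zone must match an explicit allow-list, and anything else is reported. The zones (a BMS subnet, the corporate LAN, a single vendor jump host), the allow-list, the ports and the log lines are all constructed for the example; the log format is hypothetical and does not belong to any particular firewall product.

```python
"""Check firewall flow logs against a BMS network segmentation policy.

Added example (not from the Aronson presentation). All zones, hosts,
ports and log lines below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical zones: the BMS (HVAC, lighting, access control) on its own
# subnet, the corporate LAN, and one jump host that vendors must come through.
ZONES = {
    "vendor_jump": ipaddress.ip_network("10.20.0.5/32"),
    "bms": ipaddress.ip_network("10.50.0.0/24"),
    "corp": ipaddress.ip_network("10.10.0.0/16"),
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Segmentation allow-list: (source zone, destination zone, destination port).
# Any permitted flow that touches the BMS zone and is not listed here is a gap.
# UDP 47808 is BACnet/IP; 443 is assumed to be the vendor's HTTPS console.
ALLOWED = {
    ("vendor_jump", "bms", 443),
    ("vendor_jump", "bms", 47808),
    ("bms", "bms", 47808),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed log format: "<timestamp> ALLOW|DENY proto=<p> src=<ip> dst=<ip> dport=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s*$"
)


def parse_flow(line: str) -> Optional[Flow]:
    """Return the Flow for a permitted (ALLOW) log line, else None.
    A denied connection is the control working, so it is not audited."""
    m = LINE_RE.match(line)
    if not m or m["action"] != "ALLOW":
        return None
    return Flow(m["src"], m["dst"], m["proto"].lower(), int(m["dport"]))


def zone_of(ip: str) -> str:
    """Map an address to a zone by longest-prefix match; non-RFC1918 is 'internet'."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in RFC1918):
        return "internet"
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best or "unknown"


def check_flow(flow: Flow) -> Optional[str]:
    """Return a finding if the flow touches the BMS zone and is not allow-listed."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "bms" not in (src_zone, dst_zone):
        return None  # never touches the BMS zone; out of scope for this policy
    if (src_zone, dst_zone, flow.dport) in ALLOWED:
        return None
    return (f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} "
            f"({flow.src} -> {flow.dst}) is not permitted by the BMS segmentation policy")


def audit(lines: List[str]) -> List[str]:
    """Run every log line through the policy and collect the findings."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is not None:
            reason = check_flow(flow)
            if reason:
                findings.append(reason)
    return findings


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2016-12-08T10:15:02Z ALLOW proto=tcp src=10.20.0.5 dst=10.50.0.12 dport=443",     # vendor jump host to HVAC console: permitted
    "2016-12-08T10:15:09Z ALLOW proto=tcp src=203.0.113.7 dst=10.50.0.12 dport=443",   # HVAC console reached from the Internet
    "2016-12-08T10:16:31Z ALLOW proto=udp src=10.10.4.22 dst=10.50.0.20 dport=47808",  # corporate workstation speaking BACnet
    "2016-12-08T10:17:44Z ALLOW proto=tcp src=10.50.0.12 dst=10.10.1.5 dport=445",     # BMS host opening SMB to a corporate file server
    "2016-12-08T10:18:00Z ALLOW proto=udp src=10.50.0.20 dst=10.50.0.21 dport=47808",  # controller to controller: permitted
    "2016-12-08T10:18:12Z ALLOW proto=tcp src=10.10.4.22 dst=10.10.1.5 dport=445",     # corp to corp: outside this policy
    "2016-12-08T10:19:03Z DENY proto=tcp src=198.51.100.9 dst=10.50.0.12 dport=22",    # already blocked: not a gap
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run as a script, it reports three findings: the BMS console reached from an Internet address, a corporate workstation talking BACnet to a controller, and a BMS host opening SMB to a corporate file server (the lateral move from building systems into business systems that the Target story illustrates). Only ALLOW entries are examined, since a denied connection shows the control worked rather than a gap in it. In practice the allow-list would come from the vendor's documented ports and the flow records from the firewall or a NetFlow collector, and the check would run on a schedule as one of the detective controls on the next slide.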
  19. Cybersecurity Controls
     1. Understand your risks and threat landscape (P)
     2. Assess, classify, and build extra protection around critical data (P)
     3. Update policies, processes and procedures to address point-in-time and forward-looking risks and embed a cybersecurity culture (P)
     4. Assess/obtain cyber insurance coverage (P)
     5. Conduct penetration tests and vulnerability scans (internal and external) at a reasonable frequency (D); remediate the highest-risk areas
     6. Get up to date on patches and subscribe to security advisory mailing lists (P)
     7. Set up an Insider Threat Program; even a bare-bones one will do as a starting place (P)
     8. Conduct security awareness training on a regular frequency (once a quarter) (P)
     9. Manage vendor security through policies and processes (P)
     10. Have contingency and incident response plans in place that include law enforcement, forensics (digital, human and physical), client, investor, legal, media and PR responses (P)
     11. Implement technologies that complement your processes (P)
     Legend: P – Preventive controls; D – Detective controls
  20. Operational Considerations
  21. Roles & Responsibilities
     Board of Directors
     • Be well-informed regarding IT strategic plans, cyber risks, and IT initiatives
     • Continuously monitor risks and ensure alignment with business strategy through timely reporting
     Risk Management Committee
     • Meet on a periodic basis to discuss and manage enterprise risks, which include IT and cyber risks
     • Oversee risk management solutions and remediation efforts
     Chief Information Officer (CIO) / Chief Information Security Officer (CISO)
     • Oversee the strategic and operational aspects of the cybersecurity program
     • Develop and discuss status reporting with leadership and stakeholders
     • Coordinate with the Board, Risk Management Committee, and CFO to involve IT in strategic and risk management plans
     • Coordinate with the CFO on compliance programs and initiatives of joint interest
     Chief Financial Officer (CFO)
     • Coordinate with the Board, Risk Management Committee, and CIO/CISO to allocate sufficient current and future funds to support IT initiatives, including cybersecurity
     • Identify, manage, and report operational risks
     Auditors
     • Include cyber in the IT audits
     • Engage in board-level discussion on various risks, including IT and cyber
  22. Culture, Governance & Compliance
     • The Board of Directors must get involved to set the tone at the top
     • A well-defined governance structure provides a good relationship and communication between the board, management, and employees
     • The governance structure must reasonably balance security with business needs while remaining vigilant
     • Cyber hygiene should be intrinsically woven into the culture of the organization
     • Cybersecurity policies shouldn't become paperweights
     • Compliance activities should be carried out to ensure alignment with industry leading practices
     No matter how large or small, every organization has to have a process in place to govern policies and practices, measure risk and compliance, and instill a cyber-aware culture.
  23. In Summary
     • Trends indicate building management systems will increase in prevalence in the coming years
     • REC companies must make cybersecurity a priority
     • Implement a scalable cybersecurity strategy that matures over time
     • Ensure key roles recognize the importance of cybersecurity and drive a cyber-aware culture
     • Consider cyber insurance coverage
     • Ensure cyber hygiene is practiced across all levels of the organization
  24. Thanks! Any questions?
