CYBER SECURITY MANAGEMENT: THE NEW C-SUITE RESPONSIBILITY

Transcription

1 CYBER SECURITY MANAGEMENT: THE NEW C-SUITE RESPONSIBILITY 8 Critical Factors for Managing Productivity and Performance in 2013 April 19, 2013 Stan Stahl, Ph.D. President Citadel Information Group Phone: Stan@Citadel-Information.com Copyright Citadel Information Group, Inc. All Rights Reserved.

2 Risk Management Questions the C-Suite Needs to Ask 1. How serious is cybercrime and why should I care? 2. How vulnerable am I, really? 3. What do I need to do about it?

3 Annual Cost of Online Bank Fraud: $1,000,000,000 Bloomberg, Aug 4, 2011:

4 Financial Fraud and Identity Theft Continue to Climb 607,472,154 Financial Records Reported Breached January 10, 2005 April 5, 2013 These count only reported breaches. They count neither (1) discovered but unreported breaches nor (2) undiscovered breaches.

5 Average Cost of Data Breach $194 Per Compromised Record $5.5 Million Per Event California Civil Code Section $1,000 nominal damages for disclosure of medical information

6 State-Sponsored Intellectual Property Theft: Death by a Thousand Cuts

7 Small Business Cybercrime Risk is Significant More than ¾ of small businesses believe their companies are safe from hackers 20% of all cyberattacks hit small businesses with 250 or fewer employees 60% of small businesses close within 6 months of being victimized by cybercrime.

8 Executive Management Required to Comply with Cyber Security Laws & Regs Information security requires CEO attention in their individual companies Business Roundtable, 2004

9 Carnegie Mellon CyLab: Boards Risk Lawsuits From Inadequate Oversight Governance of Enterprise Security: CyLab 2012 Report The truth of the matter is that security programs will not get better until management begins to treat cybersecurity as an enterprise risk that must be governed. May 16, 2012 Boards of Directors are not yet adequately involved in cyber security governance. Despite holding extensive troves of digital assets and bearing an explicit fiduciary duty to protect those assets boards and senior management are not exercising appropriate governance over the privacy and security of their digital assets. GOVERNANCE-RPT-2012-FINAL.pdf

10 CyberSecurity Need vs Reality

11 Anti-Virus Catches Only 10% of Most Prevalent Attack: 30 Days Last June July 31:

12 12 60% of Zeus Attacks Get Through Anti-Virus programs March 2013 July

13 Users Unwittingly Open the Door to CyberCrime com.us.welcome.c.tr ack.bridge.metrics.po rtal.jps.signon.online. sessionid.ssl.secure. gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact 3f.uwu2e4phxrm31jy mlgaz.9rjfkbl26xnjskx ltu5o.aq7tr61oy0cmbi 0snacj.4yqvgfy5geuu xeefcoe7.paroquian sdores.org/

14 Cyber Security Management Strategy Proactively manage information security just as you proactively manage sales, operations, finance and other critical business functions. 1. Implement formal risk-driven information security policies and standards in accordance with legal, contractual, competitive and fiduciary needs. 2. Identify, document and control sensitive information for which you are responsible. 3. Train and educate personnel. 4. Ensure that the IT Infrastructure is effectively managed from an information security point of view.

15 Specific Actions to Protect Against Online Bank Fraud Use Separate Workstation for On- Line Banking Keep Patched Use Only for On-Line Banking No No web browsing Isolate from Corporate Network Out-Of-Band Confirmation Daily Reconciliation Manage Authorization Positive Pay

16 Proactively Manage All Three Elements of Information Risk Information Security Management

17 Management Imperative: It Takes the Village to Secure the Village SM It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles, If you do not know your enemies but do know yourself, you will win one and lose one, If you do not know your enemies nor yourself, you will be imperiled in every single battle.

18 For More Information Stan Stahl LinkedIn: Stan Stahl Citadel Information Group: Information Security Resource Library Citadel Guides Cyber Security News Weekly Patch and Vulnerability Report CitadelOnSecurity Awareness Training and Education ISSA-LA: Technical Meetings: 3 rd Wednesday of Month 5 th Annual Information Security Summit: May 21, 2013

19 Thank You! CYBER SECURITY MANAGEMENT: THE NEW C-SUITE RESPONSIBILITY Stan Stahl, Ph.D. President Citadel Information Group Phone: Copyright Citadel Information Group, Inc. All Rights Reserved.