Petit Déjeuner des PME. Crisis management and Attacks

Transcription

1 Petit Déjeuner des PME Crisis management and Attacks Nicolas Vernaz 27 April 2016

2 Agenda What is the scale of security incidents? Are companies prepared against cyber attacks? Behaviour during a Cyber Attack What is a crisis? Concrete Examples Crisis management? Complex vocabulary, norms and standards 10 fix the problem points Petits déjeuners des PME et start-up - Cybercriminalité 2

3 Security incidents are constantly on the rise - In today s business landscape, information security incidents are a question of when, not if Cybercrime is the 2nd most reported economic crime in It has always been in the top 5 since it first appeared in our Global Economic Crime Survey back in Top three most commonly reported types of economic crime in 2016 In 2015, Swiss organisations detected a 330% increase in security incidents. It is troubling that respondents who do not know the number of incidents has doubled compared to Average number of security incidents in Switzerland 64% 32% 24% Asset misappropriation Cybercrime Bribery and corruption Steady increase in the reporting of cybercrime since % 24% 32% CH % 7'247 CH-2014 CH '186 2'130 Don t know 7 % 10 % Rank 4th 4th 2nd Source: PwC s Global Economic Crime Survey 2016 February 2016 Source: PwC s Global State of Information Security Survey 2016 October 2015 Petits déjeuners des PME et start-up - Cybercriminalité 3

4 However, most organisations are still not adequately prepared against cyber-attacks Do organisations have Incident Response Plans to deal with cyber-attacks? 63% of organisations have not a fully operational incident response plan Astoundingly, 31% have no plan at all, and of these, more than half don t think they need one Should a cyber crisis arrive, only 40% of companies have personnel that are fully trained to act as first responders Source: PwC s Global Economic Crime Survey February 2016 Petits déjeuners des PME et start-up - Cybercriminalité 4

5 Cyber Attacks Cyber Crime focus Prepared Unprepared Ransomware Malware DDoS Trojans ZeroDay Phishing Virus And many more Pro-Active Re-Active Leads to a CRISIS Petits déjeuners des PME et start-up - Cybercriminalité 5

6 What is a crisis? A crisis is any event that is, or is expected to lead to, an unstable and dangerous situation with potential serious consequences, affecting an individual, group, or a whole company and for which habitual behaviors, procedures and process are not adapted. Origin of a crisis can be multiple Natural or Environmental (storm, flood, epidemic, fire, explosion.), Human (insider threat, human error.), Technology (IT issue, virus ) and for sure it can be the result of a Cyber Attack! It can come from the 3 dimensions : People, Process, Technology and affect Confidentiality, Integrity and Availability People Process Technology Petits déjeuners des PME et start-up - Cybercriminalité 6

7 Concrete Examples People Process Techno Company Cyber Crime Hyatt Hotels Leakage Process and Techno Boston Hospital Ransomware Techno Swiss Banks Digitec Migros Webshops Dyre Trojan or DDoS attacks DDoS People, Process and Techno Process and Techno Fribourg SME 1M CHF stolen Hacking/Trojan People Petits déjeuners des PME et start-up - Cybercriminalité 7

8 Crisis management? Preparation before the crisis Identification of critical assets and risks Creation of an Urgency toolkit and response plans Get prepared to crisis communications and people training Crisis management starts before the crisis happened Crisis management Situation analysis Evolution anticipation Action list Crisis has to be managed Post Crisis Back to normal Communication Lessons learned New normal New normal has to be accepted Petits déjeuners des PME et start-up - Cybercriminalité 8

9 Complex Vocabulary Norms and Standards DRP BCP IT Continuity Plan Incident Response team Incident Management System Crisis Management Incident Response Plan Petits déjeuners des PME et start-up - Cybercriminalité 9

10 There is no magic bullet for effective cybersecurity, it is a path that starts with the right mix of technologies, processes, and people skills. The Cyber Security Roadmap - 10 steps to fix the problem 1 Cyber Risk Assessment Perform internal and external risk assessments on security, availability, confidentiality, and privacy. 2 Roles & Responsibilities Have a CISO /CSO in charge of Security and obtain commitment from the Top 3 Information Security Program Define an information security program based on recognized security framework (e.g. NIST, ISO) 4 Crown jewels (e.g. health records, donors data, Intellectual property) - What are they? Where are they? Who owns them? 5 Fix the basics policies, standards, user access management, technology safeguards 6 People matters Personnel background checks, and employee security awareness training program 7 Third-Party risks Have security baselines for third parties and evaluate them periodically 8 Detection capabilities Conduct Threat assessments and internal / external penetration tests 9 Get ready for D-Day Define incident-management response process and exercise it through real live scenario 10 Join forces Collaborate with your peers to facilitate knowledge sharing and maintain a communication channel with authorities Petits déjeuners des PME et start-up - Cybercriminalité 10

11 Thanks

12 Nicolas Vernaz Qualification 2014 : Certification COBIT Foundation, ACE Palo Alto 2013 : Certification CISM 2011 : Certification CBCI 2009 : Certification Lead Auditor : MBA MSSI MAS MSSI (Information System Security Management) At IAE Aix en Provence (F) and HEG Geneva (CH) 2008 : Certification ITIL v3 foundations 2004 : Swiss Federal IT Certificate Senior Manager PricewaterhouseCoopers AG 50 avenue Giuseppe Motta 1202 Genève Office: Mobile: Nicolas.vernaz@ch.pwc.com Languages French (mother tongue), English (fluent) Career Development Nicolas has over 15 years of experience in IT, Cyber Security and management in a rapid growing and complex environment. He is specialized in Industry and SME and has delivered several international projects and had missions in many countries. During the past 12 years, he was leading the group infrastructure and security for an international oil and gas company. He acquired competencies in the implementation and in the management of Projects and Teams, IT Risk assessment, IT Audits, Technical architecture setup, IS Security Policy, IS Security Governance, IS Security roadmap, DRP and BCP Relevant Experience Nicolas has experience in leading and managing a team to run day to day Network, Infrastructure and Security, but also project teams, local or worldwide, from small to large teams (up to 30). He has lead the implementation of various Security components, such as Firewalls, IDS, Vpn, Mobile Security, Proxy, Antispam, Log Monitoring, Network segregation, Secured Wifi, User management and provisioning, Single sign on. He was responsible for a group wide risk assessment and definition of IS Security Policy, Mobile Security Policy and DRP/BCP policy and procedures. He was managing IT Security for an international company, that included dealing with auditors (SOX), but also defining IS Security roadmaps. Nicolas is member of the committee of the Clusis, the Swiss Security Association, and president of the ISMA, the alumni of the Geneva Security Masters. (HEG and Infosec) Petits déjeuners des PME et start-up - Cybercriminalité 12