CYBERSECURITY & EXPECTATIONS FOR INDEPENDENT GROCERS

Transcription

1 October 21, 2015 CYBERSECURITY & EXPECTATIONS FOR INDEPENDENT GROCERS Cerone F. Cy Sturdivant Managing Consultant 1

2 TO RECEIVE CPE CREDIT Participate in entire webinar Answer polls when they are provided If you are viewing this webinar in a group Complete group attendance form with Title & date of live webinar Your company name Your printed name, signature & address All group attendance sheets must be submitted to training@bkd.com within 24 hours of live webinar Answer polls when they are provided If all eligibility requirements are met, each participant will be ed their CPE certificates within 15 business days of live webinar TODAY S AGENDA Introduction Formally Defining Cybersecurity Top Strategies for Reducing a Data Breach Industry Expectations Questions 2

3 DEFINING CYBERSECURITY In recent security discussions, there are references to both cybersecurity & information security. The terms are often used interchangeably, but in reality, cybersecurity is a part of information security Note: Interconnected nature of critical infrastructure systems has introduced a host of new vulnerabilities. All of these factors have influenced shift from information security to cybersecurity DEFINING CYBERSECURITY Information security deals with protecting information, regardless of its format: documents, digital & intellectual property in people s minds & verbal or visual communications Cybersecurity is concerned with protecting digital assets everything from networks to hardware & information processed, stored or transported by internetworked information systems 3

4 DEFINING CYBERSECURITY NIST defines Cybersecurity as The process of managing cyber threats & vulnerabilities & for protecting information & information systems by identifying, defending against, responding to & recovering from attacks DEFINING CYBERSECURITY The process of managing cyber threats & vulnerabilities & for protecting information & information systems by identifying, defending against, responding to & recovering from attacks Identifying attacks Employee training & customer awareness are key 4

5 DEFINING CYBERSECURITY The process of managing cyber threats & vulnerabilities & for protecting information & information systems by identifying, defending against, responding to & recovering from attacks Defending against attacks is in design & operation of network & application environment DEFINING CYBERSECURITY The process of managing cyber threats & vulnerabilities & for protecting information & information systems by identifying, defending against, responding to & recovering from attacks Responding to attacks refers to incident response plans your company has 5

6 DEFINING CYBERSECURITY The process of managing cyber threats & vulnerabilities & for protecting information & information systems by identifying, defending against, responding to & recovering from attacks Recovering from attacks should be covered by your Disaster Recovery/Business Continuity Plan GOOD GUYS VS. BAD GUYS White Hat A security consultant during the day Black Hat A hacker after midnight Grey Hat A security consultant during the day; a hacker after midnight 6

7 WHAT KEEPS YOU UP AT NIGHT Malware Denial of Service Data Breach Loss of money Examples: Target, Home Depot, TJ Max, JP Morgan, Goodwill, CHS, etc. TOP AREAS OF VULNERABILITY Accounting department Wires, ACH, checks, etc. Point of sale terminals Checkout, gas, etc. Outdated systems Windows or applications Vendors & third parties Gas pumps, pharmacy, Western Union, etc. 7

8 CYBERSECURITY CONCEPTS Objective of cybersecurity is threefold, involving critical components of confidentiality, integrity & availability Confidentiality Integrity Availability NIST CYBERSECURITY FRAMEWORK In February 2013, President issued Executive Order 13636: Improving Critical Infrastructure over Cybersecurity. Order calls for development of a voluntary, risk-based cybersecurity framework a set of existing standards, guidelines & practices to help organizations manage cyber risks 8

9 NIST FRAMEWORK OVERVIEW 17 TOP 1O COST-EFFECTIVE BEST PRACTICES TO REDUCE RISK OF A DATA BREACH 9

10 #1 KNOW WHERE YOUR DATA IS STORED Document & maintain accurate information asset inventories, including all relevant assets that store or transmit sensitive data (Devices & software use software like Track-It) Conduct, document & maintain current data flow analysis to understand location of your data, data interchange & interfaces, as well as applications, operating systems, databases & supporting technologies that support & impact your data. (Use white board to create flow charts to document processes, etc.) Locate & consolidate all valuable data into most singular storage possible; by reducing footprint of your data, you create fewer potential vulnerabilities, as well as minimize effort of monitoring & tracking access to that data 19 #2 TAKE ADVANTAGE OF SECURITY CONTROLS Establish, implement & actively manage security configuration settings for all hardware & software for servers, workstations, laptops, mobile devices, firewalls, routers, etc. Firewalls, IDS/IPS, etc. Anti-virus System/device hardening Strong password security Limit administrative privileges Grant only minimum required access to perform job functions 20 10

11 #3 KNOW WHO CAN ACCESS YOUR DATA Align logical & physical access authorization, establishment, modification & termination procedures applicable to networks, operating systems, applications & databases Screen employees prior to employment Document modifications with standard change management Timely removal of terminated employees Limit vendor remote access 21 #4 IMPLEMENT DATA LOSS PREVENTION CONTROLS Organizations must limit access to removable media, CD ROMs, & file transfer websites Leverage group policies & existing software such as content filtering, filters, etc. Companies should write clear, well-planned policy that encompasses device use & disposal of information When devices are no longer in use, data should be wiped & then physically destroyed 22 11

12 #5 ENSURE ALL CRITICAL DATA IS ENCRYPTED Adoption of data encryption, for data in use, in transit & at rest, provides mitigation against data compromise Encrypt all hard drives on all portable devices, conducted in conjunction with #1 Data backup, retention & archival information should all be under protection of strong encryption to ensure such data that may fall into malicious hands cannot be interpreted &/or otherwise utilized Note In event you lose device, compliance mandates may require to prove device was encrypted 23 #6 EFFECTIVE PATCH MANAGEMENT Ensure all systems, regardless of function or impact, have recent operating systems, application patches applied & any business-critical applications are maintained at most current feasible level for your organization Evaluate & test critical patches in timely manner Apply patches for riskiest vulnerabilities first Use WSUS to manage Windows-related patches Third-party applications (Java, Adobe, Flash, etc.) must also be managed Be strategic & plan for end-of-life events (Windows XP & Server 2003) 24 12

13 #7 PERFORM RISK ASSESSMENTS Perform an information security risk assessment that is flexible & responds to changes in your environment. Specific focus should be on all protected information & protected health information (if applicable) Asset-based format Identify foreseeable threats Assign inherent risk rating Determine likelihood of occurrence Determine magnitude of impact Input mitigating controls Determine residual risk rating Update annually to adjust for new threats 25 #8 EDUCATE PERSONNEL & HOLD THEM ACCOUNTABLE Provide staff training on security best practices, internal policies & new threats. Focus on social engineering, phishing & physical security concerns Educate all personnel, at least annually, on your company's data security requirements Education can be as simple as reminders, brown bag lunch & learns, etc. Make sure new hire onboarding process includes this topic Accountability includes ALL personnel especially senior management who must lead by example 26 13

14 #9 AUDIT & ASSESS CONTROLS Conduct vulnerability scans & penetration tests to identify & evaluate security vulnerabilities in your environment Security controls provide most value when they are audited & monitored for compliance &/or maintenance Annual audits provide necessary insights into keeping security controls optimized & properly fitted to environments employed to protect #10 MINIMIZE IMPACT BY TAKING IMMEDIATE ACTION Management's ultimate goal should be to minimize damage to institution & its customers through containment of incident & proper restoration of information systems Conduct analysis of past incidents & applicable responses to determine successful & unsuccessful areas Use an incident response team to ensure immediate action is taken following security event to minimize impact on operations & loss of data Determine who will be responsible for declaring an incident & restoring affected computer systems once incident is resolved 28 14

15 CYBERSECURITY BEST PRACTICES Training Employee training Management training Education Awareness of security risks Third-party review External, independent view of organization Self assessment Review organization s internal security controls INDUSTRY EXPECTATIONS Incorporate cybersecurity into all existing security policies Perform risk assessments to identify & address cyber specific threats Enhance training efforts employees, ownership & customers Strengthen monitoring controls Strengthen incident response efforts 15

16 CONCLUSION Organizations have to be careful they aren't tempted to make their reviews for cyber-resilience a checkbox compliance exercise. Ensuring cyber-resilience of their internal networks & people, as well as networks of their third-party service providers & vendors, requires going beyond simply implementing recommendations in new guidelines CYBERSECURITY RESOURCES NIST Framework SANs Institute 16

17 QUESTIONS? CONTINUING PROFESSIONAL EDUCATION (CPE) CREDITS BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: The information in BKD webinars is presented by BKD professionals, but applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor before acting on any matters covered in these webinars. 17

18 CPE CREDIT CPE credit may be awarded upon verification of participant attendance For questions, concerns or comments regarding CPE credit, please the BKD Learning & Development Department at NGA Antitrust Statement The National Grocers Association is committed to complying with the antitrust laws. Therefore, to assure compliance the board of directors, members and staff must refrain from engaging in discussion that may result in antitrust violations such as agreements to fix prices or margins, allocate markets, engage in product, supplier or customer boycotts, and refusal to deal with industry members. NGA appreciates your compliance with the law as the Board and members engage in association Board meetings, education programs and other activities to advance your competitiveness in today s market. 18

19 THANK YOU! FOR MORE INFORMATION Cy Sturdivant