IIA South Event, 16th June 2015
Cyber, Social Media and IT Risks: 1st and 2nd Line Perspective
David Canham BA (Hons), MIRM
Agenda
This evening we'll cover the following:
- Who, why and what?
- Traditional information security versus cyber risk management
- Impact of social media
- Is the message heard?
- Who is in charge of the cyber agenda in your organisation?
- Cyber insurance: where does it fit in?
Points to Consider as we Talk
Three challenges:
- Protect the Brand (Franchise / Reputation)
- Protect Yourself (All of yourself)
- Insurance for cyber
Who, Why and When?
- Hacktivist
- Criminal
- Nation State
- Inside Job?
So where is the Cyber Threat coming from?
Headlines from 2013:
- 28 August 2013: New York Times and Twitter struggle after Syrian hack
- 13 August 2013: Dalai Lama's Chinese website hacked and infected
- 27 August 2013: The Chinese-language website of the Tibetan government-in-exile, whose spiritual head is the Dalai Lama, has been hacked and infected with viruses
- China hit by 'biggest ever' cyber-attack: China has said it has suffered its "biggest ever" cyber-attack, causing many websites based in the country to go temporarily offline.
- Pro-Assad Syrian hackers launching cyberattacks on western media: Syrian Electronic Army claims responsibility for attack on Guardian and other organisations
- 13th August 2013: China denies cyber attack allegations. A secretive branch of China's military is probably one of the world's "most prolific cyber espionage groups", a US cyber security firm has said. Mandiant said Unit 61398 was believed to have "systematically stolen hundreds of terabytes of data" from at least 141 organisations around the world.
Cyber Case Studies
The thin blue line or governance?
Four Cornerstones:
- Delegated Authorities: what people can do
- Committees: how oversight is provided
- Organisational Policies: high level organisational principles
- Risk Management: informed decision making
Delegated Authorities
Traditional Approach:
- Complex sign off loops
- Elements of bureaucratic behaviour and / or practice
- Paper production hoops to achieving sign off
Cyber Requirement:
- Real time decision making
- Clear accountability and pace
- Extended enterprise delegation
[Chart: Where responsibility for information security resides? Segments labelled CEO, CIO, COO and Other, with values of 19%, 10%, 48% and 23% shown]
Delay or inaction could be more damaging than the incident itself
Committees
53% of the CIM Survey had an information security committee
Traditional Approach:
- Usually periodic and in some cases a static agenda
- Paper led, discussion predominantly around lag indicators
- Lack of clear accountability for decision making, management by committee
Cyber Requirement:
- Where possible, lead indicators to be developed (do you have them?)
- Use of threat intelligence and case studies
- Targeted war games for preparedness
- Oversight of technology alongside and integral to business process and strategy
Cyber governance: movement from review by committee to reaction
Organisational Policies
65% of the CIM Survey did not know if their organisation was accredited to an information security standard
Traditional Approach:
- Technical in nature
- Unlikely to be integrated with HR and Learning & Development interventions
- Sign off annually via a CBT
Cyber Requirement:
- Understand the culture, the blur between professional and private life, and the audience
- Develop engaging awareness programmes across different communication channels
- Ensure that policies are reviewed and updated in line with the pace of the threat faced
Policies are shelfware without appropriate engagement
Risk Management
It's what we do, is it not?
Traditional Approach:
- Bridge the gap between technicians and business staff
- Bring external insight and challenge to existing thinking
- Assist business leaders in setting risk appetite and / or tolerance across the institution
Cyber Requirement:
- Translate and cut through the media hype to give a balanced view
- Help develop the lead MI and analyse the external intelligence to bring insight
- Balance the impact and probability against other risks within the institution
Has the role or technique changed, or has the expectation increased?
Cyber Auditing
High Level Planning:
- Traditional review of the organisational risk data
- External factors, extended enterprise, business conditions, past cases
Control and Remediation:
- Creating a test plan that acknowledges different control types: preventative, corrective and detective
- Time and pace of remediation: six month programmes versus immediate action
- Being even more robust with management in outlining expectations
Pace of Audit:
- Traditional control testing can be routine, but additionally:
- Forensic support in the event of an incident
- Internal Audit as a weapon at management's disposal?
Has the role or technique changed, or has the expectation increased?
Governance Conclusions
Commitment on the corporate agenda:
- Is it clear who is responsible, and has sponsorship been achieved?
- Is there a clear view of security as an investment rather than an overhead?
- Is the balance between technical control and cultural defence understood?
Corporate or Personal Education, or Both:
- In an increasingly interconnected world with blurred boundaries, do institutions have a moral and corporate responsibility to raise awareness amongst the workforce?
Compliance, Regulation and the Law:
- Do institutions aim for the minimum to get through, favouring chasing growth?
- Increase in interest from regulatory bodies, e.g. FCA/PRA/HMT Cyber Questionnaire
Pace of the threat and organisational governance:
- Pace of decision making when a cyber intrusion is discovered
- Clarity on who takes the lead and the accountability, e.g. Incident Management framework
Social, Internet and Mobile Universe
Image: http://was-sg.wascdn.net/wp-content/uploads/2015/01/slide006.png
Some facts and figures from the turn of the year:
- An average FB user has 130 friends, and 25% do not bother with privacy controls
- 23% of FB users access their account more than 5 times a day
- More than 25 billion pieces of FB content are shared monthly
- 100 million active users access FB on their mobile device
- Twitter gets more than 300,000 new users every day
- Twitter started as a simple text message service
- Over 60% of Twitter users are outside of the US
- LinkedIn is the oldest of the mainstream sites, started in 2003
- There are more than 70m users of LinkedIn worldwide
- 80% of companies use LinkedIn as a recruitment tool
- 90% of Internet users know at least one social network
Protect Yourself - Social Media Case Study
Emma Way, 21, tweeted in May: "Definitely knocked a cyclist off earlier. I have right of way, he doesn't even pay road tax."
- Personal accountability?
- Employer refuses to comment
- Lessons for an organisation?
- Lessons for an individual?
- Guilty?
BBC News Website: http://www.bbc.co.uk/news/uk-england-norfolk-22636230
Has the Message been Heard?
10 Steps EVERY board member should understand that can eliminate c.80% of cyber threats:
1. Home and mobile working
2. User education and awareness
3. Incident management
4. Management of user privileges
5. Removable media controls
6. Monitoring
7. Secure configuration
8. Malware protection
9. Network security
10. Information risk management regime
Web address: http://www.bis.gov.uk/assets/biscore/business-sectors/docs/0-9/12-1120-10-steps-to-cyber-security-executive
Who is Listening to your Message? / Who needs to?
Social media followers
With so many different stakeholders, an organisation, whether public, private, local or multinational, will be subject to different views on compliance and security. For instance, the regulator may be considered black and white, while the individual may be more relaxed, in particular if they are a social media user.
Could we coherently define cyber risk in business terms for all internal and external stakeholders?
Insurance for Cyber
Traditional policies or something new?
Benchmark for control in underwriting a risk?
- BIS Cyber Essentials
- CREST / CBEST
- NIST Framework
- ISO27001
Then of course there is the issue of data and historic losses.
Question: will regulation such as the EU Data Privacy Act lead to more insurance products being developed?
Closing Thoughts - Protect Yourself (All of yourself)
- What salary would have to be offered before you accepted your dream job from that HR agency via LinkedIn?
- How many holidays have you told me about via Facebook?
- Have you been trained not to open that attachment / click that link?
- Do your personal risk and work risk look different?
- Like all industries, does Financial Services invest purely in work education, or, with such a blur between private and professional lives, is it now imperative to cover both to be seen as an employer of choice?
Closing Thoughts - Protect the Brand - Some basic specifics to think about
- The Crown Jewels: what can the organisation not live without, where is it stored and how is it protected?
- The process value chain: the internal, the external, the distributor network; do they all apply the same logic to security as you do?
- Risk appetite / tolerance: is it clear what minimum and maximum your organisation is prepared to accept in terms of the security agenda, and the trade-offs required?
- Focus: is there sufficient focus? It's a crowded organisational agenda, with a lot of short term pressures set against a longer term, difficult to quantify threat
- Innovation: is there suitable innovation in your approach to cyber? It's not all bad; where are the opportunities?
Closing Statement - Personal Thoughts
- Awareness and interest at board level has increased
- Lack of substantive data within the Financial Services arena continues to pose a problem
- Media is hyped: Cyber war!
- Where does the investment profile lie in the organisation? Still with the CIO / CISO?
- With an interconnected world, an increase in mobile devices and digital solutions, and social media, Information Security Risk continues to evolve. It is the challenge of all industries to respond both internally, through the extended enterprise and with their people.