Cyber Security. John Leek Chief Strategist


AGENDA
- The changing business landscape
- Acknowledge cybersecurity as an enterprise-wide risk management issue, not just an IT issue
- How to develop a cybersecurity program
- Identify risks to avoid, accept, mitigate or transfer through insurance, and understand the plans that go with each approach

Changing Business and Technology Landscape

Cloud Based Applications ERP

Digitization is Disrupting Business Models

Companies are Evolving to Elastic Staffing Models
- Core business team
- Rapidly add resources with the right skills at the right time
- Many remote workers
- Collaboration tools
- Worker flexibility
- Dynamic workforce

Business in 2016
- Task workers, office workers, remote workers, cloud workers
- Hosted server-based applications and desktops; remote desktops
- Tablets and mobile devices
- Line of business apps: Dynamics CRM; Dynamics GP, SL, AX, NAV; transportation management
- Virtual businesses still must meet security requirements

Mobile Challenges for BYOD
- Support multiple mobile devices: laptops, desktops, tablets and smartphones running iOS, Android, Windows Phone, BlackBerry
- Remote workers and mobile workers
- Must keep devices up-to-date
- Corporate applications
- Compliance with corporate security policy: anti-virus / anti-malware, encryption, adequate passwords, web filtering
- Separation of personal vs. business data
- Wipe business data
- Device location tracking
- Access rights

Millennials Create New Challenges for Business

Cybercrime Overview

Sources of Cyber Risk: internal systems, 3rd party apps, 3rd party providers, core applications

Top 5 Industries: Cyber Crime Losses (Source: Statista)
Fraud triangle: motivation, opportunity, rationalization

Understanding Cybercrime: Two Major Categories
1. Those that target devices: viruses, malware, electronic attacks
2. Those that use applications or users as a means: fraud, identity theft through social engineering, as well as cyber stalking or cyber warfare

How Viruses / Malware Infect Computers
- 82,000 new viruses are created and released every day!
- Anti-virus products block KNOWN viruses; new viruses may not be recognized

Phishing

Organized Crime

Cyber Fraud

Understanding the Risk Source: Symantec

Are We Really a Cyber Security Target?
- Is it possible that my company will be attacked? It's probable!
- How much does it cost to mitigate?
- Can we control cyber threats?
- How can we keep pace?

Targets Are Changing: criminals are focused on low-hanging fruit (Source: Symantec)

What Can You Do?

Risk Management Process
- Risk Matrix
- Developing Mitigating Controls
- Deploy Controls
Testing: vulnerability scans; penetration testing; social engineering testing (physical, phishing)
Governance: strategic planning; vendor management; board of directors review; security policies; internal/3rd party audit; training; policies
Protective controls: anti-phishing controls; anti-virus/anti-malware; mobile device management; web filtering (reputation, pattern, context); application delivery controllers; firewalls; intrusion prevention; SIEM security monitoring; denial of service protection

Risk Management Process: Risk Matrix (Develop Mitigating Controls, Deploy Controls)
1. Identify issues, set context
2. Assess key risk areas
3. Measure likelihood
4. Rank risks

Risk matrix columns: System Name / Supporting Systems; Information Sensitivity (H/M/L); Likelihood (L=1, M=2, H=3); Impact (L=1, M=2, H=3); Risk Level (L=1, M=2, H=3); Safeguards in Place (policies, procedures, controls); Residual Risk (L=1, M=2, H=3); Residual Risk Acceptable? (Y/N); Evaluation (Audit) Cycle; Safeguards Recommendations (in order of priority per asset)

Email System
- Rating: L/M (score 2)
- Safeguards in place: Administrative and organization: informal acceptable use policies; Business Associate Agreement in place. Physical: rely on infrastructure safeguards. Technical: rely on infrastructure safeguards; email spam filter (Barracuda).
- Residual risk: 1; acceptable: Y
- Enhance safeguards: Administrative and organization: 1. Implement email security policies to address email acceptable use and malware and phishing email response; encryption needs to be refined to meet users' requirements. Schedule a training session with all employees by 6/30/2015 and obtain signed acknowledgments to adhere to the policy. Physical: Review the e-mail vendor's SSAE16 to ensure appropriate controls are in place. Technical: 3. Barracuda anti-spam and DLP in place.

Mobile Devices (BYOD and company supplied)
- Rating: L/M (score 1)
- Safeguards in place: Administrative and organization: informal acceptable use policies. Physical: rely on infrastructure safeguards. Technical: rely on infrastructure safeguards.
- Residual risk: 1; acceptable: Y
- Enhance safeguards: Administrative and organization: Implement MDM security policies to address acceptable use, malware, encryption and the right to wipe/destroy corporate data maintained on BYOD devices. Only compliant devices allowed to connect. Physical: Review and select a product that will enforce policies. Technical: The hosted e-mail provider can wipe devices if needed in the interim if devices are lost, stolen or someone leaves Miller group. NetStandard will pursue testing of MDM with multi-tenant hosted Exchange.

Network Shares
- Rating: H (score 3)
- Safeguards in place: Administrative and organization: none listed. Physical: rely on infrastructure safeguards. Technical: rely on infrastructure safeguards.
- Residual risk: 3; acceptable: N
- Enhance safeguards: Administrative and organization: 1. Implement access control policies and procedures to enforce least privilege and need-to-know requirements for ePHI, PHI, PII. Implement information classification and handling policies and procedures to define access and storage requirements. Implement information retention and destruction policies and procedures to restrict the amount and location of ePHI/PII/PHI on systems and in work areas. Implement security incident response policies and procedures so that a breach of ePHI/PII can be reported and contained in a timely manner. Physical: 2. Rely on the server room and offices safeguard recommendations below. Technical: 3. Rely on the server, border device and Active Directory safeguard recommendations below.

Developing Mitigating Controls (Risk Matrix, Develop Mitigating Controls, Deploy Controls)
- Identify objective: assess options; assess internal capabilities; determine scope; establish key success factors
- Design process: identify roles; identify steps; identify metrics
- Implement control
- Check: evaluate residual risk; verify success factors; refine process as needed

Developing Mitigating Controls: Top 20 Security Controls, http://www.sans.org/critical-security-controls/

Developing Mitigating Controls: Example: Cloud-based Rights Management

Testing IT Controls: vulnerability scans; penetration testing; social engineering testing (physical, phishing)


Implementing Controls: Protect
- Anti-virus/anti-malware; mobile device management; web filtering (reputation, pattern, context); application delivery controllers; firewalls; intrusion prevention; SIEM security monitoring; denial of service protection
- Firewall; remote VPN to corporate assets; web filter; multi-factor auth; vulnerability scanning; encryption; anti-virus / anti-malware

Implementing Controls: Example: File Sharing Controls
- Establish formal policies around use of file sharing services
- Educate users
- Establish controls:
1. Use tools to enforce file rights management
2. For devices controlled by AD, set group policy to allow access to only approved file sharing services
3. Use web filtering to block access to unapproved file sharing services
4. Use MDM tools to block use of unauthorized services
5. Limit access to corporate resources to only approved resources

ESTABLISHING AN EFFECTIVE CYBER RISK GOVERNANCE PROGRAM

IT Governance (Governance: strategic planning, vendor management, board of directors review, security policies, audit, training)
NetStandard Strategic Planning Process
1. State the mission
2. Define current state
3. SWOT
4. Define business objectives
5. Define future state
6. Establish critical success factors
7. Define strategic 3-year plan
8. Detail implementation plan
9. Periodic plan review

IT Governance: Organization Structure (Governance: strategic planning, vendor management, board of directors review, security policies, audit, training)

Employee Training
- Process: make sure everyone understands controls.
- Metrics: foster an environment of continuous improvement by gathering relevant metrics and reporting on them.
- Experience: train users by giving them practice (e.g., e-mail phishing tests).

Addressing Residual Risk: Insurance

Insurance
- Average cost of a data breach: $880,334
- Cover residual risks with insurance
- First-party cyber liability insurance can pay for the costs of a breach on YOUR network
- Cyber liability insurance may cover data security incidents including: malware attacks; DDoS attacks; ransomware; phishing schemes; insider data breaches; malfunctions leading to accidental disclosure; breaches caused by employee error

Did We Cover These?
- Acknowledge cybersecurity as an enterprise-wide risk management issue, not just an IT issue
- Understand the legal implications of cyber risks
- Access cybersecurity expertise, and discuss it during board meetings
- Provide adequate staffing and budget
- Identify risks to avoid, accept, mitigate or transfer through insurance, and understand the plans that go with each approach

Thank You!
John Leek, NetStandard
- 30-year career working at companies in the insurance, financial, and transportation industries
- 10 years working with small to medium businesses
Email: jleek@netstandard.com
www.linkedin.com/johnleek/
Twitter: @john_leek