CYBER SECURITY: PROTECTING AGAINST CYBER FRAUD IN SCALEUP COMPANIES AND WHAT TO DO SHOULD IT HAPPEN
London, June 2019
INTRODUCTION
Cyber Security
• The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorised use or modification, or exploitation (US National Institute of Standards and Technology, NIST).
• Cyber security can also be described as the digital and human measures you take to reduce the risk and harm to your company's information and information-based systems from theft, alteration or destruction.
Cyber Risk and Fraud
• Cyber risks arise from your company's exposure to the rapidly increasing interconnectivity of information. The risks are real, and it is sensible to assume they come from people, inside and outside the company, who have or seek to gain access to your information or information-based systems with a view to committing fraud.
WHEN THINGS GO WRONG: Causes
• Hacker attack
• Data breach
• Virus transmission
• Cyber extortion
• Employee sabotage
• Network downtime
• Human error
WHEN THINGS GO WRONG: Effects
• British Airways: Suspect code that hacked fliers 'found'. A cyber-security firm has said it found malicious code injected into the British Airways website, which could be the cause of a recent data breach that affected 380,000 transactions.
• NHS 'could have prevented' WannaCry ransomware attack. NHS trusts were left vulnerable in a major ransomware attack in May because cyber-security recommendations were not followed, a government report has said. At least 6,900 NHS appointments were cancelled as a result of the attack.
• Butlin's says guest records may have been hacked. Holiday camp firm Butlin's says up to 34,000 guests at its resorts may have had their personal information stolen by hackers.
WHEN THINGS GO WRONG: Impact
• Economic cost of a cyber attack
• Reputational damage
• Legal consequences of a cyber breach
IN THE NEWS
Cyber security threat to banks has grown in last decade
• Bank of England Governor Mark Carney says: "The third class of risk that is new in the last decade is risk related to cyber security. The defences have to be in place and we also have to have plans if a bank were to be knocked out because of a cyber attack - how do we keep a system functioning and service to customers functioning in that event." BBC, Sept 2018
Tory app security breach reveals MPs' numbers
• Boris Johnson was among those whose details could be accessed through the party's conference app. BBC, Sept 2018
Rise in cyber-attacks on NI universities
• Universities and further education colleges in NI suffered 16 serious cyber-attacks in 2017/18 compared to three the year before. BBC, Sept 2018
UK cyber-centre thwarts hostile hackers
• The National Cyber Security Centre has combated about 1,200 attacks since it was created, it reveals. BBC, Oct 2018
UK accuses Russian spies of cyber-attacks
• Alleged attacks include raids on the World Anti-Doping Agency, when athletes' data was published, and the US Democratic Party. BBC, Oct 2018
WHAT DO THE STATISTICS SAY?
The Cyber Security Breaches Survey 2019, published by the Department for Digital, Culture, Media and Sport (DCMS), is an Official Statistic measuring how organisations in the UK approach cyber security and the impact of breaches.
DRIVERS FOR CHANGE
AWARENESS OF GOVERNMENT CYBER SECURITY INITIATIVES AND ACCREDITATIONS
WHAT ARE ORGANISATIONS DOING ABOUT IT?
AVERAGE INVESTMENT IN CYBER SECURITY IN LAST FINANCIAL YEAR
THINK ABOUT WHAT YOU HAVE
SOME SPECIFIC CURRENT CYBER THREATS EXPERIENCED
• Ransomware attacks
  – The attack encrypts the victim's data and demands money in exchange for the decryption key
• Third parties being compromised
  – Cloud-based services, third-party data holders/processors
• Phishing and social engineering attacks
  – An email apparently from the CEO asking for an urgent payment to be made, or offering a refund
  – A request to pay an invoice into a different bank account from the one on file (invoice or mandate fraud)
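The phishing and payment-diversion patterns above can be triaged mechanically before a payment is released. The following is an added example, not part of the original deck or any named product: it scores inbound messages for an executive's display name arriving from an external domain, a lookalike sender domain, a mismatched Reply-To, and bank details that differ from the vendor record on file. The company domain, executive names, vendor record and the four sample messages are all constructed for the example.

```python
import re
from collections import namedtuple
from typing import List

# Assumed values for this example only: the company's own mail domain, the
# display names most often impersonated, and a vendor payment record on file
# keyed by the vendor's known sender address (UK sort code, account number).
COMPANY_DOMAIN = "example-scaleup.com"
EXECUTIVES = {"jane doe", "john smith"}
VENDORS_ON_FILE = {"billing@acme-supplies.co.uk": ("65-43-21", "12345678")}

PAYMENT_WORDS = re.compile(
    r"\b(urgent|wire|transfer|payment|invoice|refund|bank details?)\b", re.I)
# A UK sort code (nn-nn-nn) followed somewhere later by an 8-digit account number.
BANK_DETAILS = re.compile(r"\b(\d{2}-\d{2}-\d{2})\b.*?\b(\d{8})\b", re.S)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains (one character added/changed)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_lookalike(domain: str, target: str = COMPANY_DOMAIN, max_dist: int = 2) -> bool:
    """True when domain is not the real domain but within max_dist edits of it."""
    return domain != target and levenshtein(domain, target) <= max_dist


def triage(msg: dict) -> List[str]:
    """Return the reasons a message should be held for out-of-band verification."""
    reasons = []
    sender_dom = domain_of(msg["from_addr"])
    text = msg["subject"] + "\n" + msg["body"]

    # CEO fraud: a known executive's display name, but the mail is external.
    if msg["from_name"].strip().lower() in EXECUTIVES and sender_dom != COMPANY_DOMAIN:
        reasons.append("executive display name sent from an external domain")
    # Registered lookalike of our own domain (e.g. .co instead of .com).
    if is_lookalike(sender_dom):
        reasons.append(f"sender domain {sender_dom} is a lookalike of {COMPANY_DOMAIN}")
    # Replies silently routed somewhere other than the apparent sender.
    reply_to = msg.get("reply_to")
    if reply_to and domain_of(reply_to) != sender_dom:
        reasons.append("reply-to domain differs from sender domain")
    # Invoice/mandate fraud: bank details in the mail differ from the record on file,
    # which also catches a genuine vendor mailbox that has been compromised.
    on_file = VENDORS_ON_FILE.get(msg["from_addr"].lower())
    found = BANK_DETAILS.search(text)
    if on_file and found and (found.group(1), found.group(2)) != on_file:
        reasons.append("bank details differ from the vendor record on file")
    # Payment language on top of any anomaly: call back on a number already held.
    if reasons and PAYMENT_WORDS.search(text):
        reasons.append("payment request: verify by phone on a known number before paying")
    return reasons


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"from_name": "Jane Doe", "from_addr": "jane.doe@gmail.com", "reply_to": None,
     "subject": "Urgent", "body": "I'm in a meeting, please make a wire transfer of 18,500 today."},
    {"from_name": "Accounts", "from_addr": "accounts@example-scaleup.co", "reply_to": None,
     "subject": "Refund", "body": "A refund is due to you, reply with your bank details."},
    {"from_name": "Acme Supplies", "from_addr": "billing@acme-supplies.co.uk",
     "reply_to": "acme.billing@outlook.com", "subject": "Invoice 4471: new bank details",
     "body": "Please pay to sort code 12-34-56 account 87654321 from now on."},
    {"from_name": "Jane Doe", "from_addr": "jane.doe@example-scaleup.com", "reply_to": None,
     "subject": "Board pack", "body": "Draft attached, comments by Friday."},
]


def triage_all(msgs=SAMPLE_MESSAGES) -> List[List[str]]:
    return [triage(m) for m in msgs]


if __name__ == "__main__":
    for m, reasons in zip(SAMPLE_MESSAGES, triage_all()):
        print(m["from_addr"], "->", reasons or "no findings")
```

The first three sample messages are each held with at least one reason; the genuine internal message produces none. The important design point is the last rule: the output is a hold for a phone call to a number already on file, not an automatic block, because the vendor-compromise case looks legitimate on every header.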
THREAT LIFECYCLE
The slide shows a four-stage continuous cycle, with example threats at its centre.
PREDICT
• Proactive risk analysis
• Predict attacks
• Baseline systems
PREVENT
• Harden and isolate systems
• Divert attackers
• Prevent issues
DETECT
• Detect issues
• Confirm and prioritize risk
• Contain issues
RESPOND
• Remediate / make change / learn
• Design / model change
• Investigate / forensics
Example threats at the centre of the diagram: mobile user attacks, cloud and computer attacks, denial of service attacks, geolocation spoofing, attacks on high-profile targets.
THREAT MONITORING AND MANAGEMENT INTERACTION
CONTINUOUS THREAT MONITORING
Monitoring and detection of unauthorised activities:
• Monitoring the company's network and physical environments (IDS/IPS)
• Monitoring the activity of third-party service providers with access to the network
• Monitoring the network for the presence of unauthorised users, devices, connections and software
• Using malicious code detection and data loss prevention software
• Maintaining written incident alert thresholds (what level of activity triggers an alert, and who is told)
BOARD AND MANAGEMENT INTERACTION
• Normal routine updates from management regarding the state of IT systems
• Key performance indicators, such as how many breach notification notices have been filed, and IT department trends
• Updates on any management initiatives such as employee training and outsourcing of key security functions
• Employee access to the Board
• Whistleblower policy
• Employee/customer hotline
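Two of the monitoring items above, written alert thresholds and detecting unauthorised devices on the network, only work if the threshold is concrete enough to be evaluated against logs. The following is an added example, not from the deck: it applies an assumed threshold (five failed logins from one source address within ten minutes) and an assumed asset register of approved device MAC addresses to a handful of constructed log lines, and returns the alerts a monitoring team would be paged about.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed written thresholds for this example; a real policy document sets these
# values and names who is alerted when they are crossed.
FAILED_LOGIN_LIMIT = 5                       # failures from one source address ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # ... inside this window raise an alert
APPROVED_DEVICES = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}  # assumed asset register

# Line format assumed for the example: ISO timestamp, event name, key=value fields.
LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<event>\w+) (?P<rest>.*)$")

# Constructed sample log lines (not real data).
SAMPLE_LOG = """
2019-06-03T09:00:01 auth_fail user=alice src=203.0.113.9
2019-06-03T09:00:07 auth_fail user=alice src=203.0.113.9
2019-06-03T09:00:12 auth_fail user=bob src=203.0.113.9
2019-06-03T09:01:03 auth_fail user=carol src=203.0.113.9
2019-06-03T09:01:40 auth_fail user=dave src=203.0.113.9
2019-06-03T09:02:15 auth_fail user=erin src=203.0.113.9
2019-06-03T09:03:00 auth_fail user=alice src=198.51.100.7
2019-06-03T09:05:00 auth_ok user=alice src=198.51.100.7
2019-06-03T09:30:00 auth_fail user=alice src=198.51.100.7
2019-06-03T09:31:00 dhcp_lease mac=aa:bb:cc:00:00:02 ip=10.0.0.12
2019-06-03T09:32:30 dhcp_lease mac=de:ad:be:ef:00:99 ip=10.0.0.77
""".strip().splitlines()


def parse(line: str):
    """Return (timestamp, event, fields) or None for a line that does not match."""
    m = LINE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    return datetime.fromisoformat(m.group("ts")), m.group("event"), fields


def evaluate(lines=SAMPLE_LOG):
    """Apply the thresholds to the log and return a list of (kind, subject, detail)."""
    alerts = []
    recent = defaultdict(deque)   # src address -> timestamps of failures still in window
    already_alerted = set()       # alert once per source, not once per extra failure
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, event, f = parsed
        if event == "auth_fail":
            window = recent[f["src"]]
            window.append(ts)
            while window and ts - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()  # sliding window: drop failures older than the limit
            if len(window) >= FAILED_LOGIN_LIMIT and f["src"] not in already_alerted:
                already_alerted.add(f["src"])
                alerts.append(("failed_logins", f["src"],
                               f"{len(window)} failures within {FAILED_LOGIN_WINDOW}"))
        elif event == "dhcp_lease" and f["mac"] not in APPROVED_DEVICES:
            alerts.append(("unknown_device", f["mac"],
                           f"lease {f['ip']} issued to a device not in the asset register"))
    return alerts


if __name__ == "__main__":
    for kind, subject, detail in evaluate():
        print(f"ALERT {kind}: {subject} ({detail})")
```

On the sample data the spray of failures from 203.0.113.9 crosses the threshold at the fifth attempt, the two widely spaced failures from 198.51.100.7 do not, and the DHCP lease to an unregistered MAC is flagged regardless of count. The same structure extends to the other monitoring items on the slide by adding an event type and the threshold the policy states for it.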
CYBERSECURITY TRAINING & TECHNOLOGY
EMPLOYEE TRAINING
Workforce
• Are cybersecurity roles and responsibilities assigned and communicated to the workforce?
• Regular training?
• Awareness of policy and of how to report breaches
• Do employees practise computer security best practices (e.g. strong, unique passwords; the slide's example is a mix of upper and lower case letters, numbers and symbols, though current NCSC guidance favours long passphrases such as three random words, a password manager and multi-factor authentication over enforced character mixes)?
TECHNOLOGY UPGRADE
Pace of technology: review and reassess data privacy and computer security policies and procedures
• Are policies and procedures keeping up with technological advances (e.g. do they address the plethora of mobile devices now available to employees)?
• Are firewalls, anti-spam and anti-virus software updated regularly?
• Are patches for the operating system and other software applied regularly?
• Are computer system defences monitored against potential threats?
INCIDENT RESPONSE AND RECOVERY
INCIDENT RESPONSE
Review and reassess your data breach policy
– Is it sufficiently detailed to provide guidance on what needs to be done immediately in the event of a security breach or a near miss?
• Has it been updated in light of GDPR?
– Does it provide for a data breach investigation to discover what happened and analyse it?
– Are key stakeholders represented on the team?
– Is the data breach team lead granted sufficient authority to act quickly?
– Are lessons learnt and fed back into the policy?
– Senior management and Board-level awareness
RECOVERY PLAN
Business Continuity Plan: review and reassess business continuity and disaster recovery plans
• Does the business continuity plan cover a cyber attack or other computer disruption, in addition to more commonly covered business disruptions such as natural disasters and fire?
• Test and re-test computer networks and systems, and the plan itself
CYBER SECURITY BEST PRACTICE
BEST PRACTICES
• National Cyber Security Centre (NCSC): expert, trusted and independent guidance for UK industry, government departments, the critical national infrastructure and private SMEs
• International Organization for Standardization (ISO): the ISO/IEC 27000 series, including the ISO/IEC 27001 information security management standard
• Cyber Essentials
• Cyber Security Information Sharing Partnership (CiSP), run by the NCSC
BEST PRACTICES: Key Areas
Current environment practices should be measured against best practice in key areas:
– Policy
– Threat prevention
  • Perimeter, insider and vendor
– Threat detection
– Training and awareness
– Response
THIRD PARTY CYBER SECURITY RISK & RECOVERY PLAN
THIRD PARTY RISK AVERSION
Third Party Vendors
• Review and reassess the data privacy and computer security policies and procedures of third-party service providers
• Obtain and review System and Organization Controls (SOC) reports from key third parties that process information (a SOC 2 Type II report covers how the controls operated over a period, not only how they were designed)
• Review and reassess service contracts with third-party service providers to ensure that privacy and computer security issues are adequately addressed
• Review and reassess policies segregating network resources from third-party accessible resources
• Review and reassess policies regarding remote maintenance of the network by third parties