Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide


Q3 2016 Security Matters Forum
Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide
Alan Calder, Founder & Executive Chair, IT Governance Ltd
July 2016
www.itgovernance.co.uk

Introduction
Alan Calder, Founder, IT Governance Ltd
Author of IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002, 6th edition (Open University textbook)
www.itgovernance.co.uk/shop/p-772-it-governance-an-international-guideto-data-security-and-iso27001iso27002.aspx

IT Governance Ltd: GRC One-Stop-Shop
www.itgovernance.co.uk

Agenda
- Today's cyber threat environment
- EU GDPR
- Cyber assurance

What's Really Going On?

Massive data breaches
www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Cyber Risks for All
Digital information is at the heart of cyber crime.
Key assets at risk:
- High-value research, e.g. energy technology, biotechnology, advanced engineering
- Politically or commercially sensitive data, e.g. product development, climate modelling, testing data
- Sensitive internal information, e.g. PII (customers and staff) and financial data (bank accounts, payment card data), both targets for identity theft
Key challenges:
- Balancing openness with security
- Devolved data management responsibilities
- Multiple, mobile and remote access connection requirements
- Complex data lifecycles
- Rapid technology evolution

Security breach levels are rising
Last year in the UK:
- 90% of large organisations reported suffering a security breach, up from 81% the year before.
- 74% of small businesses had a security breach, up from 60% the year before.
Source: BIS/PwC 2015 Information Security Breaches Survey

Cost of cyber crime is rising
The average cost of a data breach for businesses in the UK is £2.37 million.
Source: IBM/Ponemon Institute 2015 Cost of Data Breach Study: United Kingdom

Hacking the Human
Phishing, spear phishing and whaling

CryptoLocker & Ransomware
- CryptoLocker: 240,000 infected computers since October 2013; 16 million in ransoms
- Cost of the decryption key: $300 or 2 Bitcoins
- Self-installs via phishing emails, compromised websites, or existing malware already on the machine
- Can encrypt shared network drives, USB drives, external hard drives, network file shares, and some cloud storage drives
- GameOver ZeuS, the botnet that also distributed CryptoLocker, steals online banking passwords: $100 million of income
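As an added example (not from the original deck), the Go program below shows the detection side of the threat just described: it parses a constructed file-activity log (the line format, process names, paths and thresholds are assumptions for illustration) and raises an alert when one process rewrites many files with an unexpected extension across several directories, including network shares and removable drives, inside a short window. That is the behavioural signature CryptoLocker-style malware leaves in Sysmon or EDR file telemetry regardless of whether a phishing email or a compromised website delivered it.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// FileEvent is one line of a constructed file-activity log (layout assumed for this example).
type FileEvent struct {
	When    time.Time
	Process string
	Action  string // "write" or "rename"; anything else is ignored
	Path    string // Windows path; \\server\share is a network share
}
// ParseLine parses "RFC3339-time|process|action|path".
func ParseLine(line string) (FileEvent, error) {
	f := strings.SplitN(line, "|", 4)
	if len(f) != 4 {
		return FileEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	t, err := time.Parse(time.RFC3339, f[0])
	return FileEvent{When: t, Process: f[1], Action: strings.ToLower(f[2]), Path: f[3]}, err
}

type Alert struct {
	Process              string
	Events, Dirs, Shares int      // events in the window; distinct dirs; events on shares/removable
	Extensions           []string // unexpected extensions seen, sorted
}
// Extensions an office workload normally writes; bulk writes of anything else are unexpected.
var expectedExt = map[string]bool{"docx": true, "xlsx": true, "pptx": true, "pdf": true,
	"txt": true, "csv": true, "jpg": true, "png": true, "tmp": true}
func extOf(p string) string { // lower-cased final extension, or the whole name if none
	name := p[strings.LastIndex(p, `\`)+1:]
	return strings.ToLower(name[strings.LastIndex(name, ".")+1:])
}

// DetectRansomware flags a process that, within window, writes/renames at least minEvents
// files across at least minDirs directories, at least half with an unexpected extension.
func DetectRansomware(events []FileEvent, window time.Duration, minEvents, minDirs int) []Alert {
	byProc := map[string][]FileEvent{}
	for _, e := range events {
		if e.Action == "write" || e.Action == "rename" {
			byProc[e.Process] = append(byProc[e.Process], e)
		}
	}
	var alerts []Alert
	for proc, evs := range byProc {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		for i := range evs { // examine the window that starts at each event
			dirs, exts, n, odd, shares := map[string]bool{}, map[string]bool{}, 0, 0, 0
			for j := i; j < len(evs) && evs[j].When.Sub(evs[i].When) < window; j++ {
				p := evs[j].Path
				n++
				dirs[p[:strings.LastIndex(p, `\`)+1]] = true
				if ext := extOf(p); !expectedExt[ext] {
					odd, exts[ext] = odd+1, true
				}
				// UNC paths and non-C: drives count as share/USB/mapped (assumption: C: is local).
				if strings.HasPrefix(p, `\\`) || (len(p) > 2 && p[1] == ':' && !strings.EqualFold(p[:1], "c")) {
					shares++
				}
			}
			if n >= minEvents && len(dirs) >= minDirs && 2*odd >= n {
				a := Alert{Process: proc, Events: n, Dirs: len(dirs), Shares: shares}
				for x := range exts {
					a.Extensions = append(a.Extensions, x)
				}
				sort.Strings(a.Extensions)
				alerts = append(alerts, a)
				break // one alert per process is enough
			}
		}
	}
	return alerts
}

// SampleLog is constructed telemetry, not a real capture: a normal save, then a dropper-launched
// binary rewriting files as .locked across the profile, a finance share and a USB drive.
var SampleLog = []string{
	`2016-07-12T09:00:05Z|WINWORD.EXE|write|C:\Users\alice\Documents\budget.docx`,
	`2016-07-12T09:15:00Z|svchost_.exe|rename|C:\Users\alice\Documents\budget.docx.locked`,
	`2016-07-12T09:15:03Z|svchost_.exe|rename|C:\Users\alice\Pictures\holiday.jpg.locked`,
	`2016-07-12T09:15:08Z|svchost_.exe|rename|\\fileserver\finance\q3.xlsx.locked`,
	`2016-07-12T09:15:09Z|svchost_.exe|rename|\\fileserver\finance\payroll.xlsx.locked`,
	`2016-07-12T09:15:15Z|svchost_.exe|rename|E:\backup\2016-06.zip.locked`,
	`2016-07-12T09:15:16Z|svchost_.exe|write|E:\backup\HOW_TO_DECRYPT.txt`,
}

func main() {
	var events []FileEvent
	for _, l := range SampleLog {
		e, _ := ParseLine(l) // the constructed lines are well-formed
		events = append(events, e)
	}
	fmt.Printf("%+v\n", DetectRansomware(events, 60*time.Second, 6, 3))
}
```

Tune minEvents, minDirs and the extension allow-list to the environment; an allow-list avoids chasing the ever-changing extension names ransomware families use. Canary files on the shares the slide mentions are a cheap complement: a write to a file that no legitimate process should ever touch needs no threshold at all.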

Small Businesses are Popular with Hackers
- Many small businesses are on shared servers, which multiplies the potential access points for a hacker to exploit.
- Small to mid-size businesses usually don't have an IT department that keeps server hardware and software up to date; website software versions and plug-ins are often out of date and easily hacked.
- Small to mid-size companies usually don't have internal security practices, so passwords and access are easily compromised.
- Small business websites are often built on common, open-source frameworks. These frameworks are popular with hackers because there are so many installations and the same weakness can be exploited across all of them.
(Source: Executionists blog)

The Stakes Are High!
The potential impacts of a cyber attack on a business:
- Direct financial loss from theft or fraud.
- Indirect loss from recovery and remediation costs.
- Loss of customer information or intellectual property.
- Possible fines from legal and regulatory bodies (e.g. the financial regulator, the FCA, formerly the FSA, or the Information Commissioner).
- Loss of reputation through word of mouth and adverse press coverage.
- Survival of the organisation itself.
Demands for assurance
74% of respondents say their customers prefer dealing with suppliers with proven cyber security credentials, while 50% say their company has been asked about its information security measures by customers in the past 12 months.

Cyber Security Strategy
- Devolved cyber risk model, with appropriate board oversight
- Clear, centrally defined security policies, with monitoring and oversight, and with budgets
- Segmented networks
- Risk-based approach to mobile and remote access options
- Risk-based approach to technology deployments
Good cyber security practices:
- Access control policies and technology infrastructure
- Cyber security awareness training
- Rapid vulnerability patching
- Perimeter and end-point security
- Integrated security and compliance management systems
- Data breach response capability, tried and tested

What can you do to stay safe? The Cyber Essentials scheme
1. Boundary firewalls and internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management
These are the five basic controls that any organisation should implement to mitigate the risk from common internet-borne threats.

Cyber Essentials vs Cyber Essentials Plus
Cyber Essentials:
- Self-assessment questionnaire
- Attestation of compliance
- External vulnerability scan
Cyber Essentials Plus:
- As for Cyber Essentials, plus
- On-site test of device configurations
- Independent certification by a CREST-accredited body

Cyber Essentials Benefits
- Increase your resistance to cyber threats
- Focus on core business objectives, knowing that you are protected from the vast majority of common cyber attacks
- Drive business efficiency, save money and improve productivity through the streamlining of processes
- Reduce insurance premiums
- Demonstrate to clients, insurers, investors and other interested parties that you have taken the precautions necessary to reduce common cyber risks
- Work within supply chain information security risk management expectations
- Meet UK Government requirements for contracts that involve the handling of personal and sensitive information

EU GDPR
- Complete overhaul of the data protection framework
- Covers all forms of PII, including biometric, genetic and location data
- Applies across all member states of the EU
- Enforceable from 25 May 2018

GDPR Data Breaches
- Mandatory breach reporting to the supervisory authority within 72 hours of becoming aware of the breach
- The report must describe the actions being taken to address the breach and to mitigate its consequences
- Data subjects must be contacted without undue delay where the breach is likely to result in a high risk to them
  - Unnecessary if appropriate protection was already in place, i.e. measures such as encryption that render the data unintelligible to anyone not authorised to access it
  - Consider encryption for all mobile devices, for all databases, and for email
- Penetration testing to identify potential attack vectors should be standard
- Failure to report within 72 hours must be explained: the reasons for the delay accompany the late notification
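The "appropriate protection" exemption above rests on the breached data being unintelligible to whoever took it. The Go program below is an added example (not the presenter's code) of what that means for a database: personal-data columns are encrypted with AES-256-GCM before they are stored, with the key held outside the database, so a stolen dump yields only ciphertext. The record and column names, the PIIVault type and the sample customer are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// PIIVault encrypts individual personal-data fields before they reach the database,
// so a stolen dump holds only ciphertext. The key lives outside the database (here
// in process memory; in production in a KMS or HSM) and is never stored beside it.
type PIIVault struct{ aead cipher.AEAD }

// NewPIIVault wraps a 32-byte key in AES-256-GCM.
func NewPIIVault(key []byte) (*PIIVault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &PIIVault{aead: aead}, nil
}

// Seal encrypts value under a fresh random nonce and binds the ciphertext to its
// record and column via GCM additional data, so a value copied into another row
// or column will not decrypt. The stored form is base64(nonce || ciphertext+tag).
func (v *PIIVault) Seal(recordID, column, value string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(value), []byte(recordID+"/"+column))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open reverses Seal; any error means a wrong key, tampering or a moved value.
func (v *PIIVault) Open(recordID, column, stored string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(ct) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, ct[:ns], ct[ns:], []byte(recordID+"/"+column))
	if err != nil {
		return "", errors.New("open failed: wrong key, tampered data or wrong record/column")
	}
	return string(pt), nil
}

// CustomerRow is what the database actually stores: the identifier in clear,
// personal data only as ciphertext.
type CustomerRow struct {
	ID, EmailCT, DOBCT string
}

// StoreCustomer builds the row an application would INSERT.
func StoreCustomer(v *PIIVault, id, email, dob string) (CustomerRow, error) {
	e, err := v.Seal(id, "email", email)
	if err != nil {
		return CustomerRow{}, err
	}
	d, err := v.Seal(id, "dob", dob)
	if err != nil {
		return CustomerRow{}, err
	}
	return CustomerRow{ID: id, EmailCT: e, DOBCT: d}, nil
}

func main() {
	key := make([]byte, 32) // generated per run for the demo; a real key comes from a KMS
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	v, err := NewPIIVault(key)
	if err != nil {
		panic(err)
	}
	row, err := StoreCustomer(v, "cust-1001", "alice@example.com", "1985-03-14")
	if err != nil {
		panic(err)
	}
	fmt.Printf("as dumped from the database: %+v\n", row)
	email, _ := v.Open(row.ID, "email", row.EmailCT)
	fmt.Println("with the key:", email)
	_, err = v.Open(row.ID, "email", row.DOBCT) // ciphertext moved to another column
	fmt.Println("moved value:", err)
}
```

Two caveats matter for the GDPR argument. First, the exemption only holds if the key was not also compromised, which is why the key must live in a KMS or HSM, or at least on a system separate from the database, rather than in the same schema or configuration file. Second, GCM with random 96-bit nonces is safe for roughly 2^32 encryptions under one key; rotate keys, or derive per-record keys, before reaching that bound.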

Cyber Security Assurance
GDPR requirement: data controllers must implement "appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with the Regulation".
- These measures must include appropriate data protection policies.
- Organisations may use adherence to approved codes of conduct or approved certification mechanisms as an element by which to demonstrate compliance with their obligations.
ISO 27001:
- An ISO 27001 information security management system is a recognised way to implement, and to evidence, the "appropriate technical and organisational measures" the Regulation calls for.
- It provides assurance to the board that data security is being managed in accordance with the Regulation.
- It helps manage all information assets and all information security within the organisation, protecting against the full range of threats rather than only those to personal data.

Cyber Security Support Options
- You deliver the project independently: standards.
- You resource the project, calling on specialist tools and courses to aid efficiency and accelerate delivery: standards; books, software and training.
- You resource the project, use tools and courses, and benefit from the expert's know-how: standards; books, software and training; mentor and coach; project manager.
- You provide input and IT Governance removes all the pain, delivering a working management system.

IT Governance: One-Stop-Shop
- Cyber Essentials: certification packages (DIY, Get a Little Help, Get a Lot of Help); Cyber Health Check
- GDPR: pocket guide and implementation manual; documentation toolkits; certified Foundation and DPO training for managers and DPOs, plus online awareness training; consultancy for transition, data audits and DPIAs
- Penetration testing: internal, external and wireless security
- ISO 27001 packages: fixed price and bespoke
All accessible via www.itgovernance.co.uk

Questions?
acalder@itgovernance.co.uk
0845 070 1750
www.itgovernance.co.uk