cyber security: understanding and mitigating the threats

Post on 23-Apr-2022


Cyber Security: Understanding and Mitigating the Threats Facing Your Organization
Mike LeFever, ITC Secure Global Advisors
William Kilmer, ITC Secure

Agenda
• Introductions
• Why Cyber Security is So Bad
• A New Model for Cyber Security: Investment and Leadership
• Top Things You Can Do for Little or No Money

Introductions

William Kilmer
• Executive Chairman and CEO, ITC Secure
• CEO of two prior security companies
• Author of two books
• william.kilmer@ITCSecure.com
• www.william.kilmer.com

VADM Mike LeFever, USN (retired)
• ITC Global Advisors
• Chief Operating Officer for IOMAXIS, a US technology company specializing in cyber
• Member of the network of national security experts for “The Cipher Brief”
• 38 years of military service with command at every level, including:
  • Former Director for Strategic Operational Planning at the National Counter Terrorism Center (NCTC)
  • Commander, Office of Defense Representative in Pakistan, and Commander, Joint Task Force in Pakistan, leading all US Armed Forces in Pakistan between 2008 and 2011

We enable clients to react to ever-changing threats, and help to prevent brand damage that could impact their profitability.

Established in 1995, ITC has capabilities in on-premise, cloud-based and hybrid security, and provides:
• Cyber advisory services
• Managed security services
• Global advisory services
• Secure network services
• Unique access to National Security-level experts

Survey
What do you think about when you hear Cyber Security?
What keeps you awake at night about security?

Why cyber security is so bad

How bad is the cyber security problem?
• Cyber is the new battlefield
• Hostile actors are widening
• Financial services and government are the most targeted, but not exclusively
• Issues will proliferate with digital transformation
• Leaders are not prepared to lead in a digitally transformed environment

Nation States and Criminals
• Russia, China, North Korea, and Iran are active state sponsors of attacks on the West
• Similar techniques are used by nation states and criminals.

Insider threats are still a problem
• Intentional or unintentional misuse of access to information accounts for a growing number of cyber incidents
• Upwards of 41% of significant cyber breaches are the result of human error or non-compliance
Snowden : OPM Breach : Islamic State exploit of CENTCOM : Walmart data breach

Basic attacks are still working
• Phishing costs $5 billion per year
• Ransomware: 40% of cyber attacks

The cyber security skills gap is widening
• 2 million: global shortage of cyber security professionals by 2019
• 53% of organisations wait 6 months for qualified candidates
• 84% believe half or fewer applicants are qualified
• 3.5 million cyber security openings by 2021

The skills gap

Average security headcount

  Enterprise size (employees)   IT FTE   IT security FTE
  500                           29       2.0
  999                           58       3.9

Third parties: Your new weakest link
• Weakest links are third-party vendors with fewer security controls
• Now represents 65% of breaches
• BestBuy, Sears, Kmart, Delta, Applebee’s, Chili’s—all this year

Threat surface increasing: IoT and OT
• States are increasingly developing or buying capabilities against industrial control systems
• Nation states targeting iconic US brands as a result of sanctions
• At risk:
  • Business operations continuity
  • Intellectual property
  • Private data

New data protection requirements
• GDPR requires more care in data handling and protection
• Some companies are adopting it as a global requirement
• Breach notifications mandatory
• Significant penalties: up to 4% of revenue
• Boards must be aware of the risks and cannot opt out of addressing them
• CCPA law in CA is the first major legislation protecting consumer data privacy

A New Model for Cyber Security: Investment and Leadership

Digital business changing perspective
• An exponential increase in the number of things that must be protected
• An increasing number of external systems, users, and infrastructure
• Increasing transactional and transient business interactions
• Challenges to conventional centralized security governance models

IDC FutureScape: Worldwide Digital Transformation 2018 Predictions
By 2020, 60% of enterprises worldwide will be in the process of a fully articulated, organization-wide digital transformation strategy.

Digital business increases risk

The change to investment perspective
• Strategic vision addresses the new challenges of digital business security
• Annual security strategy planning process turns vision into action
• Security risks that impact digital business are being addressed
• Monitoring and adapting needs to happen actively

Moving from compliance to protection
Justifying security spending to:
• Comply with data regulations
• Align with and enable business objectives
• Reduce events
• Improve risk profile
• Enable digital business
Source: IT Security Spending Trends, SANS, 2016

Leadership in a digitally transformed environment
• No longer about building “stronger and bigger,” such as firewalls and defense in depth
• Recognizes the criticality of the human factor and human ingenuity
• Requires a holistic approach to successfully navigate an ever-changing and ambiguous environment

It starts at the top
Leaders need to create the environment that integrates cyber and cyber security with culture, people, processes, business, and mission.

Ten things you can do for little or no money
(Tell your CISO to do these before they spend another $ on technology)

Define your security objectives
• What objectives do you have? Gaps?
• Ensure a broad perspective
• Marginal dollar and marginal gain
• Benefits:
  • Roadmap-based direction
  • No shiny objects
  • Uncover larger gains for fewer dollars

Raise security awareness
• 41% of insider incidents from human error
• People forget
• Attack methods change
• Cyber training essential
• Online training is very affordable
• Benefits:
  • Lower incidents
  • Much lower cost than cleanup

Create security champions
• Develop a champion role
• Build and align program objectives directly with company objectives
• Across divisions and geographies
• Integrate into performance plans
• Train the trainers
• Let champions take creative liberties with the content

Leverage free material

Practice basic cyber hygiene
• Asset discovery and management
• End device software updates
• Password policies
• BYOD policy enforcement
• Vulnerability detection
• Penetration testing
• Guest WiFi network
• Regular systems patching
• Limiting access
• Backing up data

Go phishing
• 75% of organizations experienced attacks in 2017
• 92.4% of malware delivered by email
• 16 phishing emails per month
• Simple program:
  • Train
  • Notify
  • Test
  • Report
  • Repeat

Get an independent security assessment
• Comprehensive, independent assessment
• You don’t know what you don’t know
• Technology, culture, governance, and people
• Benefits:
  • Situational awareness
  • Immediate threat detection
  • Identifies root causes
  • Improves integrity
This one costs $ but it’s worth it

Shred and destroy what you have
• Hold a regular shredding day
• Delete old files and backups
• Seek out old equipment
• Ensure electronics are centrally recycled

Evaluate third parties
• Evaluation of vendor security is necessary
• NIST- and ISO-based questionnaires and auditing
• Evaluate and set third-party policies and amend contracts
• Benefits:
  • Identifies issues for remediation
  • Highlights ongoing monitoring needs
  • Strengthens your leverage

Write your breach response and communications plan—Now!
• Identify risks
• Accountability, roles, processes, decisions
• Communication procedures:
  • Employee
  • Media
  • Regulatory
• Run an exercise

Thank you.
