TRANSCRIPT
JFSC and SASIG Directors’ Cyber Security Masterclass
Introduction: Martin Smith, Chairman & Founder, The SASIG
Where did it come from?
What do we do?
How do we do it?
Where are we going?
Our SASIG Supporters
SASIG themes…
2015 – communication
2016 – leadership
2017 – collaboration
SASIG workstreams in 2017
Financial Services Sector
Nuclear Sector
Legal Services Sector
Retail Sector
Manufacturing Sector
Regulators’ SASIG
Managing security in the supply chain
The Internet of Things
Recovering from a major cyber attack
Directors’ Masterclasses
Metrics & measurement of security
Cyber economics
Cyber insurance
Countdown to GDPR
Strengthening the security of health & care information
SASIG Annual Gala Dinner
Networking Gala Luncheon
Eugene Kaspersky, CEO, Kaspersky Lab
• Expert Training
• Awareness Program
• Kaspersky Lab Enterprise Security Solutions
“Train as you fight, and fight as you train”
PREVENT
DETECT
• Targeted Attack Discovery
• Kaspersky Managed Protection
• Kaspersky Anti Targeted Attack Platform
RESPOND
• Incident Response Services
“Clothe thee in war, arm thee in peace”
PREDICT
• Security Assessment
• APT Intelligence Reports
• Tailored Threat Intelligence
“Know thyself, know thine enemy”
“Si vis pacem, para bellum”
• Kaspersky Managed Protection
Denis Philippe, Head of ICT, JFSC
Cyber Security: What Executives Need to Know
› Agenda
› What happens to the JFSC
› Cyber and the Boardroom
› Key cyber risks
› Strategy
› Training
› Certification
› Scope and scale
› Review
› Cyber-Security Mission Statement
“Commission held information [1], in all its forms, written, recorded electronically or printed, will be protected from accidental or intentional unauthorized access, modification, or destruction throughout its life cycle”
[1] This includes all information created or owned by the Commission as well as information collected by or provided to the Commission by external parties for the execution of the Commission’s activities
› What happens to the JFSC
› Subjected to approximately 3,800 network security attack attempts DAILY
› Process over 5,000 emails per day, with up to 34% of inbound traffic being rejected due to identified threats
› Website screening prevents access to high-risk content (< 0.1% of traffic)
› Cyber and the Boardroom
32% of Boards do not receive information security updates
45% of Boards do not believe it is important
› Fire Metaphor
FIRE:
Opportunistic threat
Indiscriminate
Exploits vulnerability
Owns everything
› What information should you get?
› What is important to your business?
› Open or outstanding high risks
› Incident summary and impact
› Incidents affecting competitors/peers
› Steps to prevent reoccurrence of previous incidents
› Key Cyber Risks
› What?
› Definitions of what we protect:
› Private & personal information
› Legal definition versus what people actually value
Gap
Extended Reputational Risk
› People
› Vigilant
› More complex
› Vulnerable
50% of people take some form of confidential information with them when they leave an organisation
› Complex interconnected systems
› Up-to-date patching
› Effective change control
› Understand where your data is and how it is being used
› Malware / zero-day protection and detection
› Ensure good, well tested backups
› Offline backups (ransomware)
› Systems
› Why?
› Mitigate Risk – “Data is a commodity of interest to many”
› Extensive investment in providing an interconnected and online mode of stakeholder engagement is being balanced with a significant effort and investment in our security to protect the systems and data we are collecting and holding
› Trust, but verify
› Vetting requirements
› Consider contractors etc.
› Don’t forget the cleaners…
› Suppliers
› Strategy
› Do you have a cyber strategy
› Who owns your cyber strategy?
› Is it aligned with the business strategy?
› Is it realistic?
› Is it being monitored?
› Governance
› What if something happens?
› Not all about Detect and Protect
› Ensure that tested incident response plans are in place
› Ensure that people are aware of their responsibilities
› Cyber insurance
› Plan for external support
› Communications plan – Media, Law Enforcement, Regulator
› Training & Awareness
› Training
› Who is being trained?
  › Users
  › Board members
  › Suppliers
  › Contractors
› How are you training?
› Training lifespan!
› Awareness
› Testing
2 weeks: the length of time people retain information after training!
› Awareness
› Vigilance
  › Phishing / whaling
  › Social engineering
› Subconscious
  › Small, bite-sized chunks of information to supplement training
  › Posters
  › Screen savers
› Balanced message
  › Don’t overload people to the point they stop listening
› Community
› Building walls is not enough
› Flexibility and collaboration are key
› Improved intelligence will improve detection
› Understand the landscape threats
› Certification
› Cyber Essentials
› ISO
› NIST
› Blended?
› Organisation
5 pillars based on a blend of NIST and ISO 27001:
Identify, Protect, Detect, Respond, Recover
This blend of NIST and ISO allows us to speak to other regulators and registries in security terms they understand
› Staff training and certification
› Certified Information Systems Security Professional (CISSP)
› Certified Information Security Manager (CISM)
› ISO 27001 Lead auditor
› BCS Certificate in Information Security Management Principles
› Staff
› Ensuring suppliers are certified ISO/NIST (or aligned)
› Seek the right to audit as part of contracts
› Add security questions to tender documents
› Vetting of staff and own suppliers
› Suppliers
› Scope and scale
› Set reasonable objectives
› Focus on what is important to you and your customers
› Focus on doing things well
› Cyber hygiene basics
› Don’t boil the ocean
› What about you?
› Become part of the solution and show you understand
› Soft targets = weak link in the chain. Bigger prizes at the top
› Cultural evolution through training and secure behaviours
› Lead from the front
Humanware 2.0: People, Skills, Knowledge
› 40% of daily actions are driven without thinking:
  › Changing gear
  › Tying shoe laces
  › Locking the front door
› Bad habits include:
  › Writing down passwords
  › Leaving computers/devices unlocked
  › Clicking on emails and links without knowing what they are or where they go
› “Evidence has shown that a large number of cyber hygiene issues have become bad habits.” Bikash Barai
› Habits
› IP theft or sabotage for their own benefit or that of others
› Have a training and awareness plan
› Malicious Users
50% of those who steal data do so in their last month of work
70% of those who steal data do so two months before leaving
Ref: Dawn Cappelli
› Review
› Things to spend time on
Ensure you are receiving updates
Support your security team and get trained
Support your strategy
› Useful links
› https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/385009/bis-14-1277-cyber-security-balancing-risk-and-reward-with-confidence-guidance-for-non-executive-directors.pdf
› https://www.nccgroup.trust/globalassets/resources/uk/ebooks/ebook_cyber-risk-security-guidance-for-non-exec-directorspdf/
Follow us at @JerseyFSC
Like us at Jersey Financial Services Commission
Follow us at Jersey Financial Services Commission
Head of ICT: Denis Philippe
Martin Smith, Chairman & Founder, The SASIG
The Human Factor: Integrating cybersecurity into the employment lifecycle
Martin Smith MBE FSyI
Chairman and Founder
The Security Company (International) Ltd
The Security Awareness Special Interest Group
Who am I?
Some of our clients…
We need to work the problem
Our secure systems are built to perfection but are being subjected to massive external attack.
Cybercrime is rapidly increasing, data breaches are reported in the Press on a daily basis, and IP is at grave risk.
Privacy is considered as “something of the past”.
National infrastructures are under direct threat of attack from other nation states.
Examine the evidence
The vast majority of breaches and security events occur at the most basic levels of our defences.
Most attacks succeed by subverting physical security, by exploiting sloppy housekeeping and errors in systems operations and patching, and by directly targeting people.
Social media makes social engineering easy.
BYOD is emasculating our technical defences.
Human error and ignorance amongst our workforces present an enormous gap in our fortification.
Our supply chains are massive.
Old crimes, new tricks…?
We all believe what we are told
Security should influence every stage of your employment lifecycle
1. Recruitment and the interview process
2. Pre-employment screening, vetting, contracts of employment
3. On-boarding, induction, socialisation, probationary periods
4. Performance management, supervision and staff appraisals
5. Internal movement, promotion and career development
6. Security awareness, training and incentives (the “carrot”)
7. Disciplinary policies and procedures (the “stick”)
8. Termination of employment, exit strategies
9. The integrity of suppliers, contractors and other third parties
Actually, people want to help…
There is an enormous willingness amongst any supply chain to follow good cyber security practice.
The vast majority of any workforce, including those of our suppliers, is intelligent, honest, hardworking and sensible.
To win our suppliers’ support, we just need to tell them what it is we want them to do and why, in language they can understand.
We must explain the benefits of good cyber security management – “What’s in it for me?”
The impact we fear the most
How big is your security and fraud prevention team?
The elephant in the room…
The “Mark 1 Human Being” remains the greatest and continuing weakness in the entire security regime, but at the same time can be our greatest supporter.
Often it is the breach of trust that we must fear, not the breach of security.
“Problems are never solved at the same level of awareness that created them…”
Albert Einstein
Questions?
Contact me:
@MartinSmith_TSC
+44 (0) 1234 708456
www.thesecurityco.com
www.thesasig.com
Panel and Q&A Session
Facilitated by Martin Smith, Chairman, The SASIG
› Eugene Kaspersky, CEO, Kaspersky Lab
› Ian Bishop-Laggett, Internal Security Controls Manager, Schroders
› Denis Philippe, Head of ICT, JFSC
Final Address: John Harris, Director General, Jersey Financial Services Commission
In summary
› Directors to ensure that cyber is a priority throughout their organisations
› JFSC is building Island-wide awareness of regulatory responsibility for cyber security
› Cyber security needs to be a collective responsibility and success for the Island
Jersey is committed to cyber security (dedicated government strategy)
Cyber is no longer just about technology – it is about PEOPLE
Core business issues
Leave today with heightened awareness
The current regulatory approach
› Not a traditional “us and them” relationship – all in this together
› Questionnaire based on ISO and NIST standards – what vulnerabilities and responses?
› Meant to be used as a self-assessment tool. Thought provoking
› No right answers – but seeking proportionality
The current regulatory approach
› Sample approach – mandatory for those requested / but available to all regulated firms
› Issued end of March
› Aggregate report will be compiled and published, using anonymised information
› Will inform next steps
Closing Remarks: Martin Smith, Chairman & Founder, The SASIG
Thank you