the security director's practical guide to cyber security
TRANSCRIPT
www.CyberRescue.co.uk
Barrie Millett, Advisory Board, 30th Nov – 1st Dec 2016
Security Director's Practical Guide to Cyber Security
Barrie Millett, The UK Security Expo
Why are we here? Topics
1. What the CEO needs their Security Director to do, to protect against Cyber Threats
2. How the Security Director can spot vulnerabilities the IT team are most likely to have missed
3. What the Security Director should know about Cyber Insurance
4. Surprises your CEO may suffer during the response to a major Cyber Attack
5. Why Security Directors must be ready to lead Recovery from major Cyber Attack
Who are you? Typical Security Director Role
1. Protect assets, staff & reputation
2. Assess risk, vulnerabilities & issues
3. Define goals to mitigate risk
4. Promote security by design & security culture
5. Respond to Security Incidents
Who are we? Facilitators for this Workshop
Kevin Duffey – Managing Director. Expert in commercial response to major cyber attacks.
• CEO Asia and UK Board Member at FTSE 100 company
• Group GM at International SOS, global crisis management firm
• Helped organisations respond to cyber attacks in 25 countries
Barrie Millett – International Advisor. Award-winning leader in risk mitigation and business continuity.
• Led security teams at blue-chip firms including E.ON and GE
• Chair of Joint Risk Audit & Assurance Panel, Leicestershire Police
• Expert in resilience for National Critical Infrastructure
A personal journey
• Leading terrorism response
• Severe weather events
• Investigating criminal activity
Transferable skills
Digital transformation of assets
FBI data storage in 1942 = 10 million sets of fingerprints, plus 23 million paper cards = 680 Gigabytes
£600 storage device in 2016, a "memory stick" from HyperX, stores 1,000 Gigabytes
Exponential Risk to Assets: Cyber Threats Annual Growth
• 125% Zero Day
• 71% DDoS
• 55% Spear Phish
• 29% Malware
• 21% SQLi
• 38% growth in reported crime
Consider Cyber Insurance
• Insurance: 52% of British CEOs think their company is insured for cyber risks. Just 2% of large businesses actually have stand-alone cyber insurance in the UK (March '15)
• "The market for cyber insurance isn't sustainable" (Sept '15)
• Why businesses say they don't have insurance (Nov '15): "Premiums too expensive" (52%), "Too many exclusions" (44%)
• Companies with cyber insurance but not claimed = 81% (Mar '16)
• £1m cyber policy costs £5k - 25k for "average" company (Apr '16)
Risks vary by Sector
Agree Goals with IT Director
Assess Risks beyond IT: Staff, Systems, Suppliers
Staff Risks:
• 78% of staff don't obey info policy
• 63% of breaches involve passwords
• 41% of staff install apps on work PC
• 30% of phishing messages are opened
• 12% of staff download malicious s/ware
Supply Chain Risks:
• 41% of breaches affecting healthcare are caused by Third Parties
• 17% of breaches investigated by Kroll caused by Third Parties
• AT&T, Home Depot, TalkTalk, and Target all suffered breaches via 3rd parties
Work with HR, IT & Procurement to take a Hacker's Eye View
Example: daily Security Scorecard on vulnerabilities at key suppliers
What to focus on in 2017? Typical Security Director Role
1. Protects cyber assets, staff & reputation
2. Assesses cyber risk, vulnerabilities & issues
3. Defines cyber goals to mitigate risk
4. Promotes cyber security culture
5. Responds to cyber Security Incidents
Support CEOs to lead
• Teams will be unnerved
• Many will never have tested a cyber attack response
• Internal and external relationships will need to be managed
Part 2: Simulation (for attendees only): We will now simulate a Breach
For similar material, follow Cyber Rescue on LinkedIn here.
Barrie Millett
Former Head of Resilience, E.ON UK
International Advisory Board Member, Cyber Rescue
[email protected]
+44 7913 371249