Your organization is at risk! Upgrade your IT security & IT governance now.
Cyril Soeri MA RA CISA - Tjong A Hung Consulting N.V.
Gregory Tai-Apin CISA, ISO 27001 ISMS Certified Lead Implementer, COBIT 5 Foundation Graduate - BNETS
Jai Udit BSc – Telecom Authoriteit Suriname
The ICT Association Suriname in collaboration with the Telecommunication Authority Suriname (TAS) presented a Cybersecurity awareness session for the members of the Chamber of Commerce. TAS presented the national response to IT incidents by explaining the implementation of the Computer Emergency Response Team (CERT).
Programma
• Cyber risks: a clear and present danger;
• Incidents and financial impacts;
• Personnel identified as weak links at IT security incidents;
• Solutions to cyber threats?
• National solutions to IT incidents.
Introduction
Awareness of your IT environment
• Do you have your company’s e-mail accounts on your privately owned smartphone?
• Consider a Bring Your Own Device policy (BYOD);
• Do you use open WIFI networks to contact your employer and clients?
• Consider Virtual Private Network connection (VPN) and encryption techniques;
• Do you share your company’s work files on your smartphone or dropbox account?
• Consider access controls and information classification;
• Do you use your tablet or smartphone to read your clients’ data?
• Consider a BYOD policy;
• Do you have confidential and work related conversations using VOIP?
• Consider encryption techniques;
• Are you aware of the ICT security policy plan of your company?
• ICT awareness – People, Policy & Technology (PPT).
Cyber risks: a clear and present danger
Source: Global State of Information Security Survey 2015, PwC, 30 September 2014
www.pwc.com/gsiss2015
Known cyber attacks and risks (1)
Stock exchanges also have become routine targets
A survey of 46 global securities exchanges conducted by the International Organization of Securities Commissions (IOSCO) and the World Federation of Exchanges Office found that more than half (53%) had experienced a cyber attack.
Consumer data
Huge heists of consumer data were also reported in South Korea, where 105 million payment card accounts were exposed in a security breach. And in Verden, Germany, city officials announced the theft of 18 million e-mail addresses, passwords, and other information.
Banks & ATM accounts
Cyber thieves plundered more than $45 million from worldwide ATM accounts of two banks in the Middle East.
Known cyber attacks and risks (2)
Government surveillance & cyber attacks
• The revelations of cyber surveillance of individuals, businesses, and nations have also prompted many international businesses and governments to reconsider purchasing products and services from companies that may be affiliated with government entities.
• Other examples of state-sponsored espionage were uncovered by security firm Symantec, which discovered attacks against major European governments that have been under way for at least four years. Because of the chosen targets and the sophisticated malware employed, Symantec believes a state-sponsored group is coordinating the attacks.
• Geopolitical discord, most notably between Russia and Ukraine, resulted in a volley of cyber attacks between the two nations that took down and defaced government websites on both sides of the conflict, as well as spread malware to the computers of embassies.
Known cyber attacks and risks (3)
Heartbleed defect
• One of the year’s most far-reaching incidents was the Heartbleed defect, which impacted almost two-thirds of web servers around the world, including some of the most popular e-mail and social networking sites.
• It is believed to have compromised millions of websites, online shopping destinations, and security applications, as well as software like instant messaging, remote access tools, and networking devices.
• In the first intrusion attributed to the Heartbleed defect, a US hospital chain reported theft of 4.5 million patient records in August.
Known cyber attacks and risks (4)
Internet of things
• We also saw increases in attacks on connected consumer devices— such as baby monitors, home thermostats, and televisions—that comprise the Internet of Things, a nascent ecosystem of devices that interconnect information, operational, and consumer technologies. These Internet-connected devices are vulnerable to attack because they lack fundamental security safeguards, a point verified by a recent HP Fortify on Demand study.
• HP reviewed 10 of the most commonly used connected devices and found that 70% contain serious vulnerabilities.
Incidents and financial impacts
IT Security compliance or penalties
Regulators around the world are more proactively addressing cyber risks
• In an indicator of how the regulatory landscape is evolving, the US Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) recently announced that it plans to examine the cybersecurity preparedness of more than 50 registered broker-dealers and investment advisers.
• In Asia, the Singapore Personal Data Protection Act establishes new standards for the collection, use, and disclosure of personal data. Organizations that do not comply with the act are subject to financial penalties of up to $1 million (SGD) or $788,995 (USD).
• The new guidance highlights several unique requirements, such as suggesting that organizations have cyber insurance and be able to produce a comprehensive inventory of all security incidents and breaches. SEC guidance also requires that businesses implement risk-assessment processes, as well as more effectively assess vendor risks and due diligence.
Average incidents by company
Costs of incidents by company
Information Security Budget by company
Personnel identified as weak links at IT security incidents
Insiders versus outsiders
Solutions to cyber threats
By Gregory Tai-Apin, CISA
What can you do?
First things first
• IT Governance framework
• Use of widely accepted standards
COBIT 5 Framework
• Simply stated, COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
• COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.
• The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
• COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.
• COBIT 5 does not focus only on the ‘IT function’, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.
ISO27001
• ISO 27001 is a specification for an information security management system (ISMS)
• 14 control objectives, 114 controls (mentioned in the Annex A of the Standard)
Cyber essentials - minimum requirements for Cyber Security based on ISO27001