
Your organization is at risk! Upgrade your IT security & IT governance now.

Jun 25, 2015

Cyril Soeri

The ICT Association Suriname in collaboration with the Telecommunication Authority Suriname (TAS) presented a Cybersecurity awareness session for the members of the Chamber of Commerce. TAS presented the national response to IT incidents by explaining the implementation of the Computer Emergency Response Team (CERT).
Transcript
Page 1: Your organization is at risk! Upgrade your IT security & IT governance now.

Cyril Soeri MA RA CISA - Tjong A Hung Consulting N.V.
Gregory Tai-Apin CISA, ISO 27001 ISMS Certified Lead Implementer, COBIT 5 Foundation Graduate - BNETS
Jai Udit BSc - Telecom Authoriteit Suriname

Page 2: Programme

• Cyber risks: a clear and present danger;

• Incidents and financial impacts;

• Personnel identified as weak links in IT security incidents;

• Solutions to cyber threats?

• National solutions to IT incidents.

Page 3: Introduction

Page 4: Awareness of your IT environment

• Do you have your company's e-mail accounts on your privately owned smartphone? Consider a Bring Your Own Device (BYOD) policy.

• Do you use open Wi-Fi networks to contact your employer and clients? Consider a Virtual Private Network (VPN) connection and encryption techniques.

• Do you share your company's work files on your smartphone or Dropbox account? Consider access controls and information classification.

• Do you use your tablet or smartphone to read your clients' data? Consider a BYOD policy.

• Do you hold confidential, work-related conversations over VoIP? Consider encryption techniques.

• Are you aware of your company's ICT security policy plan? ICT awareness rests on People, Policy & Technology (PPT).

Page 5: Cyber risks: a clear and present danger

Source: Global State of Information Security Survey 2015, PwC, 30 September 2014
www.pwc.com/gsiss2015

Page 6: Known cyber attacks and risks (1)

Stock exchanges have also become routine targets

A survey of 46 global securities exchanges conducted by the International Organization of Securities Commissions (IOSCO) and the World Federation of Exchanges (WFE) found that more than half (53%) had experienced a cyber attack.

Consumer data

Huge heists of consumer data were also reported in South Korea, where 105 million payment card accounts were exposed in a security breach, and in Verden, Germany, where officials announced the theft of 18 million e-mail addresses, passwords and other information.

Banks & ATM accounts

Cyber thieves withdrew more than $45 million from ATMs worldwide using prepaid card accounts held at two banks in the Middle East.

Page 7: Known cyber attacks and risks (2)

Government surveillance & cyber attacks

• The revelations of cyber surveillance of individuals, businesses and nations have also prompted many international businesses and governments to reconsider purchasing products and services from companies that may be affiliated with government entities.

• Other examples of state-sponsored espionage were uncovered by the security firm Symantec, which discovered attacks against major European governments that had been under way for at least four years. Because of the chosen targets and the sophisticated malware employed, Symantec believes a state-sponsored group is coordinating the attacks.

• Geopolitical discord, most notably between Russia and Ukraine, resulted in a volley of cyber attacks between the two nations that took down and defaced government websites on both sides of the conflict and spread malware to the computers of embassies.

Page 8: Known cyber attacks and risks (3)

Heartbleed defect

• One of the year's most far-reaching incidents was the Heartbleed defect (CVE-2014-0160), a bug in the TLS heartbeat extension of OpenSSL, the cryptographic library behind roughly two-thirds of the world's web servers, including some of the most popular e-mail and social networking sites. A malformed heartbeat request let an unauthenticated remote attacker read up to 64 KB of the server's memory per request, typically without leaving a trace in logs.

• It is believed to have compromised millions of websites, online shopping destinations and security applications, as well as software such as instant messaging clients, remote access tools and networking devices.

• In the first intrusion attributed to the Heartbleed defect, a US hospital chain reported the theft of 4.5 million patient records in August 2014.
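Why a single missing bounds check reached so far is easiest to see in code. The following is an added reconstruction written for this page, not OpenSSL's source and not part of the original slides: a heartbeat parser that trusts the peer's declared payload length, beside one carrying the check that the OpenSSL 1.0.1g fix introduced. The record layout (type, 2-byte length, payload, 16 bytes of padding) follows RFC 6520; the function names hb_parse_vulnerable and hb_parse_fixed, the DEMO_* constants and the bytes placed after the record are this example's own constructed input.

```c
/* Added reconstruction of the Heartbleed (CVE-2014-0160) bug pattern.
 * This is NOT OpenSSL source: it is a simplified stand-in written for this
 * page. A TLS heartbeat record is  type(1) | payload_length(2, big-endian) |
 * payload | padding(16).  The vulnerable code trusted payload_length and
 * copied that many bytes into the reply, even when the peer had sent far
 * fewer, so the reply carried whatever lay after the record in memory.
 * hb_parse_vulnerable, hb_parse_fixed and the DEMO_* data are this
 * example's own names and constructed input. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define OUT_MAX     512

static uint16_t n2s(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable: rec_len (bytes actually received) is never compared with the
 * claimed payload length. `mem`/`mem_len` model the memory region the record
 * sits in; on a real heap the over-read ran past the record into neighbouring
 * allocations, here it reads the demo bytes placed after it. The mem_len
 * check only keeps this demo inside its own array; it is not the fix. */
int hb_parse_vulnerable(const uint8_t *mem, size_t mem_len, size_t rec_len,
                        uint8_t *out, size_t out_max)
{
    (void)rec_len;                                    /* the bug: never consulted */
    if (mem_len < 3 || mem[0] != HB_REQUEST) return -1;
    size_t payload = n2s(mem + 1);
    if (3 + payload > mem_len || 3 + payload > out_max) return -1; /* demo guard */
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, mem + 3, payload);               /* copies past the record */
    return (int)(3 + payload);
}

/* Fixed (same shape as the OpenSSL 1.0.1g patch): header, declared payload
 * and padding must all fit inside the bytes actually received. */
int hb_parse_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_max)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t payload = n2s(rec + 1);
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;   /* silently discard */
    if (3 + payload > out_max) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, rec + 3, payload);
    return (int)(3 + payload);
}

/* Constructed input: a request that really carries 1 payload byte but claims
 * 48, followed in memory by data that must never leave the process. */
static const uint8_t DEMO_MEM[64] = {
    HB_REQUEST, 0x00, 0x30,                          /* payload_length = 48 */
    'A',                                             /* the single real payload byte */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  /* 16 bytes of padding */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y' /* "neighbouring" memory */
};
#define DEMO_REC_LEN (1 + 2 + 1 + HB_PADDING)        /* 20 bytes actually received */

/* Bytes the vulnerable parser read past the end of the received record. */
int demo_overread_bytes(void)
{
    uint8_t out[OUT_MAX];
    int n = hb_parse_vulnerable(DEMO_MEM, sizeof DEMO_MEM, DEMO_REC_LEN, out, sizeof out);
    return n < 0 ? -1 : n - (int)DEMO_REC_LEN;
}

/* 1 if the vulnerable reply contains the "neighbouring" secret bytes. */
int demo_secret_in_response(void)
{
    uint8_t out[OUT_MAX];
    int n = hb_parse_vulnerable(DEMO_MEM, sizeof DEMO_MEM, DEMO_REC_LEN, out, sizeof out);
    return n >= (int)DEMO_REC_LEN + 6 && memcmp(out + DEMO_REC_LEN, "SECRET", 6) == 0;
}

/* 1 if the fixed parser discards the over-long claim. */
int demo_fixed_rejects(void)
{
    uint8_t out[OUT_MAX];
    return hb_parse_fixed(DEMO_MEM, DEMO_REC_LEN, out, sizeof out) == -1;
}

/* Reply length when the same record declares its true payload length (1). */
int demo_fixed_accepts_valid(void)
{
    uint8_t rec[DEMO_REC_LEN], out[OUT_MAX];
    memcpy(rec, DEMO_MEM, DEMO_REC_LEN);
    rec[1] = 0x00; rec[2] = 0x01;                    /* payload_length = 1 */
    int n = hb_parse_fixed(rec, DEMO_REC_LEN, out, sizeof out);
    return (n == 4 && out[3] == 'A') ? n : -1;
}

int main(void)
{
    printf("vulnerable parser read %d bytes past the record (secret leaked: %s)\n",
           demo_overread_bytes(), demo_secret_in_response() ? "yes" : "no");
    printf("fixed parser rejects bogus length: %s; honest record gives a %d-byte reply\n",
           demo_fixed_rejects() ? "yes" : "no", demo_fixed_accepts_valid());
    return 0;
}
```

The real exploit simply repeated such requests with a claimed length of 65535, harvesting a fresh 64 KB of heap contents each time; the fix is the single comparison of the declared length against the record length, which is why patching OpenSSL and then rotating any keys and passwords that may have sat in that memory were the two steps every affected site had to take.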

Page 9: Known cyber attacks and risks (4)

Internet of Things

• We also saw increases in attacks on connected consumer devices, such as baby monitors, home thermostats and televisions, that make up the Internet of Things, a nascent ecosystem of devices that interconnect information, operational and consumer technologies. These Internet-connected devices are vulnerable to attack because they lack fundamental security safeguards, a point verified by a recent HP Fortify on Demand study.

• HP reviewed 10 of the most commonly used connected devices and found that 70% contained serious vulnerabilities.

Page 10: Incidents and financial impacts

Page 11: IT security compliance or penalties

Regulators around the world are more proactively addressing cyber risks.

• In an indicator of how the regulatory landscape is evolving, the US Securities and Exchange Commission's Office of Compliance Inspections and Examinations (SEC OCIE) recently announced that it plans to examine the cybersecurity preparedness of more than 50 registered broker-dealers and investment advisers.

• The SEC's guidance highlights several specific requirements, such as suggesting that organizations hold cyber insurance and be able to produce a comprehensive inventory of all security incidents and breaches. It also expects businesses to implement risk-assessment processes and to assess vendor risks and due diligence more effectively.

• In Asia, the Singapore Personal Data Protection Act establishes new standards for the collection, use and disclosure of personal data. Organizations that do not comply with the act are subject to financial penalties of up to S$1 million (about US$788,995).

Page 12: Average incidents by company

Page 13: Costs of incidents by company

Page 14: Information security budget by company

Page 15: Personnel identified as weak links in IT security incidents

Page 16: Insiders versus outsiders

Pages 17-18: (no transcribed text)

Page 19: Solutions to cyber threats

By Gregory Tai-Apin, CISA

Page 20: (no transcribed text)

Page 21: What can you do?

Page 22: First things first

• IT governance framework

• Use of widely accepted standards

Page 23: COBIT 5 Framework

• Simply stated, COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.

• COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and functional areas of responsibility and considering the IT-related interests of internal and external stakeholders.

• The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

Page 24: COBIT 5 Framework (continued)

• COBIT 5 brings together five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.

• COBIT 5 does not focus only on the 'IT function', but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.

COBIT 5 provides a comprehensive framework that assists enterprises in achieving their goals and delivering value through effective governance and management of enterprise IT.

Pages 25-31: (no transcribed text)

Page 32: ISO 27001

• ISO/IEC 27001 is a specification for an information security management system (ISMS).

• Annex A of the standard (2013 edition) lists 114 controls, grouped under 35 control objectives in 14 domains.

Page 33: (no transcribed text)

Page 34: Cyber Essentials: the UK government scheme setting minimum requirements for cyber security, based on ISO 27001

Page 35: Ten steps to reduce your cyber risk

Page 36: (no transcribed text)

Page 37: Useful link

10 Steps to Cyber Security, executive summary (UK government):
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/73128/12-1120-10-steps-to-cyber-security-executive.pdf

Page 38: National solutions to IT incidents

CERT - Computer Emergency Response Team

Page 39: Q&A

ICT Associatie Suriname: www.ict-as.sr; [email protected]; [email protected]; Prins Hendrikstraat 18, Paramaribo.

Tjong A Hung Consulting N.V.: www.tahconsulting.com; [email protected]; Flustraat 35, Paramaribo; tel. 5310330 / 7190047.

BNETS: www.bnets.sr; [email protected]; Hofstraat 1, PPS Gebouw, 3rd floor, Paramaribo; tel. 475994.

Telecom Authoriteit Suriname: www.tas.sr; [email protected]; Lalla Rookhweg 228, Paramaribo; tel. 532523.