
Post on 25-Apr-2018


JFSC and SASIG Directors’ Cyber Security Masterclass

Introduction: Martin Smith, Chairman & Founder, The SASIG

Where did it come from?

What do we do?

How do we do it?

Where are we going?

Our SASIG Supporters

SASIG themes…

2015 – communication

2016 – leadership

2017 – collaboration

Financial Services Sector

Nuclear Sector

Legal Services Sector

Retail Sector

Manufacturing Sector

Regulators’ SASIG

Managing security in the supply chain

The Internet of Things

Recovering from a major cyber attack

Directors’ Masterclasses

Metrics & measurement of security

Cyber economics

Cyber insurance

Countdown to GDPR

Strengthening the security of health & care information

SASIG Annual Gala Dinner & Networking Gala Luncheon

SASIG workstreams in 2017

Eugene Kaspersky, CEO, Kaspersky Lab

(Slide: four-quadrant service wheel. Mottos around the wheel: “Train as you fight, and fight as you train”; “Clothe thee in war, arm thee in peace”; “Know thyself, know thine enemy”; “Si vis pacem, para bellum”.)

PREVENT

• Expert Training

• Awareness Program

• Kaspersky Lab Enterprise Security Solutions

DETECT

• Targeted Attack Discovery

• Kaspersky Managed Protection

• Kaspersky Anti Targeted Attack Platform

RESPOND

• Incident Response Services

• Kaspersky Managed Protection

PREDICT

• Security Assessment

• APT Intelligence Reports

• Tailored Threat Intelligence

Denis Philippe, Head of ICT, JFSC

Cyber Security: What Executives Need to Know

› What happens to the JFSC

› Cyber and the Boardroom

› Key cyber risks

› Strategy

› Training

› Certification

› Scope and scale

› Review

› Agenda

“Commission-held information [1], in all its forms, written, recorded electronically or printed, will be protected from accidental or intentional unauthorized access, modification, or destruction throughout its life cycle”

[1] This includes all information created or owned by the Commission as well as information collected by or provided to the Commission by external parties for the execution of the Commission’s activities

› Cyber-Security Mission Statement

› Subjected to approximately 3,800 network security attack attempts DAILY

› Process over 5,000 emails per day with up to 34% of inbound traffic being rejected due to identified threats

› Website screening prevents access to high risk content (< 0.1% traffic)

› What happens to the JFSC

› Cyber and the Boardroom

32% of Boards do not receive information security updates

45% of Boards do not believe it is important

› Fire Metaphor

FIRE

Opportunistic Threat

Indiscriminate

Exploits vulnerability

Owns everything

› What is important to your business?

› Open or outstanding High Risks

› Incident summary and impact

› Incidents affecting competitors/peers

› Steps to prevent reoccurrence of previous incidents

› What information should you get?

› Key Cyber Risks

› Definitions of what we protect:

› Private & personal information

› Legal definition versus what people actually value

› What?

(Slide diagram: Gap; Extended Reputational Risk)

› People

› Vigilant

› More complex

› Vulnerable

50% of people take some form of confidential information with them when they leave an organisation

› Complex interconnected systems

› Up-to-date patching

› Effective change control

› Understand where your data is and how it is being used

› Malware / zero-day protection and detection

› Ensure good, well-tested backups

› Offline backups (ransomware)

› Systems

› Why?

› Mitigate Risk – “Data is a commodity of interest to many”

› Extensive investment in providing an interconnected and online mode of stakeholder engagement is being balanced with a significant effort and investment in our security to protect the systems and data we are collecting and holding

› Trust, but verify

› Vetting requirements

› Consider contractors etc.

› Don’t forget the cleaners…

› Suppliers

› Strategy

› Do you have a cyber strategy

› Who owns your cyber strategy?

› Is it aligned with the business strategy?

› Is it realistic?

› Is it being monitored?

› Governance

› What if something happens?

› Not all about Detect and Protect

› Ensure that tested incident response plans are in place

› Ensure that people are aware of their responsibilities

› Cyber insurance

› Plan for external support

› Communications plan – Media, Law Enforcement, Regulator

› Training & Awareness

› Training

› Who is being trained?

› Users

› Board members

› Suppliers

› Contractors

› How are you training?

› Training lifespan!

› Awareness

› Testing

2 weeks: the length of time people retain information after training!

› Awareness

› Vigilance

› Phishing / whaling

› Social engineering

› Subconscious

› Small, bite-sized chunks of information to supplement training

› Posters

› Screen savers

› Balanced message

› Don’t overload people to the point they stop listening

› Community

› Building walls is not enough

› Flexibility and collaboration are key

› Improved intelligence will improve detection

› Understand the threat landscape

› Certification

› Cyber Essentials

› ISO

› NIST

› Blended?

› Organisation

5 Pillars based on a blend of NIST and ISO27001

Identify | Protect | Detect | Respond | Recover

This blend of NIST and ISO allows us to speak to other regulators and registries in security terms they understand

› Staff training and certification

› Certified Information Systems Security Professional (CISSP)

› Certified Information Security Manager (CISM)

› ISO 27001 Lead auditor

› BCS Certificate in Information Security Management Principles

› Staff

› Ensuring suppliers are certified ISO/NIST (or aligned)

› Seek the right to audit as part of contracts

› Add security questions to tender documents

› Vetting of staff and own suppliers

› Suppliers

› Scope and scale

› Set reasonable objective

› Focus on what is important to you and your customers

› Focus on doing things well

› Cyber hygiene basics

› Don’t boil the ocean

› What about you?

› Become part of the solution and show you understand

› Soft targets = weak link in the chain. Bigger prizes at the top

› Cultural evolution through training and secure behaviours

› Lead from the front

Humanware 2.0: People, Skills, Knowledge

› 40% of daily actions are driven without thinking:

› Changing gear

› Tying shoe laces

› Locking the front door

› Bad habits include:

› Writing down passwords

› Leaving computers/devices unlocked

› Clicking on emails and links without knowing what they are or where they go

› “Evidence has shown that a large number of cyber hygiene issues have become bad habits.” Bikash Barai

› Habits

› IP theft or sabotage for their own benefit or that of others

› Have a training and awareness plan

› Malicious Users

50% of those who steal data do so in their last month of work

70% of those who steal data do so in the two months before leaving

Ref: Dawn Cappelli

› Review

› Things to spend time on

Ensure you are receiving updates

Support your security team and get trained

Support your strategy

› Useful links

› https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/385009/bis-14-1277-cyber-security-balancing-risk-and-reward-with-confidence-guidance-for-non-executive-directors.pdf

› https://www.nccgroup.trust/globalassets/resources/uk/ebooks/ebook_cyber-risk-security-guidance-for-non-exec-directorspdf/

Follow us at @JerseyFSC

Like us at Jersey Financial Services Commission

Follow us at Jersey Financial Services Commission

Head of ICT: Denis Philippe

D.Philippe@jerseyfsc.org

Martin Smith, Chairman & Founder, The SASIG

The Human Factor: Integrating cybersecurity into the employment lifecycle

Martin Smith MBE FSyI

Chairman and Founder

The Security Company (International) Ltd

The Security Awareness Special Interest Group

Who am I?

Some of our clients…

We need to work the problem

Our secure systems are built to perfection but are being subjected to massive external attack.

Cybercrime is rapidly increasing, data breaches are reported in the Press on a daily basis, and IP is at grave risk.

Privacy is considered as “something of the past”.

National infrastructures are under direct threat of attack from other nation states.

Examine the evidence

The vast majority of breaches and security events occur at the most basic levels of our defences.

Most attacks succeed by subverting physical security, by exploiting sloppy housekeeping and errors in systems operations and patching, and by directly targeting people.

Social media makes social engineering easy.

BYOD is emasculating our technical defences.

Human error and ignorance amongst our workforces present an enormous gap in our fortification.

Our supply chains are massive.

Old crimes, new tricks…?

We all believe what we are told

Security should influence every stage of your employment lifecycle

1. Recruitment and the interview process

2. Pre-employment screening, vetting, contracts of employment

3. On-boarding, induction, socialisation, probationary periods

4. Performance management, supervision and staff appraisals

5. Internal movement, promotion and career development

6. Security awareness, training and incentives (the “carrot”)

7. Disciplinary policies and procedures (the “stick”)

8. Termination of employment, exit strategies

9. The integrity of suppliers, contractors and other third parties

Actually, people want to help…

There is an enormous willingness amongst any supply chain to follow good cyber security practice.

The vast majority of any workforce, including those of our suppliers, is intelligent, honest, hardworking and sensible.

To win our suppliers’ support, we just need to tell them what it is we want them to do and why, in language they can understand.

We must explain the benefits of good cyber security management – “What’s in it for me?”

The impact we fear the most

How big is your security and fraud prevention team?

The elephant in the room…

The “Mark 1 Human Being” remains the greatest and continuing weakness in the entire security regime, but at the same time can be our greatest supporter.

Often it is the breach of trust that we must fear, not the breach of security.

“Problems are never solved at the same level of awareness that created them…”

Albert Einstein

Questions?

Contact me:

martin@thesecurityco.com

@MartinSmith_TSC

+44 (0) 1234 708456

www.thesecurityco.com

www.thesasig.com

Panel and Q&A Session, facilitated by Martin Smith, Chairman, The SASIG

› Eugene Kaspersky, CEO, Kaspersky Lab

› Ian Bishop-Laggett, Internal Security Controls Manager, Schroders

› Denis Philippe, Head of ICT, JFSC

Final Address: John Harris, Director General, Jersey Financial Services Commission

In summary

› Directors to ensure that cyber is a priority throughout their organisations

› JFSC is building Island-wide awareness of regulatory responsibility for cyber security

› Cyber security needs to be a collective responsibility and success for the Island

Jersey is committed to cyber security (dedicated government strategy)

Cyber no longer just about technology – PEOPLE

Core business issues

Leave today with heightened awareness

The current regulatory approach

› Not a traditional “us and them” relationship – all in this together

› Questionnaire based on ISO and NIST standards – what vulnerabilities and responses?

› Meant to be used as a self-assessment tool. Thought provoking

› No right answers – but seeking proportionality

The current regulatory approach

› Sample approach – mandatory for those requested / but available to all regulated firms

› Issued end of March

› Aggregate report will be compiled and published, using anonymised information

› Will inform next steps

Closing Remarks: Martin Smith, Chairman & Founder, The SASIG

Thank you
