
Page 1

Cyber Security: A Critical Business Risk

© IT Governance Ltd 2012

Page 2

Alan Calder, Chief Executive Officer

IT Governance Ltd

Page 3

UK National Strategy

The UK’s 2010 National Security Strategy identified the four highest priority (Tier 1) risks as:

• International Terrorism
• Cyber Attack
• International Military Crises
• Major Accidents or Natural Hazards

Page 4

Why is Cyber Attack a Tier 1 Risk?

• Government and Military depend on cyber systems
• Information on which our responses to any national incident depend is stored electronically
• Critical National Infrastructure (CNI) is increasingly dependent on computers, ICS and SCADA systems
• Advanced Persistent Threats posed by state-level entities
• International conflict is likely to include cyber attack:
  – Stuxnet worm, US/Iran, June 2010
  – Titan Rain, China on US, multi-year from 2003
  – Cyber attacks on Estonia, Russia, 2007 (Web War 1)
  – Georgia cyber attack, 2008, South Ossetia

Page 5

21st Century Chinese Cyberwarfare

• Doctrine of War Without Limits (Unrestricted Warfare)
• Various cyber attacks: GhostNet, Night Dragon, Aurora, ShadyRAT
• US, UK and other industrial countries are military and commercial targets
• www.itgovernance.co.uk/products/3697

Page 6

UK Cyber Security Strategy

• UK National Cyber Security Strategy 2011
• Four Key Objectives for the UK:
  1. One of the Most Secure Places to do Business.
  2. Resilient to Cyber Attacks.
  3. Open, Stable, Vibrant Cyberspace.
  4. Cross-cutting Skills, Knowledge and Competence to Underpin Cyber Security Activity.

Page 7

Advanced Persistent Threat

Co-ordinated cyber activities of state-level entities and criminals, usually with unofficial state protection, targeted on large corporations and foreign governments with the objective of stealing information or compromising information systems.

– Advanced: sophisticated, combining multiple targeting methods, an advanced range of tools, technologies and techniques, and a wide range of channels
– Persistent: stealthy, continuing, multi-targeted
– Threat: stealing information, compromising systems and defences

Page 8

Serious Organised Crime

“Serious organised crime groups are increasingly multi-commodity and poly-criminal in their activities, with extensive, diverse portfolios of business interests and significant collaborative activity” – Europol

Cyber crime is:
• Lower level and more widespread than APTs
• Initially automated and indiscriminate, looking for vulnerabilities
• Sophisticated, multi-vectored
• Extra-territorial, extra-judicial

PwC ISBS Breaches Survey 2010 confirms: ‘Cybercrime losses double in two years’

Page 9

Cyber Insecurity

Cyberspace is almost completely unregulated. And yes, cybercops only exist in the films …

• Cyber attacks come from anywhere
• All organisations that use the Internet are at risk
• Attackers seek application and connection vulnerabilities
• Technical security measures on their own are insufficient
• Inadequate processes create instability
• Phishing, pharming, direct malware
• Social engineering exploits ‘human weaknesses’
• Individual error, stupidity

Page 10

The Fragmented Workforce

Mobile, fragmented workforce greatly increases risk:

• Yesterday’s network was monolithic, with a static, protectable workforce.

• Today’s employee uses laptops, mobile phones, USB sticks – the network perimeter is porous (even before BYOD).

• Applications/data delivered from the cloud, wirelessly or across the Internet.

Cloud services, easy connectivity and social media usage condition users to be less security aware …

Page 11

The Stakes Are High!

The potential impacts of a cyber attack on a business:

• Financial loss from theft or fraud.
• Loss of customer information or Intellectual Property.
• Possible fines from legal and regulatory bodies (e.g. FSA, Information Commissioner).
• Loss of reputation through ‘word of mouth’ and adverse press coverage.
• Survival of the organisation itself.

Page 12

Cyber Breach Costs

Forrester Research 2011 Report: average breach cost per record between $9 and $305

PwC ISBS Breaches UK Survey 2011: average cost of a breach for a large UK company is between £280k and £690k

Page 13

Your Business Plan – Risk & Reward

In any business, it is management’s responsibility to:
• Maximise all business opportunities
• Ensure Return on Investment (ROI)
• Minimise all risks

The appropriate balance of cyber risk and reward must be an essential part of any business plan.

RSA Washington DC APT Summit 2011: ‘plan and act as though you’ve already been breached’

Page 14

Cyber Resilience

Effective cyber resilience depends on co-ordinated, integrated preparations for rebuffing, responding to and recovering from a wide range of possible attacks.

• A strategy is essential.
• A management system is fundamental.
• Defence, continuity and recovery must each be provided for.
• No single stand-alone solution is sufficient.
• Money will be required.

Page 15

Investment required

• Average company spends 6% of IT budget on IT security
• The benchmark: 13%
• 2010 Cyber Security Watch Survey – CSO Magazine, US Secret Service, CERT, Deloitte’s Security Centre
  – Increase in number of incidents but decline in severity
    º 42% increase in IT security spending
    º 86% increase in corporate/physical security spending
• ESG Survey 2011
  – APTs will cause increases in security expenditure of between 6% and more than 10%.

Page 16

ISO27001 The Cyber Security Standard

ISO/IEC 27001, together with the international code of practice, ISO/IEC 27002, provides a globally recognised standard and best-practice framework for addressing the entire range of cyber risks.

Page 17

ISO27001 The Cyber Security Standard

ISO27001 is the basis for all UK infosec standards:
• Government Codes of Connection (CoCo)
• NHS Connecting to N3
• DWP Baseline & Security Plan
• Gambling Commission Compliance

Used as the basis for supplier audits and as a common reference point for laws and regulations.

Certification to ISO27001 provides internationally recognised proof that an organisation has a cyber security strategy.

Page 18

Cyber Resilience Standards

Resilience and business continuity planning for IT systems are fundamental to surviving a cyber attack.

Security defences WILL BE BREACHED, so prepare!

• ISO/IEC 27035 – Information Security Incident Management
• ISO/IEC 27031 – Guidelines for information and communication technology readiness for business continuity
• BS25999 (ISO22301) – Business Continuity Management

Cyber resilience should form part of a wider business resilience strategy and should fit within an organisation’s enterprise risk management framework.

Page 19

7-Step Cyber Security Strategy

1. Secure the cyber perimeter
2. Secure mobile devices beyond the perimeter
3. Secure inbound and outbound comms channels
4. Secure the internal network
5. Train all staff – skills, competence, awareness
6. Develop and test a security incident response plan
7. Adopt and integrate ISO27001, ISO27031 and BS25999 as standards for implementing a cyber resilience management system

Page 20

In Summary

• The threat of cyber attack is pervasive and affects all organisations that use the Internet
• APTs may not affect you, but Serious Organised Crime will
• A Cyber Security Strategy is essential and should be a key part of any business plan
• Use ISO27001 and related standards to implement a cyber resilience management system

Page 21

Further Information

Please download a free Whitepaper:

Cyber Security – A Critical Business Risk, Alan Calder, IT Governance 2011

www.itgovernance.co.uk/cybersecurity-standards.aspx

Includes a full list of references for Standards, Reports and Textbooks

Page 22

Cyber Security: A Critical Business Risk