
Cybersecurity Risks for Businesses


Michael Johnson of the University of Minnesota shares the cybersecurity risks facing businesses and the measures you should be taking to ensure your company's safety.


  1. Cybersecurity Risks for Small and Mid-Sized Businesses
     Mike Johnson, Renier Chair/Director of Graduate Studies, Security Technologies, Technological Leadership Institute, University of Minnesota. May 3rd, 2019.
     Copyright © 2017. Copyright 2019 TLI. No part of this presentation may be reproduced in any form without prior authorization.
  2. Mike Johnson, Director of Graduate Studies & Honeywell/James J. Renier Chair
     • Master of Science in Security Technologies (MSST) Director of Graduate Studies and Senior Fellow, UMN Technological Leadership Institute
     • Honeywell James J. Renier endowed chair in Security Technologies
     • TLI Faculty – Cyber Security and Cyber Risk Management
     • 26+ years security and risk management experience
     • Chief Information Security Officer/Operations Risk Director – Bremer Bank
     • IT Director & Compliance Officer – DFS, and an FDIC Bank Examiner
     • Fairview Health, UMSA, InfraGard, and Cybersecurity Summit BOD
     • MSST Class of 2011
  3. Risks Beyond Traditional Threats From Malware, Hackers and Online Fraudsters
  4. Cloud, Big Data, & Third Party Services
     • Cloud – SaaS, IaaS, PaaS, etc.
     • AWS and other hosts
     • Products like Salesforce, Workday, LogMeIn, Dropbox
     • Big Data – are you increasing your data collection?
     • Increased data = increased security requirements
     • Having multiple cloud products increases complexity and creates a larger attack surface
     • Do you use other third party services?
     • Do you provide services to other companies?
     • Do you use new and emerging technologies?
  5. Questions For Your Service Provider
     • Who is responsible for security at the vendor?
     • What do you do to secure the environment where my data/applications/systems are?
     • Do you have a security audit and/or penetration test from a third party?
     • How do you fix identified issues?
     • How do you conduct ongoing monitoring activities?
     • What security activities are you responsible for, and what am I responsible for?
  6. Questions For Your Service Provider – Contracts:
     • Breach notification requirement
     • Right to audit
     • Independent assessment requirement
     • Required security expectations
     • What will they pay for after an incident?
     • Establish a non-disclosure agreement
     • Data ownership and right to restrict movement
  7. Ponemon Cost of Data Breach Study
     • Cost per record breached includes the cost of forensic experts, credit monitoring, customer hotline, future product discounts, in-house investigations, communications/notifications, and the cost of lost customers (churn)
     • Industry and country play a big role in costs
     • Company activities before and during a breach also impact costs – Equifax?
  8.–11. Ponemon - 2018 Cost of Data Breach Study (chart slides)
  12. 1,045 SMBs surveyed
      • Less than 100 to 1,000 employees
      • 67% reported a cyber attack, and 58% reported a breach of customer or employee information in the last 12 months (55% and 50% in 2016)
  13.–21. Ponemon – SMB Cyber Security (chart slides)
  22. What Drives Security Efforts?
      • Doing the "Right Thing"
      • Protecting Organization Viability
      • Civil Liability
      • Director Liability
      • National Security
      • Federal Laws
      • International Laws
      • Regulators
  23. Core Concepts
  24. (diagram: Next Gen, SIEM, Change Management)
  25. Standards, Frameworks, and Best Practices?
      • Different than regulations like HIPAA or GLBA
      • A roadmap to an improved security posture
      Examples:
      • Payment Card Industry Data Security Standards (PCI DSS)
      • CIS Top 20 Controls
      • NIST Cybersecurity Framework
      • NIST Small Business Cybersecurity Guidance
  26.–27. Center For Internet Security
      https://www.cisecurity.org/white-papers/cis-controls-implementation-guide-for-industrial-control-systems/
  28. NIST Cybersecurity Framework
      Core table columns: Function and Unique Identifier | Category and Unique Identifier | Subcategory | Informative References
      IDENTIFY (ID)
        Asset Management (AM): Identify and manage the personnel, devices, systems, and facilities that enable the organization to achieve business purposes, including their relative importance to business objectives, in support of effective risk decisions.
          ID.AM-1: Physical devices and systems within the organization are inventoried
            References: ISA 99.02.01 4.2.3.4; COBIT BAI03.04, BAI09.01, BAI09, BAI09.05; ISO/IEC 27001 A.7.1.1, A.7.1.2; NIST SP 800-53 Rev. 4 CM-8; CCS CSC 1
          ID.AM-2: Software platforms and applications within the organization are inventoried
            References: ISA 99.02.01 4.2.3.4; COBIT BAI03.04, BAI09.01, BAI09, BAI09.05; ISO/IEC 27001 A.7.1.1, A.7.1.2; NIST SP 800-53 Rev. 4 CM-8; CCS CSC 2
          …
      PROTECT (PR)
        Awareness and Training (AT): Ensure that organizational personnel and partners are adequately trained to carry out their assigned information security-related duties and responsibilities through awareness and training activities.
          PR.AT-1: General users are informed and trained
            References: ISA 99.02.01 4.3.2.4.2; COBIT APO07.03, BAI05.07; ISO/IEC 27001 A.8.2.2; NIST SP 800-53 Rev. 4 AT-2; CCS CSC 9
          …
      DETECT (DE)
        Detection Processes (DP): Ensure timely and adequate awareness of anomalous events through tested and implemented detection processes and procedures.
          DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
            References: ISA 99.02.01 4.4.3.1; COBIT DSS05.01; NIST SP 800-53 Rev. 4 IR-2, IR-4, IR-8; CCS CSC 5
          …
      RESPOND (RS)
        Mitigation (MI): Conduct activities to prevent expansion of an event, mitigate its effects, and eradicate the incident.
          RS.MI-1: Incidents are contained
            References: ISO/IEC 27001 A.3.6, A.13.2.3; ISA 99.02.01 4.3.4.5.6; NIST SP 800-53 Rev. 4 IR-4
          …
      RECOVER (RC)
        Recovery Planning (RP): Execute Recovery Plan activities to achieve restoration of services or functions
          RC.RP-1: Recovery plan is executed
            References: COBIT DSS02.05, DSS03.04; ISO/IEC 27001 A.14.1.3, A.14.1.4, A.14.1.5
  29.–32. NIST - Small Business Information Security: The Fundamentals – Understand your risk; Safeguard your information (chart slides)
  33.–37. NIST - Small Business Information Security (chart slides)
  38. Assessing your cybersecurity capabilities
      • Identify cybersecurity-related activities that are critical to business strategy and the delivery of critical services;
      • Prioritize investments in managing cybersecurity risk;
      • Assess the effectiveness and efficiency in using cybersecurity standards, guidelines and practices;
      • Evaluate their cybersecurity results; and
      • Identify priorities for improvement.
  39. Assessing Your Cybersecurity Maturity (Krebsonsecurity.com)
      – Who is accountable for your security program?
      – Who takes action on security requirements?
  40.–41. Assessing your cybersecurity capabilities (ISACA.ORG chart slides)
  42. NIST Draft Cybersecurity Self-Assessment Tool
  43. SBA Top Ten Cybersecurity Tips
      1. Protect against viruses, spyware, and other malicious code
         Make sure each of your business's computers is equipped with antivirus software and antispyware, and update them regularly. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically.
      2. Secure your networks
         Safeguard your Internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router.
  44. SBA Top Ten Cybersecurity Tips
      3. Establish security practices and policies to protect sensitive information
         Establish policies on how employees should handle and protect personally identifiable information and other sensitive data. Clearly outline the consequences of violating your business's cybersecurity policies.
      4. Educate employees about cyberthreats and hold them accountable
         Educate your employees about online threats and how to protect your business's data, including safe use of social networking sites. Depending on the nature of your business, employees might be introducing competitors to sensitive details about your firm's internal business. Employees should be informed about how to post online in a way that does not reveal any trade secrets to the public or competing businesses. Hold employees accountable to the business's Internet security policies and procedures.
  45. SBA Top Ten Cybersecurity Tips
      5. Require employees to use strong passwords and to change them often
         Consider implementing multifactor authentication, which requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account.
      6. Employ best practices on payment cards
         Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs, and do not use the same computer to process payments and surf the Internet.
  46. SBA Top Ten Cybersecurity Tips
      7. Make backup copies of important business data and information
         Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud.
      8. Control physical access to computers and network components
         Prevent access to or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
  47. SBA Top Ten Cybersecurity Tips
      9. Create a mobile device action plan
         Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.
      10. Protect all pages on your public-facing websites, not just the checkout and sign-up pages
  48. Leverage your relationships
      • Service Providers and Partners
      • Information Sharing
        – Other similar entities
        – Organizations like InfraGard or ISSA
        – Formal sharing organizations
        – Your network of security-minded peers
        – Lists and bulletins from reputable sources
      • Take advantage of training opportunities and make time to share learnings – it's an investment
      • Insurance company – Cyber Insurance
      • Consultants and Auditors
  49. Balancing Resources for Security
      • Security can't trump service delivery
      • How mature is your process?
        – Considerations for resource availability
        – Projects designed to do it right the first time rather than fix it later
        – Benchmarks and metrics to support resource needs
        – New functionality is considered with security impact PRIOR to implementation
      • If you don't have the expertise, consider outsourcing
        – Managed services or consultants
        – Cloud isn't necessarily bad (anymore…)
      • Build relationships with other similar organizations
        – Conduct joint training exercises
        – Share threat and incident information with your peers
  50. Top Risks and Best Practices
      • Plan for security from the beginning
        – Design it in, don't bolt it on
      • Knowing what is important and where it is
        – Inventories and prioritized controls
      • Identify the threats and risks
        – Who wants our "stuff" and how can they get it?
      • Is someone accountable for security?
        – Do they have the tools and resources to be effective?
  51. Top Risks and Best Practices
      • Ransomware
        – Backups, AV/malware protection and education
      • No perimeter
        – Mobile devices, cloud apps, service providers
      • Service providers
        – Outsource where necessary but keep accountability
      • Is everyone aware?
        – Phishing, malware, bad behaviors, etc.
  52. Top Risks and Best Practices
      • Email and Internet risks
        – Phishing, malware downloads, bad behaviors
      • Architecture design and systems administration
        – Plan for security and pay attention to the important stuff
      • Find a trusted partner/expert to help
        – Focus on your core competencies, but get the help you need
  53. SMB Cybersecurity Resources
      NIST Cybersecurity for Small Businesses
      • http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
      National Cyber Security Alliance – CyberSecure My Business
      • https://staysafeonline.org/cybersecure-business/
      • https://staysafeonline.org/event_category/cybersecure-my-business/
      SBA Cybersecurity Page and Cybersecurity Online Training
      • https://www.sba.gov/managing-business/cybersecurity
      • https://www.sba.gov/tools/sba-learning-center/training/cybersecurity-small-businesses
      FCC Cybersecurity Page and Cyber Planner tool
      • https://www.fcc.gov/general/cybersecurity-small-business
      • https://www.fcc.gov/cyberplanner
      Stop, Think, Connect for small businesses
      • https://www.dhs.gov/publication/stopthinkconnect-small-business-resources
      US-CERT Resources for Small and Midsized businesses
      • https://www.us-cert.gov/ccubedvp/smb
  54. WHO IS TLI – OUR STORY
      • Established in 1987 with an endowment from Honeywell Foundation
      • Three M.S. degree programs: MDI, MOT & MSST
      • Short courses & seminars
      • 1300 degree program graduates
      • Five endowed chairs
      • 60+ faculty
  55. OUR MISSION
      TLI's mission is to develop local and global leaders for technology-intensive enterprises, and to empower executives and leaders in their strategic vision to leverage technology to drive business development.
  57. MSST BY DESIGN: BECOME A THREAT EXPERT
      • Understand risk
      • Identify risk
      • Mitigate risk
      • Integrate tools
      • Apply tools and process to address the risk
