Cybersecurity Risks for Businesses

Cybersecurity Risks for Small and
Mid-Sized Businesses
Mike Johnson
Renier Chair/Director of Graduate Studies, Security Technologies
Technological Leadership Institute
University of Minnesota
May 3rd, 2019
Copyright © 2017 No part of this presentation may be reproduced in any
form without prior authorization.
Copyright 2019 TLI. No part of this presentation may be
reproduced in any form without prior authorization.

• Master of Science in Security Technologies (MSST) Director of Graduate
Studies and Senior Fellow, UMN Technological Leadership Institute
• Honeywell James J. Renier endowed chair in Security Technologies
• TLI Faculty – Cyber Security and Cyber Risk Management
• 26+ Years security and risk management experience
• Chief Information Security Officer/Operations Risk Director – Bremer Bank
• IT Director & Compliance Officer – DFS, and an FDIC Bank Examiner
• Fairview Health, UMSA, InfraGard, and Cybersecurity Summit BOD
• MSST Class of 2011
Mike Johnson
DirectorofGraduateStudies&Honeywell/JamesJ.RenierChair

Risks Beyond
Traditional Threats
From Malware,
Hackers and Online
Fraudsters

Cloud, Big Data, & Third Party Services
• Cloud - SAAS, IAAS, PAAS, etc.
• AWS and other hosts
• Products like Salesforce, Workday, LogMeIn, Dropbox
• Big Data – are you increasing your data collection?
• Increased data = increased security requirements
• Having multiple cloud products increases
complexity and creates a larger attack surface
• Do you use other third party services?
• Do you provide services to other companies?
• Do you use new and emerging technologies?

Questions For Your Service Provider
• Who is responsible for security at the vendor?
• What do you do to secure the environment where
my data/applications/systems are?
• Do you have a security audit and/or penetration
test from a third party?
• How do you fix identified issues
• How do you conduct ongoing monitoring activities
• What security activities are you responsible for
and what am I responsible for?

Questions For Your Service Provider
Contracts:
• Breach notification requirement
• Right to Audit
• Independent assessment requirement
• Required security expectations
• What will they pay for after an incident
• Establish Non-disclosure agreement
• Data ownership and right to restrict movement

Ponemon
Cost of Data Breach Study
• Cost per record breached includes
cost of forensic experts, credit
monitoring, customer hotline, future
product discounts, in-house
investigations,
communications/notifications, and
cost of lost customers (churn)
• Industry and country play a big role in
costs
• Company activities before and during
a breach also impact costs – Equifax?

Ponemon - 2018 Cost of Data Breach Study

• 1,045 SMBs surveyed
• Less than 100 to 1,000
employees
• 67% reported a cyber attack, and
58% reported a breach of
customer or employee
information in the last 12 months
55% and 50% in 2016

Ponemon – SMB Cyber Security

What Drives Security Efforts?
• Doing the ”Right Thing”
• Protecting Organization Viability
• Civil Liability
• Director Liability
• National Security
• Federal Laws
• International Laws
• Regulators

Core Concepts

, Next Gen
, SIEM
, Change Management

Standards, Frameworks, and Best Practices?
• Different than regulations like HIPAA or GLBA
• A Roadmap to improved security posture
Examples:
• Payment Card Industry Data Security Standards (PCI
DSS)
• CIS Top 20 Controls
• NIST Cybersecurity Framework
• NIST Small Business Cybersecurity Guidance

Center For Internet Security
https://www.cisecurity.org/white-papers/cis-controls-
implementation-guide-for-industrial-control-systems/

Function and
Unique
Identifier
Category and Unique Identifier Subcategory Informative References
IDENTIFY
(ID)
Asset Management (AM): Identify
and manage the personnel, devices,
systems, and facilities that enable the
organization to achieve business
purposes, including their relative
importance to business objectives, in
support of effective risk decisions.
ID.AM-1: Physical devices and
systems within the organization are
inventoried
 ISA 99.02.01 4.2.3.4
 COBIT BAI03.04, BAI09.01,
BAI09, BAI09.05
 ISO/IEC 27001 A.7.1.1, A.7.1.2
 NIST SP 800-53 Rev. 4 CM-8
CSC1
ID.AM-2: Software platforms and
applications within the organization
are inventoried
 ISA 99.02.01 4.2.3.4
 COBIT BAI03.04, BAI09.01,
BAI09, BAI09.05
 ISO/IEC 27001 A.7.1.1, A.7.1.2
 NIST SP 800-53 Rev. 4 CM-8
 CCS CSC 2
… …
… … …
PROTECT
(PR)
Awareness and Training (AT):
Ensure that organizational personnel
and partners are adequately trained to
carry out their assigned information
security-related duties and
responsibilities through awareness
and training activities.
PR.AT-1: General users are
informed and trained
 ISA 99.02.01 4.3.2.4.2
 COBIT APO07.03, BAI05.07
 ISO/IEC 27001 A.8.2.2
 NIST SP 800-53 Rev. 4 AT-2
 CCS CSC 9
… …
… … …
DETECT
(DE)
Detection Processes (DP): Ensure
timely and adequate awareness of
anomalous events through tested and
implemented detection processes and
procedures.
DE.DP-1: Roles and responsibilities
for detection are well defined to
ensure accountability
 ISA 99.02.01 4.4.3.1
 COBIT DSS05.01
 NIST SP 800-53 Rev 4 IR-2,
IR-4, IR-8
 CCS CSC 5
… …
… … …
RESPOND
(RS)
Mitigation (MI): Conduct activities
to prevent expansion of an event,
mitigate its effects, and eradicate the
incident.
RS.MI-1: Incidents are contained  ISO/IEC 27001 A.3.6, A.13.2.3
 ISA 99.02.01 4.3.4.5.6
 NIST SP 800-53 Rev. 4 IR-4
… …
… … …
RECOVER
(RC)
Recovery Planning (RP): Execute
Recovery Plan activities to achieve
restoration of services or functions
RC.RP-1: Recovery plan is executed  COBIT DSS02.05, DSS03.04
 ISO/IEC 27001 A.14.1.3,
A.14.1.4, A.14.1.5
NIST Cybersecurity Framework

NIST - Small Business Information Security:
The Fundamentals
Understand your risk
Safeguard your information

The Fundamentals
Safeguard your information

The Fundamentals

NIST - Small Business Information Security

Assessing your cybersecurity capabilities
• Identify cybersecurity-related activities that are critical to
business strategy and the delivery of critical services;
• Prioritize investments in managing cybersecurity risk;
• Assess the effectiveness and efficiency in using
cybersecurity standards, guidelines and practices;
• Evaluate their cybersecurity results; and
• Identify priorities for improvement.

Assessing Your Cybersecurity Maturity
Krebsonsecurity.com
- Who is accountable for your security program?
- Who takes action on security requirements?

Copyright © 2017 No part of this presentation
ISACA.ORG
may be reproduced in any

Assessing your cybersecurity capabilities
ISACA.ORG

NIST Draft Cybersecurity Self-Assessment Tool

SBA Top Ten Cybersecurity Tips
1. Protect against viruses, spyware, and other malicious code
Make sure each of your business’s computers are equipped with antivirus
software and antispyware and update regularly. Such software is readily
available online from a variety of vendors. All software vendors regularly
provide patches and updates to their products to correct security problems
and improve functionality. Configure all software to install updates
automatically.
2. Secure your networks
Safeguard your Internet connection by using a firewall and encrypting
information. If you have a Wi-Fi network, make sure it is secure and hidden.
To hide your Wi-Fi network, set up your wireless access point or router so it
does not broadcast the network name, known as the Service Set Identifier
(SSID). Password protect access to the router.

3. Establish security practices and policies to protect sensitive
information
Establish policies on how employees should handle and protect personally
identifiable information and other sensitive data. Clearly outline the
consequences of violating your business’s cybersecurity policies.
4. Educate employees about cyberthreats and hold them
accountable
Educate your employees about online threats and how to protect your
business’s data, including safe use of social networking sites. Depending on
the nature of your business, employees might be introducing competitors to
sensitive details about your firm’s internal business. Employees should be
informed about how to post online in a way that does not reveal any trade
secrets to the public or competing businesses. Hold employees accountable
to the business’s Internet security policies and procedures.

5. Require employees to use strong passwords and to change
them often
Consider implementing multifactor authentication that requires additional
information beyond a password to gain entry. Check with your vendors that
handle sensitive data, especially financial institutions, to see if they offer
multifactor authentication for your account.
6. Employ best practices on payment cards
Work with your banks or card processors to ensure the most trusted and
validated tools and anti-fraud services are being used. You may also have
additional security obligations related to agreements with your bank or
processor. Isolate payment systems from other, less secure programs and do
not use the same computer to process payments and surf the Internet.

7. Make backup copies of important business data and
information
Regularly backup the data on all computers. Critical data includes word
processing documents, electronic spreadsheets, databases, financial files,
human resources files, and accounts receivable/payable files. Backup data
automatically if possible, or at least weekly, and store the copies either
offsite or on the cloud.
8. Control physical access to computers and network
components
Prevent access or use of business computers by unauthorized individuals.
Laptops can be particularly easy targets for theft or can be lost, so lock them
up when unattended. Make sure a separate user account is created for each
employee and require strong passwords. Administrative privileges should
only be given to trusted IT staff and key personnel.

9. Create a mobile device action plan
Mobile devices can create significant security and management challenges,
especially if they hold confidential information or can access the corporate
network.. Require users to password protect their devices, encrypt their
data, and install security apps to prevent criminals from stealing information
while the phone is on public networks. Be sure to set reporting procedures
for lost or stolen equipment.
10. Protect all pages on your public-facing websites, not just the
checkout and sign-up pages

Leverage your relationships
• Service Providers and Partners
• Information Sharing
– Other similar entities
– Organizations like InfraGard or ISSA
– Formal Sharing organizations
– Your network of security minded peers
– Lists and bulletins from reputable sources
• Take advantage of training opportunities and make time
to share learnings – it’s an investment
• Insurance company – Cyber Insurance
• Consultants and Auditors

Balancing Resources for Security
• Security can’t trump service delivery
• How mature is your process
– Considerations for resource availability
– Projects designed to do it right the first time rather than fix it later
– Benchmarks and metrics to support resource needs
– New functionality is considered with security impact PRIOR to
implementation
• If you don’t have the expertise, consider outsourcing
– Managed services or consultants
– Cloud isn’t necessarily bad (anymore…)
• Build relationships with other similar organizations
– Conduct joint training exercises
– Share threat and incident information with your peers

• Plan for security from the beginning
– Design it in, don’t bolt it on
• Knowing what is important and where it is
– Inventories and prioritized controls
• Identify the threats and risks
– Who wants our “stuff” and how can they get it
• Is someone accountable for security?
– Do they have the tools and resources to be
effective?
Top Risks and Best Practices

• Ransomware
– Backups, AV/Malware protection and
education
• No perimeter
– Mobile devices, cloud apps, service providers
• Service providers
– Outsource where necessary but keep
accountability
• Is everyone aware?
– Phishing, malware, bad behaviors, etc.

• Email and Internet risks
– Phishing, malware downloads, bad behaviors
• Architecture design and systems
administration
– Plan for security and pay attention to the
important stuff
• Find a trusted partner/expert to help
– Focus on your core competencies, but get the
help you need

SMB Cybersecurity Resources
NIST Cybersecurity for Small Businesses
• http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
National Cyber Security Alliance – CyberSecure My Business
• https://staysafeonline.org/cybersecure-business/
• https://staysafeonline.org/event_category/cybersecure-my-business/
SBA Cybersecurity Page and Cybersecurity Online Training
• https://www.sba.gov/managing-business/cybersecurity
• https://www.sba.gov/tools/sba-learning-center/training/cybersecurity-small-
businesses
FCC Cybersecurity Page and Cyber Planner tool
• https://www.fcc.gov/general/cybersecurity-small-business
• https://www.fcc.gov/cyberplanner
Stop, Think, Connect for small businesses
• https://www.dhs.gov/publication/stopthinkconnect-small-business-resources
US-CERT Resources for Small and Midsized businesses
• https://www.us-cert.gov/ccubedvp/smb

WHO IS TLI -OUR STORY
• Establishedin1987withan
endowmentfromHoneywell
Foundation
• ThreeM.S.degreeprograms;
MDI,MOT&MSST
• Shortcourses&seminars
• 1300degreeprogram
graduates
• Fiveendowedchairs
• 60+faculty

OUR
MISSION
TLI’s mission is to develop local and global
leaders for technology-intensive enterprises,
and to empower executives and leaders in their
strategic vision to leverage technology to drive
business development.

MSSTBY DESIGN:BECOME ATHREATEXPERT
• Understandrisk
• Identifyrisk
• Mitigaterisk
• Integratetools
• Applytoolsandprocess
toaddresstherisk

Cybersecurity Risks for Businesses

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cybersecurity Risks for Businesses

Similar to Cybersecurity Risks for Businesses (20)

More from Alex Rudie

More from Alex Rudie (20)

Recently uploaded

Recently uploaded (20)

Cybersecurity Risks for Businesses