
NCVO/Zurich webinar: Beyond cyber essentials


Slides from a webinar broadcast on 8 October 2020

Watch the full recording: https://youtu.be/eEoVk_Pzdp0



  1. The live event will begin shortly. All attendees will be muted and cameras disabled. Should you wish to ask a question, please use the Q&A functionality, which is available for you to submit questions now. (NCVO Risk Webinar Series in partnership with Zurich)
  2. Beyond Cyber Essentials. Arunava Banerjee, Cyber Risk Consultant, Zurich Workforce Strategies. This deck is the property of Zurich and should not be reproduced or copied. (NCVO Risk Webinar Series in partnership with Zurich)
  3. “Nothing vast enters the life of mortals without a curse.” ― Sophocles
  4. Agenda (NCVO Risk Webinar Series: Data and Security)
     • 01 Cyber Risk
     • 02 Cyber Risk Mitigation
     • 03 Cyber Essentials
     • 04 Beyond Cyber Essentials
     • 05 Role of Senior Management
     • 06 Q&A and Discussion
  5. 01 Cyber Risks: Perception and Reality
     • In 2019, the Department for Digital, Culture, Media and Sport (DCMS) found that over 44% of charities aren’t protecting themselves from cyber attacks because they simply don’t see themselves as being at risk. (DCMS Cyber Security Breaches Survey 2019)
     • 58% of charities think cybercrime is a major risk to the charity sector. (Preventing Charity Cybercrime: Insights + Action 2019, Charity Commission for England and Wales)
     • This year, 26% of charities reported a cyber breach. (DCMS Cyber Security Breaches Survey 2020)
     • “Charities are not immune to cyber crime. Perpetrators do not distinguish between their victims and charities are as likely to be targeted as private firms or the general public.” Helen Stephenson, Chief Executive, Charity Commission for England and Wales
  6. 01 2019 Cyber Incidents for Charities (chart)
  7. 01 Takeaway Question 1
     1. Are you giving enough attention to identifying cyber risks for your charity?
     • 61% of charities have taken at least some action to identify cyber risks. (DCMS, Cyber Security Breaches Survey 2020)
  8. 01 Why and Who? Threat Vectors
     • Why? Funds; Data (personal, financial, commercial); Intellectual property
     • Who? Cyber criminals; Insiders (malicious and honest); Nation states
  9. 01 How? Cyber Threats
     • Phishing
     • Business Email Compromise
     • DDoS
     • Malware/Ransomware
     • Insider threats
     • Fake charities, websites and ratings
     • Supply chain attack
  10. 01 Takeaway Question 2
     1. Are you giving enough attention to identifying cyber risks for your charity?
     2. Are you aware of all the key dependencies in your supply chain and their cyber maturity?
  11. 02 Cyber Risk Mitigation: Controls. Take a proportionate approach. A systematic way to apply controls is to use a cyber framework:
     • NCSC Small Charity Guide
     • NCSC 10 Steps to Cyber Security
     • NCSC Cyber Assessment Framework
     • NIST Cybersecurity Framework
     • ISO 27001:2013
     • SANS Top 20
     Some independent review and certification options:
     • ISO 27001:2013
     • NIST
     • Cyber Essentials
     • Cyber Essentials Plus
  12. 02 Takeaway Question 3 (recaps questions 1–2)
     3. Are you aware of HM Government’s Cyber Essentials certification?
     • Only 13% of charities are aware of Cyber Essentials and only 16% have heard of the Small Charity Guide. (DCMS, Cyber Security Breaches Survey 2020)
  13. 03 Cyber Essentials: a basic cyber maturity certification backed by HM Government
     • Helps organisations protect themselves against common internet-borne cyber threats.
     • Launched in June 2014 and suitable for all organisations of any size and in any sector.
     The assessment covers 5 technical control themes:
     1. Boundary firewalls and Internet gateways
     2. Secure configuration
     3. User access control
     4. Malware protection
     5. Patch management
     Two levels of certification:
     1. Cyber Essentials: self-assessment
     2. Cyber Essentials Plus: self-assessment plus hands-on technical verification (vulnerability scans) of internet-facing infrastructure/systems
  14. 03 Cyber Essentials Benefits: the first step in the right direction
     • Helps protect against common internet-borne cyber attacks
     • Demonstrates good cyber security practice
     • Provides reassurance to customers, donors, volunteers, vendors, trustees, insurance suppliers and other stakeholders
     • Attracts new donors
     • Enables you to bid for government contracts
     • UK-domiciled organisations with turnover of less than £20 million that achieve either certification are now automatically entitled to cyber liability insurance cover with a £25,000 limit. Cyber insurance details: https://iasme.co.uk/cyber-essentials/cyber-liability-insurance/
  15. 03 Takeaway Question 4 (recaps questions 1–3)
     4. Were you aware of the free cyber insurance option with CE certification?
     • “However, before considering any cyber insurance, you can help protect your organisation by ensuring you have fundamental cyber security safeguards in place, such as those certified by Cyber Essentials, or Cyber Essentials Plus.” (NCSC Cyber Insurance Guidance)
  16. 04 Beyond Cyber Essentials: Tech Talk. Is it enough? If not, then what’s next? CE is not a destination, but the beginning of a journey. Eight themes:
     • Identify and back up critical assets
     • Use a sensible password policy
     • Apply technical protective controls
     • Secure mobile devices
     • Apply encryption
     • Cyber and information governance awareness
     • Mitigate supply chain risk
     • Have some response capability in place
  17. 04 Beyond Cyber Essentials: Identify and Back Up Crown Jewels
     • Identify critical assets (crown jewels): sensitive data, funds, official website, business applications, intellectual property
     • Apply regular backups
     • Test your backup restoration
     • Ensure the backup is in a separate location from the main asset
  18. 04 Takeaway Question 5 (recaps questions 1–4)
     5. What are the top 3 systems which can be considered your crown jewels?
  19. 04 Beyond Cyber Essentials: Longer is stronger
     • Apply a password/PIN to all devices and applications
     • Apply a sensible password policy
     • Enable MFA wherever available
     • MFA for VPN/remote access
     • Disable default passwords
  20. 04 Beyond Cyber Essentials: Patching is the closest thing to a silver bullet in cyber security
     • Separate admin and standard accounts; no email or internet browsing for admin accounts
     • Firewall with the default admin account and unused ports blocked
     • Anti-malware on all systems, scanning automatically and updating regularly
     • Up-to-date OS/software
     • Regular patching
     • Block USB
  21. 04 Beyond Cyber Essentials: Smartphones and tablets are the new normal for business
     • Apply PIN/password/fingerprint/facial recognition
     • Configure remote tracking
     • Automatic updates
     • No connection to public Wi-Fi
     • Encrypt data and device
  22. 04 Beyond Cyber Essentials: Protect your sensitive data with encryption
     • Encrypt mobile devices
     • Encrypt data in transit, especially emails with sensitive information
     • Make sure your business website is encrypted
  23. 04 Beyond Cyber Essentials: Create a cyber-aware workforce. 9 out of 10 data breaches reported to the ICO in 2019 were due to user mistakes.
     • Make users aware of: security policies (passwords, email); HR policies; the Acceptable Use Policy
     • Help users understand how to spot a phishing email
     • Encourage them to report breaches without promoting a blame culture
  24. 04 Takeaway Question 6 (recaps questions 1–5)
     6. Are your users aware of what to do if they send an email with sensitive information to the wrong recipient by mistake?
  25. 04 Beyond Cyber Essentials: Supplier Risk Mitigation
     • List your suppliers, vendors, service providers and anyone else who has access to your systems and data
     • Check how they access your environment
     • Take measures to apply proportionate controls
     • Check whether your supply chain is taking cyber and information governance seriously
     • Ask for security certification
  26. 04 Takeaway Question 7 (recaps questions 1–6)
     7. How many members of your supply chain have Cyber Essentials or a similar cyber certification?
  27. 04 Beyond Cyber Essentials: Not “whether” but “when”
     • Have a cyber incident response plan in place
     • Fire drills: exercise those plans
     • Lessons learnt
  28. 04 Takeaway Question 8 (recaps questions 1–7)
     8. Do you know whom to get in touch with if tomorrow you face a ransomware attack?
  29. 05 Role of Senior Management (DCMS Cyber Security Breaches Survey 2020)
     • At least one person responsible/answerable for cyber governance
     • Ensure cyber risks are captured as part of business risk
     • Ensure senior management support and a regular agenda item in board discussions
     • Participate in incident response exercises
  30. 05 Takeaway Question 9 (recaps questions 1–8)
     9. Is cyber a high priority for your senior management?
  31. Q&A and Discussion. Thank you for your time. Arunava Banerjee, Cyber Risk Consultant, Zurich Insurance PLC. Email: Arunava.Banerjee@uk.zurich.com. Mobile: +44 (0) 7875885387
  32. Vote Now! Which charity will you choose? Please use the QR code or link to the right to select one of the two charities, and Zurich Community Trust will donate £24,000, divided according to the number of tokens (or votes) each charity receives throughout our 2020 calendar of events. You decide! Since 1973 Zurich Community Trust has donated over £90 million to charitable organisations across the UK and overseas. Who decides how the donations are split? Zurich Municipal continues to work with Zurich Community Trust, Zurich’s UK charitable arm, by supporting two charity partners, Dementia UK and Place2Be. With Covid-19, the Trust has increased its support to help them through difficult times as demand for their services has increased whilst income is falling. Dementia UK provides specialist support for families through its Admiral Nurse service, and the children’s mental health charity Place2Be works in schools with pupils, their families and staff. Thank you for your support. bit.ly/3bX4CR6
