Protection Beyond Compliance:
Effective Cyber Security Risk Management
Speaking with you today
Vikas Bhatia – CEO & ERA
Vikas is the founder, CEO and Executive Risk Adviser at Kalki. He has 18+ years' experience, obtained serving local, regional and global clients in the outsourcing, consulting and regulatory domains, enabling him to enhance any organization's Information Security Management System (ISMS).
He is a Certified Chief Information Security Officer (C|CISO), Certified Information Systems Security Professional (CISSP), and Certified Information Privacy Professional (CIPP).
Risk = Likelihood x Impact
How is everything connected?
Where are we least prepared?
Finding 1: It took the Target breach to get the board's attention.
What brings your attention to cybersecurity? What influences the way you feel about cybersecurity?
Target Attack Timeline
Finding 2: Board members may be overly confident about the effectiveness of their cybersecurity governance practices and often rate the effectiveness of these programs much higher than IT security professionals do.
Let's talk about how you feel about this finding and how it relates to you and your role within VFCU.
Perceived Effectiveness of Cybersecurity Governance Practices
Finding 3: Board members admit their knowledge about cybersecurity is limited.
How can we work to improve your understanding of cybersecurity issues and risk levels?
Perceived Knowledge about Cybersecurity
Incident Classification Patterns
Finding 4: Board members may not be receiving information and briefings about cyber attacks and data breaches affecting their organization.
Do you feel you are receiving enough information on data security and data breaches to help grow your knowledge and understanding of cyber threats?
Board Knowledge of Breaches
Breach Discovery Methods
Finding 5: IT security professionals are skeptical of their board's understanding of cybersecurity risks.
Technology and strategic management often have trouble seeing eye to eye on cybersecurity readiness and needs. How can we get everyone speaking the same language?
Board vs. IT Perceptions
Survey
Technology Outages
Q: Who from your organization is responsible for handling technology outages?
A: CEO or IT Team
Q: How confident are you in that person's ability to respond to those outages?
A: Somewhat - Very Confident
Q: How confident are you in your company's ability to recover from such an incident?
A: Somewhat - Very Confident
Handling a Breach
Q: Who from your organization is responsible for handling and responding to unauthorized disclosure of information or a breach?
A: CEO
Q: How confident are you in that person's ability to respond to such an unauthorized disclosure?
A: Somewhat - Very Confident
Q: How confident are you in your company's ability to recover from such an incident?
A: Somewhat - Very Confident
What's important to Credit Unions? Serving the member.
Reputation, Service, Stability, Trust, Innovation, Engagement, Dedication, Value, Growth
Strategic Drivers
Revenue
A Credit Union's revenue is driven by the trust of its members. The loss of even a small percentage of membership due to loss of trust would result in significant financial loss.
Operations
The day-to-day operation of branches is vital. Members expect 24x7 access to funds and rely on branches to be operational. Operational downtime incurs significant costs, including productivity costs, costs of restoring service or funds, and costs due to lost membership.
Reputation
Credit Unions pride themselves on their reputation among members and rely on that reputation to retain and grow their membership. The impact of a breach on that reputation would be detrimental. A focus on SecurITy will provide a key differentiator to improve member trust and build reputation.
Compliance
The NCUA compliance framework was designed in 2006, provides very little guidance and represents a minimum standard. Outdated compliance standards do not keep pace with current threats and are not sufficient to protect member data.
Mission: to best serve members.
What’s important to your
Credit Union?
Do we walk the walk?
Ranking
Area 1 2 3 4
Reputation 6 2 3 1
Revenue 1 1 2 8
Operations 2 5 4 1
Compliance 4 4 3 1
Sample priority ranking by a previous Credit Union client. Does this look familiar?
An over-focus on compliance may not support the objective of serving the member community.
What are we protecting? … Our Members!
Protection is not: Technical SecurITy; Physical SecurITy
How do we protect it?
SecurITy Direction, Incident Management, Business Continuity, Technical SecurITy, Compliance, Access Control, Physical SecurITy, Operations SecurITy, 3rd Party SecurITy, Organization of SecurITy, Human SecurITy, Asset Management
How are we measuring what we're doing?
The Capability Maturity Model Integration (CMMI) will be used to measure our journey.
Maturity levels (level, name, definition):
Level 0 (Non-existent): Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.
Level 1 (Initial / Ad Hoc): There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.
Level 2 (Repeatable but Intuitive): Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.
Level 3 (Defined Process): Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
Level 4 (Managed and Measurable): Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
Level 5 (Optimized): Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modelling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
Sample Client: What are they doing now?
Score per SecurITy domain:
Incident Management (2)
Business Continuity (3)
Technical SecurITy (1)
Compliance (3)
Access Control (3)
Physical SecurITy (3)
SecurITy Policies (1)
Human SecurITy (2)
Operations SecurITy (1)
Sample Client: How well are they doing the things they are doing?
(Chart over the domains Incident Management, Business Continuity, Technical SecurITy, Compliance, Access Control, Physical SecurITy, SecurITy Direction, Human SecurITy, Operations SecurITy.)
Sample Client: What's the bigger picture?
(Chart over the same domains.)
So What…
Scenario A: Breach
Remediation Costs: Total number of records x $154 per record*
Additional Impact:
• Reputational impact
• Additional productivity impacts
• Cost of remediation
*Ponemon Institute: average cost of breach remediation is $145 per record
Example: 15,000 members x $154 per record* = $2,310,000
Cyber Insurance: Incident Response Responsibilities
Do you know which stages of the incident response process your company is responsible for handling vs. your insurance company?
Do you have a written, tested and functional incident response process in place?
Cyber Insurance: Internal Security Controls
Did you know that your insurance provider can refuse to pay out if you aren't taking preventative measures?
Do you know all the cyber security program elements you are expected to have in place?
Cyber Insurance: Payout and Expectations
What are your policy's max and average payouts? Does either one of those numbers cover the cost of the breach estimated earlier?
Do you know what you are expected to provide, and when to provide it, when notifying your cyber insurance of a problem? Do you have these expectations built into your company's internal processes?
$$$
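The breach estimate from Scenario A and the payout questions above, worked through as an added example (this is not code from the original deck or from Kalki). The per-record figure and the 15,000-member example are taken from the slides; the policy max and average payouts, and the additional-impact amounts, are assumptions labelled as such, and the model shows how far a policy falls short of the estimated cost at each payout level.

```python
"""Breach cost vs. cyber insurance payout: added worked example.

Assumed inputs are marked in comments; only the $154 per-record figure and
the 15,000-record example come from the slides.
"""
from dataclasses import dataclass, field


@dataclass
class BreachEstimate:
    """Cost model from Scenario A: records x cost per record, plus extras."""
    records: int
    cost_per_record: float = 154.0  # figure used on the slide
    # Constructed, named buckets for the "Additional Impact" bullets
    # (reputational, productivity, remediation); amounts are assumptions.
    additional_costs: dict = field(default_factory=dict)

    def remediation_cost(self) -> float:
        return self.records * self.cost_per_record

    def total_cost(self) -> float:
        return self.remediation_cost() + sum(self.additional_costs.values())


@dataclass
class CyberPolicy:
    """Two numbers the slide asks you to know: max and average payout."""
    max_payout: float
    average_payout: float


def coverage_gap(estimate: BreachEstimate, policy: CyberPolicy) -> dict:
    """Uncovered exposure in the best case (policy max) and the typical case
    (average payout). A payout larger than the cost leaves a gap of zero."""
    total = estimate.total_cost()
    return {
        "total_cost": total,
        "gap_at_max": max(0.0, total - policy.max_payout),
        "gap_at_average": max(0.0, total - policy.average_payout),
        "covered_at_max": total <= policy.max_payout,
        "covered_at_average": total <= policy.average_payout,
    }


def describe(result: dict) -> str:
    """One-line summary suitable for a board briefing."""
    return (
        f"estimated cost ${result['total_cost']:,.0f}; "
        f"uncovered at policy max ${result['gap_at_max']:,.0f}; "
        f"uncovered at average payout ${result['gap_at_average']:,.0f}"
    )


if __name__ == "__main__":
    # Slide example: 15,000 members at $154 per record.
    base = BreachEstimate(records=15_000)
    # Assumed policy figures (not from the deck).
    policy = CyberPolicy(max_payout=2_000_000, average_payout=500_000)
    print(describe(coverage_gap(base, policy)))

    # Same breach with assumed additional-impact amounts added.
    with_extras = BreachEstimate(
        records=15_000,
        additional_costs={"reputational": 100_000, "productivity": 40_000},
    )
    print(describe(coverage_gap(with_extras, policy)))
```

The two printed lines make the slide's point concrete: with the assumed policy, even the maximum payout leaves part of the remediation cost uncovered, and the average payout leaves most of it. Swap in the real policy numbers and record count to get the figure for your own institution.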
Scenario B: Downtime due to system outage
Productivity Costs: $ amount per day in salary costs
Additional Impact:
• Reputational impact
• Additional productivity impacts
• Cost of remediation
Scenario C: Malware outbreak
Numbers and costs based on actual malware incidents at a 150-employee financial firm in NY.
Incident 1: Pre-SecurITy (June 2014)
• 100% of the firm's users affected
• Lost productivity totaled approx. 3,600 hours
• Approx. 145 hours combined (internal IT team and vendors) spent on clean-up
• Total outbreak cost: approx. $325,000
Incident 2: Mid-SecurITy Implementation (June 2015)
• 5% of the firm's users affected
• Lost productivity totaled approx. 255 hours
• Approx. 96 hours combined (internal IT team and vendors) spent on clean-up
• Total outbreak cost: approx. $25,000
Difference (Incident 1 vs. Incident 2): 95% fewer users affected; 3,345 fewer lost productivity hours; 49 fewer clean-up hours; $300,000 lower outbreak cost
Opportunities
Where should we start?
Education: Target your weakest links ASAP!
TEST
Regularly test your employees to see how they behave! Run regular 3rd party Phishing & Social Engineering Testing to practice the real thing and see how they respond. Conduct a recurring Security Awareness Survey to measure the culture around security and gauge the level of employee knowledge.
TEACH
Provide interactive training on security that's geared toward educating even the non-technical employees at your company. Use a variety of instructor-led and digital methods. Make sure your trainers are ready to teach employees WHY they should care and how to protect both themselves and the company.
TRACK
Measure your success and adjust accordingly. Track key metrics including participation. Use the methods in the TEST section to regularly benchmark where your employees fall and measure improvements in the results. Make adjustments and improvements over time to mature your education program.
DIY Resources
• Beginner's Guide to Data Classification
• SecurITy Checklist for Executives
• Project Initiation Form Template
• Risk Register Template
Questions?
protected@kalkiconsulting.com
www.kalkiconsulting.com
1.855.GO.KALKI
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

Credit Union Cyber Security

  • 1. Protection Beyond Compliance: Effective Cyber Security Risk Management
  • 2. Speaking with you today: Vikas Bhatia – CEO & ERA. Vikas is the founder, CEO and Executive Risk Adviser at Kalki. He has 18+ years’ experience, obtained serving local, regional & global clients in the outsourcing, consulting, and regulatory domains, enabling him to enhance any organization’s Information Security Management System (ISMS). He is a Certified Chief Information Security Officer (C|CISO), Certified Information Systems Security Professional (CISSP), and Certified Information Privacy Professional (CIPP).
  • 3. Risk = Likelihood x Impact
  • 4. How is everything connected?
  • 5. Where are we least prepared?
  • 6. Finding 1: It took the Target breach to get the board’s attention. What brings your attention to cybersecurity? What influences the way you feel about cybersecurity?
  • 8. Finding 2: Board members may be overly confident about the effectiveness of their cybersecurity governance practices and often rate the effectiveness of these programs much higher than IT security professionals do. Let’s talk about how you feel about this finding and how this relates to you and your role within VFCU.
  • 9. Perceived Effectiveness of Cybersecurity Governance Practices
  • 10. Finding 3: Board members admit their knowledge about cybersecurity is limited. How can we work to improve your understanding of cybersecurity issues and risk levels?
  • 11. Perceived Knowledge about Cybersecurity
  • 13. Finding 4: Board members may not be receiving information and briefings about cyber attacks and data breaches affecting their organization. Do you feel you are receiving enough information on data security and data breaches to help grow your knowledge and understanding of cyber threats?
  • 14. Board Knowledge of Breaches
  • 16. Finding 5: IT security professionals are skeptical of their board’s understanding about cybersecurity risks. Technology and strategic management often have trouble seeing eye-to-eye on cybersecurity readiness and needs. How can we get everyone speaking the same language?
  • 17. Board vs. IT Perceptions
  • 18. Survey
     Technology Outages
     Who from your organization is responsible for handling technology outages? CEO or IT Team
     How confident are you in that person’s ability to respond to those outages? Somewhat to Very Confident
     How confident are you in your company’s ability to recover from such an incident? Somewhat to Very Confident
     Handling a Breach
     Who from your organization is responsible for handling and responding to unauthorized disclosure of information or a breach? CEO
     How confident are you in that person’s ability to respond to such an unauthorized disclosure? Somewhat to Very Confident
     How confident are you in your company’s ability to recover from such an incident? Somewhat to Very Confident
  • 19. What’s important to Credit Unions? Serving the member, reputation, service, stability, trust, innovation, engagement, dedication, value, growth.
  • 20. Strategic Drivers. Mission: to best serve members.
     Revenue: A Credit Union’s revenue is driven by the trust of its members. The loss of even a small percentage of membership due to loss of trust would result in significant financial loss.
     Operations: The day-to-day operations of branches are vital. Members expect 24x7 access to funds and rely on branches to be operational. Operational downtime incurs significant costs, including productivity costs, costs of restoring service or funds, and costs due to lost membership.
     Reputation: Credit Unions pride themselves on their reputation among members and rely on that reputation to retain and grow their membership. The impact of a breach on that reputation would be detrimental. A focus on SecurITy provides a key differentiator to improve member trust and build reputation.
     Compliance: The NCUA compliance framework, designed in 2006, provides very little guidance and represents a minimum standard. Outdated compliance standards do not keep pace with current threats and are not sufficient to protect member data.
  • 21. What’s important to your Credit Union?
  • 22. Do we walk the walk? Sample priority ranking by a previous Credit Union client:
        Area         Rank 1  Rank 2  Rank 3  Rank 4
        Reputation      6       2       3       1
        Revenue         1       1       2       8
        Operations      2       5       4       1
        Compliance      4       4       3       1
     Does this look familiar? An over-focus on compliance may not support the objective of serving the member community.
  • 23. What are we protecting? … Our Members!
  • 25. How do we protect it? SecurITy Direction, Incident Management, Business Continuity, Technical SecurITy, Compliance, Access Control, Physical SecurITy, Operations SecurITy, 3rd Party SecurITy, Organization of SecurITy, Human SecurITy, Asset Management.
  • 26. How are we measuring what we’re doing? A six-level maturity scale will be used to measure our journey; the level names and definitions below are those of the COBIT 4.1 generic maturity model, which was derived from the Capability Maturity Model (CMM).
     Level 0, Non-existent: Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.
     Level 1, Initial / Ad Hoc: There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.
     Level 2, Repeatable but Intuitive: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.
     Level 3, Defined Process: Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
     Level 4, Managed and Measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
     Level 5, Optimized: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modelling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
  • 27. Sample Client: What are they doing now? Incident Management, Business Continuity, Technical SecurITy, Compliance, Access Control, Physical SecurITy, SecurITy Direction, Human SecurITy, Operations SecurITy.
  • 28. Sample Client: How well are they doing the things they are doing? (Maturity level per the scale on slide 26.) Incident Management (2), Business Continuity (3), Technical SecurITy (1), Compliance (3), Access Control (3), Physical SecurITy (3), SecurITy Policies (1), Human SecurITy (2), Operations SecurITy (1).
  • 29. Sample Client: What’s the bigger picture? Incident Management, Business Continuity, Technical SecurITy, Compliance, Access Control, Physical SecurITy, SecurITy Direction, Human SecurITy, Operations SecurITy.
  • 31. Scenario A: Breach Remediation Costs. Total number of records x $154 per record*. Additional impact: reputational impact; additional productivity impacts; cost of remediation. Example: 15,000 members x $154 per record* = $2,310,000. *Ponemon Institute: average cost of breach remediation is $154 per record.
  • 32. Cyber Insurance: Incident Response Responsibilities Do you know which stages of the incident response process your company is responsible for handling vs. your insurance company? Do you have a written, tested and functional incident response process in place?
  • 33. Cyber Insurance: Internal Security Controls Did you know that your insurance provider can refuse to pay out if you aren’t taking preventative measures? Do you know all the cyber security program elements you are expected to have in place?
  • 34. Cyber Insurance: Payout and Expectations. What are your policy’s maximum and average payouts? Does either of those numbers cover the cost of the breach estimated earlier? Do you know what you are expected to provide, and when, when notifying your cyber insurer of a problem? Do you have these expectations built into your company’s internal processes?
  • 35. Scenario B: Downtime due to system outage. Productivity costs: $ amount per day in salary costs. Additional impact: reputational impact; additional productivity impacts; cost of remediation.
  • 36. Scenario C: Malware outbreak. Numbers and costs based on actual malware incidents at a 150-employee financial firm in NY.
     Incident 1: Pre-SecurITy (June 2014). 100% of the firm’s users affected; lost productivity totaled approx. 3,600 hours; approx. 145 hours combined (internal IT team and vendors) spent on clean-up; total outbreak cost approx. $325,000.
     Incident 2: Mid-SecurITy Implementation (June 2015). 5% of the firm’s users affected; lost productivity totaled approx. 255 hours; approx. 96 hours combined (internal IT team and vendors) spent on clean-up; total outbreak cost approx. $25,000.
     Difference: 95% fewer users affected; 3,345 fewer hours of lost productivity; 49 fewer clean-up hours; $300,000 lower outbreak cost.
  • 38. Where should we start?
  • 39. Education: Target your weakest links ASAP!
     TEST: Regularly test your employees to see how they behave. Run regular 3rd-party phishing and social engineering testing to practice the real thing and see how they respond. Conduct a recurring Security Awareness Survey to measure the culture around security and gauge the level of employee knowledge.
     TEACH: Provide interactive training on security that’s geared toward educating even the non-technical employees at your company. Use a variety of instructor-led and digital methods. Make sure your trainers are ready to teach employees WHY they should care and how to protect both themselves and the company.
     TRACK: Measure your success and adjust accordingly. Track key metrics, including participation. Use the methods in the TEST section to regularly benchmark where your employees fall and measure improvements in the results. Make adjustments and improvements over time to mature your education program.
  • 40. DIY Resources: Beginner’s Guide to Data Classification; SecurITy Checklist for Executives; Project Initiation Form Template; Risk Register Template.