2. 1. Criminal liability – it's no longer just an IT problem (data security is on the CEO & COO agenda)
2. Severity – it's no longer child's play; now the damage can be real (Clinton emails, Sony hack, Dyn attack, etc.)
3. Compliance – would you pass compliance requirements if your company data is insecure? (Really?)
4. Brand damage – why invest in a brand if its value can be wiped out overnight? (Will you stay / become a TalkTalk customer?)
4. TalkTalk hack: Teen in court on hacking and blackmail charges.
19-year-old from Wales allegedly demanded 596 bitcoins.
5. TalkTalk's share price plunged twice as deep as those of Sony, Carphone Warehouse, Barclays and eBay after their respective cyber attacks.
6. 1. Compliance is not just about regulations – compliance must work hand in hand with the IT, Enterprise Architecture and Security teams.
2. An Architect is not a Developer – companies "save" money by hiring one person as Developer / Architect, which means nobody independently reviews or controls the code. This has to stop!
3. Security is not the SI's responsibility – companies think hiring a System Integrator (SI) will solve all their problems. It won't, because the SI will leave.
4. Beware of Cloud & IoT – don't believe the myths; if you "save" money on "cheap" cloud and IoT, you will be unpleasantly surprised. Very surprised.
7. On Friday 21 October 2016, one of the largest DDoS attacks ever caused a widespread internet outage affecting services such as Twitter, AWS, Reddit, Netflix, Spotify, CNN, PayPal, the NY Times, the WSJ and others.
The attack was directed at Dyn, a DNS provider whose servers translate domain names into IP addresses and so direct web traffic to the affected companies.
The attack involved tens of millions of IP addresses, and customers of the affected sites were unable to reach those services for about two hours.
8. Security firm Flashpoint said it had confirmed that the attack used botnets of devices infected with the Mirai malware. Many of the devices involved came from Chinese manufacturers and shipped with easy-to-guess default usernames and passwords that the user cannot change – the weakness the malware exploited to take them over.
9. 1. Cloud is secure if done right – if it is done in the manner of "hey, we've done something like this before," then your risk is very high.
2. Don't believe your AE (account executive) – many IT deals are done between sales people from the vendor and the business. Don't exclude IT and Security! Ever!
3. The API is the doorway to your company – code means exposure. Use cloud middleware; don't use on-premise middleware "just because you have it".
4. Encryption – if you want to be sure, encrypt. Don't forget that data has three states that each need protecting (at rest, in transit, in use). Be certain which of them you actually cover.
13. 1. Don't trust – think of your data as the key to your office. Would you let anyone walk in?
2. Don't save money – saving money on IT security is like not wearing a seat belt.
3. Don't experiment – you are not Microsoft or Oracle; don't try to outsmart them by doing it "cheaper, your way".
4. Don't be naive – there is a war out there. You are a target; you just don't know it yet.