
Cyber Security and the CEO


This is a presentation I gave for the UQ Business School (in conjunction with Stan Gallo of KPMG) at the Urbane Restaurant to a group of Queensland CEO/C-Suite people. These dinners are part of UQ's engagement with the business community - a relationship we value. This engagement ensures we don't get all locked up in our ivory tower.

Published in: Business

  1. WELCOME. UQ Business School. Dr Micheal Axelsen, Lecturer, UQ Business School.
  3. KEY MESSAGES
     Most cyber security incidents can be addressed with simple strategies. No matter what is done, there is always residual risk. Cyber security is a business problem that needs business solutions. Businesses need to think about the future.
  4. WHO IS AT RISK OF CYBER ATTACK?
     • Some industries are targets (health sector, finance), and also people on a ‘sucker list’ (Everett 2016)
     • Those without strong IT practices: using unpatched or out-of-support Windows, or with no off-line data backups (Australian Signals Directorate 2017)
     • Consequently – low budgets, few trained IT people, no strong backup approach
     • Also, no strong ‘Should I click on that?’ culture, and of course ineffective responsible-use policies for email and internet, and no spam filtering
  5. WE ALREADY KNOW WHAT TO DO
     We know what to do to prevent, limit, and recover from cyber security incidents. The ‘Top 4’ strategies alone mitigate over 85% of adversary techniques in targeted cyber intrusions.
     We know what to do: we just don’t do it.
  6. PREVENTING, LIMITING, & RECOVERING FROM CYBER SECURITY INCIDENTS (Rees 2017; Australian Signals Directorate 2017)
     Prevent Malware Delivery & Execution (these are the ‘Top 4’ strategies):
     1. Application Whitelisting
     2. Patch Applications
     3. Configure Microsoft Office macro settings
     4. User application hardening
     Limiting Extent of Attack:
     5. Restrict Administrative Privileges
     6. Patch operating systems
     7. Multi-factor authentication
     Recovering data:
     8. Daily Backups, ‘disconnected’, restoration tested (15% of backups actually fail) (Amvrosiadis & Bhadkamkar, 2016)
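Strategy 8 hinges on the words ‘restoration tested’: a backup that cannot be restored is not a backup, which is the failure the 15% figure refers to. As an added example (not part of the slides, the ASD material, or any cited paper), the POSIX shell functions below archive a directory, restore the archive into a scratch location, and compare a SHA-256 checksum of every file against the original, so that an incomplete or corrupted restore is detected on the day the backup is made rather than on the day it is needed. The function names, the sample ‘finance’ files and all paths are constructed for the demonstration; tar stands in for whatever backup tool is actually in use.

```shell
#!/bin/sh
# Added example: test that a backup archive really restores (strategy 8,
# "restoration tested"). Not code from the slides; all names and paths
# here are constructed for the demo.
set -eu

# Print "sha256  path" for every regular file under a directory, sorted so
# that two trees with identical contents give identical listings.
tree_checksums() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | sort )
}

# Create an archive of SRC ($1) at ARCHIVE ($2). tar is only the demo
# backup tool; the verification below works for any tool that can restore
# into a directory.
make_backup() {
  tar -C "$1" -cf "$2" .
}

# Restore ARCHIVE ($2) into a scratch directory and compare it file by file
# with SRC ($1). Returns 0 when every file matches, 1 when the restore is
# unreadable, incomplete or differs from the source.
verify_backup() {
  src="$1"; archive="$2"
  work=$(mktemp -d)
  rc=0
  mkdir "$work/restore"
  if ! tar -C "$work/restore" -xf "$archive" 2>/dev/null; then
    rc=1                       # archive unreadable: the restore failed outright
  else
    tree_checksums "$src"          > "$work/expected"
    tree_checksums "$work/restore" > "$work/actual"
    cmp -s "$work/expected" "$work/actual" || rc=1   # content mismatch
  fi
  rm -rf "$work"
  return $rc
}

# Demo with constructed data: an intact backup passes, a truncated one fails.
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/src/finance"
  printf 'ledger 2017\n' > "$d/src/finance/ledger.csv"   # constructed sample
  printf 'policy v3\n'   > "$d/src/policy.txt"           # constructed sample
  make_backup "$d/src" "$d/good.tar"
  verify_backup "$d/src" "$d/good.tar" && echo "good.tar: restore verified"
  # Simulate a damaged backup by keeping only the first 100 bytes.
  dd if="$d/good.tar" of="$d/bad.tar" bs=100 count=1 2>/dev/null
  verify_backup "$d/src" "$d/bad.tar" || echo "bad.tar: restore FAILED"
  rm -rf "$d"
}

demo
```

Run the script as it stands to see both outcomes; in practice the `verify_backup` step would run against the day's archive, with the restore done on a machine other than the one being backed up so that a compromised host cannot vouch for its own backups. The ‘disconnected’ requirement on the slide is separate: this check tells you the copy restores, not that an attacker on the network could not reach it.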
  7. WHAT HAPPENED? (Rees 2017; Australian Signals Directorate 2017)
     Detecting and monitoring for data breaches:
     • An ‘Excellent’ (but not essential) strategy to detect whether a cyber security incident has occurred is to maintain continuous incident detection and response teams
     • Important for larger organisations, and an important factor in selecting any cloud-based services
  8. CYBER INSURANCE
     Cyber insurance provides cyber extortion coverage – particularly in the case of ransomware (Simms, 2016):
     • May provide access to important resources (e.g. information security experts) (Tuttle 2016)
     • Cyber insurance comes in all sorts of flavours – different policies will have different terms & conditions
     • Be wary of exemptions – will they pay if the ransomware attack was successful due to poor processes?
     • For example, WannaCry used an exploit that had been patched for two months on modern operating systems – is that covered?
     This is the ‘last line of defence’ when prevention, detection, and correction don’t work – it’s not the ‘first slice’.
  9. WHY DO ANYTHING?
     Business Interruption/Distraction
     Loss of Reputation – no-one wants to be on a ‘sucker list’
     Privacy Act 1988:
     • 13 Australian Privacy Principles ($1.8m fine for breach)
     • Mandatory Data Breach Notification from 22 February 2018 (Abrahams and Griffin 2017)
     • $1.8m fine for organisations not reporting an eligible breach
     In addition to civil liabilities and individual penalties ($360k)
     Futureproofing the organisation
  10. A BUSINESS PROBLEM: KEEP IT SIMPLE
      A common theme to these solutions:
      • Inexpensive and relatively simple
      • Mostly to do with practices, attitudes, awareness and culture
      Yet – these practices are often honoured in the breach!
      It’s not all about expensive systems and tools – they can create a false sense of security and don’t work if the foundations are not right. Discipline and process – IT governance – are needed, including monitoring (De Haes & Van Grembergen 2015).
  11. WHAT TO DO: SECURITY PROCESSES (Cyber Security Working Group, 2017)
      • Strong and secure passwords with multi-factor authentication
      • Rule of least access – only provide access where needed
      • Latest security updates for all devices (computers AND phones)
      • Do not use USB/external hard drives from an unfamiliar source
      • Have a spam filter for email, and don’t open unsolicited messages (phishing awareness)
      • Anti-virus software is a given
      • Secure wireless; be careful with public wifi
      • Be vigilant about what is shared on social media
      • Monitor bank accounts for unusual activity
      • Use a PO Box to ensure mail is secure
      • Use known legitimate programs
      • Do not leave information unattended – secure devices
  12. WHAT TO DO: STRUCTURES AND RELATIONSHIPS
      Structures:
      • Governance structures with oversight
      • Accountability for monitoring – many of the breaches are due to poor monitoring of what has actually been done, and accountability for that
      • Do decision-making structures change in a crisis? Should the ‘normal’ rules apply?
      • Decisions we make should be informed by security considerations
      Relationships:
      • External advisors:
        • IT Operational Audit
        • IT Security Audit
        • External monitoring, particularly phishing awareness
      • Who do we work with ‘in the cloud’?
      • In case of emergency: who comes when we have to press the ‘Big Red Button’?
  13. FORWARD THE FUTURE
      Why are you storing this data, and is it worth the headache?
      The trend is for a higher need for strong data governance, and a need to protect (or at least notify about) lost data.
      Are these requirements likely to start going beyond ‘personal and sensitive’ data?
      Who ‘owns’ the data? Was it provided with ‘informed consent’?
      If data was ‘lost’, do you know to whom it belongs?
  14. RESOURCES/REFERENCES
      Abrahams, N., & Griffin, J. (2017). Privacy law: The end of a long road: Mandatory data breach notification becomes law. Law Society of NSW Journal, (32), 2017-2018.
      Amvrosiadis, G., & Bhadkamkar, M. (2016). Getting back up: Understanding how enterprise backups fail. USENIX Annual Technical Conference, 479-492.
      Australian Signals Directorate. (2017). Strategies to Mitigate Cyber Security Incidents. Retrieved from table.htm
      Cyber Security Working Group. (2017). Security tips for business. Retrieved from
      De Haes, S., & Van Grembergen, W. (2015). Enterprise Governance of IT (Chapter 2, pp. 11-43). Springer.
      Everett, C. (2016). Ransomware: To pay or not to pay? Computer Fraud and Security, 2016(4), 8-12. doi:10.1016/S1361-3723(16)30036-7
      Mansfield-Devine, S. (2016). Ransomware: taking businesses hostage. Network Security, 2016(10), 8-17. doi:10.1016/S1353-4858(16)30096-4
      Rees, G. (2017). 8 cybersecurity strategies to protect you and your business. InTheBlack (April).
      Simms, C. (2016). A matter of survival. ITNOW, 58(4), 30-31. doi:10.1093/itnow/bww102
      Tuttle, H. (2016). Ransomware Attacks Pose Growing Threat. Risk Management, 63(4), 4-7.