Security professionals often struggle with the ‘double intangibility’ of security - the intangibility of risk and intangibility of protection.
Changing hearts and minds often requires legislation and new compliance frameworks to motivate investment.
New Zealand's new Privacy Act comes into force on 1 December 2020, and security professionals can leverage its new provisions, including mandatory breach notification, to focus effort on securing personal information and preventing privacy harms.
Save yourself with the CSDF - ISACA Auckland - 16 June 2021 - Chris Hails
A new way to design, prioritise and apply defence in depth efforts using traditional situational crime prevention strategies. The Cyber Self Defence Framework (CSDF) proposes a set of situational security measures – tailored to common cyber enabled crimes including phishing, social engineering, malware and online scams and fraud – that could be applied by the average home internet user to help break the causal chain to prevent cybercrime occurring.
Auckland (ISC)2 Chapter - Building the ‘Bob Semple Cyber Tank’ - Chris Hails
New Zealand is a country of small businesses. 97% of enterprises – almost half a million according to MBIE data - have fewer than 20 employees but contribute more than a quarter of the country’s GDP.
Almost a quarter of New Zealand small businesses have been hit by cyber crime according to Symantec’s latest SMB Cyber Security Survey with the average financial loss sitting at $16,000.
Many of these small businesses will be operating on the proverbial “smell of an oily rag” with cyber security far down the list of priorities for owners focused on keeping the lights on and the cash flowing.
It’s in this environment that many small businesses will find themselves operating below the ‘security poverty line’, the point below which a company cannot effectively protect itself from cyber security threats.
Many small companies believe that IT security is too expensive and that they lack the knowledge on how to combat common cyber threats. At the October (ISC)2 Auckland Chapter event, 25 individuals took part in group exercises designed to identify pragmatic security investments that offer the ‘most bang for the buck’.
If New Zealand business owners are seeking pragmatic and cost effective guidance focused on protecting their digital assets, they could review the outcomes of this (ISC)2 Auckland Chapter session for practical guidance. We suggest a customised scalable solution for tackling common cyber security threats like ransomware, intellectual property theft (internal and external), Business Email Compromise, phishing and malware infections.
Patrick Bourk, National Cyber Practice Leader from Hub International, discusses the various cyber policies available for mid size commercial businesses. He also showcases the various types of risk to consider when working with an insurer.
Cybersecurity: Protection strategies from Cisco and Next Dimension - Next Dimension Inc.
Cisco's presentation on cyber security threats affecting mid-size commercial businesses, and the Cisco suite of cyber security solutions positioned to protect them.
Cyber Resilience presented at the Malta Association of Risk Management (MARM) Cybercrime Seminar of 24 June 2013 by Mr Donald Tabone. Mr Tabone, Associate Director and Head of Information Protection and Business Resilience Services at KPMG Malta, presented a six-point action plan corporate entities can follow in order to reach a sustainable level of cyber resilience.
New York Department of Financial Services Cybersecurity Regulations - Shawn Tuma
Getting in Shape – NYDFS Cyber Security Regulations Webinar
Presenters: Shawn Tuma, Cybersecurity & Data Protection Attorney, Scheef & Stone LLP | Bill Belcher, VP Americas, Boldon James
In an initiative to protect New York’s financial services industry, a new State regulation has been introduced to protect consumers and financial institutions from cyber-attacks. Effective March 1, 2017, this risk-driven regulation requires all financial services institutions regulated by the Department of Financial Services (DFS) to establish and maintain a cyber security program that protects both customers’ private data and the technology that supports it. The impact stretches down through the supply chain, as any organization that does business with the New York financial services sector has to meet the same level of data protection.
Watch this webcast to learn:
The key requirements of the New York cyber security regulation
How compliance is about process first, then people and technology
What organizations need to be doing to ensure they comply
How data classification can help ensure compliance
NYDFS Cybersecurity Regulations (23 NYCRR 500) New York is one of the biggest financial hubs in the world; as you can imagine, where there is sensitive financial information there are people who want to get their hands on it. It is for this reason that financial firms operating in New York face stiff cyber security obligations under the new New York Department of Financial Services Cybersecurity Regulations (23 NYCRR 500). The regulation applies to firms holding a banking, insurance or financial services licence to operate in New York. 23 NYCRR 500 took effect on March 1, 2017, although firms have a 180-day transitional period from that date to change internal systems in order to meet the new compliance and regulatory standards. This fact sheet outlines:
23 NYCRR 500 overview
Key dates for covered entities
Key tasks for compliance
How Boldon James can help
Please complete the adjoining form to request it.
Although Sony seemed to dominate the cyber-security headlines of 2014, it was just one of many corporations infiltrated by an increasingly sophisticated and driven pool of hackers. J.P. Morgan Chase, Home Depot, and Target also top the list of businesses struggling with data breaches.
The most recent major cyberattack, against Anthem Healthcare, shook the insurance industry. In a rare show of transparency, the insurer began alerting customers and the media to the potential data breach just eight days after it first noted suspicious activity on Jan. 27, 2015.
Immediately upon discovering it had been attacked, Anthem jumped to address the security vulnerability, contacted the FBI, and hired leading cyber-security firm Mandiant to evaluate its systems, said president and CEO Joseph Swedish in a statement.
Noting the importance of protecting financial institutions, New York's Department of Financial Services responded to the Anthem breach by announcing its intent to integrate regular assessments of cyber-security preparedness at insurance companies as part of its examination process. It will also enforce "enhanced regulations" on insurers based in New York.
"Recent cyber security breaches should serve as a stern wake up call for insurers and other financial institutions to strengthen their cyber defenses," said Benjamin M. Lawsky, New York State's superintendent of financial services, in a statement. He continued, "Regulators and private sector companies must both redouble their efforts and move aggressively to help safeguard this consumer data."
Most people might expect that larger insurers, given the sensitive customer information they handle, would boast robust cyber-security programs. This is not necessarily true.
As part of its investigation, the Department found that 95% of insurers already believe they have sufficient staff for information security, while just 14% of CEOs receive monthly briefings on data security. Anthem, the nation's second-largest health insurer, had not even encrypted the database containing its nonmedical data; it stated that HIPAA did not require it to do so.
While experts believe that Anthem was specifically targeted in its attack, there is no doubt that all financial institutions are at risk. Here are eight things to know as the industry enters a year of heightened cyber-vulnerability.
Given a known outcome, we tend to overestimate how predictable it was, and therefore how easily the same fate could have been avoided. In cybersecurity, this hindsight bias can create a false sense of corporate security or, worse, bury the true causes of incidents and lead to repeated data breaches or business-disrupting cyber incidents.
Case Study: The Role of Human Error in Information Security - PECB
It has become an established fact that the human factor is the most important element to secure in any organization if security is to be maintained. This case study will take real-life examples (with no names used!) and examine some actual security incidents caused by human error and elaborate on the root cause and prevention tips resulting from these events.
Main points covered:
• Incident detection
• Incident reporting
• Incident triage
• Lessons learned
Presenter:
Our presenter for this webinar will be Anthony English, who is one of the top cybersecurity professionals in Atlantic Canada with extensive Canadian and international experience in cybersecurity covering risk assessment, management, mitigation, security testing, business continuity, information security management systems, architecture security reviews, project security, security awareness, lectures, presentations and standards-based compliance. He sits on the Standards Council of Canada (SCC) IT Security Techniques committee (MC/ISO/IEC/JTC 1/SC 27), the Disaster Recovery Institute Canada (DRIC) Certification Committee, the Cloud Security Alliance committee on the security of health care data in the cloud, and is an Exam Development Volunteer for (ISC)2. Anthony has worked in utilities, law enforcement, consulting, education, health care, lottery and gaming, auditing and the financial sector.
Recorded Webinar: https://youtu.be/fWZd_wd3HOk
Cybersecurity Risk Management for Financial Institutions - Sarah Cirelli
The New York State Department of Financial Services has been closely monitoring this ever-growing threat and has proposed regulations that would require financial services companies to adopt a cybersecurity program to protect their customers, employees, data and operations. Its proposed changes are expected to take effect on March 1, 2017. Financial services companies would have until Feb. 15, 2018, to submit a certificate of compliance with the program. Components of New York's proposed cybersecurity program are outlined in this article.
Gowlings - November 12, 2014
In an increasingly digital world, all businesses face challenges in managing and protecting sensitive and confidential information. In this presentation Gowlings and Marsh Canada Limited addressed best practices for responding to a cyber breach, and what types of insurance may be available to respond to such a loss. Topics included:
• Trends, and the evolution of cyber insurance products
• The D&O connection: cyber is a strategic business risk
• Risk Management Strategies
• Best Practices in Breach Response.
Cyber Liability - Insurance Risk Management and Preparation - Eric Reehl
See how Adaptive Solutions is delivering leading cyber risk management solutions through its strategic alliance with Willis Towers Watson and Darklight Technologies.
Government Technology & Services Coalition & InfraGard NCR's Program: Cyber Security: Securing the Federal Cyber Domain by Strengthening Public-Private Partnership
Presentation: How do we Protect our Systems and Meet Compliance in a Rapidly Changing Environment
Presenter: Sean McCloskey, Program Manager, Cyber Security Evaluations Program, DHS
Description: With all the constant innovation in cyber, what is “cutting edge”? What constraints hinder innovation? How is technology being used to address the Executive Orders, comply with standards, and meet other mandates? What areas still need resources, ideas and innovation? Join us to hear about advances in cyber security technology and ways to protect and monitor systems that will provide for resilient infrastructures and incorporate new solutions.
Security, Privacy Data Protection and Perspectives to Counter Cybercrime 0409... - Gohsuke Takama
"Security, Privacy Data Protection and Perspectives to Counter Cybercrime" was presented at the CodeGate 2008 security conference in Seoul, Korea, April 2008.
http://www.codegate.org/
The digital age provides all organisations with opportunities to grow and innovate. But it also brings a new world of risk, especially to our most precious information: the information that is critical to our future success. All organisations are at risk, and cyber resilience is no longer a ‘nice to have’. Yet many organisations continue to struggle to define what good cyber resilience looks like.
Good starts with a strategy: a strategy built around your business objectives and an understanding of the cyber risks to those objectives. It’s about having the right people, skills, awareness and culture to deliver the strategy. It’s also about accepting that you will never be bullet-proof; to support your prevention and detection activities, it is now just as important to know how you will effectively respond to and recover from a cyber-attack.
In June 2015 AXELOS Global Best Practice is launching a new Cyber Resilience Best Practice portfolio. This webinar with Nick Wilding, Head of Cyber Resilience at AXELOS, outlines:
- what cyber resilience is and why it is so important to any organisation;
- why all of us are on the cyber front line and how we all have a role to play;
- why cyber resilience best practice is so vital to help define and manage what good looks like in your organisation;
- how you can get involved in the development and launch of this exciting new initiative from AXELOS.
Secrets to managing your Duty of Care in an ever-changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for cybersecurity attacks sits with executives and board members, who may not have the right level of technical security knowledge. This session will outline the practical steps executives can take to implement a Cybersecurity Roadmap that is aligned with the organisation's strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
This presentation focuses on the rising prominence of insurance considerations, and more particularly on the legal aspects of insurance as it relates to cybersecurity and privacy.
The presentation defines "Cyber and Privacy Insurance” and organizes such insurance into four main types of coverage: data breach and privacy management coverage, multimedia liability coverage, extortion liability coverage, and network security liability coverage. With these definitions in place, the presentation then gives a snapshot of how the cyber insurance market is maturing, its participants, costs, and related attributes.
Consideration is given to the importance of defined terms before launching into the difficulties that providers and users have in measuring, modeling, and pricing cyber insurance risk. Particular attention is given to the language of “claims” and how to navigate the associated risk/cost analyses and cost structures.
Additionally, general considerations, pre-conditions, cost of compliance, business interruption, governing board oversight and related issues are brought together in a cohesive manner.
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also creates potential vulnerabilities to cyberattacks. It is critical to preserve information systems and to address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. Best practices and model comprehensive privacy and cybersecurity policies are discussed, as are data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law.
To view the accompanying webinar, go to:
https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2020/
How to Approach the NYDFS Proposed Cybersecurity Requirements - Kyle Brown
The New York Department of Financial Services (NYDFS) is expected to pass a proposed cybersecurity regulation in January 2017, called "Cybersecurity Requirements for Financial Services Companies".
In light of the imminent regulatory update, most financial institutions and insurance providers are preparing to comply with the fundamental requirements that the NYDFS will likely adopt.
In this webinar, we covered:
- Explanations of the regulation’s key legal requirements;
- How the regulation interacts with other data security laws;
- Industry best practices for securing data;
- The value of online compliance training.
Unit 6 Privacy and Data Protection 8 hrTushar Rajput
Right to Privacy and its Legal Framework, The Concept of Privacy, National Legal
Framework for Protecting Privacy, International Legal Framework for Protecting Privacy, Privacy Related Wrongs and Remedies, Data Security, The Concept of Security in Cyberspace, Technological Vulnerabilities, Legal Response to Technological
Vulnerabilities, Security Audit (VA/PT), Data Protection, Data Protection Position in
India, Privacy Policy, Emerging Issues in Data Protection and Privacy, BPOs and
Legal Regime in India, Protect Kids' Privacy Online, Evolving Trends in Data Protection and Information Security
Hacking the Human - How Secure Is Your Organization?CBIZ, Inc.
This presentation covers:
Social Engineering
Targets, Costs, Frequency
Real Life Examples
Mitigating Risks
Internal Programs
Data Security & Privacy Liability
Cyber Liability
Cyber Insurance
Financial Impact
Key Coverage Components
Checklist for Assessing your Level of Cyber Risk
Fully understand how GDPR affects the life of millions of EU citizens by having in mind the 10 simple facts exposed by Dr. Karsten Kinast
The presentation gives a short glimpse in to the motivation of GDPR, the key changes it brings, and the ongoing compliance on information lifecycle it presumes.
Every business is vulnerable to cyber threats and increasingly small and mid-size companies (SMBs) are targets. Yet most know little about what or how to communicate if faced with a breach. This slide presentation addresses the reputation risks for SMBs in today's digital landscape and resources to deal with the threat.
Crossing the streams: How security professionals can leverage the NZ Privacy Act 2020 to build a stronger security culture
1. Crossing the Streams: How security professionals can leverage New Zealand's new Privacy Act to build a stronger security culture
PRIVACY / SECURITY / DATA BREACHES
3. WHOAMI
• Membership Chair at (ISC)2 Auckland Chapter
• Researching the Security Quotient risk profiling model
• Developing LEGO-based CISO The Board Game
• Creator of the Cyber Self Defence Framework using situational crime prevention strategies
• Starting to dabble in privacy…
7. The ‘double intangibility’ of security
Potential consumers are faced with:
1. the intangibility of risk - knowing precisely how at risk they are and from what sources
2. the intangibility of protection - knowing whether the good or service on offer can or will mitigate that risk
WE ARE SELLERS OF THE IDEA OF BUYING SECURITY…
8. “Underspending on security, and letting society pay the eventual price, is far more profitable. I don’t blame the tech companies... Fixing this requires changes in the law, not changes in the hearts of the company’s leaders”
BRUCE SCHNEIER, CRYPTOGRAPHER
15. WHAT’S CHANGING?
1. Mandatory privacy breach notification regime - ASAP
2. Criminal offences – fail to notify OPC/mislead/destroy
3. Compliance notices – do/stop doing
4. Enforceable access directions – release
5. Disclosing information overseas – new IPP12, not providers
6. Extraterritorial effect – Facebook
7. Potential for class actions: “The updated Act will allow the Human Rights Review Tribunal to award up to $350,000 to each member of a class action”
18. “One of the key reforms in the Privacy Bill is a new requirement for agencies to report privacy breaches. A privacy breach is any unauthorised access to or disclosure, loss, or destruction of personal information. It can also include a ransomware attack. Privacy breaches that pose a risk of harm to people must be notified to affected individuals and to the Privacy Commissioner”
HON ANDREW LITTLE, 2018
20. “Damages for privacy and related litigation cases have been growing in recent years – with minor breaches fetching up to $20,000, medium tier cases in the range of $20,000-$50,000, and serious breaches over $50,000… class actions pose significant risk to organisations in breach of Privacy Act”
RUSSELL MCVEAGH, 2019
21. HRRT QUANTUM OF DAMAGES?
“complainants may view money as the most appropriate way to redress perceived breaches of their privacy… agencies trying to see what risks may arise from breach of the Privacy Act look to the quantum of damages awarded by the HRRT as a guide to the level of risk”
Damages Awarded by the Human Rights Review Tribunal under Privacy Act 1993, s88(1)(c) – damages for emotional harm: 8 years / 21 cases / $320,400
22. “We’re also behind many other countries in how we treat data protection. We have a shiny new Privacy Act but there’s no ability for the Privacy Commissioner to take meaningful enforcement action against companies misusing our data”
JON DUFFY, CONSUMER CEO
27. PRIVACY HARMS
“People and organisations are becoming more aware of the individual and group harms caused by misuse of data and data breaches”
29. “Once described as ‘the right to be let alone’, privacy is now best described as the ability to control data we cannot stop generating, giving rise to inferences we can’t predict”
ANDREW BURT, LAWYER
33. CURRENT STATE: NZP
“Over 320,000 adults (7.9%) experienced 420,000 fraud or cybercrime incidents over the last 12 months.”
“Only 10% of fraud or cybercrime incidents were reported to the Police”
Ministry of Justice’s New Zealand Crime and Victims Survey (NZCVS) results, Cycle 2 - 2019
36. 19 ACTIONS / 10 YEARS / 110 VULNERABILITIES
Motivations to invest:
• Comply with US laws and regulations
• Reduce privacy harms such as identity theft, cybercrime
• Satisfy security requirements when collecting data
• Discharge director obligations
• Demonstrate due diligence
• Prioritise security spending on highest risks
37. 19 ACTIONS / 10 YEARS / 110 VULNERABILITIES
Top Recommendations:
• Focus on information handling – limit access, encrypt data at rest, dispose promptly (54%)
• Improve processes – monitor systems and data, patch systems, train staff (33%)
• Manage consumer expectations – ensure privacy notices are accurate and consent is explicit (13%)
38. 19 ACTIONS / 10 YEARS / 110 VULNERABILITIES
PHYSEC:
• Protect paper based files
• Apply least privilege
• Secure offices* and vehicles
• Validate identity at entry
• Revalidate access rights regularly
41. “it was anticipated that the NDB scheme would raise confidence amongst consumers about the entities that they are dealing with, and the increased transparency would provide consumers with more information to make informed choices about whether to transact with particular entities”
42. OAIC NDB YEAR ONE
• Despite anonymity, “a sustained interest from the media in reporting… entities that have experienced a data breach have been in the public eye”
• A growing awareness of privacy rights and issues amongst consumers
• Average time between a breach and misuse of credentials is 9.55 days
• Takes 90 days for an organisation to detect the initial data breach and 28.25 days more to notify individuals
TOP TIPS:
1. Understand your data holdings and secure PII
2. Test data breach response plans
3. Review contracts and document accountabilities for investigating breaches, assessing harm and notifying individuals
4. Draft notifications and plan your comms strategy – don’t notify on a Friday!
5. Support individuals to mitigate the impact of a data breach.
44. OAIC JULY 2020
“We are now regularly seeing ransomware attacks that export or exfiltrate data from a network before encrypting the data on the target network, which is also of concern,” she said.
“It highlights the need for organisations to have a clear understanding of how and where personal information is stored on their network, and to consider additional measures such as network segmentation, robust access controls and encryption.”
46. "This should not have happened," State Services Commissioner Peter Hughes said. "Some things are so critical that they can never be allowed to fail. Security of the Budget is one of these."
49. He had laid a complaint with the Privacy Commissioner, changed his email address, passwords for online accounts, and froze his credit reports to prevent identity fraud.
"For the rest of my life, I have to worry about what they [the unknown third party] are going to do with that information."
50. “30,000 files - including passports and driver licences - were discovered through a security flaw on Lambton Property Management's website, with experts estimating the information to be worth $500,000 if it was to be sold on the dark web”
51. DO WE ID RISKS / HARM?
“System security measures should respond to the risks as identified in the privacy impact report… Privacy enhancing responses will involve security safeguards appropriate to the sensitivity of the information and the particular data handling practices.”
“Security levels, costs, measures, practices and procedures should be appropriate and proportionate to the value of, and degree of reliance on, the information systems and to the severity, probability and extent of potential harm, as the requirements for security vary depending upon the particular information systems.”
53. APPLY INTERNATIONAL LESSONS LEARNED AND…
• Review personal information assets and collection
• Create/update your privacy policy and raise awareness of 01.12.20 with staff. Train them!
• Create/update breach response plan and notification processes to OPC and individuals
• Define RACI for breach detection and response and exercise against scenarios to build capability
• Inventory supply chain, review contracts and security capabilities (including offshore)
• Check privacy statement is reflective of real data flows/sharing arrangements
• Introduce Privacy by Design thinking - more, better, earlier PIAs for mature orgs.
66. PbyD/SbyD: ESTABLISH NFRS
Example Non-Functional Requirements developed using the Volere method:
• Only direct managers can see the personnel records of their staff.
• Only holders of a current security clearance can enter the building.
• The product shall prevent incorrect data from being introduced.
• The product shall protect itself from intentional abuse.
• The product shall make its users aware of its information practices before collecting data from them.
• The product shall notify customers of changes to its information policy.
• The product shall reveal private information only in compliance with the organization’s information policy.
• The product shall protect private information in accordance with the relevant privacy laws and the organization’s information policy.
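A non-functional requirement like the first one on this slide is only worth writing down if it becomes an enforceable, testable control rather than a sentence in a policy document. The following Python is an added example, not part of the presentation or of the Volere method: it turns "Only direct managers can see the personnel records of their staff" into a deny-by-default authorisation check with an audit trail. The org chart, the record store, the user identifiers and the single-direct-manager reporting model are all constructed assumptions for illustration.

```python
"""Added example (not from the presentation): enforcing the Volere-style
non-functional requirement "Only direct managers can see the personnel
records of their staff" as a deny-by-default authorisation check.
The org chart, records and identifiers below are constructed sample data;
one direct manager per employee is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    user_id: str
    manager_id: Optional[str]  # None at the top of the org chart


# Constructed sample org chart: ceo > alice > {bob > dave, carol}
ORG: Dict[str, Employee] = {
    "ceo": Employee("ceo", None),
    "alice": Employee("alice", "ceo"),
    "bob": Employee("bob", "alice"),
    "carol": Employee("carol", "alice"),
    "dave": Employee("dave", "bob"),  # alice is dave's skip-level manager
}


@dataclass
class AuditLog:
    """Every access decision, allow or deny, is recorded so a breach
    investigation can reconstruct who looked at whose record and why."""
    entries: List[Tuple[str, str, bool, str]] = field(default_factory=list)

    def record(self, actor: str, subject: str, allowed: bool, reason: str) -> None:
        self.entries.append((actor, subject, allowed, reason))


def can_view_personnel_record(
    actor_id: str,
    subject_id: str,
    org: Dict[str, Employee] = ORG,
    audit: Optional[AuditLog] = None,
) -> bool:
    """Deny by default: allow only when the actor is the subject's *direct*
    manager. Skip-level managers, peers, the subject themselves and unknown
    identities all fall through to deny, and every decision is logged."""
    actor = org.get(actor_id)
    subject = org.get(subject_id)
    if actor is None or subject is None:
        allowed, reason = False, "unknown identity"
    elif subject.manager_id == actor_id:
        allowed, reason = True, "direct manager"
    else:
        allowed, reason = False, "not the direct manager"
    if audit is not None:
        audit.record(actor_id, subject_id, allowed, reason)
    return allowed


def view_personnel_record(
    actor_id: str,
    subject_id: str,
    records: Dict[str, dict],
    audit: AuditLog,
) -> dict:
    """Gate the data access behind the check, so a record is returned only on
    an allow decision and nothing is revealed on a deny."""
    if not can_view_personnel_record(actor_id, subject_id, audit=audit):
        raise PermissionError(f"{actor_id} may not view {subject_id}'s record")
    return records[subject_id]


if __name__ == "__main__":
    log = AuditLog()
    sample_records = {"bob": {"role": "analyst", "salary_band": "C"}}  # constructed
    print(view_personnel_record("alice", "bob", sample_records, log))
    for attempt in ("dave", "carol", "ceo", "mallory"):
        try:
            view_personnel_record(attempt, "bob", sample_records, log)
        except PermissionError as err:
            print("denied:", err)
    for entry in log.entries:
        print(entry)
```

The point of the structure is that the requirement is checked in exactly one place, the default outcome is deny, and the denied cases a reviewer would probe (a skip-level manager, a peer, an identity that is not in the directory) are covered by tests rather than by trust. An individual's own right of access to their record under the Act's access principle is a separate requirement and would be a separate rule combined with this one, not a loosening of it.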