DIGITAL TRANSFORMATION
Managing cyber risk
Jeremy Swinfen Green, Charlotte Childs
07855 341 589
hello@mosoco.co.uk

A “tier 1” threat

What is cyber risk?
The risk from digital (computer) technology to the efficiency, revenue, profitability or existence of an organisation

Cyber risk is not the same as information risk

Cyber risks are growing

A holistic approach
• The IT department
• Just information
• Your organisation

Who causes the risks?
• Outsiders: the traditional enemy
• Insiders: the new enemy
• Inside outers: the hidden enemy

You can’t stop the hackers…
• So just protect the crown jewels*
  o Personal data
  o Credit card data
  o Strategic information
*Fines of up to 5% of global turnover?

Insiders – the biggest risk
• Losing devices that contain corporate information
• Leaking strategic information accidentally
• Stealing data for personal gain
• Foolishly compromising log-in details

Why do people show risky behaviour?
• Ignorance of the risk
• Hard-to-use systems
• Social pressure
• Habit
• Transferring responsibility
• Belief
• Personal

Awareness is not enough
• Empower your communications
  o Multiple platforms
  o Personalisation
  o Incentives (and sanctions)
  o Changes to the rules

Understanding motives
• Lack of knowledge
• Lack of belief
• Personal gain
• Cognitive overload

Dealing with difference
• Experience of cyber risk
• Roles
• Age
• Gender

“Irrational” people
• Social or outside pressure
• Fun and immediate gratification
• Delegation – not my problem
• I’m in control
• Trusting other people
• It won’t affect me (it never has before)
• No one will know it is me, so why should I worry?

Dealing with irrational people
• Nudging
• Anchoring
• Present bias
• Authority figures
• Community action
• Loss aversion

Hidden dangers from inside outers

Think beyond the network
• Bring your own device
• Bring your own cloud
• Internet of Things
• Connecting outside the office
• Disposing of devices
• Social media risk

Identify the risks
• Identify known risks; imagine unknown risks
• Prioritise
• Identify existential risks
• Document
• Review

Manage the risks
• Avoid
• Transfer
• Mitigate
• Accept

Plan for the inevitable
• Prepare responses
• Monitor for attacks
• Educate staff
• Test plans
• Plan for after the incident

Respond to incidents
• Detect and verify
• Assess and report
• Respond
• Iterate

Identify the payback – but avoid FUD*
• Insurance costs
• New business opportunities
• Reputation
• Employee morale
• Avoidance of costs associated with risk events
*Fear, uncertainty and doubt as a way of persuading people

Key management concepts
• Holistic
• Appropriate
• Agile
• Engaging
• Led effectively

THANK YOU
Jeremy Swinfen-Green, Charlotte Childs
hello@mosoco.co.uk
07855 341 589

Digital transformation: introduction to cyber risk


Editor's Notes

  • #3 Tier 1 threats are “high impact, high likelihood”. HM Government regards cyber attacks as a tier 1 threat, along with:
    o Terrorism
    o An international military crisis
    o A natural disaster such as an influenza pandemic
    That puts cyber attack above:
    o An attack on the UK or its Overseas Territories by another state or proxy using chemical, biological, radiological or nuclear (CBRN) weapons (Tier 2)
    o A major release of radioactive material from a civil nuclear site within the UK which affects one or more regions (Tier 3)
  • #4 Cyber risk is not the same as information risk: it can be a risk to physical assets, monetary assets, personnel and reputation as well as to information.
  • #5 Damage can be direct, indirect or consequential (including reputational).
    Direct (money):
    o Theft of money
    o Being “locked out” of computer systems and having to pay a ransom
    o Inability to process online sales caused by “denial of service” attacks
    o Lost sales because of identity theft for the purposes of selling counterfeit goods
    o Loss of personal data leading to fines for compliance failure
    o Legal suits for cyber bullying or discrimination
    Indirect (efficiency):
    o Damage to computers that drive systems, e.g. deletion of files
    o Leakage of strategic information such as design blueprints
    o Loss of IP protection of designs and trademarks
    o Lowered staff morale
    o Reduced efficiency of working practices and business processes
    o Accidentally entering into contracts or varying existing contracts
    Consequential:
    o Reputational damage that can affect credibility with suppliers, financial markets, banks, regulators and customers
    o The cost of “clearing up” any damage caused and preventing it from happening in the future
  • #6 Why are cyber risks growing?
    o More organisations are operating online and so becoming more reliant on the internet
    o More devices are connecting to the internet (security cameras, air conditioning systems…), increasing the chance of systems being disrupted
    o More people are bringing smartphones to their workplaces and using them to access work information
    o Companies are increasing the amount of data they create and store online
    o Computer programmers, including hackers and criminals, are getting more sophisticated and building on previous cyber crime tools
    o More and more “DIY” cyber crime tools are being offered online, for prices as low as $50
  • #7 Cyber risk should be treated holistically:
    o Not just the IT department: the whole organisation – process, people, technology
    o Not just information: people, equipment and contracts as well as information
    o Not just your organisation: anyone and anything your organisation interacts with
  • #8 Outsiders: people who want to damage your organisation – hackers, thieves and hacktivists (the traditional enemy). Insiders: your staff and the processes and technology they use, at work and at home (the new enemy). Inside outers: people who have access to your information and systems – agencies, suppliers, contractors, ex-employees (the hidden enemy).
  • #9 You can’t protect everything, so understand why you might be at risk: theft, industrial espionage, hacktivism, mischief. Prioritise your key data (personal data, credit card data, strategic information) and protect it wherever it is, not just within your IT networks.
  • #10 Insiders are often the biggest risk:
    o The Sales Director leaving a laptop with an unencrypted list of customers’ personal data on a train
    o The FD losing their personal smartphone, which automatically connects to their office email account
    o The CEO leaking strategically important information by mistake on social media
    o The legal department failing to spot a website selling counterfeit copies of the handbags you produce
    o The teenage son of the Marketing Director using the Marketing Director’s iPad to access the company’s Twitter account and posting some “amusing” tweets
    o A sales exec mistakenly promising something to a client in a response on social media
  • #11 Why do people show risky behaviour?
    o Ignorance of the risk: “I didn’t know”; “I thought I was doing the right thing”
    o Cost of compliance: “it’s too difficult”; “it’s inconvenient”; “I don’t want to risk my connection”; “it’s too expensive”
    o Social pressure: “everyone else does it”; “I don’t want to be impolite”; “he seems like such a nice chap”; “I don’t want people to think I am stupid”; “I am frightened”
    o Habit: “I always do it that way”; “I didn’t notice the warning”
    o Transferring responsibility: “I used the default settings”; “he must know what he is doing”; “IT will sort it out if it goes wrong”; “it’s not my job to think about that”
    o Belief: “it won’t do any good”; “it’s not important”; “I’m too important”; “it won’t happen here”
    o Personal: “it’s fun”; “I need that data for my next job”; “it’s my right to do that”; “I had too much to think about” (cognitive overload)
  • #12 Awareness is not enough and needs to be strengthened through the right communications:
    o Many platforms – email, posters, screen messages etc.
    o Personalised information
    o Communication and training on incentives and sanctions – clear policies
    o Regular small rule changes
  • #13 Each motive needs a different response:
    o Lack of knowledge – need to educate: people don’t appreciate the risk, e.g. a security habit that applies to fixed PCs may not transfer to mobile devices
    o Lack of belief or different experience – need to persuade: “I’m too important”; “it never works”; “I am doing the right thing”
    o Personal gain – need to threaten: revenge; personal “insurance” and knowledge; threats from third parties
    o Cognitive overload – need to resource: too much pressure; too inconvenient
  • #14 People differ:
    o Different experience: recent experience of cyber risk makes you more likely to be receptive
    o Different roles: IT security people may not appreciate some human information leakage risks because they focus on networks and files
    o Age: in young people the immediate mindset may mean that risks that are far off are not appreciated as being important
    o Gender: males take more risks than females, especially when competing with other males
  • #15 Why people behave “irrationally”:
    o Social or outside pressure – from peers and criminals
    o Fun and immediate gratification
    o Delegation – “not my problem, IT will sort it out”
    o “I’m in control” – “I am stronger than other people so it doesn’t apply to me”
    o Trusting other people
    o “It won’t affect me (it never has before)”
    o “No one will know it is me, so why should I worry?”
  • #16 Dealing with “irrational” people by applying behavioural economics:
    o Anchoring: create expectations by referencing existing good practice
    o Framing: tell stories and describe scenarios
    o Relevance: ensure people realise that cyber is about people, not machines
    o Nudging: encourage people to move in small steps away from habitual behaviour
    o Present bias: provide immediate feedback
    o Social pressure: implement peer policing
    o Authority: use “white coats” for credible messages, e.g. about default options
    o Loss aversion: emphasise personal loss (not gain), e.g. money, connectivity
    o Fear of missing out: make the gains from secure behaviour “hard” to attain
    o Choice: reduce the choices in systems to 3 or 4 options at any one point
    o Ethics: simply remind people of the importance of not cheating
    o Over-confidence: challenge people’s mental positioning about their competence
    o Downplaying risk and optimism about outcomes, especially in a social environment: for instance, phishing may be accepted as a risk in email but not appreciated as such in a trusted social media environment
  • #17 Inside outers – managing third parties:
    o Who can access your systems? People you deal with every day, their colleagues, temps, interns?
    o Do they ever share your passwords with their colleagues (e.g. during holidays)?
    o What security precautions and training do they apply when recruiting staff who might have access to your information systems?
    o Are their cyber risk management processes and policies adequate?
    o How physically secure are their offices?
    o How much data can they access, and is this appropriate?
    o Do they let employees access your data via home computers or mobile devices?
    o Have they had any previous instances of cyber damage? How did they respond?
    o Are they insured against cyber risk, and if they are, would this give you any protection?
  • #18 Think beyond the network:
    o Bring your own device
    o Bring your own cloud
    o Internet of Things
    o Connecting outside the office network – at home; on public wifi
    o Disposing of (personal and corporate) devices
    o Social media risk
  • #19 Identify risks through organisation/industry history, scenarios, and reviews of how critical data or systems might be compromised. Quantify risks by likelihood and impact. Decide what to do in each circumstance (the slide’s avoid / transfer / mitigate / accept):
    o Terminate (avoid): remove the risk through the elimination of the activity or situation that presents the risk
    o Transfer: load the risk onto a third party through insurance, leasing equipment, or contract wording – but don’t assume transferring the risk will leave you in the clear!
    o Reduce (mitigate): minimise the likelihood or impact of the incident through training, processes, resources etc.
    o Retain (accept): accept that some risks are inevitable or not cost effective to manage
    Identify existential risks and decide whether to up-weight these even if they are very unlikely. Document your risks in a register, and review this document regularly.
  • #20 Avoiding is difficult:
    o A ban on taking smartphones into offices prevents them being used to film or photograph secret information, but will cause irritation to your workforce
    o A ban on connecting personal devices to corporate networks prevents corporate data being stored on personal devices and subsequently leaking if the device is lost, but can reduce flexibility of working and hence productivity
    o A requirement that any files uploaded to corporate laptops are encrypted prior to upload prevents data leakage if laptops are lost, but decrypting every single file, including ones that are not secret, will cause irritation to employees
    o A ban on the use of social media sites at work prevents a loss of employee productivity, but is likely to result in lower morale, and in any case people are likely to work around it by using personal smartphones to access social media sites
    Transferring risk isn’t always possible:
    o Insure against cyber damage: a growing market, but will you be covered for everything you do? The policy may not protect you from everything, especially hard-to-value losses such as reputational damage. Increasingly, insurance companies won’t cover cyber without seeing appropriate plans in place
    o Write it into your contracts with third parties: if a third party is compromised your only recourse may be to the law, and it may be too late by then! In addition, regulators may still hold you responsible
  • #21 Plan for the inevitable:
    o Prepare your response: escalation, communication
    o Monitor for attacks (social media, customers, traffic measurement, threat intelligence)
    o Educate staff, so they know what to watch out for, how to behave, and what to say to third parties
    o Test your plans: simulate incidents such as phishing, hacking or physical security breaches; practise your response so people know what to do
    o Plan for after the incident: document what happened and what went well or badly; review risk registers and improve mitigations
  • #22 Respond to incidents:
    o Detect and verify: beware false positives (target example)
    o Assess and report: type of threat (critical immediate; critical long term; harmful; trivial) and stage (reconnaissance; weaponisation, e.g. malware bought; delivery, e.g. phishing attack; exploitation, e.g. malware installed; action, i.e. harm). Detecting the first two stages requires an expensive threat intelligence service
    o Respond – manage the incident: contain, repair, upgrade defences; communicate internally and externally; record
    o Iterate: examine the effectiveness of defences and the plan; learn from the incident
  • #23 Identify the payback:
    o Lower insurance costs (and the ability to be insured!)
    o New business opportunities (may sometimes be a roster requirement)
    o Reputation enhancement
    o Working efficiency and higher morale
    o Like any insurance – the mitigation of potential loss
  • #24 Key management concepts:
    o Holistic: involving all elements of an organisation, not just the computer network
    o Appropriate: defining where the most effort needs to be spent to defend against risks and where risks are acceptable
    o Agile: constantly revisited and updated in the face of a rapidly changing technological environment
    o Engaging: communicated to the whole organisation in such a way that everyone accepts their responsibility to be part of the cyber security solution
    o Led effectively: sponsored by senior people who have a view of the whole business and not just one function
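
A worked risk register for the identify, quantify, treat and review steps in notes #19 and #20, as an added example that is not part of the deck: five-point likelihood and impact scales, the up-weighting of existential risks the notes recommend, a review-age check, and a sanity check that no existential risk is simply accepted. The scales, the existential floor of 20, the 90-day review interval, the `suggested_treatment` policy and the sample entries are all assumptions of this example, not the authors’ method; the sample entries are constructed from the scenarios in notes #10 and #17.

```python
"""Added example: a small risk register that scores, prioritises and sanity-checks
cyber risks the way the deck's notes describe. Scales, thresholds and the sample
entries are assumptions of this example, not the authors' own method."""
from dataclasses import dataclass
from datetime import date

# Five-point semi-quantitative scales (an assumption; the deck only says
# "likelihood, impact").
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"minor": 1, "moderate": 2, "major": 3, "severe": 4, "catastrophic": 5}
TREATMENTS = {"avoid", "transfer", "mitigate", "accept", "undecided"}


@dataclass
class Risk:
    ident: str
    description: str
    likelihood: str
    impact: str
    existential: bool = False      # could end the organisation
    treatment: str = "undecided"   # avoid | transfer | mitigate | accept
    last_reviewed: date = date(1970, 1, 1)


def score(risk: Risk, existential_floor: int = 20) -> int:
    """Likelihood x impact. Existential risks are up-weighted to at least
    `existential_floor` so a very unlikely but fatal scenario still sorts near the top."""
    base = LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]
    return max(base, existential_floor) if risk.existential else base


def suggested_treatment(risk: Risk) -> str:
    """Hypothetical treatment policy. 'transfer' on its own is never suggested:
    insurance or contract wording does not discharge regulatory or reputational
    exposure, so it only supplements avoidance or mitigation."""
    s = score(risk)
    if risk.existential or s >= 15:
        return "avoid or mitigate (transfer only as a supplement)"
    if s >= 6:
        return "mitigate"
    return "accept"


def prioritise(register: list) -> list:
    """Highest score first; ties broken by identifier for a stable listing."""
    return sorted(register, key=lambda r: (-score(r), r.ident))


def overdue_reviews(register: list, today: date, max_age_days: int = 90) -> list:
    """Identifiers of entries not reviewed within `max_age_days` (90 is an assumption)."""
    return [r.ident for r in register if (today - r.last_reviewed).days > max_age_days]


def validate(register: list) -> list:
    """Register hygiene: every entry needs a decided, known treatment, and an
    existential risk may not simply be accepted."""
    problems = []
    for r in register:
        if r.treatment not in TREATMENTS:
            problems.append(f"{r.ident}: unknown treatment {r.treatment!r}")
        elif r.treatment == "undecided":
            problems.append(f"{r.ident}: no treatment decided")
        if r.existential and r.treatment == "accept":
            problems.append(f"{r.ident}: existential risk cannot simply be accepted")
    return problems


# Constructed sample register, modelled on the scenarios in notes #10 and #17.
SAMPLE_REGISTER = [
    Risk("R1", "Laptop with an unencrypted customer list left on a train",
         "likely", "major", treatment="mitigate", last_reviewed=date(2024, 1, 10)),
    Risk("R2", "Ransomware locks the order-processing systems",
         "unlikely", "catastrophic", existential=True, treatment="mitigate",
         last_reviewed=date(2023, 9, 1)),
    Risk("R3", "Staff post 'amusing' tweets from the corporate account",
         "possible", "minor", treatment="accept", last_reviewed=date(2024, 3, 1)),
    Risk("R4", "Supplier shares our system password during holiday cover",
         "likely", "moderate", last_reviewed=date(2024, 2, 1)),
]
SAMPLE_TODAY = date(2024, 4, 1)

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.ident} score={score(r):2d} treatment={r.treatment:10s} "
              f"suggested={suggested_treatment(r)}")
    print("overdue reviews:", overdue_reviews(SAMPLE_REGISTER, SAMPLE_TODAY))
    print("register problems:", validate(SAMPLE_REGISTER))
```

Run as a script it lists R2 first (a 2 × 5 = 10 scenario lifted to 20 by the existential floor), flags R2 as overdue for review, and reports that R4 has no treatment decided. The point of the floor is the one note #19 makes: without it, the unlikely-but-fatal ransomware entry would sort below the laptop loss (12) and could quietly drop out of attention.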