Too Small to Get Hacked? Think Again. (Webinar)
Actionable Strategies to Protect Your SMB
Agenda
• Introductions
• The Current Security Landscape
• Most Common Types of Threats & Cyberattacks
• How to Prevent the Most Common Types of Threats (at any budget)
• Why and How to Engage with Vendors
• Q&A
Meet the Speakers
Nikola Todev
Head of Info Sec
OnRamp
Nemi George
Sr. Director of Info Sec
& Service Operations,
Pacific Dental Services
Terry McDaniel
Vice President of IT &
Executive
Source Power and Gas
About OnRamp
OnRamp, a LightEdge company, offers
HITRUST-certified data center
services with a focus on delivering
highly available and secure hybrid
hosting.
The combination of OnRamp and
LightEdge creates the strongest
compliance and security solutions
portfolio on the market.
Together, they operate 7 enterprise-class data centers to deploy cloud computing,
colocation, disaster recovery and managed services.
About Source Power & Gas
Source Power & Gas is a Texas-based retail energy provider with
retail operations in the Texas, Illinois, Ohio, Maryland and New Jersey
markets. We pride ourselves on providing both competitive rates and
exceptional customer service to all our customers - from residential
consumers to the largest commercial and industrial clients.
More at www.spgenergy.com
About Pacific Dental Services
Founded in 1994, Pacific Dental Services® (PDS®) is
one of the country’s leading dental support
organizations, providing supported autonomy that
enables dentists to concentrate on clinical excellence
and the highest levels of cost-effective comprehensive
patient care. PDS originated the PRIVATE PRACTICE+®
model to enable dentists to focus on their passion:
serving patients.
More at www.pacificdentalservices.com
POLL
The Current Landscape
58% of data breach victims are small businesses
(2018 Verizon Data Breach Investigations Report (DBIR))
The average total cost of a data breach reached $3.86 million in 2018
Likelihood of a recurring material breach over the next two years: 27.9%
(2018 Cost of a Data Breach Study by Ponemon)
What is a Cyberthreat?
The possibility of a malicious attempt to damage or disrupt a computer network or system with the intention to access files or steal data.
Types of Cyberthreats
• External Threats – e.g. social engineering
• Insider Threats – e.g. an employee maliciously sells login credentials that give access to valuable information
Most Common Types of Cyberattacks
1. Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
2. Man-in-the-middle (MitM) attack
3. Phishing and spear phishing attacks
4. Drive-by attack
5. Password attack
6. SQL injection attack
7. Cross-site scripting (XSS) attack
8. Eavesdropping attack
9. Birthday attack
10. Malware attack
Sources: netwrix.com (2018), thebestvpn.com
1 in 131 emails contains malware
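Of the attacks listed above, SQL injection is the one most directly fixable in code, so an added example follows. It is not part of the webinar and not code from any of the presenters' systems: a constructed SQLite login check written the vulnerable way (user input pasted into the SQL text) beside the parameterized form, run against a constructed one-row users table. The table contents, the login_vulnerable/login_safe function names and the two payloads are assumptions for illustration; a real system stores a salted password hash, never the password itself.

```python
"""Added example (not part of the webinar): SQL injection, vulnerable vs. parameterized.

Uses an in-memory SQLite database with a constructed 'users' table so it runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed sample data. A real system stores a salted password hash,
    # never the password itself; plaintext is used here only to keep the demo short.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse-battery-staple')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The attack surface: user input is pasted into the SQL text, so a quote
    character lets the caller rewrite the WHERE clause."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: a parameterized query. The driver binds the values as data after
    the statement is parsed, so they can never become SQL syntax."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    # Payload 1: a trailing "--" comments out the password check entirely.
    bypass_user = "alice' --"
    # Payload 2: make the password clause always true.
    bypass_pass = "' OR '1'='1"
    print("vulnerable, comment payload:", login_vulnerable(db, bypass_user, "wrong"))  # True
    print("safe,       comment payload:", login_safe(db, bypass_user, "wrong"))        # False
    print("vulnerable, OR payload:     ", login_vulnerable(db, "alice", bypass_pass))  # True
    print("safe,       OR payload:     ", login_safe(db, "alice", bypass_pass))        # False
```

The same pattern applies to every database driver an SMB is likely to use: bind parameters, never format strings, and an injection payload is reduced to a username nobody has.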
POLL
How Can You Protect Your Business?
• Perform analysis of the value of your assets. Which
assets are worth protecting?
• Understand how your business services interact with
the customers
• Develop goals for managing risks, security and
compliance
• Implement an Information Security Management
Program and Governance
• Determine what resources are available to achieve
goals. Will you need the assistance of outside vendors?
Classification of Assets
How data is used and/or accessed determines the level of
risk you’re willing to accept and the time, effort, and
money it takes to secure assets based on their value.
What is the impact on your operations if these assets are compromised?
(financial implications, reputational damage, loss of business
opportunities, or legal consequences)
Image Source: securefirstsolutions.com
How Can You Protect Your Business? (Cont.)
Take a holistic approach:
• People
• Program Development
• Processes, Policies, and
Procedures
• Technology
Risk Management Process (figure): Communicate
People
• Conduct Employee Training (at least once per year)
• General Training
• Group-Specific Training
• Manage roles and identities
• Use gamification of security awareness to develop a culture of
security
Your employees are either your greatest asset or your weakest
link! 47% of business leaders report a data breach at their
organization caused by employee negligence. For example, weak,
stolen or reused passwords are behind 81% of hacking-related breaches.
Sources: SecurityMagazine.com, InfoSecurityMagazine.com
Develop an Information Security Management Program
• A system with built-in maturity assessment and measurement of
control effectiveness. The CIS Controls (formerly the SANS Top 20)
and ISO 27001 are a good place to start.
• It creates a minimum benchmark for operation and also sets a
target for compliance and remediation. The program must be backed
up with a minimum technology security baseline program.
• Create a security scorecard
Processes, Policies, & Procedures
Focus on user-centric security and audit operational and business
processes. Be sure to enforce policies once they’re developed:
• e.g. Data Classification Policy, DLP, Acceptable Use Policy,
Change Management Policy, Remote Access Policy, Password Policy
• Implement controls that prevent issues before they occur:
• e.g. network segmentation, access control
• Perform periodic security assessments/audits with penetration
testing
• Be prepared for incidents: conduct simulations, including
incident response
Technology
Choose tools that assist in managing the risks of your business
services: defense, monitoring, threat awareness, visibility and
automation.
Prevention / Detection / Response (figure)
Redundancy is also key: use data backups and implement a disaster
recovery plan.
• Data encryption in transit and at rest
• Firewalls
• Identity and access management
• Multi-factor authentication
• Cloud encryption
• Audit logs showing access to data
• Vulnerability scanning, intrusion detection/prevention
• Hardware and OS patching
• Security audits
• Security Information & Event Management (SIEM)
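The list above names audit logs, intrusion detection and a SIEM; the "Password attack" entry in the earlier list of common attacks is what those tools most often catch first. The following is an added example, not part of the webinar and not any presenter's tooling: a small Python detector run over constructed OpenSSH-style auth-log lines (RFC 5737 documentation addresses). It flags a brute-force run against one account, a password spray across several accounts from one source, and a successful login that follows a burst of failures from the same source. The log lines, the thresholds, the year 2018 assumed for the year-less syslog timestamps, and the function names are all assumptions for illustration.

```python
"""Added example (not part of the webinar): brute-force / password-spray detection
over constructed OpenSSH auth-log lines, the kind of rule a SIEM would run."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (RFC 5737 documentation addresses; not from any real system).
SAMPLE_LOG = """\
Mar  3 10:01:02 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:03 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar  3 10:01:05 web1 sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar  3 10:01:08 web1 sshd[2107]: Failed password for invalid user admin from 203.0.113.7 port 51125 ssh2
Mar  3 10:14:30 web1 sshd[2210]: Failed password for alice from 198.51.100.23 port 40010 ssh2
Mar  3 10:14:41 web1 sshd[2212]: Failed password for bob from 198.51.100.23 port 40011 ssh2
Mar  3 10:14:52 web1 sshd[2214]: Failed password for carol from 198.51.100.23 port 40012 ssh2
Mar  3 10:15:03 web1 sshd[2216]: Accepted password for dave from 198.51.100.23 port 40013 ssh2
Mar  3 10:20:11 web1 sshd[2301]: Failed password for alice from 192.0.2.10 port 55000 ssh2
Mar  3 10:20:19 web1 sshd[2303]: Accepted password for alice from 192.0.2.10 port 55000 ssh2
Mar  3 10:20:20 web1 sshd[2303]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

# OpenSSH "Failed/Accepted password" line layout; any other line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_auth_log(text, year=2018):
    """Return (timestamp, source_ip, user, succeeded) tuples, oldest first.
    Syslog timestamps carry no year, so one is supplied (assumed 2018 here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the padded day ("Mar  3")
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    events.sort()
    return events


def detect_password_attacks(text, window=timedelta(minutes=5),
                            same_user_fails=4, spray_users=3, fails_before_success=3):
    """Three rules, each evaluated per source IP over a sliding time window:
      brute_force            - >= same_user_fails failures against one account
      password_spray         - failures against >= spray_users distinct accounts
      success_after_failures - a login succeeds after >= fails_before_success failures
    Returns a sorted list of (rule, source_ip, user) alerts; '*' means any user."""
    by_ip = defaultdict(list)
    for ev in parse_auth_log(text):
        by_ip[ev[1]].append(ev)

    alerts = set()
    for ip, evs in by_ip.items():
        for i, (ts, _, user, ok) in enumerate(evs):
            # Failures from this IP inside the window that ends at the current event.
            recent_fails = [e for e in evs[: i + 1] if not e[3] and ts - e[0] <= window]
            if ok:
                if len(recent_fails) >= fails_before_success:
                    alerts.add(("success_after_failures", ip, user))
                continue
            if sum(1 for e in recent_fails if e[2] == user) >= same_user_fails:
                alerts.add(("brute_force", ip, user))
            if len({e[2] for e in recent_fails}) >= spray_users:
                alerts.add(("password_spray", ip, "*"))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, ip, user in detect_password_attacks(SAMPLE_LOG):
        print(f"{rule:24} source={ip:15} user={user}")
```

The thresholds are starting points to tune against a normal week of your own logs. The first two rules are noise on any internet-facing host and belong in a dashboard; the third (a success right after a run of failures from the same source) is the one worth waking someone up for, and the one MFA on the account would have stopped.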
SMB Case Studies
Code Spaces: a former SaaS provider
Hit by a DDoS attack while the attacker also gained access to its Amazon Web Services
control panel and demanded a fee to resolve the issue. When Code Spaces tried to regain
control, the attacker erased data, backups, offsite backups and configurations. Unable
to recover or to repay customers, Code Spaces could not continue operations and closed.
Medium-sized Retail Organization ("ABC Company")
ABC Company had a very robust cybersecurity plan with a tested DR plan. A key
vendor, while going through integration work with ABC, was successfully attacked with
ransomware. ABC's security posture prevented the attack from entering ABC's systems,
but the attack on the vendor took out operations for over two weeks. The final cost to
the vendor is still being determined, but ABC Company lost close to half a million
dollars because of the impact on day-to-day operations.
Nearly 60% of small businesses fail within six months of being hacked.
Vendor Assessment
• Security
• Understands your business goals
• Credentials & certifications
• Service Level Agreements (SLAs)
• Meets your BAA requirements (if applicable)
• Expertise in your industry
• Availability & scalability
Beware of 3rd Party Risk Indicators
• Turnover of the vendor’s key personnel
• IT glitches, operational failures and
stoppages
• Outdated IT systems and equipment
• History of frequent data breach
incidents
• Legal actions against the vendor
• Poorly written security and privacy
policies and procedures
Thank you! Questions?
Contact Us
Nikola Todev
Head of Info Sec
OnRamp
Ntodev@lightedge.com
Nemi George
Sr. Director of Info Sec
& Service Operations,
Pacific Dental Services
Nemi.George@pacden.com
Terry McDaniel
Vice President of IT &
Executive
Source Power and Gas
tmcdaniel@spgenergy.com

Editor's Notes

  • #8 Do you currently have a plan in place to mitigate and contain an attack?
  • #9 How much time have you spent thinking about, or how much money have you spent on, cybersecurity? How many have a plan in place if they were hacked today? What would happen if they were fined $100k by the government (use any number here)? How would it impact your operations, or would it force your business to close?
  • #10 Discuss the difference between an incident and a breach.
    External – give examples:
    • Mass emails to employees posing as trusted persons or companies; a user clicks on a link and the malicious code is in the system
    • Social engineering: an attacker calls posing as IT to get you to give your login information
    • Thumb drives left in public places with malicious code installed that auto-runs when plugged in to a computer
    Insider – give examples:
    • Employee maliciously gives/sells login information
    • Employee loads code into the system
  • #11 Denial of Service attacks are the most common type of attack, largely because they are performed externally and most of the time organizations do not realize they are under attack, putting performance hits down to slow speeds, congestion, or endpoint issues. They are also the hardest to prevent, although once in progress they are fairly easy to address with the right tools and personnel. Man-in-the-Middle (MitM) attacks are the 2nd most common: a hijacker inserts itself between client-server communication. Phishing and spear phishing are the 3rd most common, but the 2nd most difficult to prevent, as they rely on employee and user behavior. Phishing and other social engineering attacks are still the easiest and least expensive way to attack most organizations, and they are especially effective due to their scatter-gun approach, especially when used to distribute malware. How often do these occur?
  • #12 What barriers are keeping you from protecting your business and its assets?
  • #13 What is the value of the assets, and what are the threats to those assets (value, ownership, availability)?
    Terry regarding goals: Deciding what industry standard to implement, like ISO 27001, NIST, etc. Our goals in the most basic terms were: 1. Plan (decide standard), 2. Assessment, 3. Fix critical, 4. Identify data criticality, 5. Develop and implement DR plan, 6. Implement SIEM with automation.
    Nikola regarding goals: Sample goals for managing risks, security and compliance include:
    • Definition of levels of criticality above which we must act with a sense of urgency, authorization for risks above certain levels, etc.
    • Ability to control access to different levels of assets
    • Ability to monitor access to and usage of assets
    • Ability to exchange sensitive assets with partners in a secure and confidential manner
    • Ability to dispose of sensitive assets in a safe, unrecoverable manner
    • Compliance with requirements of specific frameworks to enable business with specific entities
  • #14 This goes back to poll – if you said yes, but haven’t identified and classified your assets, you have a faulty cybersecurity plan!
  • #16 Employee negligence is the main cause of data breaches, according to a State of the Industry report by Shred-it, an information security company. The report found that 47 percent of business leaders said human error, such as accidental loss of a device or document by an employee, had caused a data breach at their organization.
    Gamification: running social campaigns such as USB drops and phishing simulations is good practice to raise awareness and turn your greatest asset / weakest link into security agents. Produce dashboards on the outcomes of exercises: most phish-prone department to least prone department, first 5 people to report a phishing mail, etc. Reward with prizes: a $25 voucher, a T-shirt, or just a mention in the weekly office memo / newsletter.
  • #18 Highlight a few of these policies
  • #21 Do you know where your data is being stored, processed or transmitted to? Who has access to your data? Do they work onshore / offshore? Is their organization regulated? Do they have logical and physical security controls? Do they have a named individual responsible for information security? etc.
  • #22 Discuss the warning signs of a 3rd party that is struggling with its own security measures and will likely put you at risk, too. It is not impossible to determine, as some organizations indicate across studies.