Your organization is at risk of cyber threats according to cyber security experts presenting at a conference. They recommend upgrading IT security and governance by implementing frameworks like COBIT 5 and ISO 27001 to address increasing risks from incidents like data breaches, malware attacks, and vulnerabilities in connected devices. National computer emergency response teams can also help organizations respond to IT security incidents.
Upgrade IT Security & Governance to Reduce Cyber Risks
1. Your organization is at risk! Upgrade your IT security & IT governance now.
Cyril Soeri MA RA CISA - Tjong A Hung Consulting N.V.
Gregory Tai-Apin CISA, ISO 27001 ISMS Certified Lead Implementer, COBIT 5 Foundation Graduate - BNETS
Jai Udit BSc - Telecom Autoriteit Suriname
2. Programme
• Cyber risks: a clear and present danger;
• Incidents and financial impacts;
• Personnel identified as weak links in IT security incidents;
• Solutions to cyber threats?
• National solutions to IT incidents.
4. Awareness of your IT environment
• Do you have your company’s e-mail accounts on your privately owned smartphone?
• Consider a Bring Your Own Device (BYOD) policy;
• Do you use open Wi-Fi networks to contact your employer and clients?
• Consider a Virtual Private Network (VPN) connection and encryption techniques;
• Do you share your company’s work files on your smartphone or Dropbox account?
• Consider access controls and information classification;
• Do you use your tablet or smartphone to read your clients’ data?
• Consider a BYOD policy;
• Do you have confidential and work-related conversations using VoIP?
• Consider encryption techniques;
• Are you aware of the ICT security policy plan of your company?
• ICT awareness - People, Policy & Technology (PPT).
5. Cyber risks: a clear and present danger
Source: Global State of Information Security Survey 2015, PwC, 30 September 2014
www.pwc.com/gsiss2015
6. Known cyber attacks and risks (1)
Stock exchanges also have become routine targets
A survey of 46 global securities exchanges conducted by the International Organization of Securities Commissions (IOSCO) and the World Federation of Exchanges Office found that more than half (53%) had experienced a cyber attack.
Consumer data
Huge heists of consumer data were also reported in South Korea, where 105 million payment card accounts were exposed in a security breach. And in Verden, Germany, city officials announced the theft of 18 million e-mail addresses, passwords, and other information.
Banks & ATM accounts
Cyber thieves plundered more than $45 million from worldwide ATM accounts of two banks in the Middle East.
7. Known cyber attacks and risks (2)
Government surveillance & cyber attacks
• The revelations of cyber surveillance of individuals, businesses, and nations have also prompted many international businesses and governments to reconsider purchasing products and services from companies that may be affiliated with government entities.
• Other examples of state-sponsored espionage were uncovered by security firm Symantec, which discovered attacks against major European governments that had been under way for at least four years. Because of the chosen targets and the sophisticated malware employed, Symantec believes a state-sponsored group is coordinating the attacks.
• Geopolitical discord, most notably between Russia and Ukraine, resulted in a volley of cyber attacks between the two nations that took down and defaced government websites on both sides of the conflict, as well as spreading malware to the computers of embassies.
8. Known cyber attacks and risks (3)
Heartbleed defect
• One of the year’s most far-reaching incidents was the Heartbleed defect, which impacted almost two-thirds of web servers around the world, including some of the most popular e-mail and social networking sites.
• It is believed to have compromised millions of websites, online shopping destinations, and security applications, as well as software like instant messaging, remote access tools, and networking devices.
• In the first intrusion attributed to the Heartbleed defect, a US hospital chain reported the theft of 4.5 million patient records in August.
9. Known cyber attacks and risks (4)
Internet of things
• We also saw increases in attacks on connected consumer devices—such as baby monitors, home thermostats, and televisions—that comprise the Internet of Things, a nascent ecosystem of devices that interconnect information, operational, and consumer technologies. These Internet-connected devices are vulnerable to attack because they lack fundamental security safeguards, a point verified by a recent HP Fortify on Demand study.
• HP reviewed 10 of the most commonly used connected devices and found that 70% contain serious vulnerabilities.
11. IT Security compliance or penalties
Regulators around the world are more proactively addressing cyber risks
• In an indicator of how the regulatory landscape is evolving, the US Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) recently announced that it plans to examine the cybersecurity preparedness of more than 50 registered broker-dealers and investment advisers.
• In Asia, the Singapore Personal Data Protection Act establishes new standards for the collection, use, and disclosure of personal data. Organizations that do not comply with the act are subject to financial penalties of up to $1 million (SGD) or $788,995 (USD).
• The new guidance highlights several unique requirements, such as suggesting that organizations have cyber insurance and be able to produce a comprehensive inventory of all security incidents and breaches. SEC guidance also requires that businesses implement risk-assessment processes, as well as more effectively assess vendor risks and perform due diligence.
23. COBIT 5 Framework
• Simply stated, COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
• COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and functional areas of responsibility, and considering the IT-related interests of internal and external stakeholders.
• The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
24. COBIT 5 Framework (2)
• COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.
• COBIT 5 does not focus only on the ‘IT function’, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
COBIT 5 provides a comprehensive framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.
32. ISO27001
• ISO 27001 is a specification for an information security management system (ISMS);
• 14 control objectives, 114 controls (listed in Annex A of the standard).