JFSC and SASIG Directors' Cyber Security Masterclass - Jersey ...

Page created by Tracy Alexander
 
JFSC and SASIG Directors’
Cyber Security Masterclass
Introduction
Martin Smith, Chairman & Founder
The SASIG
   Where did it come from?
   What do we do?
   How do we do it?
   Where are we going?
Our SASIG Supporters
SASIG themes…

2015 – communication

2016 – leadership

2017 - collaboration
SASIG workstreams in 2017
Financial Services Sector
Nuclear Sector
Legal Services Sector
Retail Sector
Manufacturing Sector
Regulators’ SASIG
Managing security in the supply chain
The Internet of Things
Recovering from a major cyber attack
Directors’ Masterclasses
Metrics & measurement of security
Cyber economics
Cyber insurance
Countdown to GDPR
Strengthening the security of health & care information
SASIG Annual Gala Dinner & Networking Gala Luncheon
Eugene Kaspersky, CEO
Kaspersky Lab
(Quadrant diagram: Predict / Prevent / Detect / Respond)

PREDICT
› Know thyself: Security Assessment
› Know thine enemy: APT Intelligence Reports; Tailored Threat Intelligence

PREVENT
› Train as you fight, and fight as you train: Awareness Program; Kaspersky Lab Enterprise Security Solutions; Expert Training

DETECT
› Si vis pacem, para bellum: Targeted Attack Discovery; Kaspersky Managed Protection; Kaspersky Anti Targeted Attack Platform

RESPOND
› Clothe thee in war, arm thee in peace: Incident Response Services; Kaspersky Managed Protection
Denis Philippe
Head of ICT, JFSC
Cyber Security: What Executives Need to Know
› Agenda

›   What happens to the JFSC
›   Cyber and the Boardroom
›   Key cyber risks
›   Strategy
›   Training
›   Certification
›   Scope and scale
›   Review
› Cyber-Security Mission Statement

“Commission-held information[1], in all its forms, written, recorded electronically or printed, will be protected from accidental or intentional unauthorized access, modification, or destruction throughout its life cycle”

[1] This includes all information created or owned by the Commission as well as information collected by or provided to the Commission by external parties for the execution of the Commission’s activities
› What happens to the JFSC

› Subjected to approximately 3,800
  network security attack attempts DAILY

› Process over 5,000 emails per day with
  up to 34% of inbound traffic being
  rejected due to identified threats

› Website screening prevents access to
  high risk content (< 0.1% traffic)
› Cyber and the Boardroom

› 32% of Boards do not receive information security updates
› 45% of Boards do not believe it is important
› Fire Metaphor
  (Diagram: FIRE as an opportunistic, indiscriminate threat that exploits vulnerability and owns everything)
› What information should you get?

›   What is important to your business?
›   Open or outstanding High Risks
›   Incident summary and impact
›   Incidents affecting competitors/peers
›   Steps to prevent reoccurrence of previous incidents
› Key Cyber Risks
› What?

› Definitions of what we protect:
 › Private & personal information
 › Legal definition versus what people actually value
  (Diagram: the gap between the two creates extended reputational risk)
› People

› Vigilant
› More complex
› Vulnerable

› 50% of people take some form of confidential information with them when they leave an organisation
› Systems

›   Complex interconnected systems
›   Up-to-date patching
›   Effective change control
›   Understand where your data is and how it is being used
›   Malware / zero-day protection and detection
›   Ensure good, well tested backups
›   Offline backups (ransomware)
› Why?

› Mitigate Risk – “Data is a commodity of interest to many”

› Extensive investment in providing an interconnected and
  online mode of stakeholder engagement is being balanced
  with a significant effort and investment in our security to
  protect the systems and data we are collecting and holding
› Suppliers

›   Trust, but verify
›   Vetting requirements
›   Consider contractors etc.
›   Don’t forget the cleaners…
› Strategy
› Do you have a cyber strategy

›   Who owns your cyber strategy?
›   Is it aligned with the business strategy?
›   Is it realistic?
›   Is it being monitored?
› Governance
› What if something happens?

›   Not all about Detect and Protect
›   Ensure that tested incident response plans are in place
›   Ensure that people are aware of their responsibilities
›   Cyber insurance
›   Plan for external support
›   Communications plan – Media, Law Enforcement,
    Regulator
› Training & Awareness
› Training
› Who is being trained?
    ›    User
    ›    Board members
    ›    Suppliers
    ›    Contractors
›   How are you training?
›   Training lifespan!
›   Awareness
›   Testing
  (2 weeks: length of time people retain information after training!)
› Awareness
› Vigilance
 › Phishing / Whaling
 › Social engineering
› Sub conscious
 › Small bite sized chunks of information to supplement training
 › Posters
 › Screen savers
› Balanced message
 › Don’t overload people to the point they stop listening
› Community
› Building walls is not enough
› Flexibility and collaboration are key
› Improved intelligence will improve
  detection
› Understand the landscape threats
› Certification
› Organisation

› Cyber Essentials
› ISO
› NIST
› Blended?
  5 Pillars based on a blend of NIST and ISO 27001: Identify, Protect, Detect, Respond, Recover
  This blend of NIST and ISO allows us to speak to other regulators and registries in security terms they understand
› Staff

› Staff training and certification
 › Certified Information Systems Security Professional (CISSP)
 › Certified Information Security Manager (CISM)
 › ISO 27001 Lead auditor
 › BCS Certificate in Information Security Management Principles
› Suppliers

› Ensuring suppliers are certified ISO/NIST (or aligned)
› Seek the right to audit as part of contracts
› Add security questions to tender documents
› Vetting of staff and own suppliers
› Scope and scale
› Don’t boil the ocean

›   Set reasonable objective
›   Focus on what is important to you and your customers
›   Focus on doing things well
›   Cyber hygiene basics
› What about you?
› Lead from the front
› Become part of the solution and show you understand

› Soft targets = weak link in the chain. Bigger prizes at the top

  (Diagram “Humanware 2.0”: People, Skills, Knowledge)

› Cultural evolution through training and secure behaviours
› Habits
› 40% of daily actions are driven without thinking:
  › Changing gear
  › Tying shoe laces
  › Locking the front door

› Bad habits include:
  › Writing down passwords
  › Leaving computers/devices unlocked
  › Clicking on emails and links without knowing what they are or where they go

› “Evidence has shown that a large number of cyber hygiene issues have become bad
  habits.” Bikash Barai
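The last bad habit on this slide, following a link without knowing where it goes, is one that can be checked mechanically on the receiving side rather than left to the reader. The script below is an added example and is not code from the JFSC or SASIG decks: it parses the anchors in an HTML message and flags any whose visible text names a different domain from the real href, whose host is punycode (an internationalised-domain lookalike), or which points at a raw IP address. The sample message, the example.net/example.com destinations, the TEST-NET IP address and the two-label approximation of a registrable domain are assumptions for illustration; a production check would consult the Public Suffix List.

```python
"""Flag links in an HTML e-mail whose visible text, host or address suggests
deception.  Added example, not part of the JFSC/SASIG slides; the sample
message below is constructed for illustration."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: three deceptive anchors and one honest one.
SAMPLE_HTML = """
<p>Dear customer,</p>
<p>Please <a href="http://login.example.net/verify">https://www.jerseyfsc.org/login</a>
to confirm your details.</p>
<p>Or use <a href="https://xn--exmple-cua.com/">example.com</a>.</p>
<p><a href="http://203.0.113.7/update">Update now</a></p>
<p>Our site: <a href="https://www.jerseyfsc.org/">www.jerseyfsc.org</a></p>
"""

# Visible text that itself looks like a URL or bare hostname.
_URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(s):
    """Lower-cased host of a URL or bare hostname; '' if there is none."""
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def _registrable(host):
    """Assumption for this example: treat the last two labels as the
    registrable domain.  Real checks should use the Public Suffix List."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return [(href, visible_text, [reasons])] for anchors worth a second look."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if href.lower().startswith(("mailto:", "tel:", "#")):
            continue  # not a web destination; out of scope here
        href_host = _host_of(href)
        if not href_host:
            continue  # relative link, nothing to compare
        reasons = []
        if _URL_LIKE.match(text):
            text_host = _host_of(text)
            if _registrable(text_host) != _registrable(href_host):
                reasons.append(f"text shows {text_host} but link goes to {href_host}")
        if any(label.startswith("xn--") for label in href_host.split(".")):
            try:
                shown = href_host.encode("ascii").decode("idna")
            except UnicodeError:
                shown = href_host
            reasons.append(f"punycode host {href_host} (renders as {shown})")
        if _is_ip(href_host):
            reasons.append(f"link to raw IP address {href_host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_HTML):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print("   ", r)
```

Run on the constructed message it reports the first three anchors and passes the honest fourth. The same function can be wired into a mail gateway or a user-facing "where does this really go?" tool; the point for awareness training is that the visible text of a link is under the sender's control and proves nothing.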
› Malicious Users

› IP theft or sabotage for their own benefit or that of others

› 50% of those who steal data do so in their last month of work
› 70% of those who steal data do so two months before leaving
  (Ref: Dawn Cappelli)
› Have a training and awareness plan
› Review
› Things to spend time on

     Ensure you are receiving updates

     Support your security team and get trained

     Support your strategy
› Useful links
›   https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/385009/bis-14-1277-cyber-security-balancing-risk-and-reward-with-confidence-guidance-for-non-executive-directors.pdf

›   https://www.nccgroup.trust/globalassets/resources/uk/ebooks/ebook_cyber-risk-security-guidance-for-non-exec-directorspdf/
Follow us at @JerseyFSC
Like us at Jersey Financial Services Commission
Follow us at Jersey Financial Services Commission
Denis Philippe, Head of ICT: D.Philippe@jerseyfsc.org
Martin Smith, Chairman & Founder
THE SASIG
The Human Factor
Integrating cybersecurity into the employment lifecycle

Martin Smith MBE FSyI
Chairman and Founder
The Security Company (International) Ltd
The Security Awareness Special Interest Group
Who am I?
Some of our clients…
We need to work the problem
› Our secure systems are built to perfection but are being subjected to massive external attack.

› Cybercrime is rapidly increasing, data breaches are reported in the Press on a daily basis, and IP is at grave risk.

› Privacy is considered as “something of the past”.

› National infrastructures are under direct threat of attack from other nation states.
Examine the evidence
› The vast majority of breaches and security events occur at the most basic levels of our defences.

› Most attacks succeed by subverting physical security, by exploiting sloppy housekeeping and errors in systems operations and patching, and by directly targeting people.

› Social media makes social engineering easy.

› BYOD is emasculating our technical defences.

› Human error and ignorance amongst our workforces present an enormous gap in our fortification.

› Our supply chains are massive.
Old crimes, new tricks…?
We all believe what we are told
Security should influence every stage of
  your employment lifecycle

1. Recruitment and the interview process
2. Pre-employment screening, vetting, contracts of employment
3. On-boarding, induction, socialisation, probationary periods
4. Performance management, supervision and staff appraisals
5. Internal movement, promotion and career development
6. Security awareness, training and incentives (the “carrot”)
7. Disciplinary policies and procedures (the “stick”)
8. Termination of employment, exit strategies
9. The integrity of suppliers, contractors and other third parties
Actually, people want to help…

› There is an enormous willingness amongst any supply chain to follow good cyber security practice.

› The vast majority of any workforce, including those of our suppliers, is intelligent, honest, hardworking and sensible.

› To win our suppliers’ support, we just need to tell them what it is we want them to do and why, in language they can understand.

› We must explain the benefits of good cyber security management - “What’s in it for me?”
The impact we fear the most
How big is your security and fraud prevention team?
The elephant in the room…

› The “Mark 1 Human Being” remains the greatest and continuing weakness in the entire security regime, but at the same time can be our greatest supporter.

› Often it is the breach of trust that we must fear, not the breach of security.
“Problems are never
solved at the same level
of awareness that created
them…”

           Albert Einstein
Questions?

Contact me:

martin@thesecurityco.com

@MartinSmith_TSC

+44 (0) 1234 708456

www.thesecurityco.com
www.thesasig.com
Panel and Q&A Session
Facilitated by Martin Smith, Chairman, The SASIG
› Eugene Kaspersky, CEO, Kaspersky Lab
› Ian Bishop-Laggett, Internal Security Controls Manager, Schroders
› Denis Philippe, Head of ICT, JFSC
Final Address
John Harris, Director General
Jersey Financial Services Commission
In summary
› Directors to ensure that cyber is a priority throughout their
  organisations
› JFSC is building Island-wide awareness of regulatory
  responsibility for cyber security
› Cyber security needs to be a collective responsibility and
  success for the Island
› Jersey is committed to cyber security (dedicated government strategy)
› Cyber no longer just about technology - PEOPLE
› Core business issues
› Leave today with heightened awareness
The current regulatory approach
› Not a traditional “us and them” relationship – all in this together
› Questionnaire based on ISO and NIST standards – what vulnerabilities and responses?
› Meant to be used as a self-assessment tool. Thought provoking
› No right answers – but seeking proportionality
› Sample approach – mandatory for those requested / but available to all regulated firms
› Issued end of March
› Aggregate report will be compiled and published – using anonymised information
› Will inform next steps
Closing Remarks
Martin Smith, Chairman & Founder
The SASIG
Thank you