The Cybersecurity Shift

Making Security Central To The Organization

Heather Stratford

CEO of Stronger International - An International Cyber Security Training and Consulting Firm.

Has 20 years of experience in Leadership and Business Development.

Worked in All areas of Business - Fortune 500 to Start-ups

Entrepreneur - started and taken over national companies

Gravitated to Technology and Cyber Security because she saw a growing market that was essential for all businesses.

Lectures around the country

Why is Cyber Security Important?

Would you Lock your business door?

What’s changed in the last few years?

Compromised Credentials

Cloud Security verses private

networks?

History of Hacking1983 - Six Milwaukee teens, the “414s,” are detained by the FBI for breaking into over 60 computer networks. This was one of the first high-profile hacking arrests.

1986 - Congress passes the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act, making it criminal to hack computer systems.

1991 - During the Gulf War, the DoD network was breached. Sensitive military information including development plans for weapon systems was accessed.

1994 - Two teenage hackers break into NASA and the Korean Atomic Research Institute.

History of Hacking

1995 – Vladimir Levin steals millions from CitiBank and Kevin Mitnick takes 20,000 valid credit card numbers and personal information records.

1998 – The Pentagon is successfully hacked, and US Atty Janet Reno forms the National Infrastructure Protection Center.

2000 – A new virus hits the internet every hour. The “I Love You” virus debuts.

2001 – Microsoft’s sites in 4 countries are taken down by a DDoS attack. In 2002, Bill Gates announces security features will be added to Windows products.

History of Hacking

2003 – Anonymous is formed

2006 – KamaSutra replaces files with “garbage” - 3rd of the month.

2007 – Spear-phishing success at the Office of the Secretary of Defense

2013 – Tumblr is hacked – 65,469,298 emails are stolen

2015 – Target and Home Depot attacks

2016 – DNC emails leaked on WikiLeaks

2017 – Petya, NotPetya, and WannaCry

What is the chance of catching a hacker

behind a breach and putting him/her

behind bars?

A. Depends on how soon you start looking

B. Extremely low

C. 50/50

D. Depends on who is looking for the hacker

Hacking Timeline

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

“The methods that will most effectively minimize

the ability of intruders to compromise information

security are comprehensive user training and

education.

Enacting policies and procedures simply won't

suffice. Even with oversight the policies and

procedures may not be effective.

My access to Motorola, Nokia, AT&T, and Sun

depended upon the willingness of people to

bypass policies and procedures that were in

place for years before I compromised them

successfully”

- Kevin Minnick

Source: breachlevelindex.com. Data represented on this slide changes frequently, live, and was captured for display on 2017-04-19.

Data Breach Statistics

,

Only 4% of breaches were “Secure Breaches” where encryption was used and the stolen

data was rendered useless.

DATA RECORDS HAVE BEEN LOST OR STOLEN SINCE 2013

7 0 9 4 2 19 2 60, ,

EVERY

DAY

4,521,939RECORDS

EVERY HOUR

188,414RECORDS

EVERY MINUTE

3,140RECORDS

EVERY

SECOND

52RECORDS

No matter how safe you think you are…

Phishing is now the #1 delivery vehicle for

ransomware and other malware.

Between 10-30% of Phishing emails get opened.

1 in 3 companies have fallen victim to CEO fraud

phishing emails.

Costs related to phishing attacks more than

doubled over the course of four years.

Source: resources.infosecinstitute.com

Where are we Now?

Current Threat Landscape

Growing number of vulnerabilities discovered each week/day

The emergence of new techniques

The continued rise of blended threats

The shrinking time between vulnerability discovery and exploitation development

Increasingly aggressive and evasive malware

How much is a medical record

worth on the black market today?

A. $0.20

B. $2

C. $10

D. $200

How much is a credit card worth

on the black market today?

A. $200

B. $20

C. $2

D. $0.20

3 Areas that must Change

1. Simplify the system.

2. Change the Dialog

3. Establish a Security

Minded Culture

Technology Increases

Security 'Sprawl' Not Sustainable

The most common approach to safeguarding digital

assets is “defense in depth," adding more and more

layers—and products—to effectively build bigger

walls and patch holes in on-premise security.

In an October of 2015, Morgan Stanley survey of CIOs,

most said they had bought or planned to buy more

than 15 different security technologies.

Ho

w M

any

Laye

rs o

f P

rod

uct

s an

d

Secu

rity

do

es y

ou

r o

rgan

izat

ion

Hav

e?

Security

Security

Security

Legacy Security

Legacy Security

Security

Partner Security

Sister Company Security

Security

Security

Adding more makes more complexity

“The status quo

is not sustainable." Keith Weiss, head of U.S. software coverage for Morgan Stanley.

While companies spend more on security, losses related to cybercrime have nearly doubled

in the last five years.

More is Not Necessarily Better

The current strategy of most

organizations —layering on many

different technologies —is not only

proving ineffective, it is overly

complex and expensive.

You’re Only

as Strong as

Your Weakest Link

Don’t manage the device, manage the data.

Hotel California Model

Problem: Tidal wave of consumer devices

Potential Solution: Data-centric security models.

“The “green screen” is back in vogue and Citrix has become everyone’s best

friend, as companies herd data away from the endpoints to protected areas.”

You can check out, but never leave.

Growing Security Spending

Cyber Security Attacks and

increasing

Organizations of all sizes are

spending more money to shore

up their digital defenses.

Evolving Threat Landscape

Internet of Things (IoT)

Point of Sale (PoS) malware

Within a few years we will have 30 Billion

Connected Devices.

20 years ago cars contained 1 million lines of code.

Today they contain about 100 million lines of code

with defects appearing at least every 50 lines of

code.

How many people, in your Organization,

are on the Security Team?

The Lucy Lesson

What do we learn

from this video?

Complex and Struggling

Cyber-security threats have suddenly become so complex, sophisticated, and transnational, companies

are struggling to stay current.

“When a data breach hits the headlines, there is an instinctive reaction that somebody screwed up and left a door unlocked. This only further fuels the fire that breached companies must redouble fortification and detection. That might be true, but the reality is that companies, above all else, should pivot their attention and focus to data breach response.” David Fontaine, CEO of Corporate Risk Holdings (parent company of Kroll

What’s Needed in the Future

More automation and greater visibility across enterprises. For a

better Cyber Security Future we need integrated solutions that can

detect and abate breaches more efficiently and cost-effectively.

More AutomationGreater Visibility

Across EnterprisesIntegrated Solutions

How to Change the

Cyber Security Discussion?

Geek Speak

•Analyzed 1,452,134 logs

•Detected 423,132 viruses

•Blocked 2,028,438 connections

•Closed 3,095 Incident Tickets

•Patched 30,000 Systems

VS

Prevented 2 Cyber-Crime Attack s

• Linked to ABC Criminal Organization

• Targeting POS Systems

• Prevented theft of 10M Customer Credit Cards

• Avoided $78M Loss:

• Cleanup, Notification,

• Brand Reputation & Revenue• Shareholder Lawsuit & Stock Drop

Business Impact

Security belongs to everyone

“Many organizations have the opinion that the

security department is responsible for security.”

How do you change that idea?

Operations

Marketing/Sales

Finance

ITHR/Training

Facilities /Maintenance

Security

Operations

Marketing/Sales

Finance

ITHR/Training

Facilities /Maintenance

Security

How to Develop a Security Culture

1. Ensure executive support. Culture starts at the top

2. Make it fun and engaging. People learn differently.

3. Focus on changing behavior, in and out of the office.

4. Measure and repeat.

Creating a positive Cyber Security Culture takes time.

Uber – An Example

“At Uber, we are trying to change our employees'security stories. By creating programs catered toregion, department, and role, our peopleunderstand that security is part of their story andour culture.”Samantha Davison, security program manager at Uber

Integrate Security into the culture … security belongs to everyone.

… bake it into everything in the organization.

Uber’s Culture under attack,

But not for their Security

“Security can be so much more than PowerPoints and videos. Pick a fun theme and parody it—we did Game of Thrones. Give gamification a try. Throw a phishing writing workshop and have your employees write a phishing email for the company. The options are endless when you start to think outside the box.” Davison, Uber.

Fun? Change the Paradigm

“For far too long people have associated security with boring training or someone saying no all the

time.”

To engage your organization, do not be afraid to laugh and goof around some.

Security Trivia with a different security category each month. Hackers in the movies one month and security news in another.

How many people, in your Organization,

are on the Security Team?

How to Create A Security Culture with

Different Generations of Employees

Generational Differences

Millennials are here, and gaining influence.

“People entering the work force today are accustomed to working on a variety of mobile platforms and to storing and sharing data using cloud-based systems and social networking sites. They have a more permissive view of information-sharing than older workers, and they expect to work on their own schedules, with devices of their choosing, often from remote locations.”

1. All of these behaviors enhance risk

2. These behaviors are increasing

3. These behaviors will become more difficult to curtail

How to Develop an “All-In” Mentality

1. Incorporate security at the highest levels into your vision and

mission.

2. Speak about the importance of security from the highest levels.

This does not mean just the people who have security in their

title (CISO, CSO), but also from other C-level execs all the way down

to individual managers.

3. Don’t Hide it Under the Rug. Teachable Moments.

An Example of Everyone “All-In”

Application Security

knowledge.

When was the last time all

developers and engineers had

hands-on OWASP Top 10

training?

Put your money where your

mouth is.

If you say security is important,

prove it by providing growth

potential for those with a

passion for security.

What’s Your Password?

A little old, but still… What??

What is the weakest link in security?

A. Passwords

B. Laptops

C. People

D. Open-source software

The 8th Layer

The 8th Layer

Why does an organization need a security culture?

In any system, people are always the weakest leak.

Security culture is for the people, not for the computers.

The challenge is with the people, who click on phishing emails and fall to tricks

based on social behavior. People need a framework to understand what the right

thing is for security.

In general, people within your organization want to do the right thing—they just

need to be taught.

8th Layer Errors

95 percent of information security incidents involve human error.

Human error is the most important factor in Security. IBM Security Services Cyber Security Intelligence Index

System Misconfiguration

Poor Patch Management

Use of Default usernames and passwords

Lost devices

Disclosure of information via incorrect email address

Clicking on an unsafe URL or attachment

Sharing Passwords with others

Leaving computers unattended when outside the workplace

Using personally owned mobile devices that connect to the organization’s network

When an Organization

Creates a Security Culture…

They will retain

more IT and Security Staff.

Retention is Better than Recruitment

Turnover is costly. According to Right Management, a talent and career management consulting firm, it costs nearly 3-times an employee’s salary to replace someone, which includes recruitment, severance, lost productivity, and lost opportunities. Recruiting new staff is expensive, stressful and time-consuming. Once you have good

staff it pays to make sure they stay

Think of retention as re-recruiting your workforce.

Recognize that what attracts a candidate to a particular job is often different from what keeps that person there.

Effective Retention Methods

Training. Training employees reinforces their sense of value. Through training, employers help employees achieve goals and ensure they have a solid understanding of their job requirements.

Mentoring. With a mentoring program, an organization pairs someone more experienced in a discipline with someone less experienced in a similar area.

Instill a positive culture. An organization company should establish a series of values as the basis for culture such as honesty, excellence, attitude, respect, and teamwork.

Use communication to build credibility. Show appreciation via compensation and benefits.

Recruit from within.

Provide growth opportunities. According to Right Management, employees are more likely to stay engaged in their jobs and committed to an organization that makes investments in them and their career development.

Make employees feel valued. Employees will go the extra mile if they feel responsible for the results of their work, have a sense of worth in their jobs.

Lower stress from overworking and create work/life balance.

Paradigm Shift is Required

Steps to Creating a Stronger Security Culture

STEP 1 STEP 2 STEP 3 STEP 4 STEP 5

ASSESS

Assess the needs

and vulnerability of

the organization

SET GOALS

Set goals for

improvement

and key evaluation

metrics

DEVELOP

Develop a

definitive plan for

consulting,

training and

monitoring

IMPLEMENT

Implement plan and

survey and review

after completion

MEASURE

Measure the

effectiveness

of the program and

optimize

Sources

https://www.morganstanley.com/ideas/cybersecurity-needs-new-paradigm

https://www.complianceweek.com/blogs/john-reed-stark/transforming-the-cyber-security-paradigm#.WV71UdPyuCQ

https://techbeacon.com/6-ways-develop-security-culture-top-bottom

https://www.helpnetsecurity.com/2017/05/08/build-security-culture/

http://www.govtech.com/blogs/lohrmann-on-cybersecurity/Ten-Recommendations-for-Security-Awareness-Programs.html

http://exec.tuck.dartmouth.edu/downloads/623/human_behavior_and_security_culture_ciso_workshop_overview.pdf

http://re-generations.org/generations-in-america/

Thank You

Heather Stratford

Stronger International, Inc.

heather@stronger.tech

Office: 509-290-6598