Cyber Security for Small Business
Dr. Shawn P. Murray, C|CISO, CISSP, CRISC, FITSP-A
Information & Cyber Security Risk
Agenda
1. Identification
2. Current Trends in Information and Cyber Risk
3. Leadership and Organizational Culture
4. Current Trends in Business Leadership
5. The Role of the CISO
6. Training and Awareness
7. Industry and Competition
8. Conclusion & Questions
Identification
"Cyber" is the new buzzword.

1. Identify Critical Resources
What resources are critical to keeping your business running?
• Power & other utilities
• Supplies
• Materials
• Production facilities
Be sure to have alternative ways to address shortfalls: technology, power, alternate supply vendors, futures, alternate transportation methods.

2. Identify Critical Personnel
These people have special knowledge or skills that are crucial to your business: R&D engineers, payroll, systems/network admins; the list differs by industry.
Who can do the job if you lose someone? Cross-train skill sets, define alternate positions, keep continuity artifacts, and have a primary and a secondary for each critical role.

3. Identify Critical Data & Information
What is your business? What information keeps you competitive in your industry? R&D for products, recipes & formulas, metrics data, production efficiencies, marketing strategies, business intelligence.
This is where you should focus most of your resources: restrict access, protect data & information, and ask whether these systems need to be connected to the network that is connected to the internet.
Current & Most Trending Information and Cyber Risks Today

1. Software Assurance
All software should be assessed: commercial off the shelf, in-house developed, 3rd-party developed, open source, software as a service.
What you should look at: assess supply or development changes at vendors; assessment of the product itself; read contracts and maintenance agreements; vulnerability management.
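The assessment this slide calls for can be made routine. The following is an added example, not code from the presentation: it takes a software inventory covering the categories listed (COTS, in-house, 3rd-party, open source, SaaS) and checks each entry against an advisory feed, the maintenance-agreement status, and whether the vendor's supply or development chain changed. All product names, versions, dates and advisory identifiers (ADV-0001, ADV-0002) are constructed for the example and are not real products or advisories.

```python
"""Software inventory assessment (added example, not from the presentation).
Every product, version, date and advisory ID below is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.10.2' -> (1, 10, 2): compare versions numerically, not as strings
    (as strings '1.9.3' sorts after '1.10.0', so a string compare would miss a fix)."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Advisory:
    advisory_id: str        # hypothetical identifier, not a real advisory
    product: str
    fixed_in: str           # first version that contains the fix
    affected_from: str = "0"

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.affected_from) <= v < parse_version(self.fixed_in)


@dataclass
class Component:
    name: str
    version: str
    kind: str                            # cots | in-house | third-party | open-source | saas
    support_ends: Optional[date] = None  # from the maintenance agreement; None = never reviewed
    vendor_changed: bool = False         # supply or development change at the vendor


def assess(components: List[Component], advisories: List[Advisory], today: date) -> Dict[str, List[str]]:
    """Return {component name: findings} for every component that needs action.

    KNOWN_VULN:<id>   installed version falls inside an advisory's affected range
    NO_SUPPORT_DATE   no contract / maintenance agreement on record
    UNSUPPORTED       maintenance agreement has lapsed
    VENDOR_CHANGE     the supply or development chain changed since last review
    """
    report: Dict[str, List[str]] = {}
    for c in components:
        findings = [
            f"KNOWN_VULN:{a.advisory_id} fixed in {a.fixed_in}"
            for a in advisories
            if a.product == c.name and a.affects(c.version)
        ]
        if c.support_ends is None:
            findings.append("NO_SUPPORT_DATE")
        elif c.support_ends < today:
            findings.append("UNSUPPORTED")
        if c.vendor_changed:
            findings.append("VENDOR_CHANGE")
        if findings:
            report[c.name] = findings
    return report


# Constructed sample data: not real products or advisories
ADVISORIES = [
    Advisory("ADV-0001", "acme-erp", fixed_in="4.2.1", affected_from="4.0.0"),
    Advisory("ADV-0002", "libparse", fixed_in="1.10.0"),
]
INVENTORY = [
    Component("acme-erp", "4.1.9", "cots", support_ends=date(2026, 1, 31)),
    Component("libparse", "1.9.3", "open-source"),  # no agreement ever reviewed
    Component("payroll-portal", "2.0.0", "saas", support_ends=date(2023, 6, 30), vendor_changed=True),
    Component("shopfloor-app", "0.7.2", "in-house", support_ends=date(2027, 12, 31)),
]


def sample_report() -> Dict[str, List[str]]:
    """Run the assessment over the constructed inventory as of 2024-03-01."""
    return assess(INVENTORY, ADVISORIES, date(2024, 3, 1))


if __name__ == "__main__":
    for name, findings in sample_report().items():
        print(f"{name}: {', '.join(findings)}")
```

The point of the version parsing is the open-source entry: libparse 1.9.3 is below the fixed 1.10.0, but a naive string comparison would rank it as newer and the vulnerable component would be missed. Components with no findings (shopfloor-app) are omitted from the report so the list stays actionable.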
2. Insider Threat
Malicious insider: disgruntled employees, financial hardship, competitors; they want to do harm or want to steal for profit.
Accidental insider: exhibits bad habits, falls for phishing, opens malware and bad links, poor password practices.
Countermeasures: change the culture, training, acceptable use policies (AUPs), assessment.
3. Cloud & VM
Questions to ask:
• What is being stored in the cloud?
• What does the security look like?
• Who owns the data? Who is responsible for a breach? Review contractual language and SLAs.
• VMs: how are the sessions protected?
4. Internet of Things (IoT)
Questions to ask:
• What framework are you using to manage the environment?
• What devices are connected and managed?
• Who has visibility inside and outside your business?
• Have you assessed for vulnerabilities?
NOTE: 2.8 mobile devices exist for every person on the planet! This number will double by 2020!
5. BYOD
Questions to ask:
• What is the device connection and approval process?
• Do you have a baseline configuration & security baseline?
• Do you separate the business data from the personal data?
• What are the rules for end of life and upgrades?
• What is the incident response and breach notification process for lost or stolen data or the device itself?
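Both the IoT questions and the BYOD questions above come down to one thing: knowing what is actually on the network and whether it went through the approval process. The following is an added example, not from the presentation: it parses DHCP lease log lines (constructed here in a dnsmasq-style DHCPACK format) and reconciles the devices seen against the device register, so unknown devices and approved-but-unmanaged devices surface. The register entries, MAC addresses, hostnames and log lines are all constructed.

```python
"""Device visibility check (added example, not from the presentation): reconcile
what the DHCP server has actually seen with the device register. The log lines
are constructed in a dnsmasq-like DHCPACK format; all MACs and names are made up."""
import re
from typing import Dict, List, Tuple

# dnsmasq-style lease line: "... DHCPACK(eth1) 192.168.10.21 aa:bb:cc:00:00:01 hostname"
DHCPACK_RE = re.compile(
    r"DHCPACK\(\w+\)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+(?P<host>\S+))?",
    re.IGNORECASE,
)


def parse_leases(log_text: str) -> Dict[str, Tuple[str, str]]:
    """Return {mac: (ip, hostname)} for every DHCPACK line; later lines win.
    MACs are lower-cased so the same device logged in two cases is one entry."""
    seen: Dict[str, Tuple[str, str]] = {}
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            seen[m["mac"].lower()] = (m["ip"], m["host"] or "")
    return seen


# Device register: what the connection and approval process admitted (constructed)
REGISTER = {
    "aa:bb:cc:00:00:01": {"owner": "alice", "type": "byod-phone", "managed": True},
    "aa:bb:cc:00:00:02": {"owner": "facilities", "type": "iot-camera", "managed": True},
    "aa:bb:cc:00:00:03": {"owner": "bob", "type": "byod-laptop", "managed": False},
}


def reconcile(seen: Dict[str, Tuple[str, str]], register: dict) -> Dict[str, list]:
    """Classify each seen MAC as ok / unmanaged / unknown, and list registered
    devices that were not seen at all (absent), which may mean lost or stolen."""
    result: Dict[str, list] = {"ok": [], "unmanaged": [], "unknown": [], "absent": []}
    for mac, (ip, host) in seen.items():
        entry = register.get(mac)
        if entry is None:
            result["unknown"].append((mac, ip, host))       # never approved
        elif not entry["managed"]:
            result["unmanaged"].append((mac, entry["owner"], entry["type"]))
        else:
            result["ok"].append(mac)
    for mac in register:
        if mac not in seen:
            result["absent"].append(mac)
    return result


# Constructed sample log; the DHCPDISCOVER line is ignored on purpose (no lease yet)
SAMPLE_LOG = """\
Mar  1 08:01:12 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 192.168.10.21 aa:bb:cc:00:00:01 alices-phone
Mar  1 08:02:40 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 192.168.10.22 aa:bb:cc:00:00:03 bobs-laptop
Mar  1 08:05:03 gw dnsmasq-dhcp[812]: DHCPDISCOVER(eth1) de:ad:be:ef:00:09
Mar  1 08:05:04 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 192.168.10.50 de:ad:be:ef:00:09 smart-tv
Mar  1 08:06:15 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 192.168.10.21 AA:BB:CC:00:00:01 alices-phone
"""


def sample_reconciliation() -> Dict[str, list]:
    """Reconcile the constructed log against the constructed register."""
    return reconcile(parse_leases(SAMPLE_LOG), REGISTER)


if __name__ == "__main__":
    for bucket, devices in sample_reconciliation().items():
        print(f"{bucket}: {devices}")
```

Run against the sample, the smart TV shows up as unknown (it never went through approval), Bob's laptop is approved but outside management (no business/personal separation), and the camera in the register was not seen at all, which is the prompt for the lost-or-stolen process. The same reconciliation works on real dnsmasq logs, or on any other lease source once the regular expression is adjusted to its format.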
Operations and Sustainment
• Defense in Depth (hardware, software)
• Vulnerability Management: malware categories have increased and are very complex; patches should be tested before being deployed
• Configuration and Change Management
• Sound CERT and Incident Response capability
• System Engineering Projects
• Continuity & Disaster Recovery
Leadership and Organizational Culture
Information and Cyber Security Culture
– Needs to be supported by executive leaders
– Middle managers should understand the executive strategy related to security risks
– All leaders should participate and let employees see it
– All employees should understand the culture
Current Trends in Business Leadership
Chief Operations Officer (COO)
– Number 1 C-level position cut in large business
– Executive VPs and Business Unit Managers are picking up more responsibilities
Chief Information Officer (CIO)
– Number 2 C-level position cut in large business
– Being replaced by, or combined with, the CSO/CISO
The Role of the CISO
• Responsible for Information and Cyber Security
– Guides the organizational security culture
– Works with all business units
– Works with HR, Legal, Public Affairs and Physical Security
– Advises C-level leaders and the Board of Directors
• Understands the risks based on their industry
– Operational security risks
– Administrative security risks
– Communicates technical requirements in business terms
• Expected to be very knowledgeable
– Regulatory compliance (State, Federal, International)
– Trends and opportunities
– Security & risk frameworks: ISO 27000 & 31000, COBIT 5, NIST 800-37, ITIL
Training and Awareness
NOTE: It is very important to relate some of the training and awareness to real-world examples that are specific to your industry for better effectiveness.

1. Training is Geared Towards the Audience
• All employees should attend initial and periodic information & cyber security awareness training.
• All privileged users should be identified and trained in their specialty as well as their computing environment.
• All managers should attend security awareness training geared towards the organization as a whole.
• Specialty training and certification should be identified for specific roles to reduce risky behaviors.

2. Training Methods
• Face to face
• Computer based
• External training providers (classes, conferences, or hired training professionals)
• On the job or mentoring

3. Awareness
Develop methods to make employees aware of information and cyber security risks:
• Internal phishing campaigns
• Posters in common or public areas (change them periodically)
• Newsletters and announcements – be creative!
Industry and Competition
• Look at procurement strategies and trusted vendor relationships.
• Communicate with other business units to ensure consistency in security risk management.
• Information and cyber security should be represented and managed in all projects.
What are your competitors doing?
Align security risks to business strategy!
Learn from someone else's mistakes!
Conclusion
• Information and Cyber Security has never been as important as it is today
• New technologies like IoT, Cloud Computing & VMs are driving innovation for business and adding risk
• CSOs & CISOs are steering culture and managing risk
• Training and Awareness are part of the culture
• Understand how to align & balance Information & Cyber Security with your business's overall business strategy

THANK YOU! Questions?