Robert Annett @robert_annett
2015 A CyberSecurity Year
Why was 2015 special?
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Source: http://www.bloomberg.com/graphics/2014-data-breaches/
Note
• The data taken is not necessarily about the target breached
• Sensitivity for the client does not necessarily indicate effect on the data holder
• Number of records does not necessarily indicate sensitivity
• Number of records and sensitivity do not necessarily indicate financial cost
Who has borne the consequences?
What effect has this had?
F.U.D.
Regulation
• Different per region, e.g. EU
• Different per country/state
• Different per industry
• Can be contradictory
Many regulators are now introducing regulation to protect data. However…
Some UK Regulatory Authorities
• ICO • FCA • PRA • FRC • GMC • MHRA
• OFCOM • ONR • OFGEM • OFWAT • EA • …
This is NOT exhaustive!
Example recent Cybersecurity Regulation/Guidance (Mainly Financial Services)
• European Commission
  • EU Cybersecurity Strategy (Action 124) (2014)
  • Directive on network and information security (2014)
  • Policy on Critical Information Infrastructure Protection (CIIP) (2013)
• EBA (European Banking Authority)
  • Guidelines on the security of internet payments (December 2014)
• HMG Department of Business, Innovation and Skills (Cabinet Office)
  • Cyber Essentials Scheme (June 2014)
  • Guiding principles on cyber security (Dec 2013)
• CERT-UK National Computer Emergency Response Team
  • The National Cyber Security Strategy (2013)
• BoE – CBEST Vulnerability Testing Framework (2013-2015)
• FCA (Financial Conduct Authority)
  • Handbook specifies best practices/NIST
  • Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services (November 2015)
• AIMA (Alternative Investment Management Association)
  • Guide to sound practices for Cybersecurity (October 2015)
• HFSB (Hedge Fund Standards Board) – Cyber Security for Hedge Fund Managers (May 2015)
• SEC (Securities and Exchange Commission) Office of Compliance Inspections and Examinations
  • Cybersecurity Examination Initiative (September 2015)
  • Division of Investment Management – Cybersecurity Guidance Update (April 2015)
• FINRA (Financial Industry Regulatory Authority) – Report on Cybersecurity Practices (Feb 2015)
• NYSE – Navigating the Digital Age: Cybersecurity Guide (October 2015), a 355 page book!
This is NOT exhaustive!
Irony of the week!
Enforcement
• Serious Organised Crime Agency (SOCA) e-crime unit
• The Police Central e-crime Unit (PCeU)
• The Medicines and Healthcare products Regulatory Agency (MHRA)
• H.M. Revenue & Customs
• Child Exploitation and Online Protection (CEOP)
• National Crime Agency (NCA)
• National Fraud Agency (NFA)
• National Fraud Intelligence Bureau (NFIB)
• Office of Fair Trading (OFT)
• Cyber Security Operations Centre (CSOC)
• Europol Cybercrime Centre (EC3)
• Interpol
• GCHQ
Who do you report cybercrime to?
This is NOT exhaustive!
Money
Products
There has been an explosion of cybersecurity products and services
• Virus Scanners • Malware scanner • Spam Filters • Phishing Filters • Email Link Rewriters • Malicious Website Detection • Cyber Security Training • Firewalls • Pentests • Intrusion detectors
• Mobile Device Managers • Authentication devices • Password storage • Behavioural Detectors • Data loss prevention systems • DarkWeb Monitoring • Risk Alerting • Tiger Team Reviews • Cyber Insurance
This is NOT exhaustive!
Some products and services provide little value
Due Diligence
Do you know what your vendors' processes are?
Do you know who your vendors really are?
Do your vendors subcontract?
Where are they located? Safe Harbour?
You may also be the subject of a DDQ
Some Actions
Perform an audit of your current equipment, data and processes
Identify your ‘crown jewels’
Identify if any regulation applies
What are the relevant best practices?
Do you have:
• Disaster Recovery Plan
• Business Continuity Plan
• Incident Response Plan
• Data Access Policies
• Data Protection Policies
“60% of threats are caused by ‘People Issues’ rather than technology”
– Verizon 2015 Data Breach Investigations Report
Consider the People as well
• Security training (job relevant)
• Phishing Training
• Data loss training
• Incident Reporting
• Password choice