Post on 25-Dec-2015
Your cybersecurity breach will happen! Here's what to do to mitigate your risk
Thursday, 25 September 2014
Overview of this presentation
Examples of cybersecurity breaches: Act now!
• International and local public and private entities that have had incidents.
Legislation to consider: Consequences if you don't!
• A brief overview of legislation you should be familiar with.
A cybersecurity breach game-plan: Mitigating risk!
• Preparing for a cybersecurity breach
• A breach has happened: first steps and considerations
• Sharing information in your industry: strength in numbers
• After the cybersecurity breach: fixing and fighting back
Breaches: It happened to them, it will happen to you!
• Estimated annual cost of cybercrime to the global economy: US$400 billion (McAfee, June 2014)
• Estimated cost of cybercrime in South Africa: 0.14% of GDP (McAfee, June 2014)
• Sony Corporation PlayStation breach: US$171 million so far, 12% off the share price (Booz & Co, 2014)
• Target breach: US$148 million in costs and the CEO's resignation (Forbes, September 2014)
• South African Police Service website: cost unknown, major reputational damage
• Payment Association of South Africa card hack: cost unknown, major reputational damage
Why bother with cybersecurity…surely it’s something for the geeky IT guys to deal with?
• MFM Act (Municipal Finance Management Act)
• Companies Act
• POPI Act (Protection of Personal Information Act)
• ECT Act (Electronic Communications and Transactions Act)
• RIC Act (Regulation of Interception of Communications and Provision of Communication-related Information Act, RICA)
• King III Report
• South Africa Connect: The National Broadband Policy
• The National Integrated ICT Policy Green Paper
• The White Papers on Transforming Public Service Delivery
• The Minimum Information Standards Policy
• The Minimum Interoperability Standards Policy
• Free and Open Source Software Policy
Organisation leaders: it's no longer just the IT guys' problem, it's your responsibility!
A basic guideline for cybersecurity: condition 7 of POPI
Chapter 3: Conditions for lawful processing of personal information
Condition 7: Security safeguards – Part 1
• A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent:
  • loss of, damage to or unauthorised destruction of personal information; and
  • unlawful access to or processing of personal information.
Chapter 3: Conditions for lawful processing of personal information
Condition 7: Security safeguards – Part 2
• A responsible party must take reasonable measures to:
  • identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
  • establish and maintain appropriate safeguards against the risks identified;
  • regularly verify that the safeguards are effectively implemented; and
  • ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
Condition 7: Security safeguards – Part 3
• Where the responsible party appoints an operator to process personal information on its behalf:
  • the operator must act only with the responsible party's authority and must treat the information as confidential;
  • the relationship must be governed by a written contract that obliges the operator to maintain confidentiality and security safeguards.
• Where a security compromise occurs, the data subject and the Regulator must be notified.
Preparing for a cybersecurity breach
Be aware of your network and data, and implement protection procedures
• Categorise data and define who may access each category
• Use smart network design
• Protect super-sensitive data
• Audit and test your network
Have best-practice policies and procedures
• Cybersecurity breach management plans
• Get consents for the use of your network
Be aware of the cybersecurity risks of business relations
• Supply chain matters
• Client and customer matters
• Be aware of and evaluate cyber threats
A breach has happened! First steps and considerations
Internal processes and governance after the breach
• Directors, lawyers, IT and PR
Conduct an extensive internal investigation
• Considerations whilst conducting an investigation
Should all breaches be investigated? Investigation thresholds and reporting
• Statutory reporting obligations
• Contractual reporting obligations
• Shareholder / stakeholder reporting obligations
Sharing information in your industry: strength in numbers
Why sharing may be good
Competition law considerations
After the cybersecurity breach: fixing and fighting back
Effective breach response methods
Exercising patience may help
Don’t overreact or break the law – liability concerns
Practical tips and recommendations
Develop a comprehensive strategy, but consider these now
• Read the legislation. Treat POPI's Condition 7 as a minimum.
• Decide whether your operations warrant information security awareness training for staff.
• Put procedures in place to limit who can access certain information on your organisation's computer systems.
• Ensure that laptops and other mobile devices are password-protected, have similar security controls, and are preferably encrypted.
• Ensure the physical security of the premises where you store sensitive information.
• Put proper contracts in place that compel your service providers to give you assurances that they will comply with a recognised cybersecurity standard.
• Consider whether cyber insurance is necessary. Your current "generic" insurance is not likely to provide cover.
• Have a technical and legal information/cyber security gap analysis done. It will make shareholders or the Auditor-General happy!
Any questions?