Cyber Readiness Program · 2019-07-23 · KEN-CRI-Summit-Slides


Page 1:

Cyber Readiness Program

Presented by:
Henry Vido, Program Director, CRI
Mohamed Mahdy, Information Technology & Administration Director, IBAG

Page 2:

The Cyber Readiness Institute empowers small and medium-sized organizations with practical tools and resources to improve their cybersecurity.

Our first offering is the free, validated Cyber Readiness Program.

Our Co-Chairs and Members are cyber experts and business leaders – from across sectors and regions – who have come together to secure global value chains.

Page 3:

The Cyber Readiness Program

• A free, self-driven Cyber Readiness Program

• Enabling small and medium-sized companies to be more cyber resilient

• Addressing top issues – phishing, patching, authentication, and USBs – and providing guidance for incident response and going to the cloud

• Web-based guided program featuring content, resources, tools and metrics

Page 4:

The CRI Program focuses on four key issues.

Authentication: A weak password is an easy access point to your most sensitive information and systems.

Patching: Patches are updates to your software and systems that contain important security remedies.

Phishing: Phishing is an email-borne attack that attempts to use your email account to do something malicious.

USBs: USBs and removable media devices are easy gateways for malware to infect your computer.

The Program also provides guidance on moving to the Cloud.

Page 5:

The CRI Approach

• Preventive measures.

• Organizational culture of cyber readiness.

• Practical tools that can be customized for each organization.

• Self-guided, led by an internal Cyber Leader.

Cyber Readiness Program: 5 Stages

• Get Started: Prepare the organization and select a Cyber Readiness Leader. Tips on being an effective Cyber Readiness Leader. Commitment letter between the CEO and the Leader.

• Assess & Prioritize: Learn about the four key issues: Authentication, Patching, Phishing, and USB use. Prioritize what to protect and what to move to the cloud, and when. Establish baseline metrics.

• Agree & Commit: Access and modify the policy templates so they are practical for the organization. Develop an incident response plan from the template.

• Roll Out: Introduce the Cyber Readiness Program to the workforce. Access the training and communication kit. Workforce commitment letter.

• Measure Success: Re-do the baseline metrics to measure impact. Obtain a certificate from the Cyber Readiness Institute.

Page 6:

Key Elements of the Program

Prioritization Worksheet
• This document allows the SMB to create a checklist of the information most critical to the organization.

Baseline Metrics
• These metrics allow the SMB to gauge its level of cyber readiness by examining its current policies and procedures.

Incident Response Plan
• This document allows the SMB to create a roadmap for what to do when responding to a security incident.

Page 7:

IBAG Prioritization Worksheet

What do we have?
• Network infrastructure
• Workstations list
• Servers list
• Types of information

What is the most important?
• Network infrastructure
• Workstations list
• Servers list
• Types of information

Page 8:

IBAG Baseline Metrics

Spot check
• Meetings with department managers
• Short interviews with some HQ employees

Results
• Some departments are cyber ready
• Received some resistance to security measures from some employees

Decision
We should run a security awareness program (during and after the program).

Page 9:

IBAG IRP

• Prepare
  • Backup
  • IT training

• Respond
  • Identify the type of incident (CRI Policy)
  • Immediately get the device off the network
  • Call the IT team

• Recover
  • Notification
  • Clean infected systems
  • Restore data

Page 10:

How to Manage the Risk of USBs

Develop a Policy
• Control the use of USBs in your organization by developing a strong company policy, either prohibiting USB use or, at a minimum, monitoring their use.

Educate Employees
• Most people won’t know about the true dangers of unknown USBs. Train your workforce to make proper use a priority.

Provide Alternatives
• Define appropriate alternatives for storing, transporting, and sharing information in your organization.

Page 11:

IBAG USB Policy

• IBAG prohibits the use of USBs, except in the defined circumstances outlined below.

• The IT team is responsible for scanning USBs on a computer not connected to the network, to verify that no malware or malicious code is present. This applies even to new USBs.

• The IT team is responsible for distributing USBs to employees who will routinely find themselves in situations where information needs to be shared with a trusted party and there is no access to a secure network.

• After an employee uses a USB to share information with a trusted party, or receives a USB from a trusted party, the USB must be re-scanned on a computer not connected to the network by the Cyber Leader or designated IT person, to check for malware or malicious code.

• Employees of IBAG must never accept or use a USB received from anyone other than a trusted party or the Cyber Leader or designated IT person (for example, a USB received at a trade show, given to them by a vendor, or picked up in a parking lot).

Disable USB port using Domain GPO (HQ & CSC)

Disable USB port remotely using Registry editor (Branches)
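The two controls on this slide, implemented as an added PowerShell example that is not part of the IBAG slides or of CRI material. It audits branch machines for either control and, on a second pass, applies the registry one to machines that have neither. Assumptions: Windows 10 or Windows Server 2016 or later, PowerShell 5.1 or later, WinRM reachable on the branch machines, and an operator who is a local administrator on each of them; the host names are constructed placeholders. Setting the `Start` value of the `USBSTOR` service to 4 disables only the USB mass-storage class driver (USB keyboards, mice and printers keep working), and `Deny_All` under `RemovableStorageDevices` is the value the GPO setting "All Removable Storage classes: Deny all access" writes, which is how the HQ and CSC machines are covered.

```powershell
# Added example (not from the IBAG slides): audit and enforce the USB mass-storage block.
# Assumes Windows 10 / Server 2016+, PowerShell 5.1+, WinRM open to the branch machines,
# and local-administrator rights on each of them.

$RemoteCheck = {
    param([bool]$Enforce)

    # Start = 3 is the default (load on demand); Start = 4 disables the USBSTOR driver.
    $usbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    # Written by the GPO "All Removable Storage classes: Deny all access" (the HQ & CSC path).
    $rsdKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

    $start   = (Get-ItemProperty -Path $usbStorKey -Name Start).Start
    $denyAll = (Get-ItemProperty -Path $rsdKey -Name Deny_All -ErrorAction SilentlyContinue).Deny_All

    if ($Enforce -and $start -ne 4) {
        Set-ItemProperty -Path $usbStorKey -Name Start -Value 4 -Type DWord
        $start = 4
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        UsbStorStart   = $start
        DriverDisabled = ($start -eq 4)
        GpoDenyAll     = ($denyAll -eq 1)
        # Either control blocks mass storage; the GPO value wins on domain-joined machines.
        Compliant      = ($start -eq 4) -or ($denyAll -eq 1)
    }
}

# Constructed placeholder host names; replace with the real branch inventory.
$BranchComputers = @('BRANCH01-PC', 'BRANCH02-PC')

# Pass 1: audit only, so the report can be reviewed before anything is changed.
$report = Invoke-Command -ComputerName $BranchComputers -ScriptBlock $RemoteCheck -ArgumentList $false
$report | Format-Table ComputerName, UsbStorStart, DriverDisabled, GpoDenyAll, Compliant -AutoSize

# Pass 2: enforce only on the machines that have neither control, then re-report.
$targets = ($report | Where-Object { -not $_.Compliant }).PSComputerName
if ($targets) {
    Invoke-Command -ComputerName $targets -ScriptBlock $RemoteCheck -ArgumentList $true |
        Format-Table ComputerName, UsbStorStart, DriverDisabled, Compliant -AutoSize
}
```

Two caveats a practitioner would want: a mass-storage device that is already attached keeps working until it is unplugged or the machine reboots, and a local administrator on a branch machine can set `Start` back to 3, which is why the GPO route is the stronger control wherever a machine is domain-joined. Re-running the audit pass on a schedule turns the policy into a measurable baseline metric, which is the spirit of the program's "Measure Success" stage.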

Page 12:

How to Change a Culture of Weak Passwords

Change the Narrative
• Educate your workforce about the dangers of weak passwords, both professionally and personally.

Reinforce the Message
• Use visual resources, like posters, to remind your workforce of the importance of strong passwords.

Use Two-Factor Authentication
• If an application or piece of software offers two-factor authentication, make sure your employees are using it.

Page 13:

IBAG Authentication Policy

• Use passwords or PINs on all devices, including your personal phone and tablet.

• Never use the same password for business and personal purposes.

• Passwords must be changed if there has been a cyber incident.

• Never use or reuse the same password on two (or more) systems at the same time.

• Never share accounts among multiple people.

• Always enable two-factor authentication if it is supported and offered on any application used on company devices or on personal devices used for business.

• Passwords should have a minimum of 12 characters.

• Passwords should contain uppercase letters, lowercase letters and numbers.

• Access to our data and systems is limited to the people who need it to do their job.

• Long enough to be hard to guess

• Hard to guess by intuition, even by someone who knows the user well

• Easy to remember

Passphrases must be at least 64 characters in length. They do not need to include numerals, special characters, or a combination of lower and upper case.
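The two length rules on this slide (a 12-character password with mixed character classes, or a 64-character passphrase with no composition rules), written up as an added PowerShell check that is not part of the IBAG slides or of CRI material. The function name, parameter name and sample secrets are this example's own constructions; the function reports why a candidate fails without echoing the secret itself.

```powershell
# Added example, not part of the IBAG slides. Encodes the slide's two rules:
#   - a password needs at least 12 characters with upper case, lower case and digits;
#   - a passphrase of at least 64 characters needs no composition rules at all.
# Function and parameter names are this example's own choices.

function Test-IbagPasswordPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Secret
    )

    # Passphrase branch: length alone satisfies the policy.
    if ($Secret.Length -ge 64) {
        return [pscustomobject]@{ Compliant = $true; Kind = 'Passphrase'; Reasons = @() }
    }

    # Password branch: collect every rule that fails so the user can fix all of them at once.
    $reasons = New-Object System.Collections.Generic.List[string]
    if ($Secret.Length -lt 12)      { $reasons.Add('shorter than 12 characters') }
    if ($Secret -cnotmatch '[A-Z]') { $reasons.Add('no upper-case letter') }   # -cnotmatch is case-sensitive
    if ($Secret -cnotmatch '[a-z]') { $reasons.Add('no lower-case letter') }
    if ($Secret -notmatch '[0-9]')  { $reasons.Add('no digit') }

    [pscustomobject]@{
        Compliant = ($reasons.Count -eq 0)
        Kind      = 'Password'
        Reasons   = $reasons.ToArray()
    }
}

# Constructed sample secrets for a dry run; none are real credentials.
$samples = @(
    'Summer2019',                                                # 10 chars: too short
    'correcthorsebatterystaple',                                 # long enough, but no upper case or digit
    'Blue-Kettle-Rides-42',                                      # meets the 12-character password rule
    ('the quick brown fox jumps over the lazy dog ' * 2).Trim()  # 87 chars: accepted as a passphrase
)

# Print verdict and reasons only; the secret itself is never written out.
foreach ($s in $samples) {
    $r = Test-IbagPasswordPolicy -Secret $s
    '{0,-11} {1,-5} {2}' -f $r.Kind, $r.Compliant, ($r.Reasons -join '; ')
}
```

The check deliberately stops at what the slide states. The "never reuse across systems" and "change after an incident" rules need account data the client does not have, so they belong in the identity provider or the password manager, not in a local validator.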

Page 14:

IBAG Status

• Authentication, USB, Patching and Phishing policies were applied
• Security training for IT staff has been done
• Security awareness program for employees still under development
• Security awareness posters are used in HQ, CSC and some branches
• Incident response plan (response processes will be updated after the awareness program)

• NOW WE ARE CYBER READY

Page 15:

Thank you!

Henry Vido
hvido@cyberreadinessinstitute.org

Sign up today at www.cyberreadinessinstitute.org