CYBERSECURITY, A Business Solution – Intro ...

www.getair.us – CYBERSECURITY, A Business Solution – Intro Webinar – Page 1

Transcript of CYBERSECURITY, A Business Solution – Intro ...


I’m glad you are joining us for this seminar. It is based on a webinar series aimed at business executives. If you would like a more in-depth study, please contact me about joining the webinar series.

Our goal is to help answer questions and give you a stable platform to build a robust cybersecurity business plan.

The series is broken up into three webinars over three weeks. Each will be less than an hour long and will cover two chapters from our book study.


Each company represented will receive a book: “CYBERSECURITY, A Business Solution” by Rob Arnold.

We created a bookmark with the primary diagram the author refers to throughout the book.

I have also put together a cheat sheet with key information that you can use as you work through your own Cybersecurity Business Plan.

If you have not received these please let me know and I’ll get you a set right away.

Each week you will receive an email that contains the workbook you can use during the upcoming webinar and a link to the previous week’s webinar.

These are for your own private use and should not be distributed or shared except within a company represented.


We are looking at two functional areas that form the basis of all reliable computer protection plans.

A lot of people are taking a shot in the dark. They intuitively know that they need to protect the computer from viruses, filter the network/browser traffic and think they probably need other security options in place.

But how do you prioritize where to start and how much money to spend?

By doing even a basic risk assessment, you will gain confidence that you are, one, addressing the right concerns and, two, being a good steward of your finances.

After you know what you want to work on, how much of your budget should go to each item, and when is the cost more than the benefit of the protection you receive?

We will give you clear steps to think through these two areas today.


The industry is continuously changing. We are dealing with a moving target that constantly disrupts regular business.

There was a time when anti-virus software meant a computer was secure. Then we focused on network firewalls. Now we need artificial intelligence-driven behavior analysis protection. Buzzwords, next-gen technology and more will suck up your finances or cause you to give up and hope for the best.

We trust God for protection, but He has called us to be good stewards. So taking the time to get educated on the basics is a moral responsibility for those of us in leadership positions.


Let’s talk about “management” in “Risk Management”.

We know that if we do not proactively manage our budget, daily schedules, and projects they will quickly become dragons pulling us in multiple directions.

So our goal is to gain visibility that allows us to create a plan with proactive improvement.

Our goal is to get to a place where we have confidence that we are addressing the critical challenges and know what we plan to do next.

Negligence is ignoring our responsibilities and just hoping for the best.


Our first objective is to identify the data that needs to be protected.

I like to think of these as buckets that contain information. I’m storing information in these buckets that I get from many different activities. I need to be able to access that information again later, but I don’t want it to fall into the wrong hands and get destroyed, lost or stolen.

Every business has strategic objectives. It exists to accomplish something. Churches and schools typically exist to strengthen and improve the lives of those who attend. To accomplish these objectives, a ministry stores data.

Think about the data you use daily. Do you have specific activities you do each week to prepare for a weekend event? Do you have particular exercises you do each month, quarter, year? Do you have seasonal events? Do you have fund-raising events? Are you working with financial records or keeping track of your attendance?

* You should take a notepad and brainstorm your normal business activities to identify specific information you need to store at any given time. (Use the list on the next page to get you started.)


I imagine that you probably deal with something similar to these categories in your regular business activities.

Imagine working with a cloud-based online giving system, downloading those financial records into QuickBooks or some local accounting software, and exporting some of that data to monthly reports for board meetings. I imagine several other activities regularly require you to work with financial data as well.

You probably also have an online membership system. You may pull that data into Constant Contact or some other email list system to send monthly newsletters. At times, you need to look up parishioner contact information so you can schedule them for a volunteer position.

As you think through those activities, certain types of data will be recognized as important and sensitive.


If we are going to protect the data we just identified, then we need to know where it is stored or accessed.

For each category of data identified before, think about where you access that data, where you save that data and what tools may receive or temporarily pass that data along. (Think about computers, servers, networks, software, etc.)

* You should take your notepad and now think back through your normal business activities to identify WHERE your data is accessed. (Use the list on the next page to help you get started.)


You will probably come up with a generic list like the left column. Some specific locations might include applications like those in the right column.


This may be a bit more difficult for you. Our goal is to think about where, and at what point in accessing our data, the data could be attacked.

For instance, if you are working on your Constant Contact newsletter while sitting in a coffee shop, could someone be intercepting that traffic and getting a list of emails to phish?

The most common attack is going to be stolen credentials, and typically those are stolen through:

• Interception over your network (WIFI, or a connection to a wall outlet in an unused office).

• A phishing campaign to get an insider (staff member) to make a mistake and click on a malicious attachment or link in an email.

• A website hijacked or compromised to collect your credentials when you attempt to access it. (https://www.grahamcluley.com/automated-phishing-attack-tool-bypasses-2fa-protection/)

Some attackers are scanning the internet to find systems that have default or weak passwords. They set up programs to automatically try credentials until they break into your data storage.

* Make a list of the attacks you think specifically relate to how your data is accessed.


You are now armed with the key information you need to start thinking about risk.

First, let’s consider the industry-standard equation for risk. We can quantify risk as the cost of impact multiplied by the chance it will happen.

So we need to specify an Impact Factor and a Likelihood Factor.

Some of the ways we can be impacted are the direct loss of finances. But more often it is the loss of productivity, and the indirect costs of investigation, restoration, and notification to everyone affected. It may include intangible costs when people lose trust in you.

* Think about each threat applied to each category of data and consider what loss you would experience. On a scale of 1 to 5, how big of an impact would each have? If you can apply a monetary value or other objective value, you will gain even greater clarity.


Now let’s go through the same process but for how likely each attack might be.


To get the risk factor, take each attack, apply it to a data category, and multiply the impact factor by the likelihood factor.


To gain greater clarity, add a monetary and time-based descriptor to each risk identified.

Imagine approaching your board with a request to purchase a specific security product. You are typically relying upon the board's trust in your intuition and expertise. But with information like this, you could help show the real value of addressing these risks.

Don’t forget that some risks are likely to happen multiple times in a year. Numerous events multiply the impact, so make sure you adjust as necessary.

* Calculate a Risk Factor for each risk identified.


Here is what we have all been waiting for! How can we lower the impact or likelihood of an attack?

You will probably need to build a team of tactical advisors to help. That team might include:

• Lawyer

• Public Relations Expert

• Information Technology (Computer) Expert

• Cybersecurity Insurance Agent

• Financial Advisors

This team can help you consider ways of covering the cost of a loss, removing the damage, or otherwise taking steps to reduce your risk.

The cost of finding someone during a breach is much higher than if you already have negotiated a retainer.

* Who do you know that would volunteer to assist on your tactical team?

* Who should you have on retainer?


There are five critical areas for risk reduction. If you think about securing your home, it is not very different.

1. Protect – You lock your doors and windows. You may even use a fence, etc.

2. Detect – We all know that if someone really wants to get into your home, they will. So we also want to have an early warning system. We may install a security alarm system or get a guard dog.

3. Respond – And if we are robbed, then we want to have a list of emergency numbers we can get to quickly. We may have a list of valuables that we can report to the insurance company.

4. Policies – Most companies will also have policies about who has access to what. You may require that the last person who comes home at night locks all the doors and cuts off the lights.

5. Training – If you don’t teach your kids when they can answer the door, what to say on the phone, how to use your security system, and how to keep the house safe – then all the rest is much less useful.

* Think about how you can address each risk identified starting with the highest.


So the first step was to identify the risks and ways you can decrease each risk. But now the question is how much should you spend? Can you afford the risk reduction strategies you have identified?


If you have talked to a financial advisor about your investments, they will often discuss your risk appetite with you. Think of it as how much risk you are comfortable with. Can you weather a large loss, or do you need to keep loss to a minimum?

Depending upon your ministry, this can vary for each program. As a business executive, these are decisions that you really need to make with your leadership team. Your tactical advisors may provide some advice, but only you can really answer this.

Some of the tools you can use to help you recover from a loss include sources of funding, cyber insurance, partner agencies, the ability to sell off an asset, etc.

* Decide how you can continue in ministry if you experienced the impact of a loss predicted in your risk analysis.


As you consider cybersecurity tools, proposals, etc., consider how much expected loss each is designed to address. Studies show that an investment of more than 37% of the expected loss does not provide any additional value.

* Think about risk reduction strategies you can apply to each risk. Determine how much that strategy will cost. If you have multiple options, keep in mind that the cost should not be more than 37% of the expected loss.


Your total cost to reduce risk will include any fixed security costs you face. For instance, companies under government regulations may be required to mitigate certain risks. These are not negotiable, other than which vendor’s tool you choose to use. For instance, a school using the E-rate program must employ a CIPA-compliant filtering application and have it properly configured. The cost of the software, configuration, and support is a fixed cost.

Your total cost also includes any optional strategies you choose to apply.

* Calculate the total cost for each risk.


If you have not been proactive in reducing risk for many years, you may find that the amount of risk you carry is more than you can address.

If you take your total risk and subtract your risk reduction, the remainder may be more than your risk appetite. When this happens you have residual risk: an amount of loss that you have said you are not comfortable absorbing.

What do we do about this?

* Run your risk calculations to see if you have residual risk.
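The calculation described above, from the risk factor through the 37% spending ceiling to residual risk, as an added Python example that is not part of the webinar or its book. The register rows and dollar figures are constructed, and the `reduction` value on each row (the expected loss a strategy is assumed to remove) is an input the transcript leaves to your tactical team.

```python
from dataclasses import dataclass

MAX_SPEND_RATIO = 0.37  # spending ceiling quoted in the transcript

@dataclass
class Risk:
    """One row of the risk register: one threat applied to one data category."""
    data_category: str
    threat: str
    impact: float           # expected loss per event (dollars, or a 1-5 score)
    likelihood: float       # chance the event happens in a year, 0.0 to 1.0
    events_per_year: float  # some risks recur; repeat events multiply the impact
    reduction_cost: float   # cost of the strategy chosen to reduce this risk
    reduction: float        # expected loss that strategy is assumed to remove

    def expected_loss(self) -> float:
        """Risk factor: impact x likelihood, scaled by expected recurrences."""
        return self.impact * self.likelihood * self.events_per_year

    def max_spend(self) -> float:
        """Spending above 37% of the expected loss buys no additional value."""
        return MAX_SPEND_RATIO * self.expected_loss()

    def spend_is_justified(self) -> bool:
        return self.reduction_cost <= self.max_spend()

def prioritize(risks):
    """Work the list starting with the highest expected loss."""
    return sorted(risks, key=Risk.expected_loss, reverse=True)

def residual_risk(risks, appetite):
    """Total risk minus total reduction, minus the loss leadership agreed to absorb;
    anything left over is residual risk that still needs a decision."""
    total = sum(r.expected_loss() for r in risks)
    reduced = sum(min(r.reduction, r.expected_loss()) for r in risks)
    return max(0.0, total - reduced - appetite)

# Constructed sample register; the figures are hypothetical, not from the webinar.
REGISTER = [
    Risk("financial records", "phishing leading to stolen credentials", 40_000, 0.30, 1, 6_000, 8_000),
    Risk("member contact list", "interception on coffee-shop wifi", 10_000, 0.10, 2, 600, 1_500),
    Risk("online giving system", "default or weak password guessing", 25_000, 0.20, 1, 1_500, 4_000),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        verdict = "ok" if r.spend_is_justified() else "over the 37% ceiling"
        print(f"{r.data_category:22} loss ${r.expected_loss():>8,.0f}  spend ${r.reduction_cost:>6,.0f} ({verdict})")
    print(f"residual risk at a $3,000 appetite: ${residual_risk(REGISTER, 3_000):,.0f}")
```

Run it and the first row shows a strategy priced above the 37% ceiling, while the $3,000 appetite leaves $2,500 of residual risk that still needs one of the decisions discussed next.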


If you have a residual risk, then you have some tough choices to make.

I would suggest we start with prayer. This is beyond our ability to fix. But sometimes we can find creative solutions.

We might decide not to carry out a ministry activity so that the risk is removed.

We might evaluate contracts with vendors and find warranties or other ways to reduce loss.

We might be able to revise our insurance.

Keep in mind that each year, your risk reduction will have exponential value. Some efforts (like training) can be built on with a more significant return on investment. So if we can spread the risk out over a couple of years, we may remove residual risk.


Please contact me if I can be of any assistance to you!

Thomas Freeman
Client Security Consultant, GCIH, GCWN, Security+
AIR Technology Services

(262) 432-1638
www.airtechnologyservices.com
"We take care of your computer networks, so you can focus on your business!"
