Introduction to managing internal cyber threats
Managing internal cyber threats
What your organisation needs to know
1. Introducing internal cyber threats
What are cyber threats?
[Chart: assets affected by cyber threats]
o The data
o Money
o Operational efficiency
o Strategic information
o Morale
o People
o Machinery
o Personal data
o Reputation
What gets lost?
What goes wrong?
Letting people in
Letting assets out
How does it happen?
Accidental
o Leaking information
o Social engineering
o Losing objects
Deliberate
o IT sabotage
o Fraud and theft of money
o IP theft
Why do things go wrong?
o External threats
o Lack of knowledge
o Hard-to-use systems
o Pressure of work
o Egoism and “Munchhausen syndrome”
o Social pressures
o Carelessness
o Career focus
o Maliciousness and greed
(Listed in order of increasing employee fault)
Greed is the most common motive
[Chart: frequency of insider motives]
Motive: Financial gain, Ideology, Loyalty to friends, Desire for recognition, Revenge
Source: CPNI
Insider attack: greed
o Insiders at insurance company Aviva sold details of people who had car accidents to personal injury claims companies
o This was the second publicised incident in 2 years
o Bad press will have harmed the brand and its reputation for trustworthiness
Internal risk: revenge attack
o Morrisons staff at risk from fraudsters after bank account details were stolen and published online
o Information about 100,000 employees was posted on the internet by a malicious insider with access to the payroll data
o This resulted in considerable employee anger and reduced morale
3rd party risk
o US retailer Target was hacked via a supplier
o The direct cost of the hack was $250 million
o In addition, reputational damage meant that revenues were $2.5 billion lower that quarter
Process risk
o Ubiquiti Networks lost $47 million in a simple invoice fraud
o The problem: internal processes combined with employee awareness
2. Helping people keep safe
Cornerstones of internal security
[Diagram: assets are protected by technology, and by people and processes]
o Technology
o People and processes: Knowledge, Ability, Awareness, Attitude
Knowledge
o Training and reference material
o How to use company security systems
o How to behave to keep personally safe
o What to do in a crisis
Ability
o User-centred design of security systems
o Intuitive to use
o Simple to remember
o Minimal effect on ability to do a job efficiently
Awareness
o Programme to generate awareness of the presence and changing nature of cyber risk
o Constant reminders
o Reminders at the point of risk
Attitude
o Cultural change programme to “socialise” cyber safety into an organisation
3. Looking out for trouble
Recognising the threat
o Poor work attitude
o Signs of being stressed
o Exploitable/vulnerable lifestyle
o Exploitable work profile
o Recent negative life events
Source: CPNI
Typical behaviours
o Unusual copying activity
o Unusual IT activity
o Unauthorised handling of sensitive material
o Security violations
What makes it worse…
o People
  o Poor security culture
  o Lack of risk awareness at senior level
  o Poor management practice
o Process
  o Lack of role-based security assessment
  o Lack of pre-employment vetting
  o Poor communication between business areas
o Technology
  o Inadequate auditing and monitoring
  o Lack of protective controls
4. Managing the risk
[Diagram: technology, processes and people, with the assets at risk at the centre; the requirement lies in processes and people, which are often not covered sufficiently by IT security]
1. Identify appetite for cyber risk
2. Review cyber security culture
3. Identify main internal threats
4. Develop usable policies and processes
5. Deliver engaging training
6. Ensure constant awareness
7. Measure behaviour
Working with IT security
[Diagram: a holistic approach is needed]
o Ensuring usable systems
o Persuasive communications
o Tools to manage threats
o Understanding cyber threats
Jeremy Swinfen Green
Appendix
Threats, risks and assets
o An asset is something we value - data, money, people or reputation: the thing we are trying to protect
o A threat is something or someone that can damage an asset – it could be a person, an Act of God or a technical failure: what we are trying to protect against
o A vulnerability is something that makes our asset vulnerable to a threat: a weakness in what we are trying to protect
o A risk is the effect that a threat could have on an asset: the intersection of asset, threat and vulnerability