Post on 16-Dec-2015
Amadeus Cybersecurity: the essentials 12th November 2014
Alex van Someren
Family Office Forum12th November 2014, Zurich
Cybersecurity: the essentials
Amadeus Cybersecurity: the essentials 12th November 2014
AGENDA
1. Understanding cyber risks2. Cyber security market trends3. State of the art: threats & defenses4. Best practices in cyber security
Cybersecurity: the essentials
Amadeus Cybersecurity: the essentials 12th November 2014
1Understanding cyber risks
CYBERSECURITY: THE ESSENTIALS
Amadeus Cybersecurity: the essentials 12th November 2014
4UNDERSTANDING CYBER RISKS
• The External attacker usually wants to:– Get access to files stored on the computer, or the local network– Copy Usernames & Passwords from users– Run programs on the computer to make it a ‘bot’
• They can deliver some ‘Malware’ inside the computer to achieve this, by:– infecting it with a Virus,– getting the user to open an email attachment– persuading the user to click through to an infected web page
• We also consider Internal attackers, i.e. employees as a possible threat• Finally, disaster planning is also essential
What exactly is the threat?
1
Amadeus Cybersecurity: the essentials 12th November 2014
5UNDERSTANDING CYBER RISKS
• Email spam– Unwanted messages, also links & attachments
• Viruses/spyware/malware– Programs which can run on the receiving computer and do harm
• Email phishing– Targeted emails, particularly asking for credentials
• Network intrusion/hacking– External attackers or programs trying to enter machines/networks
• Denial of Service attacks– Preventing systems/websites from operating
What cybersecurity risks should be considered? - 1Software & network risks
1
Amadeus Cybersecurity: the essentials 12th November 2014
6UNDERSTANDING CYBER RISKS
• Theft of mobile devices– Both accidental, and targeted
• Theft of system hardware– Physical attacks on facilities
• Corporate espionage/whistleblowers– Data leakage & data theft
• Criminal damage– Not only physical, but also logical i.e. data deletion
What cybersecurity risks should be considered? - 2Physical & data loss risks
1
Amadeus Cybersecurity: the essentials 12th November 2014
2Cyber security market trends
CYBERSECURITY: THE ESSENTIALS
Amadeus Cybersecurity: the essentials 12th November 2014
1. External threats: who actually gets hit?2. External threats: causes of data losses3. Internal threats: causes of security breaches
Cyber security market trends
Amadeus Cybersecurity: the essentials 12th November 2014
External threats: who actually gets hit?
CYBER SECURITY MARKET TRENDS
Source: Kaspersky IT Risks Survey 2014 – n = 3,900
2
Amadeus Cybersecurity: the essentials 12th November 2014
10
External threats: causes of data losses
CYBER SECURITY MARKET TRENDS
Source: Kaspersky IT Risks Survey 2014
2
Amadeus Cybersecurity: the essentials 12th November 2014
11
Internal threats: causes of security breaches
CYBER SECURITY MARKET TRENDS
Source: Kaspersky IT Risks Survey 2014
2
Amadeus Cybersecurity: the essentials 12th November 2014
3State of the art: threats & defences
CYBERSECURITY: THE ESSENTIALS
Amadeus Cybersecurity: the essentials 12th November 2014
STATE OF THE ART: THREATS & DEFENCES
• There are three major goals of cyber security:– Confidentiality: Keep private information private
• Prevent data leakage, data loss– Integrity: Guarantee critical information is not altered/tampered
• Protect data – Availability: Ensure that critical information remains accessible
• Keep systems working, prevent internal attacks• So, the “C.I.A.” is your friend!
What are the goals of good cybersecurity?
3
Amadeus Cybersecurity: the essentials 12th November 2014
14STATE OF THE ART: THREATS & DEFENCES
• The primary goal is to prevent malware from getting into computers– Employees are the source of greatest risk
• They sometimes click on stupid stuff• They can sometimes be misled• They sometimes steal data
• So:– train employees in cybersecurity basics– employ adequate cybersecurity technology to prevent damage & loss
What are the risk mitigation strategies?
3
Amadeus Cybersecurity: the essentials 12th November 2014
15STATE OF THE ART: THREATS & DEFENCES
• Network Firewalls– Control the flow of Internet traffic and prevent intrusions
• Anti-Spam filters/services– Minimise the amount of potentially dangerous email arriving
• Anti-Virus software– Detect, search for & destroy malware on computers
• Data Loss Prevention– Detect and prevent the export of sensitive data
• Mobile Device Management– Allow mobile & ‘BYOD’ users to safely operate remotely
What kind of basic cybersecurity defences are needed?
3
Amadeus Cybersecurity: the essentials 12th November 2014
4Best practices in cyber security
CYBERSECURITY: THE ESSENTIALS
Amadeus Cybersecurity: the essentials 12th November 2014
17BEST PRACTICES IN CYBER SECURITY
1. Business managers must know where the most important data is held– On-site in desktops and servers, or in cloud services and mobile devices
2. Bad things happen to good businesses– Automate the secure data back-up process– How will business continue if the physical site becomes unavailable?
3. Train employees about the nature of today’s cyber-attacks– Cyber-criminals particularly target SMBs – Aiming to compromise the PCs used for online banking and payments
4. Deploy the security basics: – Firewalls for wireless and wired-based access points, – Anti-malware on endpoints and servers– Encrypt highly sensitive data at rest and in transit
Adapted from Messmer/InfoWorld Oct. 2014
Best practices - 1
4
Amadeus Cybersecurity: the essentials 12th November 2014
18BEST PRACTICES IN CYBER SECURITY
5. Define each individual’s access to data– Ideally use two-factor authentication– Systems administrators jobs give them huge power– Immediately de-provision access & credentials when an employee departs
6. Trust, but verify– Do background checks on prospective employees– Have SLAs for technology vendors/cloud service providers; visit data-centre
7. Remove & securely destroy hard disks – From all old computers – And any other devices that store data
Best practices - 2
4
Amadeus Cybersecurity: the essentials 12th November 2014
19BEST PRACTICES IN CYBER SECURITY
8. Smartphones require different security requirements than older PCs and laptops– ‘BYOD’ raises important legal questions– Business data no longer held on a device owned directly by the business
9. Use physical access controls to keep unauthorized individuals from IT resources– That includes the office cleaners– Train staff to challenge unexpected visitors in a polite, but determined, way
10. Have an employee acceptable-use policy – Defining behavior online, how data is to be shared and restricted– Have them read and sign it– Making it clear if there will be monitoring of online activities
– There should be possible penalties for non-compliance.
Best practices - 3
4
Amadeus Cybersecurity: the essentials 12th November 2014
Amadeus Capital Partners
Alex van Someren, Managing Partner, Early Stage Funds
alex.vansomeren@amadeuscapital.com
https://www.amadeuscapital.com/
Global Technology Investors