Cyber - it's all now a matter of time!
Growing Gloucestershire
Business Cyber / Digital Threats
21st June 2017
Mark Godsland MSyI, MG Total Security Risk Associates Ltd
Presenting on behalf of CIMA
“It’s all now a question of TIME!”
Agenda
• Introduction
• “Time”
• Current Cyber activities, crime figures and cost to the County
• Typical Cyber Activities
• “Attack Vectors” to look out for
• “Cyber” Digital Risk Insurance
• GDPR 25th May 2018
• Where to get help and advice / NCSC / Cyber Essentials
• Gloucestershire Safer Cyber Forum
• What you can do for yourself
• What you can take away for your business
21/6/17
Your time is up!...... (Almost)
One Minute to Midnight
WANNACRY & Attack Types
Nationally:
One in four businesses reported a cyber-breach or attack in the past 12 months.
– Source Cyber Security Breaches Survey 2016, DCMS
There were an estimated 3.6 million cases+ of fraud and two million computer misuse offences in a year.
– Source British Crime Survey: January 2017
Regionally:
74% of SMEs had a “Breach” valuing between £75-311k
– Source SW Regional Cyber Crime Unit: March 2017
In Gloucestershire:
“An average of £250,000+ worth of recorded financial loss per month from Gloucestershire, related specifically to cyber-crime”
– Source Gloucestershire Constabulary:
National, Regional and Local Cybercrime and Fraud
Cyber criminals are targeting British businesses by imitating nation state-style attacks, the NCA warns.
Source NCA / NCSC Report March 2017 (The Threat to UK Business 2016-17 ) + UK Cyber Security Strategy 2016
The Government will meet its responsibilities and lead the national response. But businesses, organisations and individual citizens have a responsibility to take reasonable steps to protect themselves online and ensure they are resilient and able to continue operating in the event of an incident.
Typical ‘Cyber’ Activities
“Attack Vectors” (Type of attack) to look out for
Phishing / Spear Phishing
Whaling (CEO Fraud)
Ransomware
D-DOS (Multiple Bots)
Malware
Cyber (Digital) impact on Business and the “need” for Insurance
What cyber related issues are likely to impact a business?
• Virus or hacking attacks which stop customer transactions
• Corruption or damage of data
• Ransomware or similar extortion via their IT platforms or website
• Loss of customer, supplier or critical process data
• Consequent liability to a third party, including associated litigation, fines, costs, awards and damages
• Subsequent damage to reputation as a result of the attack
• Loss of gross profit or gross revenue
Insurance is a key resource businesses can use to help manage their own risk.
However, SME decision-makers often don’t realise the need to take out additional cover for the major risks they face.
Too many businesses – 43% – have not reviewed their business insurance for over a year.
Underinsurance is considered a concern among SMEs, according to almost nine out of 10 brokers.
What can happen to a company without sufficient cyber security insurance?
Around 40% of SMEs in the South West would go out of business if faced with an uninsured £50,000 claim, versus a national average of 28%.
What should an SME do today to make sure it has the best protection against cyber threats?
1. SMEs must ensure they review their insurance annually.
2. Speak to a broker as part of their review to discuss any emerging risks that they should be aware of. Broker advice is free for SMEs and BIBA provides a useful directory to help them find a suitable broker here: www.biba.org.uk/find-insurance/
3. Strongly consider the impact of technological risk to their business, notably cyber cover. Many SMEs will have no cover.
Source: SMEWEB 8/5/17
General Data Protection Regulation (GDPR) – 25th May 2018
Ultimately, the arrival of GDPR will put the
control of personal data back into the hands
of the individual, allowing a number of rights
including access to their data and the ability
to withdraw it.
It also means that organisations cannot
simply gather data without good reason and
must prove that they are doing all they can to
protect the data they do hold.
GDPR also specifies that organisations have
to appoint a specific data protection officer,
who is distinct from a risk officer and all IT
functions that currently exist. It’s a role that
has to sit outside of IT and outside of the
boardroom to have the independence to
ensure the business adheres to the
regulation.
It is vital businesses understand the
importance and the responsibility tied to
these new regulations.
Source Independent May 2017
Where to get Help / Report
Where to get Help & Advice
• Cyber Essentials
• British Retail Consortium (Cyber Security Tool Kit)
• National Cyber Security Centre (10 Steps to Cyber Security)
• Get Safe On Line or Cyber Aware
• Gloucestershire Safer Cyber Forum
Reporting
• To your local Police on 999 (if in action) or 101 if historical.
• Action Fraud http://www.actionfraud.police.uk/report_fraud
• Gloucestershire Safer Cyber Forum – Anonymous
GDPR
• Information Commissioners Office
Cyber Essentials
When questioned about the single worst breach suffered, half of all organisations attributed the cause to
inadvertent human error.
What to do?
If the information to the left is too complicated, do this as a bare minimum to protect your business, as recommended by the NCSC.
• Install the latest software and app updates
• Use strong and separate passwords for your key accounts
• Provide staff training with access to simple, freely-available cyber security training
• Back up essential data at regular intervals (several)
• Conduct a cyber security risk assessment for your business
• Seek accreditation through the Government-endorsed “Cyber Essentials Scheme”
• Never disclose security details such as passwords or PINs
• Don’t assume an email, text or call is authentic
Gloucestershire Safer Cyber Forum
What to do for yourselves – Basic Digital Hygiene & “Take 5”
You
• PIN protect your Phone / Tablet
• If you have to use public Wi-Fi, use a VPN or use 4G signal
• Turn off the phone's Wi-Fi and Bluetooth unless required
• Use strong passwords to protect your information
Your Home
• Don’t log on as an Administrator – use the limited / standard accounts
• Change the Router name, Admin password and Router PIN (don’t give it to everyone who visits, use the WPS key)
• Ensure automatic updating of Operating Systems
Social Media
• Do you really need to share “EVERYTHING”?
• Don’t post personal information, especially DOB, National Insurance #, Passport, Address, where you are on holiday etc.
What to “Take Away” from this presentation for your business
Businesses, organisations and individual citizens have a responsibility to take reasonable steps to protect themselves online and ensure they are resilient and able to continue operating in the event of an incident.
What you lose:
• Product Data
• IP
• CRM
• Employee information
• Financial Records
• Card Data
What you risk:
• Disruption
• Continuity
• Reputation
• Trust
• Compliance
• Commercial advantage
Thanks for listening / questions?
Mark Godsland MSyI: Ad Cert ED & CP
Independent Crime and Digital Risk Resilience Advisor
Director
MG Total Security Risk Associates Ltd
@MGTSRAssoc
(+44) 07484 193447
+ Community and Business Engagement Officer for the London Digital Security Centre
G First LEP Ambassador