Keynote address...2019/03/14  · AWS Shield Managed DDoS protection service that safeguards web...

Mitigating the Financial Impact of a Cyberattack

Transcript of Keynote address, 2019/03/14

Page 1

Mitigating the Financial Impact of a Cyberattack

Page 2

Keynote address

John Frost, Head of Business Continuity, Marks & Spencer Group plc

Page 3

Mitigating the Impact of a Cyber Attack

People

Property

Brand

Profit

Qubic Conference Thursday 14th March

BUSINESS RESILIENCE

Page 4

SESSION OBJECTIVES

1. Group Business Continuity Programme Overview – How it aligns and assists Cyber Security
  • Group Incident Reporting
  • Group Crisis Management
  • Group Business Recovery
  • KHRE Procedures
  • IT Heatmapping

2. The need for Collaboration – “The Human Factor”
  • My Safety Channel
  • My Safety App
  • Exercising, Testing & Assurance – Global Minimum Standards

3. Measuring the Success – Winning Together
  • Reporting Metrics & ROI
  • Campaign Metrics

And finally, Success, Learnings & Opportunities: a chance to be honest about the things that went well and not so well along the way…

Page 5

THE M&S RESILIENCE CHALLENGE

• 16 UK Distribution Centres
• 8 International Hubs
• 10 Sourcing Offices
• 5 UK Offices
• 3 International Offices
• 1000+ Stores Worldwide
• 46 Operational Countries

75% of all invocations are Cyber/Data related

Page 6

THE INDUSTRY RESILIENCE CHALLENGE

BC Team Structure

• Sept 2018 – 380,000 Customers affected
• May 2017 – 40 Hospitals affected across 24 trusts
• June 2018 – 40,000 Customers affected
• April 2017 – 250,000 Customers affected
• Jan 2017 – Loss of 2.5m from 9,000 accounts
• August 2017 – Up to loss of $300 in revenue
• Sept 2017 – Parsons Green attempted bombing
• May 2017 – Manchester Arena Terrorist Attack
• March 2017 – Westminster Bridge Terrorist Attack
• June 2017 – London Bridge attack

Page 7

CONDUCTORS OF RESILIENCE

Page 8

Group Business Continuity Programme

Page 9

CRISIS MANAGEMENT VALUES

Page 10

The need for Collaboration

Page 11

CONDUCTOR OF RESILIENCE

Background

• Perception - Boring, Dry, Grey

• Hard/Harsh message to deliver

• The island nobody really wants to visit

Purpose

• Soften the message

• Create an identifiable brand

• Tell a story

• Provide a service

Benefit

• Significant increase in engagement

• Stakeholder belief/buy in/integrity

• Brand identity/trust

• Protect the organisation

• Speed & agility

Page 12

CONDUCTOR OF RESILIENCE

Page 13

Paperless Resilience – The need to go Digital

Page 14

RESILIENCE PROGRAMME – SOCIETAL DEMANDS

BC Team Structure

Page 15

WHY CHANGE – BUSINESS DEMANDS

Questions that we could/should all consider:

• Readership/Version control
  o How many people printed the plan?
  o How many people read it?
  o Do they have the right version?
  o Who is required to carry a version?
  o How do we measure that they are doing it?
  o The car boot analogy

• Which page is it on…
• Which section is it in…
• The data stick approach…

• Just tell me what to do…
• I left it on a train, plane or at the hotel

Page 16

URIM APP

Page 17

Measuring Programme Success

Page 18

CHALLENGES/THINGS TO CONSIDER

• How do we move the industry forward together

• Do we believe in organisational resilience – Together we are stronger

• Can BC/Cyber be the conductor in your organisation

• Do you believe in the digital journey – It’s happening all around us

• How do you bring it to life – “The Human Factor”

• How does BC/Cyber add everyday value in our organisations

• Can BC/Cyber be a service proposition

• If we don’t diversify we will die…

Page 19

Don’t get letter-bombed

An unprotected email inbox is an open invitation for hackers, phishers, ransom-holders, spyware and worms.

Scott Jenner, Sales Engineer, Mimecast

Clouded judgment?

Rob Hale, Amazon Web Services

Page 20

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

AWS Security, Identity, and Compliance: An Overview

March 2018

Rob Hale, Cyber Security Segment Leader, EMEA

Page 21

Why is security traditionally so hard?

Lack of visibility

Low degree of automation

Page 22

Move fast OR Stay secure

Before…

Page 23

Move fast AND Stay secure

Now…

Page 24

The most sensitive workloads run on AWS

“With AWS, DNAnexus enables enterprises worldwide to perform genomic analysis and clinical studies in a secure and compliant environment at a scale not previously possible.”

— Richard Daly, CEO DNAnexus

“The fact that we can rely on the AWS security posture to boost our own security is really important for our business. AWS does a much better job at security than we could ever do running a cage in a data center.”

— Richard Crowley, Director of Operations, Slack

“We determined that security in AWS is superior to our on-premises data center across several dimensions, including patching, encryption, auditing and logging, entitlements, and compliance.”

— John Brady, CISO, FINRA (Financial Industry Regulatory Authority)

Page 25

Move to AWS: Strengthen your security posture

• Automate with deeply integrated security services
• Inherit global security and compliance controls
• Highest standards for privacy and data security
• Largest network of security partners and solutions
• Scale with superior visibility and control

Page 26

Inherit global security and compliance controls

Page 27

Scale with visibility and control

• Control where your data is stored and who can access it
• Fine-grain identity & access control so resources have the right access
• Reduce risk via security automation and continuous monitoring
• Integrate AWS services with your solutions to support existing workflows, streamline ops, and simplify compliance reporting

Page 28

Highest standards for privacy

• Encryption at scale with keys managed by our AWS Key Management Service (KMS), or managing your own encryption keys with Cloud HSM using FIPS 140-2 Level 3 validated HSMs
• Meet data residency requirements – Choose an AWS Region and AWS will not replicate it elsewhere unless you choose to do so
• Access services and tools that enable you to build compliant infrastructure on top of AWS
• Comply with local data privacy laws by controlling who can access content, its lifecycle, and disposal

Page 29

Automate with integrated services

[Diagram: Amazon GuardDuty → Amazon CloudWatch Events (CloudWatch Event) → AWS Lambda (Lambda Function)]

Automated threat remediation

Page 30

Largest ecosystem of security partners and solutions

• Infrastructure security
• Logging & monitoring
• Identity & access control
• Configuration & vulnerability analysis
• Data protection

Page 31

AWS security solutions

Identity
• AWS Identity & Access Management (IAM)
• AWS Single Sign-On
• AWS Directory Service
• Amazon Cognito
• AWS Organizations
• AWS Secrets Manager
• AWS Resource Access Manager

Detective control
• AWS Security Hub
• Amazon GuardDuty
• AWS Config
• AWS CloudTrail
• Amazon CloudWatch
• VPC Flow Logs

Infrastructure security
• AWS Systems Manager
• AWS Shield
• AWS WAF – Web application firewall
• AWS Firewall Manager
• Amazon Inspector
• Amazon Virtual Private Cloud (VPC)

Data protection
• AWS Key Management Service (KMS)
• AWS CloudHSM
• AWS Certificate Manager
• Amazon Macie
• Server-Side Encryption

Incident response
• AWS Config Rules
• AWS Lambda

Page 32

Identity and access management

Define, enforce, and audit user permissions across AWS services, actions and resources.

• AWS Identity and Access Management (IAM) – Securely control access to AWS services and resources
• AWS Single Sign-On (SSO) – Centrally manage SSO access to multiple AWS accounts & business apps
• AWS Directory Service – Managed Microsoft Active Directory in the AWS Cloud
• Amazon Cognito – Add user sign-up, sign-in, and access control to your web/mobile apps
• AWS Organizations – Policy-based management for multiple AWS accounts
• AWS Secrets Manager – Easily rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle
• AWS Resource Access Manager – Simple, secure service to share AWS resources

Page 33

Detective control

Gain the visibility you need to spot issues before they impact the business, improve your security posture, and reduce the risk profile of your environment.

• AWS Security Hub – Centrally view & manage security alerts & automate compliance checks
• Amazon GuardDuty – Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
• AWS Config – Record and evaluate configurations of your AWS resources to enable compliance auditing, resource change tracking, & security analysis
• AWS CloudTrail – Track user activity and API usage to enable governance, compliance, and operational/risk auditing of your AWS account
• Amazon CloudWatch – Complete visibility of your cloud resources and applications to collect metrics, monitor log files, set alarms, and automatically react to changes
• VPC Flow Logs – Capture info about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs

Page 34

Infrastructure security

Reduce surface area to manage and increase privacy for and control of your overall infrastructure on AWS.

• AWS Systems Manager – Easily configure and manage Amazon EC2 and on-premises systems to apply OS patches, create secure system images, and configure secure operating systems
• AWS Shield – Managed DDoS protection service that safeguards web applications running on AWS
• AWS WAF – Web application firewall – Protects your web applications from common web exploits, ensuring availability and security
• AWS Firewall Manager – Centrally configure and manage AWS WAF rules across accounts and applications
• Amazon Inspector – Automates security assessments to help improve the security and compliance of applications deployed on AWS
• Amazon Virtual Private Cloud (VPC) – Provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define

Page 35

Data protection

In addition to our automatic data encryption and management services, employ more features for data protection (including data management, data security, and encryption key storage).

• AWS Key Management Service (KMS) – Easily create and control the keys used to encrypt your data
• AWS CloudHSM – Managed hardware security module (HSM) on the AWS Cloud
• AWS Certificate Manager – Easily provision, manage, and deploy SSL/TLS certificates for use with AWS services
• Amazon Macie – Machine learning-powered security service to discover, classify, and protect sensitive data
• Server-Side Encryption – Flexible data encryption options using AWS service managed keys, AWS managed keys via AWS KMS, or customer managed keys

Page 36

Incident response

During an incident, containing the event and returning to a known good state are important elements of a response plan. AWS provides the following tools to automate aspects of this best practice.

• AWS Config Rules – Create rules that automatically take action in response to changes in your environment, such as isolating resources, enriching events with additional data, or restoring configuration to a known-good state
• AWS Lambda – Use our serverless compute service to run code without provisioning or managing servers so you can scale your programmed, automated response to incidents
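The GuardDuty → CloudWatch Events → Lambda flow on page 29 and the "programmed, automated response" on this page, as an added example (not AWS's code or the presenter's): a Lambda-style handler that reads a GuardDuty finding from the CloudWatch Events envelope, tiers the response by severity, and quarantines an EC2 instance by swapping its security groups. It assumes a pre-created quarantine security group with no rules; the `QuarantineClient` is a constructed stand-in for the boto3 EC2 client so the logic runs offline, and the sample events are constructed, not real findings.

```python
"""Lambda-style handler for the GuardDuty -> CloudWatch Events -> Lambda flow."""
from dataclasses import dataclass, field

# GuardDuty severity is a 0.1-8.9 score; AWS groups 7.0+ as High and 4.0-6.9 as Medium.
HIGH_SEVERITY = 7.0
MEDIUM_SEVERITY = 4.0


@dataclass
class QuarantineClient:
    """Constructed stand-in for the boto3 EC2 client: it records the calls a real
    handler would make instead of performing them, so the logic runs offline."""
    quarantine_sg: str                      # assumed: a pre-created group with no rules
    calls: list = field(default_factory=list)

    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append(("modify_instance_attribute", InstanceId, tuple(Groups)))

    def create_tags(self, Resources, Tags):
        self.calls.append(("create_tags", tuple(Resources),
                           tuple((t["Key"], t["Value"]) for t in Tags)))


def classify(severity):
    """Map a finding's numeric severity to the response tier."""
    if severity >= HIGH_SEVERITY:
        return "isolate"
    if severity >= MEDIUM_SEVERITY:
        return "tag"
    return "log"


def handle_finding(event, ec2):
    """Entry point in the shape Lambda receives from a CloudWatch Events rule.

    Returns a dict describing what was done, so the outcome can be logged,
    forwarded to Security Hub, or asserted in tests.
    """
    if event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignored", "reason": "not a GuardDuty finding"}

    detail = event["detail"]
    finding_id = detail.get("id", "unknown")
    severity = float(detail.get("severity", 0))
    resource = detail.get("resource", {})
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    action = classify(severity)

    # Containment only makes sense for a resource we can actually isolate; an
    # IAM access-key finding has no instance, so hand it to a human instead.
    if action == "isolate" and instance_id is None:
        return {"action": "escalate", "finding": finding_id,
                "resourceType": resource.get("resourceType")}

    if action == "isolate":
        # Swap every security group for the quarantine group: the instance stays
        # up for forensics but can no longer talk to anything.
        ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[ec2.quarantine_sg])
        ec2.create_tags(Resources=[instance_id],
                        Tags=[{"Key": "Quarantined", "Value": finding_id}])
    elif action == "tag" and instance_id is not None:
        ec2.create_tags(Resources=[instance_id],
                        Tags=[{"Key": "GuardDutyFinding", "Value": finding_id}])

    return {"action": action, "finding": finding_id, "instance": instance_id,
            "type": detail.get("type"), "severity": severity}


# Constructed sample events in the CloudWatch Events envelope (not real findings).
SAMPLE_HIGH = {
    "detail-type": "GuardDuty Finding",
    "detail": {"id": "finding-0001", "type": "Backdoor:EC2/C&CActivity.B!DNS",
               "severity": 8.0,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0abc123def456"}}},
}
SAMPLE_MEDIUM = {
    "detail-type": "GuardDuty Finding",
    "detail": {"id": "finding-0002", "type": "Recon:EC2/PortProbeUnprotectedPort",
               "severity": 5.0,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0fed987cba654"}}},
}
SAMPLE_IAM = {
    "detail-type": "GuardDuty Finding",
    "detail": {"id": "finding-0003", "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
               "severity": 8.0,
               "resource": {"resourceType": "AccessKey",
                            "accessKeyDetails": {"userName": "deploy-bot"}}},
}


def run_samples():
    """Feed the three constructed events through the handler and return results."""
    ec2 = QuarantineClient(quarantine_sg="sg-quarantine-placeholder")
    results = [handle_finding(e, ec2) for e in (SAMPLE_HIGH, SAMPLE_MEDIUM, SAMPLE_IAM)]
    return results, ec2.calls


if __name__ == "__main__":
    for outcome in run_samples()[0]:
        print(outcome)
```

In a real deployment the Lambda's execution role needs only `ec2:ModifyInstanceAttribute` and `ec2:CreateTags`, and the quarantine group should be created ahead of time so the handler never has to make one under pressure.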

Page 37

“I have come to realize that as a relatively small organization, we can be far more secure in the cloud and achieve a higher level of assurance at a much lower cost, in terms of effort and dollars invested. We determined that security in AWS is superior to our on-premises data center across several dimensions, including patching, encryption, auditing and logging, entitlements, and compliance.”

— John Brady, CISO, FINRA (Financial Industry Regulatory Authority)

• Looks for fraud, abuse, and insider trading over nearly 6 billion shares traded in U.S. equities markets every day
• Processes approximately 6 terabytes of data and 37 billion records on an average day
• Went from 3–4 weeks for server hardening to 3–4 minutes
• DevOps teams focus on automation and tools to raise the compliance bar and simplify controls
• Achieved incredible levels of assurance for consistencies of builds and patching via rebooting with automated deployment scripts

Page 38

Online medical care scheduling

“Previously all our servers were configured and updated by hand or through limited automation, we didn’t take full advantage of a configuration management … All our new services are built as stateless docker containers, allowing us to deploy and scale them easily using Amazon’s ECS.”

“AWS allowed us to scale our business to handle 6 million patients a month and elevate our security—all while maintaining HIPAA compliance—as we migrated 100% to cloud in less than 12 months”

• Migrated all-in on AWS in under 12 months, becoming a HIPAA compliant cloud-first organization
• New York based startup leveraged infrastructure as code to securely scale to 6 million patients per month
• Data liberation—use data to innovate and drive more solutions for patients, reducing patient wait times from 24 days to 24 hours
• Maintain end to end visibility of patient data using AWS

Page 39

Thank you

https://aws.amazon.com/security/
https://aws.amazon.com/compliance/
https://aws.amazon.com/products/security

Page 40

Premium Insurance

Raf Sanchez, Beazley Group

Page 41

Cyber Security: The Latest Challenges and Approaches

14th March 2019

Raf Sanchez

Page 42

Misconceptions

Page 43

Page 44

Cyber Threats & Trends

Page 45

2018: UK Incidents by Cause

[Pie chart; segment values as shown: 40%, 12%, 8%, 8%, 24%, 8%. Segments: Hack / Malware, Vendor breach, Insider, Portable Device, Unintended Disclosure, Social Engineering]

Page 46

BBR International: Total breaches by cause

[Pie chart; segment values as shown: 45%, 14%, 4%, 2%, 4%, 17%, 2%, 12%. Segments: Hack / Malware, Vendor breach, Insider, Physical/Non Electronic, Portable Device, Unintended Disclosure, Social Engineering, Other]

Page 47

Emotet & Ryuk

Page 48

Microsoft Office 365 Account Compromise

Page 49

Failure to Implement MFA

Page 50

Cyber Insurance

Page 51

Suffering a Data Breach is not a disaster… Mishandling it is.

Page 52

Global Incidents Handled

2013: 554
2014: 777
2015: 1249
2016: 1944
2017: 2615
2018: 3332

Page 53

What do BBR Services Do?

NO
• Legal Advice
• Activate Policy

YES
• Advocacy
• Liaison

Page 54

Detection – Prevention – Containment – Recovery – Learning

Pre-Breach Services

Breach Management

Risk Management Services

Page 55

Incident Management

Page 56

How Does BBR Services Assist?

breach hotline

Page 57

How Does BBR Services Assist?

in-house team

Page 58

How Does Beazley Assist?

co-ordination

Page 59

How Does BBR Services Assist?

expert vendors

Page 60

How Does BBR Services Assist?

risk management

Page 61

Planning for continuity

Justin Rhodes, URIM

Page 62

URIM: The Road Ahead 2019

10/03/2019

Page 63

URIM – Universal Remote Information Management

Contents

1. Android Version – Q2
2. Single Sign On – Google & Microsoft Active Directory – Q2
3. PEN Testing – Already A+ Rating via “SSL Labs” – Q2
4. Forms Support – Q2
5. Change Control Audit – “who, what, when” – Q3

Page 64

GDPR keeping data safe?

Shane Gohil, Qubic Group plc

Page 65

GDPR

“The General Data Protection Regulation (GDPR) very significantly increases the obligations and responsibilities for organisations and businesses in how they collect, use and protect personal data.”

Page 66

What is the aim of the GDPR?

“The aim of the GDPR is to allow Data Subjects to understand and manage personal data held by businesses and organisations.”

Page 67

What is personal data?

• The term ‘personal data’ means any information relating to a living person who is identified or identifiable (such a person is referred to as a ‘data subject’).
• The GDPR gives examples of identifiers, including names, identification numbers, and location data. A person may also be identifiable by reference to factors which are specific to their identity, such as physical, genetic or cultural factors.
• Therefore, if you can identify an individual based on any data held, this is personal data and GDPR applies to it. (This includes employee data.)

Page 68

Processing explained

You are deemed to be processing personal data if you do any of the following:

• Collect, store, organise or retrieve data

• Change, modify or adapt the data

• Use part or all of the data

• Transmit or transfer the data

• Destroy or erase data

Page 69

Principles and Rights

Principles:
1. Lawfulness, Fairness and Transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability

Rights:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling.

Page 70

Integrity and confidentiality: the Security Principle

What does the GDPR say?

“Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”

This means that you must have appropriate security in place to prevent the personal data you hold from being accidentally or deliberately compromised.

Page 71

Why should organisations review security?

The ICO is required to consider the technical and organisational measures you had in place when considering an administrative fine.

Case example

Page 72

Cybersecurity factors

• System security – the security of your network and information systems, including those which process personal data;

• Data security – the security of the data you hold within your systems, e.g. ensuring appropriate access controls are in place and that data is held securely;

• Online security – e.g. the security of your website and any other online service or application that you use; and

• Device security – including policies on Bring-your-own-Device (BYOD) if you offer it.

Page 73

Security of processing (GDPR Article 32)

What does the GDPR say?

• Encrypt personal data;

• Have the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

• Have the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

• Have a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Page 74

Security of processing (GDPR Article 32)

What does this mean for organisations?

• Ensure data is secure both at rest and in transit

• Maintain a suite of cyber security services that keep you secure (a layered approach)

• Have backup and disaster recovery and a business continuity plan

• Run reports and test the systems and measures you have in place
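The "encrypt personal data" and "secure at rest" points above, as an added example that is not from the keynote or from any product it mentions: a Go program that seals each personal-data record with AES-256-GCM under a fresh random nonce, binds the record identifier as associated data so a ciphertext cannot be quietly moved to another record, and fails closed when the stored blob, the identifier or the key has changed. The Record and Sealed shapes, the NewKey helper and the sample record are assumptions made for this example; the key is generated locally here only so the program runs on its own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is a constructed shape for one personal-data record (an assumption
// for this example, not a schema from the keynote).
type Record struct {
	ID   string // record identifier: stays in the clear but is bound to the ciphertext
	Body []byte // the personal data itself
}

// Sealed is what reaches the data store: nonce || ciphertext || GCM tag.
type Sealed struct {
	ID   string
	Blob []byte
}

// NewKey returns a fresh 256-bit AES key. Generated locally here so the example
// is self-contained; in a deployment it would live in a KMS or HSM, apart from the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record with AES-256-GCM. The record ID is passed as
// associated data, so the authentication tag covers it as well as the body.
func Seal(key []byte, r Record) (Sealed, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	ct := aead.Seal(nil, nonce, r.Body, []byte(r.ID))
	return Sealed{ID: r.ID, Blob: append(nonce, ct...)}, nil
}

// Open decrypts a stored record. Any change to the blob, the ID or the key
// makes the tag check fail, and then no plaintext is returned at all.
func Open(key []byte, s Sealed) (Record, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Record{}, err
	}
	n := aead.NonceSize()
	if len(s.Blob) < n+aead.Overhead() {
		return Record{}, errors.New("stored blob too short to be valid")
	}
	nonce, ct := s.Blob[:n], s.Blob[n:]
	pt, err := aead.Open(nil, nonce, ct, []byte(s.ID))
	if err != nil {
		return Record{}, errors.New("record failed integrity check")
	}
	return Record{ID: s.ID, Body: pt}, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record for the demonstration.
	rec := Record{ID: "employee-0042", Body: []byte("Jane Doe, 1 High Street, payroll no. 778")}
	sealed, err := Seal(key, rec)
	if err != nil {
		panic(err)
	}
	back, err := Open(key, sealed)
	fmt.Printf("round trip ok: %v, body: %q\n", err == nil, back.Body)

	// Flip one bit of the stored blob: the tag check must reject it.
	sealed.Blob[len(sealed.Blob)-1] ^= 0x01
	_, err = Open(key, sealed)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Two design points map directly onto Article 32: the tag check gives the integrity guarantee (a modified or relocated record is refused rather than silently returned), and keeping the key outside the data store means a lost backup or stolen disk on its own does not expose the personal data.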

Page 75

Where are organisations falling short?

Subject Access Requests - SARs

Under the GDPR, individuals have the right to obtain:

• Confirmation that their data is being processed;

• Access to their personal data; and

• Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.

Page 76

Recent ICO enforcement

The court heard that an individual had submitted a subject access request on 17 April 2017. A subject access request, or SAR, allows someone to request all the personal information an organisation holds about them.

Magnacrest, based in Hazlemere, Buckinghamshire, failed to provide the information within the required timescale of 40 calendar days and the individual complained to the data protection regulator, the ICO.

Magnacrest pleaded guilty to a charge of failing to comply with an enforcement notice when it appeared before Westminster Magistrates on 6 February 2019. The company was fined £300, with a £30 victim surcharge, and was ordered to pay £1,133.75 towards prosecution costs.

Page 77

Getting SARs right

• Establish a procedure for acknowledging SARs – allowing an individual to know their request has been received and is being worked on

• Gain an understanding of what the individual wants to achieve – this may save you time and resource

• Ensure your privacy policy has been updated; this can inform individuals about how and why you want to process their data

• Provide staff training on SARs – unaware staff could be the reason you fail to respond to a request in time

Page 78

Where are organisations falling short?

Working from home.

• Two-factor authentication and secure remote connections should be established

• Allowing staff to connect insecurely to your network increases information security risk

• Staff must be made aware of their responsibilities when accessing data remotely and must ensure risk is minimised
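The two-factor authentication point above, as an added example that is not from the keynote: a Go implementation of the server-side check for time-based one-time codes (TOTP, RFC 6238, built on HOTP, RFC 4226), with a one-step window for clock drift and a per-user record of the last accepted step so that a code captured from a staff member cannot be replayed within its validity window. The Verifier type, the user names and the fixed clock are constructed for the example; the shared secret is the RFC 6238 test-vector secret, so the codes can be checked against the RFC.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

const (
	totpStepSeconds = 30 // RFC 6238 default time step
	totpSkew        = 1  // accept one step either side to tolerate clock drift
)

// hotp computes the 6-digit HOTP value (RFC 4226) for one counter value.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTP returns the code for the 30-second step that contains t (RFC 6238).
func TOTP(secret []byte, t time.Time) string {
	return hotp(secret, uint64(t.Unix()/totpStepSeconds))
}

// Verifier is the server-side check (constructed for this example). It remembers
// the last step each user authenticated with so a captured code cannot be replayed.
type Verifier struct {
	mu       sync.Mutex
	lastStep map[string]uint64
}

func NewVerifier() *Verifier {
	return &Verifier{lastStep: make(map[string]uint64)}
}

// Verify reports whether code is valid for user at time now. The comparison is
// constant-time, the window is +/- totpSkew steps, and a step at or before the
// user's last accepted step is refused even when the code itself is correct.
func (v *Verifier) Verify(user string, secret []byte, code string, now time.Time) bool {
	step := now.Unix() / totpStepSeconds
	v.mu.Lock()
	defer v.mu.Unlock()
	for d := int64(-totpSkew); d <= totpSkew; d++ {
		candidate := step + d
		if candidate < 0 {
			continue
		}
		c := uint64(candidate)
		if subtle.ConstantTimeCompare([]byte(hotp(secret, c)), []byte(code)) != 1 {
			continue
		}
		if c <= v.lastStep[user] {
			return false // replay: this step, or an earlier one, was already used
		}
		v.lastStep[user] = c
		return true
	}
	return false
}

func main() {
	// Constructed sample: the RFC 6238 test-vector secret and a fixed clock.
	secret := []byte("12345678901234567890")
	now := time.Unix(59, 0) // RFC 6238 vector: step 1, 6-digit code 287082
	v := NewVerifier()
	code := TOTP(secret, now)
	fmt.Println("code:", code)
	fmt.Println("first use accepted:", v.Verify("alice", secret, code, now))
	fmt.Println("replay accepted:", v.Verify("alice", secret, code, now))
}
```

The replay record is what turns "we have 2FA" into a control that survives a phished or shoulder-surfed code: without it, a correct code remains usable for up to 90 seconds with the drift window shown here. In a real deployment the last-step map would be persisted per user alongside the shared secret, and the secret itself would be stored with the same care as a password hash.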

Page 79

Case example – working from home

• Former council officer fined for emailing CVs of rival job applicants to his partner

• He accessed the authority’s recruitment system and emailed the personal information of the nine rival shortlisted candidates to both his own work email address and also his partner’s Hotmail account.

• The recruitment packs he shared included the name, address, telephone number and CV of each candidate, along with contact details for each of their two referees. That was against the law.

Page 80

Where are organisations falling short?

Device security.

More and more organisations are now allowing BYOD. Personal data being processed via a personal device might be stored in one, or a combination, of the following locations:

• On the device;

• On a server within the organisation’s IT network (or other private cloud); or

• In a private, community or public cloud.

Regardless of where the data is stored, you will have to take appropriate measures to protect against unauthorised or unlawful access, for example if the device is lost or stolen. This remains your responsibility as the data controller.


Page 82

020 8601 7000

www.qubicgroup.com