What every executive needs to know about information technology security
Peter Campbell
Chief Information Officer, Legal Services Corporation
Topics
Introduction/Data Security
Cloud Computing
Cyber Insurance
Passwords
Mobile
Network Security
Questions?
The Internet is rapidly changing, as are the ways that you should protect yourself. This is relatively current information that factors in the use of mobile technology and cloud computing.
Image by National Institute for Occupational Safety and Health (NIOSH), via Wikimedia Commons
Why we need to be protected:
Business continuity
Safety of clients, staff, data, and property
Compliance (PCI, HIPAA, etc.)
Attackers either:
Want something you have, or
Want to extort money from you by taking what you have, or
Want to attack others by using what you have.
Two kinds of risk:
Sensitive Information Breached
Systems Attacked
Image by Setreset (Own work), via Wikimedia Commons
Data Sensitivity must be assessed:
High - Medium - Low
Risk to organization vs risk to clients, etc.
Labor/time to reproduce
Security policies should be based on these assessments
Image by Friedrich Graf, via Wikimedia Commons
Cloud Computing
Core Cloud Considerations:
Established cloud services may offer better data security than you can provide yourself
How many certified IT security specialists do you have on staff, compared to Google or Microsoft?
But they are also less accountable to you for confidentiality
A vendor might hand over data in response to a subpoena that you would have contested
Cost concerns:
Moves software spending from capital expenditure to operating expense
Subscriptions cost more than maintenance renewals, but may be offset by savings on infrastructure and support
Huge benefits for remote access
Contracting Tips:
Make sure that you back up your data locally, so that you can still reach it if the cloud vendor goes out of business or the relationship ends
Clearly delineate duties
Never agree to termination fees
[Image: “The Land of Contracts” by David Anthony Colarusso]
Cyber Insurance
About Cyber-Insurance
As of 2013, 35 insurers offered it [1]; now many more do.
Third-party and first-party offerings
Costs vary widely, as do the items covered (shop around!)
[1] https://www.mcguirewoods.com/Client-Resources/Alerts/2013/12/A-Nonprofit-Buyers-Guide-to-Cyber-Insurance.aspx
Third Party Coverage
Litigation Costs
Regulatory Expenses
Notification Costs
Crisis Management
PR
First Party Coverage
Theft and Fraud
Forensic Investigation
Business Interruption
Data Loss and Restoration
Photo by Jon Crel
Passwords aren’t secure.
Given enough time, or a single data breach, any password can be cracked or stolen
Any network can be breached
The old password rules (complexity over length, rotation on a schedule) no longer hold
Image by nikcname
But passwords are still critical.
Strong passwords are:
Long phrases rather than single words
Mixed: upper case letters, lower case letters, numerals, punctuation, spaces
Not too difficult to remember, or
Stored in a password manager
Backed by two-factor authentication
Unique across systems (a breach at one site must not open the others)
Changed immediately after a breach is revealed
New Thinking on Passwords
Changing a password on a schedule matters less than changing it after a breach.
Fingerprint readers and other biometric alternatives are only as secure as the device that stores the biometric: a stolen fingerprint cannot be changed the way a password can.
Password Managers are necessary.
Dual Factor Authentication
AKA “Two Factor Authentication”, “2FA”
Ensures that a hacker with your password can’t access your account
Multiple methods: text, phone, email, fob, or app (a code from an app or a hardware fob is harder to intercept than one sent by text or email)
Home and work PCs can be marked as trusted so the second factor is not requested on every login
Image by Brian Ronald
Password Managers
Only one password to memorize
Fills in passwords across computers and devices
Generates secure passwords
The best include breach alerts and security checks
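What a manager’s “breach alert” and “security check” can look like, as an added example that is not the deck’s or any vendor’s code: a Python audit of a constructed vault that applies the strong-password rules above (unique across systems, long phrase, changed after a breach) and checks each password against a leaked-password corpus with the k-anonymity range lookup used by Have I Been Pwned’s Pwned Passwords service, so neither the password nor its full hash ever leaves the client. The corpus, its counts, the local `range_query` stand-in and `SAMPLE_VAULT` are all constructed.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a leaked-password corpus (the real Pwned Passwords set holds hundreds
# of millions of SHA-1 hashes). Counts are illustrative; hashes are computed at load time so no
# digest has to be hard-coded.
_LEAKED_PASSWORDS = {"password": 3_861_493, "123456": 37_359_195, "qwerty": 3_912_816, "letmein": 236_597}
_BUCKETS = defaultdict(list)
for _pw, _count in _LEAKED_PASSWORDS.items():
    _digest = hashlib.sha1(_pw.encode()).hexdigest().upper()
    _BUCKETS[_digest[:5]].append(f"{_digest[5:]}:{_count}")


def range_query(prefix: str) -> list[str]:
    """Local stand-in for GET https://api.pwnedpasswords.com/range/<prefix>. The client sends only
    the first five hex characters of the SHA-1 hash; the service returns every suffix in that
    bucket with its breach count, and the comparison happens on the client."""
    if len(prefix) != 5:
        raise ValueError("only a 5-character hash prefix may leave the client")
    return list(_BUCKETS.get(prefix.upper(), []))


def breach_count(password: str) -> int:
    """Occurrences of the password in the corpus, found without transmitting it or its full hash."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(prefix):
        found, count = line.split(":")
        if found == suffix:
            return int(count)
    return 0


def audit_vault(vault: dict[str, str], min_length: int = 16) -> dict[str, list[str]]:
    """vault maps site -> password. Returns site -> findings: breached, reused across
    systems, or shorter than a phrase-length minimum."""
    sites_using = defaultdict(list)
    for site, pw in vault.items():
        sites_using[pw].append(site)
    findings = {}
    for site, pw in vault.items():
        issues = []
        hits = breach_count(pw)
        if hits:
            issues.append(f"breached ({hits} occurrences): change immediately")
        if len(sites_using[pw]) > 1:
            others = ", ".join(sorted(s for s in sites_using[pw] if s != site))
            issues.append(f"reused on {others}")
        if len(pw) < min_length:
            issues.append(f"short ({len(pw)} chars < {min_length}); prefer a long phrase")
        findings[site] = issues
    return findings


# Constructed sample vault
SAMPLE_VAULT = {
    "bank.example": "password",
    "mail.example": "correct horse battery staple",
    "hr.example": "correct horse battery staple",
    "docs.example": "Tr0ub4dor&3",
}

if __name__ == "__main__":
    for site, issues in audit_vault(SAMPLE_VAULT).items():
        print(f"{site}: {'; '.join(issues) or 'ok'}")
```

The minimum length is deliberately a phrase length rather than the eight characters many sites still accept; a long passphrase of ordinary words scores as strong here, while a short password full of symbols does not.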
Mobile
Image by HLundgaard (Own work) [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons
Core Mobile Considerations
Business data on a mobile device sits outside the office network’s security controls
Mobile devices are easily lost or stolen
Public WiFi networks are often insecure
Malicious apps surreptitiously copy private information from mobile devices
Image by Alan Levine
Security Measures
Screen Locks
Passcodes are safer than patterns
Fingerprint and facial recognition are only as good as the device that stores them; on a compromised phone they protect nothing
Encryption, on the device and in transit (HTTPS everywhere, not only on login pages)
Two-Factor Authentication
Personal hotspots (as opposed to public WiFi)
Mobile Device Management Software
Mobile Device Management Systems (MDMs) offer a degree of security for mobile devices. With them, you can
Remotely wipe data
Track devices
Remotely install/remove applications
Block application installs
Enforce security options
Policies and Education
The key to safely letting staff work with company data (email, documents, etc.) on mobile devices is solid policy and user education.
The best security in the world won’t protect you if staff don’t know how to protect passwords and detect scams.
Policies should be sensible and not so prohibitive that staff are compelled to work around them.
Network Security
Office Security
If you have IT staff, you likely have these things in place already
Firewalls, anti-virus, anti-spam and other standard security tools can only protect what passes through them
Mobile devices, USB drives and other portable media bypass them entirely
Servers open to the public (web servers, remote access, client-facing applications) are at greatest risk
Photo by Ilya Sedhyk
Monitoring and Perimeter Testing
It’s important to have software that monitors your systems and alerts IT staff to hardware failures or attacks.
The logs that monitoring keeps may be critical if a breach has to be investigated.
Perimeter (penetration) testing should be done regularly to identify security issues.
Pricing varies widely on this service
Find best mix of pricing/frequency
Can be a requirement/cost offset for cyber-insurance
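What “software that monitors the systems and alerts IT staff” does at its simplest, as an added example that is not from the deck: a Python sliding-window detector over sshd log lines that alerts on repeated failed logins from one address and, more importantly, on a successful login that follows such a burst, which is what a guessed or stolen password looks like in the log. The log lines, hostname, thresholds and the year (syslog lines carry none) are constructed; a real deployment would read the live auth log and forward alerts to whoever is on call.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Classic syslog/sshd line layout. Hostname and addresses in the sample are constructed;
# 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(r"^Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)")


def parse_ts(ts: str, year: int) -> datetime:
    """syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60),
           year: int = 2024) -> list[dict]:
    """Sliding-window detector. Raises
       brute_force            - `threshold` failed logins from one address within `window`
       success_after_failures - a successful login from an address that was just failing."""
    recent = defaultdict(deque)          # ip -> timestamps of failures inside the window
    alerts = []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue                     # not an sshd line; a fuller parser would cover other daemons
        when, msg = parse_ts(m["ts"], year), m["msg"]
        if (f := FAILED.match(msg)):
            q = recent[f["ip"]]
            q.append(when)
            while q and when - q[0] > window:
                q.popleft()
            if len(q) == threshold:      # fire once per burst, not on every further failure
                alerts.append({"type": "brute_force", "ip": f["ip"], "failures": threshold, "at": when})
        elif (a := ACCEPTED.match(msg)):
            q = recent[a["ip"]]
            while q and when - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alerts.append({"type": "success_after_failures", "ip": a["ip"], "user": a["user"],
                               "failures": len(q), "at": when})
            q.clear()                    # a successful login closes the burst
    return alerts


SAMPLE_LOG = [  # constructed
    "Mar  3 09:14:01 fileserver sshd[2311]: Failed password for invalid user admin from 203.0.113.45 port 51222 ssh2",
    "Mar  3 09:14:04 fileserver sshd[2313]: Failed password for invalid user admin from 203.0.113.45 port 51224 ssh2",
    "Mar  3 09:14:08 fileserver sshd[2315]: Failed password for root from 203.0.113.45 port 51226 ssh2",
    "Mar  3 09:14:12 fileserver sshd[2317]: Failed password for backup from 203.0.113.45 port 51228 ssh2",
    "Mar  3 09:14:15 fileserver sshd[2319]: Failed password for backup from 203.0.113.45 port 51230 ssh2",
    "Mar  3 09:14:19 fileserver sshd[2321]: Failed password for backup from 203.0.113.45 port 51232 ssh2",
    "Mar  3 09:14:45 fileserver sshd[2330]: Accepted password for backup from 203.0.113.45 port 51240 ssh2",
    "Mar  3 09:20:10 fileserver sshd[2402]: Failed password for jsmith from 192.0.2.10 port 61001 ssh2",
    "Mar  3 09:20:15 fileserver sshd[2403]: Accepted publickey for jsmith from 192.0.2.10 port 61002 ssh2",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single mistyped password from 192.0.2.10 produces nothing; the burst from 203.0.113.45 produces one brute-force alert and then a second, higher-priority one when the guessing succeeds. That second alert is the one worth paging on.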
Ransomware
PC and/or server drives are encrypted and the data is inaccessible until a ransom is paid to the attacker
Typically delivered through links or attachments in email, or through infected media (such as flash drives)
Protection:
Backups to the cloud or to alternate media that the infected machine cannot reach and overwrite
Spam and virus filtering
User education!
Avoidance:
Cloud document storage with version history (a synced folder can still be encrypted, but earlier versions can be restored)
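Why a backup only counts if it is verifiable and out of the malware’s reach, as an added example that is not part of the deck: a Python script that records a SHA-256 manifest when the backup is taken, later compares the live files against it, and uses byte entropy to tell an ordinary edit from a file that has been overwritten with ciphertext. The sample documents, the key and the toy stream cipher used to fabricate encrypted output are constructed, and the entropy threshold is an assumption.

```python
import hashlib
import math


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """name -> SHA-256 of its content, recorded when the backup is taken and kept with the copy."""
    return {name: sha256_hex(data) for name, data in files.items()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Plain documents sit around 4 to 5; encrypted data approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan(files: dict[str, bytes], manifest: dict[str, str],
         entropy_threshold: float = 7.5) -> dict[str, str]:
    """Compare live files with the manifest. A file that changed AND became near-random is the
    ransomware signature. Caveat: compressed formats (zip, jpeg, pdf) are high-entropy too, so a
    real scanner pairs this with extension and magic-byte checks rather than entropy alone."""
    report = {}
    for name, expected in manifest.items():
        if name not in files:
            report[name] = "missing"
        elif sha256_hex(files[name]) == expected:
            report[name] = "ok"
        elif shannon_entropy(files[name]) >= entropy_threshold:
            report[name] = "modified, near-random content: possible encryption"
        else:
            report[name] = "modified"
    return report


def backup_is_intact(backup: dict[str, bytes], manifest: dict[str, str]) -> bool:
    """Restore test: every file in the backup copy still matches the manifest."""
    return all(status == "ok" for status in scan(backup, manifest).values())


def simulate_ransomware(files: dict[str, bytes], key: bytes) -> dict[str, bytes]:
    """Overwrite every file in place with ciphertext. The cipher is a toy (SHA-256 keystream XOR)
    used only to fabricate encrypted-looking output for this demonstration; it is not secure
    and is not what any real family uses."""
    locked = {}
    for name, data in files.items():
        blocks = len(data) // 32 + 1
        stream = b"".join(hashlib.sha256(key + name.encode() + i.to_bytes(4, "big")).digest()
                          for i in range(blocks))
        locked[name] = bytes(p ^ k for p, k in zip(data, stream))
    return locked


# Constructed sample documents, a few kilobytes each so the entropy estimate is meaningful
SAMPLE_FILES = {
    "intake/client-notes.txt": ("Client intake notes: housing matter, hearing scheduled for March.\n" * 120).encode(),
    "finance/grant-budget.csv": ("line,item,amount\n1,staff,120000\n2,rent,36000\n" * 200).encode(),
}

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_FILES)          # taken with the backup
    offline_backup = dict(SAMPLE_FILES)              # copy on media the PC cannot write to
    live = simulate_ransomware(SAMPLE_FILES, b"constructed-key")
    for name, status in scan(live, manifest).items():
        print(f"{name}: {status} (entropy {shannon_entropy(live[name]):.2f})")
    print("offline backup verifies:", backup_is_intact(offline_backup, manifest))
```

The point of the manifest is the restore test: a backup that is never verified, or that sits on a mapped drive the infected PC can write to, is encrypted along with everything else and is discovered to be useless on the day it is needed.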
Contact
Peter Campbell, CIO, LSC
202-295-1685
@peterscampbell
Session Eval:
http://tinyurl.com/TIGeval