cyber security april 2016 presentation
TRANSCRIPT
Cyber Security: Challenges for the Regulator
JFSC COO Mike Jeacock & JFSC Head of ICT Denis Philippe
› JFSC Chief Operating Officer Mike Jeacock
› An evolving Commission
› An agile & open regulator
› Technology
›To fulfil international responsibilities
›To protect & defend our systems
› An active Cyber Programme
›Ownership of risks & obligations
› Introduction
› Subjected to approximately 3,800 network security attack attempts DAILY
› Process over 5,000 emails per day with up to 34% of inbound traffic being rejected due to identified threats
› Website screening prevents access to high risk content (< 0.1% traffic)
› What happens to the JFSC
› Executive
32% of Boards do not receive information security updates
45% of Boards do not believe it is important
› Fire Metaphor
FIRE
Opportunistic Threat
Indiscriminate
Exploits vulnerability
Owns everything
› Human
› Vigilant
› More complex
› Vulnerable
50% of people take some form of confidential information with them when they leave an organisation
› Case Studies
›Sleeper
›Chinese restaurant
›Starbucks
›Me
› Human factors
› JFSC Head of ICT Denis Philippe
“Commission held information [1], in all its forms, written, recorded electronically or printed, will be protected from accidental or intentional unauthorized access, modification, or destruction throughout its life cycle”
› [1] This includes all information created or owned by the Commission as well as information collected by or provided to the Commission by external parties for the execution of the Commission’s activities
› Cyber-Security Mission Statement
› Definitions of what we protect:
› Private & personal information
›Legal definition versus what people actually value
› What?
(Slide diagram: Gap, Extended, Reputational Risk)
› Why?
› Mitigate Risk – “Data is a commodity of interest to many”
› Extensive investment in providing an interconnected and online mode of stakeholder engagement is being balanced with a significant effort and investment in our security to protect the systems and data we are collecting and holding
› How?
› The JFSC Gold Standard
› This blend of NIST and ISO allows us to speak to other regulators and registries in security terms they understand
5 Pillars based on a blend of NIST and ISO 27001:
Identify, Protect, Detect, Respond, Recover
› Governance and Landscape
› Governance Policy framework from 125 to 12
› Understanding the landscape
› The JFSC holds diverse sets of information:
› Market sensitive information
›Incorporations
›Mergers and Acquisitions
›Fund Products
› Beneficial ownership information
› Security Interest information
Manage the value equation: it is about delivering value. Cyber-security should be seen as a business benefit and not just a cost.
› Protect
› Building new systems
› Building walls is not enough
› Flexibility and collaboration are key
› Improved intelligence will improve detection
› Understand the landscape threats
› Building an e-Enabled JFSC
› Developing a new platform environment with security baked in from the start
› Delivering joined up services
› Delivering new Registers from a common platform (SIR, JAR)
› Move to more services online
› Increased surface area requires a different approach to security
› Building new systems – changing risks
› Detect
› Behavioural analytics – not magic
› Real-time visibility
› 7.6 million network / data events per day at JFSC
› Detect
“If the product doesn't give you a why, it is only an illusion of security.” Amit Yoran – President, RSA
› Humanware
› Focus is turning to people
› Soft targets = weak link in the chain
› Cultural evolution through training and secure behaviours
› Understanding the landscape
Humanware 2.0: People, Skills, Knowledge
› 40% of daily actions are driven without thinking:
›Changing gear
›Tying shoe laces
›Locking the front door
› Bad habits include:
›Writing down passwords
›Leaving screens unlocked
›Clicking on emails and links without knowing what they are or where they go
› “Evidence has shown that a large number of cyber hygiene issues have become bad habits.” Bikash Barai
› Habits
› Two areas of the brain we are interested in:
› Goal directed part (pre-frontal cortex)
›Responsible for conscious and deliberate activity
›Slower functioning
› Habit part (basal ganglia)
›Fast
›Near automatic function
›Does not require thought
› Habits
› Changing habits
Habit loop: Trigger → Routine → Reward
› Example 1: Stop writing down passwords
Trigger: Password expiry
Old Routine: Write down password
New Routine: Write down a clue
Reward: Feeling secure
Rehearse and repeat at least 20 times
› Example 2: Stop clicking on phishing links
Trigger: Legitimate entity asking for personal details
Old Routine: Share details
New Routine: Validate legitimacy of entity
Reward: Feeling secure
› IP theft or sabotage for their own benefit or that of others
› Have a training and awareness plan
› Malicious
50% of those who steal data do so in their last month of work
70% of those who steal data do so in the two months before leaving
Ref: Dawn Cappelli
› Island opportunity
› What about the local aspect?
Is there a need to ensure that cyber-security is embedded as a pre-requisite to doing business?
Is there a place for cyber in the regulatory framework?
Who should set and monitor any local standards?
Should the standards be scalable?
› Key discussion points
›An agreed cyber standard for financial services sector
›Apply existing international standards
›Guidelines for consumers and industry
›The need for a minimum standard
›Build a collaborative environment to discuss real-time cyber incidents and issues
› Closing remarks
› Things to spend time on
Communicating through collaboration
Targeting resources where they are most effective
Patching people as well as systems, Humanware 2.0