The Cybersecurity Shift
Making Security Central To The Organization
Heather Stratford
CEO of Stronger International - An International Cyber Security Training and Consulting Firm.
Has 20 years of experience in Leadership and Business Development.
Worked in All areas of Business - Fortune 500 to Start-ups
Entrepreneur - started and taken over national companies
Gravitated to Technology and Cyber Security because she saw a growing market that was essential for all businesses.
Lectures around the country
Why is Cyber Security Important?
Would you Lock your business door?
What’s changed in the last few years?
Compromised Credentials
Cloud Security versus private networks?
History of Hacking
1983 - Six Milwaukee teens, the “414s,” are detained by the FBI for breaking into over 60 computer networks. This was one of the first high-profile hacking arrests.
1986 - Congress passes the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act, making it criminal to hack computer systems.
1991 - During the Gulf War, the DoD network was breached. Sensitive military information including development plans for weapon systems was accessed.
1994 - Two teenage hackers break into NASA and the Korean Atomic Research Institute.
1995 – Vladimir Levin steals millions from CitiBank and Kevin Mitnick takes 20,000 valid credit card numbers and personal information records.
1998 – The Pentagon is successfully hacked, and US Attorney General Janet Reno forms the National Infrastructure Protection Center.
2000 – A new virus hits the internet every hour. The “I Love You” virus debuts.
2001 – Microsoft’s sites in 4 countries are taken down by a DDoS attack. In 2002, Bill Gates announces security features will be added to Windows products.
2003 – Anonymous is formed
2006 – The KamaSutra worm replaces files with “garbage” on the 3rd of the month.
2007 – Spear-phishing success at the Office of the Secretary of Defense
2013 – Tumblr is hacked – 65,469,298 emails are stolen
2015 – Target and Home Depot attacks
2016 – DNC emails leaked on WikiLeaks
2017 – Petya, NotPetya, and WannaCry
What is the chance of catching a hacker behind a breach and putting him/her behind bars?
A. Depends on how soon you start looking
B. Extremely low
C. 50/50
D. Depends on who is looking for the hacker
Hacking Timeline
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
“The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education.
Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective.
My access to Motorola, Nokia, AT&T, and Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully.”
- Kevin Mitnick
Source: breachlevelindex.com. Data represented on this slide changes frequently, live, and was captured for display on 2017-04-19.
Data Breach Statistics
Only 4% of breaches were “Secure Breaches” where encryption was used and the stolen data was rendered useless.
7,094,219,260 data records have been lost or stolen since 2013
Every day: 4,521,939 records
Every hour: 188,414 records
Every minute: 3,140 records
Every second: 52 records
No matter how safe you think you are…
Phishing is now the #1 delivery vehicle for ransomware and other malware.
Between 10-30% of phishing emails get opened.
1 in 3 companies have fallen victim to CEO fraud phishing emails.
Costs related to phishing attacks more than doubled over the course of four years.
Source: resources.infosecinstitute.com
Where are we Now?
Current Threat Landscape
Growing number of vulnerabilities discovered each week/day
The emergence of new techniques
The continued rise of blended threats
The shrinking time between vulnerability discovery and exploitation development
Increasingly aggressive and evasive malware
How much is a medical record worth on the black market today?
A. $0.20
B. $2
C. $10
D. $200
How much is a credit card worth on the black market today?
A. $200
B. $20
C. $2
D. $0.20
3 Areas that must Change
1. Simplify the system.
2. Change the dialog.
3. Establish a security-minded culture.
Technology Increases: Security 'Sprawl' Not Sustainable
The most common approach to safeguarding digital assets is “defense in depth,” adding more and more layers, and products, to effectively build bigger walls and patch holes in on-premises security.
In an October 2015 Morgan Stanley survey of CIOs, most said they had bought or planned to buy more than 15 different security technologies.
How many layers of products and security does your organization have?
[Diagram: a stack of overlapping boxes labelled Security, Legacy Security, Partner Security, Sister Company Security]
Adding more makes more complexity
“The status quo is not sustainable.” Keith Weiss, head of U.S. software coverage for Morgan Stanley.
While companies spend more on security, losses related to cybercrime have nearly doubled in the last five years.
More is Not Necessarily Better
The current strategy of most organizations, layering on many different technologies, is not only proving ineffective, it is overly complex and expensive.
You’re Only as Strong as Your Weakest Link
Don’t manage the device, manage the data.
Hotel California Model
Problem: Tidal wave of consumer devices
Potential Solution: Data-centric security models.
“The ‘green screen’ is back in vogue and Citrix has become everyone’s best friend, as companies herd data away from the endpoints to protected areas.”
You can check out, but never leave.
Growing Security Spending
Cyber security attacks are increasing.
Organizations of all sizes are spending more money to shore up their digital defenses.
Evolving Threat Landscape
Internet of Things (IoT)
Point of Sale (PoS) malware
Within a few years we will have 30 billion connected devices.
20 years ago cars contained 1 million lines of code. Today they contain about 100 million lines of code, with defects appearing at least every 50 lines of code.
How many people, in your organization, are on the security team?
The Lucy Lesson
What do we learn from this video?
Complex and Struggling
Cyber-security threats have suddenly become so complex, sophisticated, and transnational that companies are struggling to stay current.
“When a data breach hits the headlines, there is an instinctive reaction that somebody screwed up and left a door unlocked. This only further fuels the fire that breached companies must redouble fortification and detection. That might be true, but the reality is that companies, above all else, should pivot their attention and focus to data breach response.” David Fontaine, CEO of Corporate Risk Holdings (parent company of Kroll)
What’s Needed in the Future
More automation and greater visibility across enterprises. For a better cyber security future we need integrated solutions that can detect and abate breaches more efficiently and cost-effectively.
- More Automation
- Greater Visibility Across Enterprises
- Integrated Solutions
How to Change the Cyber Security Discussion?
Geek Speak
• Analyzed 1,452,134 logs
• Detected 423,132 viruses
• Blocked 2,028,438 connections
• Closed 3,095 incident tickets
• Patched 30,000 systems
VS
Prevented 2 Cyber-Crime Attacks
• Linked to ABC criminal organization
• Targeting POS systems
• Prevented theft of 10M customer credit cards
• Avoided $78M loss:
  • Cleanup, notification
  • Brand reputation & revenue
  • Shareholder lawsuit & stock drop
Business Impact
Security belongs to everyone
“Many organizations have the opinion that the
security department is responsible for security.”
How do you change that idea?
[Diagram: departments surrounding Security]
Operations
Marketing/Sales
Finance
IT
HR/Training
Facilities/Maintenance
Security
How to Develop a Security Culture
1. Ensure executive support. Culture starts at the top
2. Make it fun and engaging. People learn differently.
3. Focus on changing behavior, in and out of the office.
4. Measure and repeat.
Creating a positive Cyber Security Culture takes time.
Uber – An Example
“At Uber, we are trying to change our employees' security stories. By creating programs catered to region, department, and role, our people understand that security is part of their story and our culture.” Samantha Davison, security program manager at Uber
Integrate Security into the culture … security belongs to everyone.
… bake it into everything in the organization.
Uber’s culture under attack, but not for their security
“Security can be so much more than PowerPoints and videos. Pick a fun theme and parody it—we did Game of Thrones. Give gamification a try. Throw a phishing writing workshop and have your employees write a phishing email for the company. The options are endless when you start to think outside the box.” Davison, Uber.
Fun? Change the Paradigm
“For far too long people have associated security with boring training or someone saying no all the time.”
To engage your organization, do not be afraid to laugh and goof around some.
Hold security trivia with a different security category each month: hackers in the movies one month and security news in another.
How many people, in your organization, are on the security team?
How to Create a Security Culture with Different Generations of Employees
Generational Differences
Millennials are here, and gaining influence.
“People entering the work force today are accustomed to working on a variety of mobile platforms and to storing and sharing data using cloud-based systems and social networking sites. They have a more permissive view of information-sharing than older workers, and they expect to work on their own schedules, with devices of their choosing, often from remote locations.”
1. All of these behaviors increase risk.
2. These behaviors are increasing.
3. These behaviors will become more difficult to curtail.
How to Develop an “All-In” Mentality
1. Incorporate security at the highest levels into your vision and mission.
2. Speak about the importance of security from the highest levels. This does not mean just the people who have security in their title (CISO, CSO), but also other C-level execs all the way down to individual managers.
3. Don’t hide it under the rug. Use teachable moments.
An Example of Everyone “All-In”
Application security knowledge.
When was the last time all developers and engineers had hands-on OWASP Top 10 training?
Put your money where your mouth is.
If you say security is important, prove it by providing growth potential for those with a passion for security.
What’s Your Password?
A little old, but still… What??
What is the weakest link in security?
A. Passwords
B. Laptops
C. People
D. Open-source software
The 8th Layer
Why does an organization need a security culture?
In any system, people are always the weakest link.
Security culture is for the people, not for the computers.
The challenge is with the people who click on phishing emails and fall for tricks based on social behavior. People need a framework to understand what the right thing is for security.
In general, people within your organization want to do the right thing; they just need to be taught.
8th Layer Errors
95 percent of information security incidents involve human error.
Human error is the most important factor in security. Source: IBM Security Services Cyber Security Intelligence Index
System Misconfiguration
Poor Patch Management
Use of default usernames and passwords
Lost devices
Disclosure of information via incorrect email address
Clicking on an unsafe URL or attachment
Sharing Passwords with others
Leaving computers unattended when outside the workplace
Using personally owned mobile devices that connect to the organization’s network
When an Organization Creates a Security Culture…
They will retain more IT and security staff.
Retention is Better than Recruitment
Turnover is costly. According to Right Management, a talent and career management consulting firm, it costs nearly three times an employee’s salary to replace someone, which includes recruitment, severance, lost productivity, and lost opportunities. Recruiting new staff is expensive, stressful and time-consuming. Once you have good staff, it pays to make sure they stay.
Think of retention as re-recruiting your workforce.
Recognize that what attracts a candidate to a particular job is often different from what keeps that person there.
Effective Retention Methods
Training. Training employees reinforces their sense of value. Through training, employers help employees achieve goals and ensure they have a solid understanding of their job requirements.
Mentoring. With a mentoring program, an organization pairs someone more experienced in a discipline with someone less experienced in a similar area.
Instill a positive culture. An organization should establish a series of values as the basis for culture, such as honesty, excellence, attitude, respect, and teamwork.
Use communication to build credibility. Show appreciation via compensation and benefits.
Recruit from within.
Provide growth opportunities. According to Right Management, employees are more likely to stay engaged in their jobs and committed to an organization that makes investments in them and their career development.
Make employees feel valued. Employees will go the extra mile if they feel responsible for the results of their work and have a sense of worth in their jobs.
Lower stress from overworking and create work/life balance.
Paradigm Shift is Required
Steps to Creating a Stronger Security Culture
Step 1 – Assess: Assess the needs and vulnerability of the organization.
Step 2 – Set goals: Set goals for improvement and key evaluation metrics.
Step 3 – Develop: Develop a definitive plan for consulting, training and monitoring.
Step 4 – Implement: Implement the plan, and survey and review after completion.
Step 5 – Measure: Measure the effectiveness of the program and optimize.
Sources
https://www.morganstanley.com/ideas/cybersecurity-needs-new-paradigm
https://www.complianceweek.com/blogs/john-reed-stark/transforming-the-cyber-security-paradigm#.WV71UdPyuCQ
https://techbeacon.com/6-ways-develop-security-culture-top-bottom
https://www.helpnetsecurity.com/2017/05/08/build-security-culture/
http://www.govtech.com/blogs/lohrmann-on-cybersecurity/Ten-Recommendations-for-Security-Awareness-Programs.html
http://exec.tuck.dartmouth.edu/downloads/623/human_behavior_and_security_culture_ciso_workshop_overview.pdf
http://re-generations.org/generations-in-america/
Thank You
Heather Stratford
Stronger International, Inc.
Office: 509-290-6598