TRANSCRIPT
Using international standards to improve EU cyber security
Thursday, March 19, 2015
Alan Calder
IT Governance Ltd
www.itgovernance.eu
PLEASE NOTE THAT ALL DELEGATES IN THE TELECONFERENCE ARE MUTED ON JOINING AND WILL AUTOMATICALLY BE UNMUTED FOR THE START OF THE Q&A SESSION
Introduction
About Alan Calder…
• Acknowledged international cyber security expert
• Leading author on information security and IT governance issues
• Led the world’s first successful implementation of ISO 27001 (then called BS 7799)
• Consultant on cyber security and IT governance strategies globally, including across Europe
© IT Governance Ltd 2015
Agenda
• The current cyber threat – Breaking down recent high-profile data breaches
• Proposed EU legislation – Learn more about the GDPR and the NIS Directive, and what you need to do to meet your legal obligations
• International standard – Discover how the cyber security standard, ISO 27001, will help get your business cyber secure
The current cyber threat
• 4 in every 5 Irish companies suffered a data breach last year
• 1,500 data breaches globally in 2014
• 1 billion data records compromised globally in 2014
• 83% believe cyber attacks are among the three biggest threats facing organisations
The changing threat landscape
• 87% of iPhone and 97% of Android top 100 apps have been hacked
• 100% of companies experience virus attacks, and 97% have suffered malware attacks
• 156 million phishing emails are sent every day
• 15 million make it through spam filters
• The average global cost for each stolen record is €128, but in Germany it is €172 and in France it is €161
Why did they fail to avoid a breach?
Root cause of data breaches
The changing threat landscape
Cyber threat trends in Europe
• SSL and TLS have been under massive stress, after a number of incidents revealed significant flaws in their implementation
• 2014 can be called the year of the data breach – massive data breaches showed how effectively cyber threat agents abuse security weaknesses in businesses and governments
• Privacy violations and surveillance practices have weakened the trust of Internet users
• Increased sophistication and advances in targeted campaigns
Case study – German iron plant
• Attackers accessed a German iron plant’s office network through a targeted malicious email
• Attackers took over the production network
• The breach resulted in a furnace being unable to shut down properly, causing “massive damage to the whole system”
Case study – German iron plant
Concern
• Hackers had detailed, technical knowledge of industrial control systems and production processes
• Rare for a cyber attack to cause actual physical damage
What should the plant have done differently?
• Effective staff training on spotting phishing emails
• Implement a comprehensive ISMS that covers people, technology and processes
Case study – attacks on EU governments
Dutch government websites taken offline, Feb 2015
• Back-up plans proved to be ‘useless’
German government websites hacked by pro-Russian hackers, Jan 2015
• Websites of Germany’s parliament and Germany’s chancellor, Angela Merkel, brought down
• Countermeasures were taken but failed to halt the attack
• First successful APT on German government websites
Hackers claim theft of entire Serbian national database, Dec 2014
• A group of cyber criminals claim to have hacked into the Serbian state network and stolen the entire national database
• 7.2 million Serbians at risk from fraud and identity theft
Hackers leak Swedish government logins in response to Pirate Bay raid, Dec 2014
• Hackers leaked the log-in details of 38 government email addresses (which were mostly based in Sweden) in retaliation for the Pirate Bay police raid
Case study – attacks on EU governments
Common mistakes
• Governments unprepared for a cyber attack
• Few or no effective contingency plans in place
Repercussions
• Websites restored but government’s lack of security exposed
• Effective way for hacktivists to voice opinions
International case study – Sony Pictures
Data breach
• November 2014
• Hackers infiltrated Sony’s corporate computer network
• Torrents of unreleased Sony Pictures films appeared online
• Personal information about employees (families, emails, salaries, etc.) was leaked
• Plaintext passwords were leaked online, along with other credential data
• A huge amount of marketing slide decks were leaked
• Kept Sony staff from using computers for days
• Sony postponed the release of the upcoming film The Interview
International case study – Sony Pictures
Repercussions
• North Korea blamed, increasing tension with the US
• Ex-employees sought to combine class action lawsuits against Sony
• Costs reached €88 million
How did the breach get so bad?
• Executives ignored ransom emails, treated as spam
• Failed to acknowledge the breach until one week later
• Generally lax approach to online security
– April 2011 – Sony’s PlayStation network hacked and 76 million gamers’ accounts compromised
– Inappropriate spending? €220m budget still couldn’t keep them cyber secure
Small companies are at risk too
• Cyber criminals target indiscriminately
• 60% of breached small organisations close down within six months
• Often lack effective internal security practices
• No dedicated IT security and support
• Passwords and system access easily compromised
• Out-of-date server hardware and software
• Websites are built on common, open-source frameworks – weaknesses easily exploited
What is the board told?
• 32.5% of boards do not receive any information about their cyber security posture and activities
• 38% of the remainder receive reports only annually
• 29% of IT teams don’t report breaches for fear of retribution
Cyber security skills shortage
Shortage
• Global shortage of two million cyber security professionals by 2017
ISACA report
• 86% believe there is a shortage
• 54% expect difficulties finding skilled candidates
• 53% plan to increase staff training
Companies should be looking for
• Industry-recognised qualifications (IBITGQ)
General Data Protection Regulation (GDPR)
Who?
Applicable to any business that controls/processes personal data in the European Union, regardless of size
Why?
• Produce a single law to unify data protection legislation and enforcement
• Bring data protection principles into line with 21st century technological advances
Failure to comply
Up to 5% of your annual global turnover or €100 million
Key proposals of the GDPR
• The right to be forgotten – individuals have the right to have their data deleted or amended
• The right to data portability – gives individuals the right to obtain a copy of any personal data held about them
• Notification of data breach – requires data controllers to report a breach without undue delay
• Data protection officer – any organisation with 250+ employees to appoint a data protection officer
• Consent – explicitly sought and freely provided by the organisation
• Impact assessments – conduct privacy impact assessments
Network and Information Security (NIS) Directive
What?
• EU member states required to adopt a high, common level of network and information security to help prevent, handle and respond appropriately to incidents
– National competent authority
– CERT
Who will it affect?
• Public bodies and market operators within the EU
– Apply procedures that demonstrate effective use of security policies and measures
– Ripple effect on other businesses that want to stay competitive, win new business and strengthen the supply chain
Are you ready?
66% understand the impact of the legislation, BUT ONLY 20% are fully prepared
Main challenges and concerns
62% have some or no clear guidance on requirements
Meeting cyber security legislation
• A strong security posture
• An effective incident response plan
• A CISO appointment
• Implementing industry standards
ISO 27001 – the cyber security standard
• ISO 27001 – a globally recognised standard that provides a best-practice framework for addressing the entire range of cyber risks
– Encompasses people, processes and technology
– Systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation's information security to achieve business objectives
Key elements of implementing ISO 27001
• Determine the scope of the ISMS
• Consider the context of the organisation and interested parties
• Appoint a senior individual responsible for information security
• Conduct a risk assessment – identify risks, threats and vulnerabilities
• Appoint risk owners for each of the identified risks
• Implement appropriate policies and procedures
• Conduct staff training
• Conduct an internal audit
• Perform continual improvement of the ISMS
How will ISO 27001 benefit your business?
• Increased/appropriate level of information security
– Systematic approach to risks
– Informed decisions on security investments: cost-effective security
• Better work practices that support business goals
• Good marketing opportunities
• Credibility with staff, customers and partner organisations
• Due diligence
• Compliance with corporate governance requirements
– Appropriate action to comply with law
– Manage business risks
– Industry best-practice security
– Internationally recognised good security practice
Benefits of ISO 27001 certification
• Assurance to customers, employees, investors – their data is safe
• Credibility and confidence
• Internationally recognised
• Shows that you have considered all the information security associated risks
• Notably fulfilling fiduciary responsibilities
• Supports your adherence to multiple compliance requirements
Why some of the world’s most valuable brands pursue ISO 27001 certification
Google: “This certification validates what I already knew… that the technology, process and infrastructure offers good security and protection for the data that I store in Google Apps.”
Amazon: “The certification confirms our longstanding commitment to the security of our services to our customers.”
Microsoft: “…provides external validation that our approach to managing security risk in a global organization is comprehensive and effective, which is important for our business and consumer customers.”
IT Governance
• Helped over 150 organisations achieve ISO 27001 certification worldwide
• 15+ years’ experience
• Highly regarded within the industry
• Unique offering of tools, training and consultancy, which is unavailable elsewhere
Fixed-priced, packaged solutions
Building blocks
• Standards and books
• Software and documentation templates
• Training
• Mentor and coach
Levels of support
• You deliver the project independently
• You resource the project, calling on specialist tools and courses to aid efficiency and accelerate implementation
• You resource the project, use tools and courses and benefit from the expert’s know-how
• You own and are in control of the project, receiving hands-on guidance from us
• You provide input; IT Governance removes all the pain, delivering a certification-ready ISMS, aligned with ISO 27001
Find out more: www.itgovernance.eu/t-iso27001-solutions.aspx