
Using international standards to improve EU cyber security

Thursday, March 19, 2015

Alan Calder
IT Governance Ltd
www.itgovernance.eu

PLEASE NOTE THAT ALL DELEGATES IN THE TELECONFERENCE ARE MUTED ON JOINING AND WILL AUTOMATICALLY BE UNMUTED FOR THE START OF THE Q&A SESSION

Introduction

About Alan Calder…

• Acknowledged international cyber security expert
• Leading author on information security and IT governance issues
• Led the world’s first successful implementation of ISO 27001 (then called BS 7799)
• Consultant on cyber security and IT governance strategies globally, including across Europe

© IT Governance Ltd 2015

Agenda

• The current cyber threat – Breaking down recent high-profile data breaches
• Proposed EU legislation – Learn more about the GDPR and the NIS Directive, and what you need to do to meet your legal obligations
• International standard – Discover how the cyber security standard, ISO 27001, will help get your business cyber secure

Current cyber threat

The current cyber threat

• 4 in every 5 Irish companies suffered a data breach last year
• 1,500 data breaches globally in 2014
• 1 billion data records compromised globally in 2014
• 83% believe cyber attacks are among the three biggest threats facing organisations

The changing threat landscape

• 87% of iPhone and 97% of Android top 100 apps have been hacked
• 100% of companies experience virus attacks, and 97% have suffered malware attacks
• 156 million phishing emails are sent every day
• 15 million make it through spam filters
• The average global cost for each stolen record is €128, but in Germany it is €172 and in France it is €161

Why did they fail to avoid a breach?

Root cause of data breaches

The changing threat landscape

Cyber threat trends in Europe

• SSL and TLS have been under massive stress, after a number of incidents revealed significant flaws in their implementation
• 2014 can be called the year of the data breach – massive data breaches showed how effectively cyber threat agents abuse security weaknesses in businesses and governments
• Privacy violations and surveillance practices have weakened the trust of Internet users
• Increased sophistication and advances in targeted campaigns

Case study – German iron plant

• Attackers accessed a German iron plant’s office network through a targeted malicious email
• Attackers took over the production network
• The breach resulted in a furnace being unable to shut down properly, causing “massive damage to the whole system”

Concern

• Hackers had detailed, technical knowledge of industrial control systems and production processes
• Rare for a cyber attack to cause actual physical damage

What should the plant have done differently?

• Effective staff training on spotting phishing emails
• Implement a comprehensive ISMS that covers people, technology and processes

Case study – attacks on EU governments

Dutch government websites taken offline, Feb 2015
• Back-up plans proved to be ‘useless’

German government websites hacked by pro-Russian hackers, Jan 2015
• Websites of Germany’s parliament and Germany’s chancellor, Angela Merkel, brought down
• Countermeasures were taken but failed to halt the attack
• First successful APT on German government websites

Hackers claim theft of entire Serbian national database, Dec 2014
• A group of cyber criminals claim to have hacked into the Serbian state network and stolen the entire national database
• 7.2 million Serbians at risk from fraud and identity theft

Hackers leak Swedish government logins in response to Pirate Bay raid, Dec 2014
• Hackers leaked the log-in details of 38 government email addresses (which were mostly based in Sweden) in retaliation for the Pirate Bay police raid

Common mistakes
• Governments unprepared for a cyber attack
• Few or no effective contingency plans in place

Repercussions
• Websites restored but government’s lack of security exposed
• Effective way for hacktivists to voice opinions

International case study – Sony Pictures

Data breach
• November 2014
• Hackers infiltrated Sony’s corporate computer network
• Torrents of unreleased Sony Pictures films appeared online
• Personal information about employees (families, emails, salaries, etc.) was leaked
• Plaintext passwords were leaked online, along with other credential data
• A huge number of marketing slide decks was leaked
• Kept Sony staff from using computers for days
• Sony postponed release of upcoming film The Interview

Repercussions
• North Korea blamed, increasing tension with the US
• Ex-employees sought to combine class action lawsuits against Sony
• Costs reached €88 million

How did the breach get so bad?
• Executives ignored ransom emails, treated as spam
• Failed to acknowledge breach until one week later
• Generally lax approach to online security
  – April 2011 – Sony’s PlayStation Network hacked and 76 million gamers’ accounts compromised
  – Inappropriate spending? €220m budget still couldn’t keep them cyber secure

Small companies are at risk too

• Cyber criminals target indiscriminately
• 60% of breached small organisations close down within six months
• Often lack effective internal security practices
• No dedicated IT security and support
• Passwords and system access easily compromised
• Out-of-date server hardware and software
• Websites are built on common, open-source frameworks – weaknesses easily exploited

What is the board told?

• 32.5% of boards do not receive any information about their cyber security posture and activities
• 38% of the remainder receive reports only annually
• 29% of IT teams don’t report breaches for fear of retribution

Cyber security skills shortage

Shortage
• Global shortage of two million cyber security professionals by 2017

ISACA report
• 86% believe there is a shortage
• 54% expect difficulties finding skilled candidates
• 53% plan to increase staff training

Companies should be looking for
• Industry-recognised qualifications (IBITGQ)

Proposed EU legislation

General Data Protection Regulation (GDPR)

Who?
Applicable to any business that controls/processes personal data in the European Union, regardless of size

Why?
• Produce a single law to unify data protection legislation and enforcement
• Bring data protection principles into line with 21st century technological advances

Failure to comply
Up to 5% of your annual global turnover or €100 million

Key proposals of the GDPR
• The right to be forgotten – individuals have the right to have their data deleted or amended
• The right to data portability – gives individuals the right to obtain a copy of any personal data held about them
• Notification of data breach – requires data controllers to report a breach without undue delay
• Data protection officer – any organisation with 250+ employees to appoint a data protection officer
• Consent – explicitly sought and freely provided by the organisation
• Impact assessments – conduct privacy impact assessments

Network and Information Security (NIS) Directive

What?
• EU member states required to adopt a high, common level of network and information security to help prevent, handle and respond appropriately to incidents
  – National competent authority
  – CERT

Who will it affect?
• Public bodies and market operators within the EU
  – Apply procedures that demonstrate effective use of security policies and measures
  – Ripple effect on other businesses that want to stay competitive, win new business and strengthen supply chain

Are you ready?

66% understand the impact of the legislation
BUT ONLY
20% are fully prepared

Main challenges and concerns

62% have some or no clear guidance on requirements

Meeting cyber security legislation
• A strong security posture
• An effective incident response plan
• A CISO appointment
• Implementing industry standards

International standards

ISO 27001 – the cyber security standard

• ISO 27001 – a globally recognised standard that provides a best-practice framework for addressing the entire range of cyber risks
  – Encompasses people, processes and technology
  – Systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation's information security to achieve business objectives

Key elements of implementing ISO 27001

• Determine the scope of the ISMS
• Consider the context of the organisation and interested parties
• Appoint a senior individual responsible for information security
• Conduct a risk assessment – identify risks, threats and vulnerabilities
• Appoint risk owners for each of the identified risks
• Implement appropriate policies and procedures
• Conduct staff training
• Conduct an internal audit
• Perform continual improvement of the ISMS

How will ISO 27001 benefit your business?

• Increased/appropriate level of information security
  – Systematic approach to risks
  – Informed decisions on security investments: cost-effective security
• Better work practices that support business goals
• Good marketing opportunities
• Credibility with staff, customers and partner organisations
• Due diligence
• Compliance with corporate governance requirements
  – Appropriate action to comply with law
  – Manage business risks
  – Industry best-practice security
  – Internationally recognised good security practice

Benefits of ISO 27001 certification

• Assurance to customers, employees, investors – their data is safe
• Credibility and confidence
• Internationally recognised
• Shows that you have considered all the risks associated with information security
• Notably fulfilling fiduciary responsibilities
• Supports your adherence to multiple compliance requirements

ISO 27001 in Europe

Why some of the world’s most valuable brands pursue ISO 27001 certification

Google: “This certification validates what I already knew… that the technology, process and infrastructure offers good security and protection for the data that I store in Google Apps.”

Amazon: “The certification confirms our longstanding commitment to the security of our services to our customers.”

Microsoft: “…provides external validation that our approach to managing security risk in a global organization is comprehensive and effective, which is important for our business and consumer customers.”

IT Governance

• Helped over 150 organisations achieve ISO 27001 certification worldwide
• 15+ years’ experience
• Highly regarded within the industry
• Unique offering of tools, training and consultancy, which is unavailable elsewhere

Fixed-priced, packaged solutions

Resources available at each level: standards and books; software and documentation templates; training; mentor and coach.

• You deliver the project independently
• You resource the project, calling on specialist tools and courses to aid efficiency and accelerate implementation
• You resource the project, use tools and courses and benefit from the expert’s know-how
• You own and are in control of the project, receiving hands-on guidance from us
• IT Governance removes all the pain, delivering a certification-ready ISMS, aligned with ISO 27001; you provide input

Find out more: www.itgovernance.eu/t-iso27001-solutions.aspx