Cybersecurity Risk Governance
Download as PPTX, PDF0 likes1,281 views
This document summarizes a presentation on cybersecurity risk governance. It discusses the high degree of risk boards face from cyber attacks, noting a large increase in ransomware attacks and payments in 2020. The ransomware threat is very high. Public sectors are primary targets due to weaker defenses from budget pressures. Cyber attacks can cause privacy failures, reputational problems, high response costs, and civil liability. The presentation then provides an overview of key cybersecurity concepts for boards like asset management, defense in depth, and the NIST Cybersecurity Framework. It examines how boards can provide oversight in each framework area such as identifying critical data and access controls for protecting information.
Cybersecurity Risk Governance
- 1. Presented By AWCBC GOVERNANCE SUMMIT 2021 Cybersecurity risk governance Dan Michaluk June 10, 2021
- 2. The degree and nature of the risk to boards
- 3. o Cyber (outside > in) • Ransomware/malware • Business e-mail compromise and fraud • Misconfiguration driven exposures • Distributed denial of service (DDoS) o Other (inside > out) • Insider theft • Snooping • Errant e-mails • Lost devices, papers… Register of data security problems The degree and nature of the risk to boards 3
- 4. o Attacks up by 150% in 2020 o Ransom payments are up more than 300% in 2020 o Double and triple extortion threat • Lock up data • Steal data and hold it ransom • DDoS or doxing threat o Market for insurance is hardening • Premiums up 20% to 50% • Higher deductibles, limits and co-insurance • New conditions for coverage and harder vetting The ransomware threat is very high The degree and nature of the risk to boards 4
- 5. The public sector is a primary target The degree and nature of the risk to boards 5 o Budgetary pressures tend to leave public sector entitles with weaker defences o Government and MUSH sector attacks are very common
- 6. o Privacy compliance failures o Reputational problems • What’s the impact on the operation of ruptured trust? • Access legislation invites full and unmitigated transparency o Response costs • Operational drain • Hard costs o Civil liability and liability to employees Manifestations of risk The degree and nature of the risk to boards 6
- 7. Cyber security 101 for governors
- 8. o The practice of protecting information by mitigating information risks o The value of information to organizations is derived from its • Confidentiality • Integrity • Availability Meaning of information security Cyber security 101 for governors 8
- 9. o The process of managing the deployment, maintenance, upgrading and disposal of IT assets o An IT asset is hardware, software or data repository within the technology environment o Common problems • Assets that have been adopted but are not under management • Legacy technologies can be vulnerable and may not integrate with current security technologies Asset management Cyber security 101 for governors 9
- 10. o The use of layered, redundant measures to protect information and systems with the expectation that some measures will fail o Achieved through implementation of an array of controls – physical, administrative and technical o And achieved through layering – perimeter security >> system level security o The cloud and remote work have led to a focus on controls deeper than the perimeter – internal monitoring is now very important o Readiness to respond to events and incidents is another aspect of layering Defence in depth Cyber security 101 for governors 10
- 11. o A security event is a possible problem that should be assessed o An security incident is a confirmed problem that needs to be managed through the incident response process • Cyber attack • A misconfiguration • An errant communication o A “breach” is a legal concept that relates to unauthorized access to information or loss, theft… Events, incidents and “breaches” Cyber security 101 for governors 11
- 12. o Insecure remote access • Exposed remote desktop protocol • No multi-factor authentication o Vulnerability and patch management o Poor implementation of least privilege principle o Poor network visibility o Poorly implemented and untested backup procedures Common problems Cyber security 101 for governors Coveware Q1 2021 Ransomware Report 12
- 14. o Establish tone at the top o Build the board’s cyber competency • How to educate board members? • Who ought to be recruited? o Talk to each other and benchmark your oversight practices o If IT or IT security presents the report, don’t exclude other executives o Consider using the NIST Cybersecurity Framework to structure the dialogue with management Overview Cybersecurity oversight 14
- 15. o Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. • Do we have asset inventories? With a classification scheme? When were they last updated? • Are our roles and responsibilities clearly and appropriately assigned? By what policies? When were they last updated? • Do we have processes for ongoing risk assessment? What are they? Do we use third parties, and how? - Overall - Supply chain Identify Cybersecurity oversight 15
- 16. o Develop and implement appropriate safeguards to ensure secure delivery of critical services. • What is most our most critical data? • Where is it backed up? • Have we tested our backup procedure? • Who has access to it? • How do we make sure they are who they are? • How do we know we can trust them? • What do we do to train them? Protect Cybersecurity oversight 16
- 17. o Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. • How do we gain visibility into our network activity? • What data do we collect? - Internal - External (threat intelligence) • Who analyzes it? • Who decides if we have an incident? What’s the threshold? What happens then? Detect Cybersecurity oversight 17
- 18. o Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. • Do we have an incident response plan? • When was it last updated? • Have we scenario tested it? • Who’s on the incident response team? • Have they been trained? • Have we pre-retained outside providers? • When was our last incident? What did we learn from it about our ability to respond? • Is that reflected in our plan? Respond Cybersecurity oversight 18
- 19. o Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. • When was our last incident? • Did we debrief? How? • What did we learn from it about our ability to respond? • Is that reflected in our plan? • Did we communicate with our stakeholders about these learning? Recover Cybersecurity oversight 19
- 21. For more information, contact: The information contained herein is of a general nature and is not intended to constitute legal advice, a complete statement of the law, or an opinion on any subject. No one should act upon it or refrain from acting without a thorough examination of the law after the facts of a specific situation are considered. You are urged to consult your legal adviser in cases of specific questions or concerns. BLG does not warrant or guarantee the accuracy, currency or completeness of this presentation. No part of this presentation may be reproduced without prior written permission of Borden Ladner Gervais LLP. © 2021 Borden Ladner Gervais LLP. Borden Ladner Gervais is an Ontario Limited Liability Partnership. Thank You Dan Michaluk Partner 416.367.6097 [email protected]