Alex van Someren - The Family Office Forum

Download Report

Transcript Alex van Someren - The Family Office Forum 

Amadeus Cybersecurity: the essentials
Alex van Someren
Cybersecurity: the essentials
Family Office Forum
12th November 2014, Zurich
12th November 2014
Amadeus Cybersecurity: the essentials
Cybersecurity: the essentials
AGENDA
1.
2.
3.
4.
Understanding cyber risks
Cyber security market trends
State of the art: threats & defenses
Best practices in cyber security
12th November 2014
Amadeus Cybersecurity: the essentials
Understanding cyber risks
CYBERSECURITY: THE ESSENTIALS
12th November 2014
12th November 2014
Amadeus Cybersecurity: the essentials
What exactly is the threat?
• The External attacker usually wants to:
– Get access to files stored on the computer, or the local network
– Copy Usernames & Passwords from users
– Run programs on the computer to make it a ‘bot’
• They can deliver some ‘Malware’ inside the computer to achieve this, by:
– infecting it with a Virus,
– getting the user to open an email attachment
– persuading the user to click through to an infected web page
• We also consider Internal attackers, i.e. employees as a possible threat
• Finally, disaster planning is also essential
1 UNDERSTANDING CYBER RISKS
4
12th November 2014
Amadeus Cybersecurity: the essentials
What cybersecurity risks should be considered? - 1
Software & network risks
• Email spam
– Unwanted messages, also links & attachments
• Viruses/spyware/malware
– Programs which can run on the receiving computer and do harm
• Email phishing
– Targeted emails, particularly asking for credentials
• Network intrusion/hacking
– External attackers or programs trying to enter machines/networks
• Denial of Service attacks
– Preventing systems/websites from operating
1 UNDERSTANDING CYBER RISKS
5
12th November 2014
Amadeus Cybersecurity: the essentials
What cybersecurity risks should be considered? - 2
Physical & data loss risks
• Theft of mobile devices
– Both accidental, and targeted
• Theft of system hardware
– Physical attacks on facilities
• Corporate espionage/whistleblowers
– Data leakage & data theft
• Criminal damage
– Not only physical, but also logical i.e. data deletion
1 UNDERSTANDING CYBER RISKS
6
Amadeus Cybersecurity: the essentials
Cyber security market trends
CYBERSECURITY: THE ESSENTIALS
12th November 2014
Amadeus Cybersecurity: the essentials
Cyber security market trends
1. External threats: who actually gets hit?
2. External threats: causes of data losses
3. Internal threats: causes of security breaches
12th November 2014
12th November 2014
Amadeus Cybersecurity: the essentials
External threats: who actually gets hit?
Source: Kaspersky IT Risks Survey 2014 – n = 3,900
2 CYBER SECURITY MARKET TRENDS
12th November 2014
Amadeus Cybersecurity: the essentials
External threats: causes of data losses
Source: Kaspersky IT Risks Survey 2014
2 CYBER SECURITY MARKET TRENDS
10
12th November 2014
Amadeus Cybersecurity: the essentials
Internal threats: causes of security breaches
Source: Kaspersky IT Risks Survey 2014
2 CYBER SECURITY MARKET TRENDS
11
Amadeus Cybersecurity: the essentials
12th November 2014
State of the art: threats & defences
CYBERSECURITY: THE ESSENTIALS
Amadeus Cybersecurity: the essentials
12th November 2014
What are the goals of good cybersecurity?
• There are three major goals of cyber security:
– Confidentiality: Keep private information private
• Prevent data leakage, data loss
– Integrity: Guarantee critical information is not altered/tampered
• Protect data
– Availability: Ensure that critical information remains accessible
• Keep systems working, prevent internal attacks
• So, the “C.I.A.” is your friend!
3 STATE OF THE ART: THREATS & DEFENCES
12th November 2014
Amadeus Cybersecurity: the essentials
What are the risk mitigation strategies?
• The primary goal is to prevent malware from getting into computers
– Employees are the source of greatest risk
• They sometimes click on stupid stuff
• They can sometimes be misled
• They sometimes steal data
• So:
– train employees in cybersecurity basics
– employ adequate cybersecurity technology to prevent damage & loss
3 STATE OF THE ART: THREATS & DEFENCES
14
12th November 2014
Amadeus Cybersecurity: the essentials
What kind of basic cybersecurity defences are needed?
• Network Firewalls
– Control the flow of Internet traffic and prevent intrusions
• Anti-Spam filters/services
– Minimise the amount of potentially dangerous email arriving
• Anti-Virus software
– Detect, search for & destroy malware on computers
• Data Loss Prevention
– Detect and prevent the export of sensitive data
• Mobile Device Management
– Allow mobile & ‘BYOD’ users to safely operate remotely
3 STATE OF THE ART: THREATS & DEFENCES
15
Amadeus Cybersecurity: the essentials
12th November 2014
Best practices in cyber security
CYBERSECURITY: THE ESSENTIALS
12th November 2014
Amadeus Cybersecurity: the essentials
Best practices - 1
1.
Business managers must know where the most important data is held
–
2.
3.
4.
On-site in desktops and servers, or in cloud services and mobile devices
Bad things happen to good businesses
–
Automate the secure data back-up process
–
How will business continue if the physical site becomes unavailable?
Train employees about the nature of today’s cyber-attacks
–
Cyber-criminals particularly target SMBs
–
Aiming to compromise the PCs used for online banking and payments
Deploy the security basics:
–
Firewalls for wireless and wired-based access points,
–
Anti-malware on endpoints and servers
–
Encrypt highly sensitive data at rest and in transit
Adapted from Messmer/InfoWorld Oct. 2014
4 BEST PRACTICES IN CYBER SECURITY
17
12th November 2014
Amadeus Cybersecurity: the essentials
Best practices - 2
5. Define each individual’s access to data
–
Ideally use two-factor authentication
–
Systems administrators jobs give them huge power
–
Immediately de-provision access & credentials when an employee departs
6. Trust, but verify
– Do background checks on prospective employees
– Have SLAs for technology vendors/cloud service providers; visit data-centre
7. Remove & securely destroy hard disks
– From all old computers
– And any other devices that store data
4 BEST PRACTICES IN CYBER SECURITY
18
12th November 2014
Amadeus Cybersecurity: the essentials
Best practices - 3
8.
9.
Smartphones require different security requirements than older PCs and laptops
–
‘BYOD’ raises important legal questions
–
Business data no longer held on a device owned directly by the business
Use physical access controls to keep unauthorized individuals from IT resources
–
That includes the office cleaners
–
Train staff to challenge unexpected visitors in a polite, but determined, way
10. Have an employee acceptable-use policy
–
Defining behavior online, how data is to be shared and restricted
–
Have them read and sign it
–
Making it clear if there will be monitoring of online activities
–
There should be possible penalties for non-compliance.
4 BEST PRACTICES IN CYBER SECURITY
19
Amadeus Cybersecurity: the essentials
12th November 2014
Amadeus Capital Partners
Global Technology Investors
Alex van Someren,
Managing Partner,
Early Stage Funds
[email protected]
https://www.amadeuscapital.com/