CYBER SECURITY: 3 THINGS EVERY BOARD SHOULD KNOW Simon Whittaker Cyber Security Director - Vertical Structure Ltd
A presentation at Governance Now in November 2019 in London, UK by Simon Whittaker
Prepare, Protect, Persist ®
• Prepare
  • We help you and your partners to understand how to identify and resolve potential security issues at the earliest stages with hands-on ‘hack yourself first’, threat modelling and GDPR compliance workshops, as well as security training for non-technical colleagues.
• Protect
  • Using automated and manual penetration testing techniques, we provide a comprehensive security report for your web and mobile applications, including API testing, and networks. The report highlights potential issues and their resolutions.
• Persist
  • We ensure that your organisation benefits from continual improvements in security levels through information assurance processes, auditing and certification, including ISO27001:2013 and Cyber Essentials.
© Vertical Structure Ltd where applicable [email protected]
http://www.visualcapitalist.com/internet-minute-2018/
Security Breaches through the ages
• ‘Target’ stores in November 2013
  • 40 million customer records stolen
• ‘Neiman Marcus’ during 2013
  • Millions affected
• ‘Home Depot’ in September 2014
  • 56 million credit card details stolen
• ‘JPMorgan Chase’ data breach during 2014
  • 76 million households and 7 million small businesses
• ‘Sony Pictures’ hack in November 2014
  • Massive amounts of confidential internal information
• OPM – June 2015
  • Included 5.6 million fingerprints
• Ashley Madison – July 2015
• Talk Talk – November 2015
• LinkedIn – revealed May 2016
  • 117 million user details
• Dropbox – revealed August 2016
  • 68 million user details
• Yahoo – revealed December 2016
  • 1 billion user details…
• Equifax – September 2017
• Exactis – June 2018
• Butlins – August 2018
• British Airways – September 2018
https://www.privacyrights.org/data-breaches
Cyber Operations Cost Source: https://www.recordedfuture.com/cyber-operations-cost/
Cybercrime price list Source: https://www.recordedfuture.com/cyber-operations-cost/
“Hackers” – the stock image
The reality
“It’s time to think differently about cyber risk – ditching the talk of hackers – and recognising that our businesses are being targeted by ruthless criminal entrepreneurs with business plans and extensive resources – intent on fraud, extortion or theft of hard won intellectual property.”
Paul Taylor, UK Head of Cyber Security, KPMG
http://bit.ly/takingTheOffensive
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
https://www.sans.org/summit-archives/file/summit-archive-1493740625.pdf
[Slide image: an ‘It’s about / It’s not about’ summary of what being a charity trustee involves. Recoverable text: it’s about knowing what your charity can and can’t do within its purposes; being familiar with your accounts and returns; making informed decisions; having appropriate controls and procedures; ensuring your charity complies with the law; being aware of other laws that apply to your charity; responsibility for, and to, members and others with an interest in the charity; and treating accountability as an opportunity, not a burden. It’s not about being an expert, but you do need to take reasonable steps; and it’s not about accountability for its own sake.]
What makes an organisation nervous?
Some Findings
• UK charities hold funds, personal, financial and commercial data and other information that is of interest or monetary value to a range of cyber criminals and other groups.
• The type and amount of information held varies according to an individual charity’s size, objectives, structure and contacts.
• Charities are subject to the same cyber vulnerabilities as other organisations and businesses that conduct financial transactions, and rely on electronically held data or information to conduct day-to-day operations.
• Thirty charities interviewed for a recent government-commissioned report had collectively experienced a range of cyber breaches in the last two years, including viruses, phishing emails, ransomware attacks, identity theft, website takedowns and variants of online financial fraud.
• The breaches resulted in loss of funds, data and website control. Although based on a very small dataset, the findings suggest that malicious cyber activity against the charity sector is varied and enduring.
https://www.ncsc.gov.uk/files/Cyber%20threat%20assessment%20-%20UK%20charity%20sector.pdf
Range of Criminals
A Trusting Sector
Business Email Compromise
What is Business Email Compromise
The value of a compromised email address https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/
Suppliers
The Assessment https://www.ncsc.gov.uk/files/Cyber%20threat%20assessment%20-%20UK%20charity%20sector.pdf
https://www.ncsc.gov.uk/collection/charity
https://www.ncsc.gov.uk/collection/small-business-guide
Backups
Mobile device security
Ransomware
Phishing
Passwords
Toolkit for boards https://www.ncsc.gov.uk/collection/board-toolkit
Exercise time!
• What is important to your organisation?
• Where are the biggest gaps?
• What immediate steps can you take?
Risk Management Regime
Network Security
User Education and Awareness
Malware prevention
Removable Media Controls
Secure Configuration
Managing User Privileges
Incident Management
Monitoring
Home and Mobile Working
Questions? [email protected]