cyber security breakfast briefing - exeter

December 2017 Cyber security breakfast briefing

Upload: pkf-francis-clark

Post on 28-Jan-2018

TRANSCRIPT

Page 1: Cyber Security breakfast briefing - Exeter

December 2017

Cyber security breakfast briefing

Page 2

Glenn Nicol, Corporate Partner

Chair’s welcome

Page 3

Housekeeping

@pkfFrancisClark

#CyberSecurity17

Page 4

Programme

GDPR – Ben Travers, Stephens Scown LLP

GDPR tools – Russell Cosway, Gydeline

Cyber Essentials / IASME accreditation – Richard Wilding, PKF Francis Clark

Cyber insurance – Jonathan Cox, Paveys

Page 5

Ben Travers, Stephens Scown

GDPR

Page 6

GDPR Tools – Russell Cosway – December 2017

Pages 7-11 (no extractable text)

Page 12

Tools landscape . . .

Page 13

Data Protection Impact Assessment (DPIA)

• Date / who / DPO

• Process name / purpose

• Legal basis

• Data source / locations

• Who is impacted?

• Description

• How is data deleted?

• What risks / mitigations?

• Date of review

Page 14 (no extractable text)

Page 15

What does Gydeline do?

• Checks for compliance against every word of the regulation

• Enables proof of accountability

• Changes as the regulation changes

• Identifies specific actions

• Makes GDPR simpler to understand

Page 16

Links

• gydeline.com/dpia

• gydeline.com/datamap

FCDEC2017 – 25% discount on lifetime of subscription

Page 17 (no extractable text)

Page 19

Richard Wilding, Head of Cyber Services

Cyber Essentials / IASME accreditation

Page 20

Why PKF Francis Clark

• Trusted advisers – experienced auditors

• We offer assurance, not consultancy: assurance against well-known standards approved by Government and the NCSC

• Cyber Essentials and IASME are constantly updated and monitored for quality control

• Some additional services can be offered

Page 21

General Data Protection Regulation (GDPR) – applies from 25 May 2018

• GDPR has two main sides, and organisations need to look at both:

Data subject rights and the need for ‘informed consent’

Good standards of information security

• Cyber Essentials is a great first step

• IASME demonstrates a wider governance system for data controls

Page 22

Cyber Essentials

• Self-assessment questionnaire for the company to complete

• Covers the 5 key control areas (boundary firewalls and internet gateways, secure configuration, access control, malware protection, patch management) / 71 questions

• We provide upfront assistance (1 day needed) to support how to complete and progress

• It is submitted via a secure portal for us to assess

• Basic vulnerability scan performed

• Assessor feedback provided

• Once successful, the Cyber Essentials logo can be used for 12 months

• Limited insurance provided / can help reduce further cyber insurance

Page 23

Cyber Essentials PLUS

• We audit and test the 5 key control areas

• Includes detailed vulnerability and limited penetration testing

• A report is then issued

• Once successful, the Cyber Essentials PLUS logo can be used for 12 months

• Can help to reduce cyber insurance further

Page 24

IASME (Information Assurance for Small and Medium Enterprises)

• IASME – two levels: Standard and Gold

• 180 questions (including those in Cyber Essentials)

• Includes GDPR-specific questions

• Akin to ISO 27001

• A report is then issued

• Once successful, the IASME logo can be used for 12 months

Page 25

Next steps

• See brochure in pack

• Complete form

• Chat with us after this event

• Contact your PKF Francis Clark adviser or e-mail: [email protected]

Page 26

Disclaimer & copyright

(c) Copyright PKF Francis Clark, 2017

You shall not copy, make available, retransmit, reproduce, sell, disseminate, separate, licence, distribute, store electronically, publish, broadcast or otherwise circulate either within your business or for public or commercial purposes any of (or any part of) these materials and / or any services provided by PKF Francis Clark in any format whatsoever unless you have obtained prior written consent from PKF Francis Clark to do so and entered into a licence. To the maximum extent permitted by applicable law PKF Francis Clark excludes all representations, warranties and conditions (including, without limitation, the conditions implied by law) in respect of these materials and / or any services provided by PKF Francis Clark. These materials and / or any services provided by PKF Francis Clark are designed solely for the benefit of delegates of PKF Francis Clark. The content of these materials and / or any services provided by PKF Francis Clark does not constitute advice and whilst PKF Francis Clark endeavours to ensure that the materials and / or any services provided by PKF Francis Clark are correct, we do not warrant the completeness or accuracy of the materials and / or any services provided by PKF Francis Clark; nor do we commit to ensuring that these materials and / or any services provided by PKF Francis Clark are up-to-date or error or omission-free. Where indicated, these materials are subject to Crown copyright protection.
Re-use of any such Crown copyright-protected material is subject to current law and related regulations on the re-use of Crown copyright extracts in England and Wales. These materials and / or any services provided by PKF Francis Clark are subject to our terms and conditions of business as amended from time to time, a copy of which is available on request. Our liability is limited and to the maximum extent permitted under applicable law PKF Francis Clark will not be liable for any direct, indirect or consequential loss or damage arising in connection with these materials and / or any services provided by PKF Francis Clark, whether arising in tort, contract, or otherwise, including, without limitation, any loss of profit, contracts, business, goodwill, data, income or revenue. Please note however, that our liability for fraud, for death or personal injury caused by our negligence, or for any other liability is not excluded or limited.

PKF Francis Clark is a trading name of Francis Clark LLP. Francis Clark LLP is a limited liability partnership, registered in England and Wales with registered number OC349116. The registered office is Sigma House, Oak View Close, Edginswell Park, Torquay TQ2 7FF where a list of members is available for inspection and at www.pkf-francisclark.co.uk. The term ‘Partner’ is used to refer to a member of Francis Clark LLP or to an employee. Registered to carry on audit work in the UK and Ireland, regulated for a range of investment business activities and licensed to carry out reserved legal activity of non-contentious probate in England and Wales by the Institute of Chartered Accountants in England and Wales. Partners acting as insolvency practitioners are licensed in the UK by the Institute of Chartered Accountants in England and Wales. A partner appointed as Administrator or Administrative Receiver acts only as agent of the insolvent entity and without personal liability. Francis Clark LLP is a member firm of the PKF International Limited network of legally independent firms and does not accept responsibility or liability for the actions or inactions on the part of any other individual member firm or firms.

Page 27

Insurance Aspects of Cyber

Page 28

Insurance Cover – Cyber &/or Crime

The Threats

Why Do Businesses Need Cyber Insurance?

Claims

Reducing risk

Q&A

Page 29

Cyber &/or Crime

Cyber Liability Insurance provides businesses with protection against financial loss resulting from the loss of personal and/or corporate data. Cover addresses first- and third-party risks ranging from the loss of a single laptop or file to the hacking of a company’s website or network.

Main policy triggers: security breach, data breach, operational failure.

Crime Insurance provides businesses with protection against financial loss resulting from criminal or fraudulent taking, obtaining or appropriation of money, securities, funds or property.

Page 30

The Threats

NEGLIGENT EMPLOYEE

• Sends wrong data

• Loss of hardware (mobile theft)

• Victim of phishing, vishing

OUTSIDERS

• Hacktivism – denial of service, theft of data

• Crime syndicate – denial of service, theft of data

• Government agencies / industrial espionage – denial of service, malware, extortion, shutting down infrastructure, advanced persistent threats

Data at risk: credit / banking details, government ID, personally identifiable information, protected health information, corporate information

SOCIAL NETWORKING

• Twitter, Facebook, LinkedIn

ROGUE EMPLOYEE

• Physical theft

• Steal data

• Competitive advantage

• Sell to criminals

• Extortion

VENDORS

• Cloud – network interruption, theft of data due to security failures, unauthorised access to data, loss of data

• Data centers – network interruption, physical theft of servers, theft of data due to security failure

• Outside providers – network interruption, backdoor intrusion

EMPLOYEES – negligent employees, rogue employees

Page 31

It’s all about Balance Sheet Protection….

• First Response Costs

• Third-party (TP) liability

• Fines

• Loss of Revenue

• Brand / Reputational Damage

• Loss of Intellectual Property

• Contractual Liability

• Share Price

Page 32

Cyber claims received by AIG EMEA (2013-2016) – by industry

(Chart not reproduced in the transcript.)

* Construction, Food & Beverage, Information Services, Other Services, Transportation, Agriculture & Fisheries, Energy and Real Estate

Page 33

Cyber claims received by AIG EMEA (2013-2016) – by type

(Chart not reproduced in the transcript.)

Page 34

Claims Examples

• Cloud service provider accidentally decommissioned a live server (professional indemnity (PI) claim?)

• Confidential waste bins stolen

• Older server handed to a bogus courier

• Legal papers (employment practices liability (EPL) issues) sent to the wrong person

• Details of delayed products and a refund option sent to 250 people in error

• IT consultant providing HR services – attempted hack

• Insurance brokers crypto-locked (ransomware)

Page 35

Claims Examples – Hacking & Impersonation

A fraudster hacked into the company’s email system to gain information about its organisational structure. During telephone calls with a member of staff in the finance department the fraudster mimicked the voice of the company CEO. It was strongly suspected that the fraudsters had listened to his voice on a webcast and practised it to perfection.

The requested payments were supposedly for a confidential acquisition that only senior management knew about, and the fraudster provided forged invoices containing forged signatures to the member of staff contacted.

Page 36

Reducing the risk to your business

• Ensure your software is up to date and that you have the latest anti-virus software installed, as updates are released frequently to help combat the most recent cyber threats.

• Staff training is essential. Educate your employees on how to recognise suspicious emails and browse the internet safely. Cyber awareness should be included as part of your induction process and revisited in regular refresher sessions.

• Ensure you have an incident response plan in place which you can call upon in the event of a breach or interruption. This should include technical measures that enable the recovery of systems, operations and data, and a communication strategy if necessary.

• If you are looking for additional advice and guidance on prevention, we would recommend the Cyber Essentials website, a government-backed cyber security certification scheme that sets out a good baseline of security suitable for all organisations across all sectors.

Reducing Risk: Identify → Analyse → Control → Transfer

Page 37

Any Questions?

Page 38

Glenn Nicol, Corporate Partner

Chair’s close