The CISO’s Guide to Being Human
How to prevent and cope with accidental data leakage
The CISO’s guide to being human
The issue of data security is becoming ever more pressing for the public and private sectors:
• Sensitive data that has been lost or leaked by Britain’s private and public sectors has risen by 1,014% between August 2007 and August 2012
• From 2011/2012, the UK logged 821 data breaches
• 58% of IT professionals polled by Computer Weekly admit to not using Data Loss Protection products
SOURCE: The Register; 2012 Verizon Data Breach Investigation Report
While malicious hacking is the number one threat to your data security, there is one element that still accounts for making much of it possible – staff making mistakes that can lead to costly data leakage...
97% of breaches were avoidable through simple or intermediate controls
According to ISACA’s 2012 Governance of Enterprise IT (GEIT) Survey of over 3,700 of its members, of the security challenges that a company is likely to face in the next 12 months:
• 16% will be mistakes made by employees
• 13% will be incidents relating to employees’ personal devices (BYOD)
But are companies doing enough to tackle data compliance issues? According to the same report:
• Nearly 1/4 of respondents said management’s level of involvement in governance is low
• 49% of enterprises will be increasing investments in IT over the next 12 months.
But will they be increasing their data security budgets too?
SOURCE: FlashRouters, Mashable
While DLP solutions are available, there are several basic lessons that can be instilled into staff to act as your first line of defense against data leakage:
• More than 60% of people use the same password across a multitude of accounts; this can make life easy for hackers
• Use a secure password generator that will create difficult-to-crack passwords: http://www.pctools.com/guides/password/
Facepalm Passwords
According to SplashData, the worst passwords of 2012 were:
5. ‘qwerty’
4. ‘abc123’
3. ‘12345678’
2. ‘123456’
1. ‘password’
“Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.”
Clifford Stoll, data security guru
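As an added illustration of the two password lessons above (reject the "facepalm" passwords, and generate strong ones with a proper random source), the following Python is not from the deck or from SplashData or PC Tools; it is example code written for this page. The blocklist is constructed from the five passwords quoted on the slide and the 12-character minimum and keyboard-walk rule are assumptions a real policy would tune (and a real deployment would check against a full breached-password list, not five entries).

```python
import secrets
import string

# Constructed blocklist: the five SplashData "worst passwords of 2012" quoted on the slide.
# A production check would use a full breached-password list instead of this handful.
WORST_PASSWORDS = {"password", "123456", "12345678", "abc123", "qwerty"}

# Keyboard rows and ordered runs; any 4-character slice of one of these (forward or
# reversed) found inside a password is treated as a keyboard walk such as "qwer" or "4321".
KEYBOARD_RUNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "abcdefghijklmnopqrstuvwxyz"]
MIN_LENGTH = 12  # assumed policy value


def _has_keyboard_walk(text: str, run_len: int = 4) -> bool:
    """True if any run_len-character slice of text lies on a keyboard row or ordered run."""
    lowered = text.lower()
    for row in KEYBOARD_RUNS:
        for candidate in (row, row[::-1]):
            for i in range(len(lowered) - run_len + 1):
                if lowered[i:i + run_len] in candidate:
                    return True
    return False


def weakness(password: str):
    """Return a short reason the password fails the policy, or None if it passes."""
    if password.lower() in WORST_PASSWORDS:
        return "on the worst-passwords blocklist"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if password.isdigit():
        return "digits only"
    if _has_keyboard_walk(password):
        return "contains a keyboard or alphabet sequence"
    return None


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16) -> str:
    """Generate a password from the OS CSPRNG (secrets), retrying until it passes weakness()."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if weakness(candidate) is None:
            return candidate


if __name__ == "__main__":
    for sample in ["password", "Qwerty123!", "19870412199012", "correct horse battery staple"]:
        print(f"{sample!r}: {weakness(sample) or 'ok'}")
    print("generated:", generate_password())
```

The check runs in the order a user is most likely to trip over it: blocklist first, then length, then all-digit and keyboard-walk patterns. `secrets` rather than `random` is the important design choice for the generator, since `random` is not suitable for security-sensitive values.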
“Speared by phishing”
SOURCE: Websense, Mashable; Verizon
Spear-phishing is the latest trend in sucker-punching naive employees; it’s the specific targeting of particular groups or individuals via socially-engineered content:
• Combat phishing through employee education. Facebook holds an annual ‘Hacktober’ where employees are treated to simulated security threats for a month. Those who report fake phishing attempts and other security attacks are given prizes – while those who fail to do so are given further training.
84% of victims unknowingly possessed evidence of a breach in their logs
SOURCE: 2012 Verizon Data Breach Investigation Report
Research has revealed that half of the surveyed companies had lost a device with important business data on it, causing security implications for over a fifth of organizations. If correct encryption procedures had been followed, such security implications would have been eliminated.
[SOURCE: Business Computing World]
Encrypt laptops, mobile devices and removable media to ensure that if tech is lost out in the field (or in a pub), its data remains inaccessible.
[SOURCE: Ernst & Young]
Take extra care...
… and consider controlling the use of removable media such as USB flash drives – and enforce the ban by using software that will not allow unauthorized drives to be accessed when plugged in.
Worst case scenario
An international oil and gas company lost an unencrypted laptop containing the personal information of 13,000 US individuals including their names, Social Security numbers and addresses. The sting in the tail? The information lost was for claimants who had already filed against the company...
Scorched Earth Policy
Always have the ability to remotely wipe lost or stolen devices available to you as your last line of defense...
“Being Human”
Remember: serious data leakage could be caused by something as simple as sending an email to the wrong person by accident (auto-complete in the ‘To:’ field has made slip-ups easier than ever). Help employees care about data compliance and leakage:
• Create clear, understandable policies that list prohibited behaviors and what is expected from employees when it comes to handling company data
• Avoid long, waffly checklists of dos and don’ts that don’t engage employees but simply turn them off
• Provide regular mandatory training on security awareness for employees – especially for those who are regularly handling highly sensitive data
• If a new data threat emerges, keep staff informed so they know what to look for
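The auto-complete slip described above is something a mail gateway or send-time plug-in can catch before the message leaves. The Python below is an added example written for this page, not code from the deck or from any product it mentions; it shows the two checks a simple outbound review would make: a recipient whose domain is a one- or two-keystroke lookalike of a known domain (the classic auto-complete mistake), and any external recipient on a message the sender has marked sensitive. The domain names `example.com`, `partner-law.example` and `auditor.example` are constructed for the example, and the distance threshold of 2 is an assumption.

```python
import re

# Constructed sample: the organisation's own domain and the partner domains it routinely
# exchanges sensitive documents with. Both are assumptions for this example.
INTERNAL_DOMAIN = "example.com"
TRUSTED_DOMAINS = {"partner-law.example", "auditor.example"}
LOOKALIKE_THRESHOLD = 2  # assumed: at most two keystrokes away from a known domain


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-keystroke lookalikes of a known domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _domain(address: str) -> str:
    """Extract and lower-case the domain part of a plain user@domain address."""
    match = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not match:
        raise ValueError(f"not an e-mail address: {address!r}")
    return match.group(1).lower()


def review_recipients(recipients, sensitive: bool):
    """Return {recipient: reason} for every address that deserves a second look before sending.

    Lookalike domains are always flagged (they are the typical auto-complete slip); plain
    external domains are flagged only when the message is marked sensitive.
    """
    known = {INTERNAL_DOMAIN, *TRUSTED_DOMAINS}
    findings = {}
    for rcpt in recipients:
        dom = _domain(rcpt)
        if dom in known:
            continue
        lookalike = next((k for k in known
                          if _edit_distance(dom, k) <= LOOKALIKE_THRESHOLD), None)
        if lookalike:
            findings[rcpt] = f"domain looks like {lookalike} but is not it"
        elif sensitive:
            findings[rcpt] = "external recipient on a message marked sensitive"
    return findings


if __name__ == "__main__":
    # Constructed recipient list: one internal, one lookalike typo, one trusted partner,
    # one unrelated external address.
    draft = ["alice@example.com", "bob@examp1e.com",
             "carol@partner-law.example", "dave@gmail.com"]
    for rcpt, reason in review_recipients(draft, sensitive=True).items():
        print(f"HOLD {rcpt}: {reason}")
```

The lookalike test is the one that matters for accidental leakage: an address such as `bob@examp1e.com` is accepted by auto-complete as readily as the real one, and a plain "is this domain internal?" check would simply report it as external. Flagging is a prompt for the sender to confirm, not a block, which keeps the control in step with the "being human" advice above.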