
Computer Security Day: Webinar on Cybersecurity

Angelina Angelov
30 Nov 2021
6 min read

Cybersecurity incidents may lead to reputational damage, lost productivity, theft of intellectual property, operational disruption, and high recovery costs. Data protection is a major challenge that requires ongoing commitment. Therefore, we must establish cybersecurity policies and procedures and ensure their implementation and compliance. Training at all levels, especially of leaders, can be the differentiating factor that reduces the risks associated with the use of technology. It is therefore necessary to create a culture of cybersecurity.


The following is a transcript of some parts of the Webinar:


First I would like to take the opportunity to thank the audience for joining us today, on the occasion of Computer Security Day: members of the IWIRC association and, more widely, colleagues and friends.


Our lifestyle has changed. According to IoT Analytics, by the end of 2020 the number of connected devices worldwide had reached around 21.7 billion, and 54% of them are part of the Internet of Things. We are surrounded by smart devices: at home, in the office, on the street. In October 2019 the American Bar Association published its Technology Report, which indicates that an average person uses around 36 cloud-based applications in daily life.


Juan Jose has made clear how alarming the statistics for 2021 have been. Globally, 1 in 61 organizations has been affected by ransomware every week. Despite our efforts, cybercrime will continue to grow, so it is no longer enough to have cybersecurity; we must build cyber resilience. Broadly, build the strategy on cyber resilience.


Cybersecurity must be part of the strategic plan of your business towards the digital transformation. Cyber resilience must become a cornerstone of the ecosystem. The CIO, as a technical professional, must actively participate in strategic planning.

Cybersecurity is NOT the sole responsibility of the Technology staff. It is everyone's responsibility.


Risk management


The cybersecurity policy needs to be based on the firm's risk assessment and on those responsible for each process. The foundation of a cybersecurity program is the support of senior management. Once they are committed and on board, create the policies and procedures to follow, and then implement the corrective measures needed to achieve compliance.


Keywords: Owner, General Manager, CEO. If you find your title among these keywords, you are ultimately responsible.

Basic knowledge of the rules of cybersecurity will keep you from being an easy target for cyber criminals.


Keywords: Legal, compliance

If any of these keywords appears in your job title or description, your role is critical to risk management.

  • Understand the legal implications of cybersecurity to enable robust risk mitigation.

  • Implement an effective compliance program.

  • Actively participate in the risk management process, working with Planning, Finance, Administration and other areas to mitigate risks in a comprehensive manner.

  • Support the incident response team.

  • After an incident, carry out the necessary steps, whether in support of official investigation bodies or in notifying clients, suppliers or the general public.

  • Protect information in line with legal requirements: make sure information is destroyed in accordance with your organization's data retention policies or external regulations.

Other roles:

Fully understand your role and take personal responsibility for knowing how your organization addresses cybersecurity risks.

Be willing to learn, as technology continually evolves.

Know how to manage, control, store, transfer and dispose of information in your organization.

Protect your assets by physically safeguarding your computer, mobile devices, and non-electronic information.

Follow your organization's security procedures for facilities and prevent unauthorized access through social engineering tricks and impersonation, so-called spoofing.

Use the best authentication capabilities your organization offers to control access to computers, mobile devices and other equipment.

Use encryption for information in transit and at rest.

If you work from home, protect your home devices and connections.

Learn about your organization's security incident notification policy and contacts.

Take control of your own security and cybersecurity; don't assume hardware and software vendors will do it for you.


Security policies span three axes:

  • Physical security: user policies

  • Technical Security: IT responsibility

  • Administrative Security: Cybersecurity Policies and Procedures

What do we protect?

  • Physical and electronic employee records

  • Physical and electronic customer records

  • Physical and electronic financial information of clients and of the firm

Data is vulnerable at rest, in use and in transit.


Administrative security begins by defining policies, which are approved by senior management. To implement any project we must have the support of senior management, and in the case of cyber resilience they must be part of the entire process.


Prepare a business continuity and disaster recovery plan, as well as a breach response plan.

  • The plan must be consistent, and from time to time you have to test it.

  • Have a business continuity plan based on the identification and analysis of critical processes

  • Establish alternative physical infrastructure to work from, communications equipment, technology, key people, etc.

  • Prepare and test cyber attack scenarios

  • Define those responsible for communication and the emergency committee, responsible for decision-making

Ensure regular training with the participation of all employees, from senior management to front-line staff, through special courses, tests and simulations. Human error in the improper use of information systems remains among the most common causes of a cybersecurity incident. Cyber exercises and training for the entire team help build a culture of security within organizations, increase awareness of cybersecurity, and keep employees from falling for social engineering and data theft. They also improve staff resistance to phishing.

Once the training sessions are completed (training must also be continuous, and mandatory for new hires), employees must sign the security agreements and, where applicable, the agreements on the use of their own equipment.


What does Building a Cybersecurity Culture mean?


The culture of our organizations is essential to establishing a successful cybersecurity program. Culture should emphasize, reinforce and encourage leaders to model security-minded behavior. Culture is how we do things in our organizations, and it is the leaders who set the guidelines. It requires vision, investment in security, and modeling good personal security habits. And it starts by raising awareness, which is the critical component. When we build awareness into organizational culture, our ability to address risks increases. Be vigilant and prepared, regardless of whether you are a small business, a non-profit, or one of the Fortune 100. Mindset shifts will drive appropriate behaviors at the individual level, helping build resilience throughout the organization.


Regarding leadership: cybersecurity needs require financial and human resources.

Understand the basics and best practices well enough to allow sound decision making. Include cyber risk within the category of business risk: it is NOT a topic reserved for IT.

Develop and maintain information security policies and standards.

Create cross-functional teams to achieve the cybersecurity program's goals.

Hiring experts can save money and resources and protect your business: they have more experience and better-qualified tooling and personnel.


Use technology to enforce policy:

  • Periodic password changes

  • Password composition requirements (length, character classes)

  • Disabled USB ports

  • Blocked access to certain websites

  • Session lockout after inactivity

Note to leaders


Don't be afraid to ask questions. No one expects leaders to understand cybersecurity as well as finance or operations, but everyone expects them to mitigate business risks, and a real risk today is cybersecurity risk. As a leader, your job depends on how well you deal with risks, sometimes on unfamiliar issues.

The ISO 27000 family of standards provides recommendations on organizational policies and structures to reduce risk, and the COSO framework connects corporate governance with culture by highlighting the importance of cultural requirements, core values, and the development and training of human talent. The clear commitment of leaders to risk management is essential for success.

The good news is that a study published by Ernst & Young in 2020 found that 81% of board members classify cybersecurity as "highly relevant", and Gartner predicts that by 2025, 40% of boards will have a cybersecurity committee (currently only 10% do). We have one in our office.


Customer expectations: internal clients expect hybrid work; external clients expect security, mobility and connectivity.


Audits, audits and more auditors are the order of the day: forms of hundreds of pages to fill out, covering administrative safeguards as well as other areas.


The risk of non-compliance is expensive:

Speaking, for example, of the GDPR, the first thing many people mention is the risk of fines. But for most organizations, fines are not the most significant risk of non-compliance.


Loss of confidence

This is the number one fear for most organizations. If customers don't trust you with their data, they won't do business with you. Complying with applicable regulations and standards is becoming the baseline for doing business: "If they're not playing by the rules, we don't even talk."


Reputational damage

If a breach occurs, your name will appear in the news, damaging your reputation and lowering trust. No organization wants to be known or remembered for the breach that occurred and the data it lost: the Panama Papers and the Pandora Papers, to mention a couple.


Fines

Although many organizations do not consider fines the most important consequence, they are still very significant and can have a substantial impact on the business.


Simple recommendations:

  • DO NOT write your passwords on a post-it.

  • DO NOT let your minor children use devices that hold office data.

  • Use encryption, but remember to safeguard the key or password used to encrypt: there is no other way to open previously encrypted data.

  • USB memory sticks: use encrypted ones, for example IronKey or Apricorn.

  • Keep personal files separate from office files.

But also:

  • Limit the ability of others to discover your home router.

  • Use secure connections (VPN).

  • If you travel, do not enter sensitive data on public computers, much less over open public networks, for example in libraries, Internet cafés, hotels and airports.

  • Finally: use social media wisely. Don't share your personal information on corporate accounts, or vice versa.
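The recommendation to encrypt data at rest and in transit, and the warning that an encrypted file cannot be opened without its key, can be shown concretely. The following is an added example, not code from the webinar: a small password-based authenticated-encryption routine built only from Python's standard library. The construction is an assumption chosen for illustration (PBKDF2-HMAC-SHA256 to derive two keys from the passphrase, HMAC-SHA256 in counter mode as the keystream, and a second HMAC over salt, nonce and ciphertext so that a wrong passphrase or a tampered file is rejected rather than silently decrypted to garbage). The sample plaintext and passphrases are constructed for the demo. In production use a vetted AEAD such as AES-GCM from a maintained library; the point here is the key-management lesson, not the cipher.

```python
"""Password-based authenticated encryption from the Python standard library.

Added example (not part of the webinar). The salt, nonce and KDF parameters
may be stored beside the ciphertext; the passphrase must be safeguarded,
because losing it is indistinguishable from using a wrong one.
Construction is an illustrative assumption: PBKDF2 -> two keys,
HMAC-SHA256 counter-mode keystream, encrypt-then-MAC with HMAC-SHA256.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000   # OWASP-level work factor for PBKDF2-HMAC-SHA256
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32                  # SHA-256 output


def _derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the passphrase into an encryption key and a MAC key."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS, dklen=64)
    return master[:32], master[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF (HMAC-SHA256) in counter mode: keystream = HMAC(key, nonce||ctr)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt(passphrase: str, blob: bytes) -> bytes:
    """Verify the tag first; only then decrypt. Raises ValueError otherwise."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("wrong passphrase or tampered data: cannot decrypt")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    """Round trip, then show that a lost/wrong passphrase or a flipped bit
    leaves the data unrecoverable (constructed sample data)."""
    secret = b"client ledger 2021-Q3: balance 12,450.00"
    passphrase = "correct horse battery staple"
    blob = encrypt(passphrase, secret)
    result = {"roundtrip": decrypt(passphrase, blob) == secret}
    try:
        decrypt("correct horse battery stapel", blob)   # one letter off
        result["wrong_passphrase_rejected"] = False
    except ValueError:
        result["wrong_passphrase_rejected"] = True
    tampered = bytearray(blob)
    tampered[SALT_LEN + NONCE_LEN] ^= 0x01             # flip a ciphertext bit
    try:
        decrypt(passphrase, bytes(tampered))
        result["tamper_rejected"] = False
    except ValueError:
        result["tamper_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Note that nothing in the blob lets a forgotten passphrase be recovered: the salt only makes the key derivation unique, and the tag only tells you whether the passphrase you tried is the right one. Backing up the passphrase (or an escrowed copy of the derived key) is therefore part of the encryption procedure, not an afterthought.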

To conclude, I can only thank the audience once again; I remain at your disposal to answer any questions.


Angelina Angelov





©2020 by The time of change. Created with Wix.com
