Cybersecurity: How to Protect Your Business (slide transcript; source: southfloridafpa.org/wp...How-to...Presentation.pdf)

Slide 1: Cybersecurity: How to Protect Your Business
Presenter: Craig Watanabe, CSCP, Sr. Compliance Consultant, Core Compliance & Legal Services, Inc.

Slide 2: Agenda
- Understand how to meet regulatory expectations
- Learn how to develop an actionable cybersecurity plan
- Explore cyber protections that are practical, economical and effective

Slide 3: Materials
- Cybersecurity cannot be thoroughly covered in 50 minutes, so extensive materials have been provided as takeaways:
  - Detailed outline with best practices
  - Cybersecurity Readiness Assessment Tool
  - User Awareness Training memo
  - IT Vendor Due Diligence Checklist

Slide 4
Cybersecurity is a regulatory and business risk that affects nearly all firms. For many firms, cybersecurity is their number one risk.

Slide 5: Understand How to Meet Regulatory Expectations

Slide 6: Expectations Are Articulated in Regulatory Guidance
- SEC OCIE National Exam Program Risk Alert – OCIE Cybersecurity Initiative (Apr. 15, 2014)
- SEC OCIE Exam Priorities for 2015 (Jan. 3, 2015)
- SEC OCIE NEP Risk Alert – Cybersecurity Examination Sweep Summary (Feb. 3, 2015)
- FINRA Report on Cybersecurity Practices (Feb. 2015)
- SEC OCIE NEP Risk Alert – OCIE's 2015 Cybersecurity Examination Initiative (Sep. 15, 2015)

Slide 7: Case Study
- In the Matter of R.T. Jones Capital Equities Management, Inc., SEC Rel. No. 4204 (Sep. 22, 2015)
  - The SEC states that R.T. Jones stored sensitive personally identifiable information of clients on its web server without adopting written policies and procedures regarding the security and confidentiality of that information and its protection from anticipated threats or unauthorized access
  - In July 2013, the firm's server was attacked by an unauthorized, unknown intruder who gained access to the data on the server

Slide 8: Case Study (cont'd)
- In the Matter of R.T. Jones (cont'd)
  - As a result of the attack, personally identifiable information of more than 100,000 individuals was rendered vulnerable to theft
    - The cyber attack had been launched from multiple IP addresses, all of which traced back to China
    - The full extent of the breach could not be determined because the intruder destroyed the log files. The practical lesson: forward logs to a separate system the intruder cannot reach, so wiping the local copy does not erase the evidence.

Slide 9: Case Study (cont'd)
- In the Matter of R.T. Jones (cont'd)
  - Remediation efforts
    - Provided notification of the breach to affected individuals
    - Appointed an information security manager to oversee data security
    - Adopted a written information security policy
    - Encrypted the internal network
    - Retained a cybersecurity firm
- FINDINGS: cease-and-desist order, censure, and a $75,000 civil penalty

Slide 10: Learn How to Develop an Actionable Cybersecurity Plan

Slide 11: The Five-Step Planning Model
1. Gather information to assess the current situation
2. Define and quantify objectives
3. Perform an analysis, consider alternatives, formulate the plan
4. Implement the plan
5. Periodically review and make adjustments as necessary

Slide 12: Cybersecurity Steps 1 & 2
- The Cybersecurity Readiness Assessment Tool
  - This tool is analogous to a financial planning data-gathering checklist
  - 42 questions in 6 categories
- Vulnerability assessment performed by an independent information security consultant
  - The assessment will identify vulnerabilities and suggest remediation (define and quantify objectives)

Slide 13: Step 3 - Explore Cyber Protections that are Practical, Economical and Effective

Slide 14: The Fortress Model of Cybersecurity
- Four components of the fortress model
  - Barriers
  - Entry/exits
  - Locks
  - Keys

Slide 15: The Locks (Encryption) Are Very Strong
- In most endeavors the offense has the advantage over the defense, and this is especially true in cybersecurity
- However, one area where the defense has the advantage is encryption: a modern cipher, correctly implemented, cannot be brute-forced, so attackers go after the keys, the implementation or the endpoints instead
  - Encryption is practical, economical and effective
  - The case of Apple vs. the FBI
  - Edward Snowden

Slide 16: Defense in Depth
- This is a military principle which prescribes multiple layers of defense
- In cybersecurity you deploy multiple independent layers of protection, so that the failure of one does not expose the data, for example:
  - Firewall (a barrier: limits what can reach the server at all)
  - Disk or file encryption (a lock: data copied off a compromised or stolen system stays unreadable without the key)

Slide 17: The Keys (Passwords) Are the Weakest Link
- Although encryption is strong, it can be defeated by stealing the keys (the password) or by guessing a weak one
- Three controls to prevent unauthorized access
  - Strong password policy
  - Use password managers
  - Employ two-factor authentication

Slide 18: Strong Password Policy
- An 8-character password can be cracked in about 15 minutes using readily available tools (this assumes an offline attack on a stolen copy of a fast, unsalted hash such as NTLM or MD5; a slow hash such as bcrypt, or an online login with rate limiting, raises the cost by orders of magnitude)
- A 10-character password of the same kind would take several weeks to crack
- The key to password strength is length: each added character multiplies the attacker's search space by the size of the alphabet
- Teach the technique of password padding (extending a short, memorable password with a repeated run of characters) to create long passwords that are easy to remember and easy to type. Padding defeats exhaustive search but not dictionary and rule-based attacks that try common padding patterns, so it complements, rather than replaces, a password manager and two-factor authentication
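To put numbers behind the length claim, the following is an added example (Python, not code from the presentation) that computes the worst-case brute-force time for a password from its length and the character classes it uses, and shows the padding technique. The guess rates are assumptions chosen to model an offline attack on a fast hash, an offline attack on a slow hash, and a rate-limited online login; the sample passwords are constructed.

```python
"""Brute-force cost of a password as a function of its length and alphabet.

Added example for the "length is what matters" point; it is not code from the
presentation. The guess rates below are assumptions chosen to model common
situations, not measurements, and the search-space figures are worst-case
(exhaustive) bounds: real crackers try wordlists and mangling rules first,
so a padded dictionary word falls faster than its raw keyspace suggests.
"""
import string

# Assumed guess rates in guesses per second (constructed for illustration).
OFFLINE_FAST_HASH = 1e11    # stolen NTLM/MD5 hashes on a multi-GPU rig
OFFLINE_SLOW_HASH = 1e5     # stolen bcrypt/PBKDF2 hashes, high work factor
ONLINE_RATE_LIMITED = 10.0  # throttled web login form


def alphabet_size(password: str) -> int:
    """Size of the character set an attacker must cover for this password:
    the sum of every standard class (lower, upper, digit, symbol) it uses."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    )
    return sum(size for chars, size in classes if any(c in chars for c in password))


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidate passwords of exactly this length."""
    return alphabet ** length


def seconds_to_exhaust(password: str, rate: float) -> float:
    """Worst-case time to try every candidate of the same length and
    character classes as `password` at `rate` guesses per second."""
    return keyspace(len(password), alphabet_size(password)) / rate


def pad(password: str, filler: str = ".", total_length: int = 20) -> str:
    """The padding technique: extend a short, memorable password with a
    repeated filler so the attacker's search space grows with the length."""
    return password + filler * max(0, total_length - len(password))


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # Constructed sample passwords: 8 chars, 10 chars, the 8-char one padded
    # to 20, and a long lowercase passphrase.
    samples = ["Summer15", "Summer2015", pad("Summer15"), "correct horse battery staple"]
    for pw in samples:
        print(f"{pw!r:34} len={len(pw):2} alphabet={alphabet_size(pw):2}",
              f"offline-fast={human(seconds_to_exhaust(pw, OFFLINE_FAST_HASH)):>18}",
              f"online={human(seconds_to_exhaust(pw, ONLINE_RATE_LIMITED)):>22}")
```

Run as a script it prints one line per sample. With the assumed rates, the 8-character mixed-case password ("Summer15", 62-character alphabet) is exhausted in about 36 minutes against a fast hash, the 10-character version in about 97 days, and the padded 20-character version in an astronomically long time; the same 8-character password takes centuries against a rate-limited login, which is why stolen hash databases, not login forms, are where short passwords fall.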

Slide 19: Use Password Managers
- Password managers allow users to set a different password for each site; the user need only remember the master password
- Password managers add convenience
- LastPass and RoboForm are examples of common password managers
- The master password and the vault become the single most valuable secret, so the master password should be long and the manager account itself protected by two-factor authentication

Slide 20: Two-Factor Authentication (2FA)
- A 2FA protocol requires a second form of authentication in addition to the password, such as a biometric or a one-time code from an authenticator app or hardware security token. (An answer to a challenge question is "something you know", the same factor as the password, so it does not count as a second factor.)
- This is akin to requiring each lock to be opened with two keys
- 2FA is practical, economical and effective

Slide 21: User Awareness Training

Slide 22: The Human Element of Cybersecurity
- According to the 2015 Verizon Data Breach Investigations Report, about two-thirds of all breaches entailed a compromised user
- User awareness training is a critical component of cybersecurity
- Training is most effective when delivered in the context of home computers and personal devices

Slide 23: User Awareness Training
- The principles of effective training apply to teaching cyber hygiene
  - Training must be relevant and engaging
  - Principles should be reinforced continually, well after the training is completed
  - Live training is the most effective, followed by webinar and self-study

Slide 24: Weak Controls

Slide 25: Intrusion Detection Monitoring
- According to a 2015 study by Trustwave of over 600 breaches, over 80% were never discovered by the victim
- The victim was often contacted by the hacker or notified by law enforcement
- Skilled hackers are very adept at avoiding detection, even with the best systems available

Slide 26: Vendor Due Diligence
- A significant percentage of breaches originate from a third-party vendor
- Vendor due diligence is recommended but not very effective
- Dealing with vendors that are large and well-respected reduces the downside versus a small vendor

Slide 27: Penetration Tests
- For small firms a vulnerability assessment is more valuable than a penetration test
- Vulnerability assessments are broader in coverage (every host and service is checked for known weaknesses and misconfigurations), whereas a penetration test goes deeper on a narrower scope, is more labor-intensive, and is typically the more costly of the two

Slide 28: Step 4 - Don't Procrastinate!
- As in financial planning, procrastination is one of the biggest reasons for failure in cybersecurity
- Develop and implement your cybersecurity plan!

Slide 29: Step 5 - Periodically Review
- Like financial planning, cybersecurity is not a one-time event; it is an ongoing process
- It is a best practice to perform annual vulnerability assessments

Slide 30: Questions?
Craig Watanabe, CFP® AIF® CSCP
Sr. Compliance Consultant
[email protected]
Core Compliance & Legal Services, Inc.
1350 Columbia Street, Suite 300
San Diego, CA 92101
Tel: (619) 278-0020
www.corecls.com