Strategies for cyber resilience - Everyone has a Role
Everyone has a Role
National & Organisational Strategies for Resilience to Cyber Attack
www.CyberRescue.co.uk
Agenda
www.CyberRescue.co.uk
1. UK National Cyber Security Strategy to 2021
2. Building Resilience – everyone has a role (Nick Wilding, General Manager, Cyber Resilience, Axelos)
3. Recovery – what should CEOs do?
These presentations were given at a meeting organised by Cyber Rescue on 29/6/16. Participants included senior representatives from the Cabinet Office (UK Government), Capita, E.ON, Institute of Directors, Microsoft, Saga plc, Zurich Insurance, and others.
For similar material, follow Cyber Rescue on LinkedIn here.
Strategies for Resilience to Cyber Attack
BUILDING RESILIENCE: EVERYBODY HAS A ROLE TO PLAY
29 June 2016
AXELOS.COM
It’s not just about bits and bytes... ...it’s about behaviours
We all have a role to play
90%... need to influence and enable positive change in user behaviours
Stats and facts
“253 days is the median number of days it takes an organisation to realise that they have been successfully attacked.”
(Verizon 2015 Data Breach Investigations Report)
“Only 29% of companies rate their cyber resilience as high. Nearly 33% said collaboration was poor/non-existent.”
(Ponemon Institute research with 450 IT and security professionals)
(PWC UK Data breach report, Feb 2015)
“90% of all successful cyber-attacks rely on human vulnerability to succeed.” (Verizon 2015 Data Breach Investigations Report)
“65% of large firms detected a cyber security breach or attack in the last year.”
(UK Cyber security breaches survey May 2016)
“17% of UK businesses have had their staff attend some form of cyber training in the last 12 months”
(UK Cyber security breaches survey May 2016)
1 person can enable an attacker to compromise your systems and access your most valuable information.
Who are we?
Cyber Resilience best practice
Cyber Resilience is the ability for an organisation to resist, respond and recover from attacks that will impact the critical information they require to do business.
Why do security awareness programmes typically fail?
• Reliance on checking the box
• Lack of engaging and appropriate materials
• Reliance on a single training exercise
• Metrics are not collected
• Unreasonable expectations
• Failure to acknowledge that awareness is a unique discipline
Attitudes to awareness training
“How important is information security awareness training to minimising the risk of cyber security breaches at your organisation?” – 99% fairly or very important
“How important is minimising human error in managing the risk of cyber security breaches at your organisation?” – 98% fairly or very important
And yet when asked how many people within their organisation completed awareness training, only 52% said it was between 75%–100% of staff.
How effective is awareness learning?
When asked “How effective is your InfoSec awareness programme?”
• 42% Very effective
• 49% Fairly effective
• 7% Not at all effective
When asked “How effective is your InfoSec Awareness programme in changing behaviours?”
• 28% Very effective
• 55% Fairly effective
• 13% Not at all effective
Is your learning relevant?
When asked: “Overall, how confident are you that the information security awareness training your organisation provided to all staff is relevant to their day to day work?”
• 32% Very confident
• 62% Fairly confident
• 6% Not at all confident
When asked: “How effective is your awareness learning in ensuring compliance with required regulatory requirements only?”
• 37% said it was very effective
Awareness learning – delivery methods
• 80% E-learning
• 61% Face to face
• 43% Posters
• 26% Animations
• 14% Games
• Clear that the majority of respondents still rely on traditional E-learning.
• Is this an engaging, fun way to learn?
• ...Face to face and posters
• An effective and efficient control?
• Face to face in small organisations may be, but in both cases it can be challenging to measure the ongoing progress of the learner.
• Animations & Games
• 79% of respondents to a TalentLMS survey said that they would be more productive and motivated if their learning involved gamification.
• “Games have the power to teach, train and educate and are effective means for learning skills and attitudes that are not so easy to learn by rote memorization” (Michael & Chen, 2006)
AXELOS - GLOBAL BEST PRACTICE AXELOS INTERNAL USE ONLY
…in summary - some principles
Principle: On-going, regular learning
• Regular learning
• Short and concise
• Supporting updates and refreshers
Principle: Adaptive & personalised
• Suit individual learning preferences
• Content tailored to different skill levels
• Focus on the priority security issues
Principle: Measurable benefit
• Tracking changing behaviours over time
• Qualitative and quantitative metrics
• Demonstrate value of investment
Principle: Engaging, competitive and fun
• Different learning styles and formats
• Ability to learn inside and outside work
• Play to the competitive element of games
Summary and benefits
Questions and observations?
Nick Wilding, General Manager, Cyber Resilience
E: [email protected]
Phone: 07860 950108
www.CyberRescue.co.uk
Who should own the human element of cyber defence?
Vote options: Board, CEO, CFO, CIO, COO, HR Director
There was a strong consensus at the meeting that the CEO must own the human element of cyber defence, including prevention & response. All roles listed above share some responsibility, but the CEO has to define the “Command & Control” as well as the Culture that is key to Cyber Resilience.
Thank you
National & Organisational Strategies for Resilience to Cyber Attack
www.CyberRescue.co.uk
Kevin Duffey, Managing Director, 29th June 2016
For similar material, follow Cyber Rescue on LinkedIn here.