RCR 008: Risk Management Profile - CISSP Study and Training!

Description:  

Shon Gerber from ShonGerber.com reveals to you the steps each week the information you need to best protect your business and reduce your company’s cyber risk. Shon provides cybersecurity for business training and how you can begin to address the cyber risk for your daily business.

In this episode (Part 7), Shon will talk about what you need to profile the risk for your business and some possible options that you can put in place immediately.

Transcript:

Welcome to the reduce cyber risk podcast or we give you the tools you need to meet your regulatory requirements while helping keep the evil hacker hoarded Bay hi my name is Sean Gerber and I'm your host for this action packed and forwarded podcast join me each week cuz I provide the information you need to best protect your business and reduce your company's cyber risk in a case of this it would be like if you have him put a collaboration across your business so if you've got your HR people your it people if you have a manufacturing facility operations people and it doesn't matter for the big manufacturing small manufacturing if you have something like that and if it comes into your business of your financial institution do you have your tellers are they connected with all of this or is your HR connected with it sedation you need to have everybody involved it's not just an IT problem or snot just an operations problem it's the whole businesses challenge do you need two people the best knowledge with the right on your meetings and this is critical when you're planning your path forward and what you should do because it's really hard to do you make these great plan and have these good ideas but at the end of the day if you want the right people in the room to talk about it and forget best knowledge it doesn't matter right so you'll see all of us in a vacuum and then you think you got the right plan from a cyber risk perspective but you've left out something in regards to finances so I'll give you an example institution and you know that you do you pass your your finances your EDI finances are passed through Swift or something like that they're done through electronic gate exchange if you don't have the people in the room that know that system and understand that system and you think you're putting in a successful program to protect it but yet you know the key people to tell you that you know what we have two people that have to say before any money is transferred we have to have these two people have to agree will you think that you know what is only one person but in reality there's two people involved technology but do they really have the ability to make the decisions around so you say for example yet your cybersecurity I'll use me for an examples it is a security officer the decision rights to make changes in our organization there's some things that I can know can't do it he says I'm an influencer trying to get the people that had the decision rights the Ops leaders the CFO the CEO to make the changes to agree to make the change because they have the ultimate decision rights to make those changes so you got to make sure you know who these people are and don't make assumptions whatever you don't make assumptions because you may think that person has a decision to make this change but all the sudden this is a company-wide thing that you have to put into place security program well if you don't have the boss involved in this decision making to see if one of the vice-president's potentially you're just wasting your time decisions and you need to review this plant annually okay so it's like anything else the moment you created it and you put it on paper and you say homework doing it it automatically be has a shelf life and it starts to become stale you have to continue to do this you have to continue to look at it and that's what I care and feeding really comes into play as you're dealing with these and I don't go back real quick on that slide you really need to ask yourself what keeps you up at night so if if you ever asked when I was in the military and ask General is it what keeps you up at night while I'm worried about this system being hacked and all the information going off to North Korea and in so that's really what this person was worried about was so then you got that changes your Dynamic on how you're going to protect because if the if it's his situation he goes bad finances are bad but at the end of the day military weapons information is extremely important to me more important than the hrr financial data so where you going to protect your going to protect what's important to him or her on a yearly basis identify the data what's the most valuable data to you now with most valuable to the HR or to finance person may be very different than what most valuable to the operations person so you need to figure out have all these people are rude to figure out what is the most important data to your organization and when I recommended you put together like a risk register and it register that set up specifically what is the one key things that are in your organization and what is the highest risk around the I'll have another couple trainings and we'll go on the in a future on these but bottom line is from a wrist standpoint you need a document what is the most important data and the most important systems to your organization right so some may only have personally identifiable information if you are a company deal with credit card information you have very specific data and that specific data is relevant to your business well that is what is your most important data is that credit card information and the and the people that have entrusted you with their personal information that pii any equipment or anything it was all about the data so when they got breached that was the most important data was the most important information that they had about the organization so you need to understand what you may have multiple things you may have personally identifiable information property you may have Lowe's pieces in part you really have to decide but then as you get this all broken down you got to break to the brass tacks of going what is the most important thing work on securing that and then work your way down from there again identifying the date I didn't have to identify it takes time don't rush it don't get in the mood I have something and you can do that if you know you have some barbering things that you have to address immediately but the other day you need to take the methodical approach to identify what data is most critical to you if you really want to truly protect your business and your business is data you define your data so you getting your Divine is it Electro property in the vital records is it health records what is it that's the most specific piece about your information and where you can focus on is week is the CIA confidentiality Integrity availability of those are some key points that we talked about in the cybersecurity space it will start with no mercy with numbers how is it protected is it protected in the fact that if you something would have happened to it like say for instance you have your secret sauce your 11 herbs and spices is that protected that if that got out and somebody got a hold of it is it still protected is it wrapped in is a little protective mechanism or is it raw data where somebody got it that's the end of the day so that's your confidentiality are you protecting the information from a confidential standpoint the middle can go ahead and intercepted and then mate modify it and then send it that's Integrity is the data and fully protected okay what are the protections on the data is the data encrypted is a tunnel encrypted the data before goes through the encrypted tunnel in Cryptid so what is the Integrity of the data and the datastream availability what's the role based authentication is it is it says location where you only people within China can access the data within China which is going to be part of the Chinese Cyber Law or potentially you want to keep that stuff localized what you going to get more more more countries going to want that again available is it taken out by a stray backhoe is it available to your users integrity and availability so I questionnaire what will help you determine what is the critical data and you can do that very simple questionnaire or through very large question I highly recommend you start off start small forgot what you know but Define what is that data that you best know it and then build a questionnaire it not 20 or 30 thousand questions but maybe like maybe 10 to 15 questions to help you narrow down what is the important to you and your business just develop a critical data inventory got a call that a risk register Pace pieces of information and you may have you may have to get this from other places but the bottom line is your critical data and your critical systems so what of your data are the 11 herbs and spices or your system that houses that critical data you have that you keep it on the spreadsheet or you having a specific system that stores all of this data together will be your critical data inventory okay fight systems is very specific and is very Define and that was a critical component of that system to protect him you have Technologies outside your business so are you looking at the cloud are you going to store your secrets in the cloud a good example of that is the military is not decided to storm any of the secrets they have in the Amazon Cloud will they wouldn't just go willy-nilly go and do that they have a process by which they're going to ensure that is protected and then you have controls in place of technology in place a firewall do you have role-based access control multi-factor authentication you have things in place to limit what people can get to soak and that's how you identify your data when you start working your way out from there the threats and vulnerabilities against the day that you need to consider that is it consistent across the industry financial manufacturing their very different so are the threats the same or are they different if you own a bank I put your friend of mine does if you own that bank on that chain of bank is your threat different than what I was in the military flying B1 bombers then they are today even time has changed if you're in the manufacturing space you manufacture widgets of some kind is your interlock intellectual property important it could be it may not be it may be one of those things where the electro property just a quick moment in time once it hits the net the the world then no longer is as as important as it was when you first develop the product you know the the write the iPhone when it first came out the electrical property behind that was just a huge now they still have IP as it goes on as they're having new versions but at the end of the day the old iPhone is still out there and it's been copied modified many things done to it so that's where you have to kind of way what is most important when it first came out the brand new iPhone was the was everything but now the iPhone 10 some pieces of it probably our butts much of it may not be as important as the new 10 and Beyond senior business sector geographic location an airliner are you in Ukraine right now texting how did the whole Space is change you I have a friend that went now to go take care of artificial intelligence to fight with with the one of the major Air Aviation competitors or Aviation companies and he's going to be studying that's just bleeding edge right is that a different threat than what I work on just just say in the manufacturing of a widget for an airplane here in Wichita Kansas maybe maybe not epic location what is your data for your competitor all those things have to be considered and also other things to think about is your running regularly review the business threats and vulnerabilities in excess assess your likelihood on how you're going to get hacked in if you're going to get hacked there's a vast resources available to FBI other organizations throughout the global provide that information for you recently just came out the FBI in the United States warning that there's going to be cybercriminals trying to hack into Banks and use the ATMs to basically in a coordinated effort to steal cash out of ATM I'm not the baking industry so I'm not as worried about that but my buddy who is the banking industry is worried about that it just depends on the situation I'll locations from threats FBI's infragard you got USC National vulnerability database and other paid companies out there crowdstrike many others that will go and provide you the intelligence you need to protect your business there free services and paid Services you just have to decide what is the most important for you ask yourself this valuable information around the question what's the value of your information what if it's made public what does that do to my business what are the competitors requires this information how does that affect my business. Take the highest place value and risk rank order these things you may not competitors may not be a big deal some people it is a big deal if your bank are you worried about the bank across the street the most cases no not really they have a lot of competition in the fact that was established to try to get people but once they have their their core group of people stick with them so that's different then let's just say in the aviation world stealing you can ask me an option for develop a process to mitigate or accept the risk you got to ask yourself as a company do I want except this risk or do I want to go ahead and try to put a mitigation in place you make it to the point where to spend so much money to mitigate the risk it's not worth it I'm just going to accept it so those are the things you got to walk through what you're going through this management okay so we talked about in this episode is you risk management and how you have to identify the date place that you know where it lives what is it and why you restricted the way you did y'all see her say the threats and vulnerabilities vulnerabilities against the data and what could potentially be the likelihood of why you might get attacked and then the last thing is with this could very well be just it's a reputation about you you're all those things into the play as you're going through this whole process hope you enjoyed it and we'll move on next