RCR 009: Risk Management Mitigation - CISSP Study and Training!

Description:  

Shon Gerber from ShonGerber.com reveals to you the steps each week the information you need to best protect your business and reduce your company’s cyber risk. Shon provides cybersecurity for business training and how you can begin to address the cyber risk for your daily business.

In this episode (Part 6), Shon will talk about what you need to to do mitigate the risk for your business and some options that you can put in place immediately.

Transcript:

Welcome to the reduce cyber risk podcast where we give you the tools you need to meet your regulatory requirements while helping keep the evil hacker hoarded Bay hi my name is Sean Gerber and I'm your host for this action packed and forwarded podcast join me each week is I provide the information you need to best protect your business and reduce your company cyber risk okay I miss episode we're going to talk about the mitigation piece of cyber risk management and retirement how you manage I'm going to get your specific cyber risk now one thing to keep in mind is no amount of money you're going to spend is going to get you to a zero point unless you basically unplug don't connect to the internet any of your networks connect or talk together so bottom line is that you will never get there unless you do some of the drastic measures which I don't recommend this cyber security companies will tell you though in many cases protect you the best what they provide you if implemented will dramatically reduce your however at the end of the day they can only do so much and much of what can affect your company is how you minimize that risk specifically okay so if you focus on the doing the basics the blocking and tackling pieces of this you can drop dramatically reduce your risk and using those vendors provided tools it'll work as well so something to keep in mind no matter what he's ever going to get you where you want to go that the blocking and tackling we talk about is the the patching the provisioning reasoning of your accounts and your access controls an example is in the Air Force who take advantage of accounts that had numerous people in these accounts what would happen if we'd had bills bill and Bill had access to basically this one account and he would have a group that be multiple people in this group will be getting to that group and then we will expand what's the same thing if people have access to multiple accounts and multiple groups then there for the access to these systems can increase so that's why it's important for you to understand you're going to mitigate this stuff you need to do the blocking and tackling first you can do to mitigate the risk is cyber insurance I have all the episodes that will talk about and other trainings about this but at the end of the day cyber Risk insurance or cyber Insurance can be away for you to transfer some of this risk to an insurance company Now is it going to fix you all the time no is is there things in that you can pay attention to yes you need to definitely understand the exemptions and the terms of each policy because they can bite you recent incident and I want to say Virginia where the bank of Blacksburg had a situation where they got hacked and about two and a half million dollars well they didn't totally understand their insurance policy and what's happening now is the insurance company saying we're not going to cover that so it also may require you the creation of various processes and procedures I eat instant respond reach notification so on and so forth so there's other things that you're going to have to think about when you create these products or when you go get these Insurance products and then again I'll have another area about cyber insurance and that'll be the separate training that all put out later but again you're going to have a business you need to have some level I in my recommendation some level of cyber Risk insurance type activity where you have specific questions that you asked and based on those questions what kind of have to go down and different ladders I'm going well then there's this section then there's a section so these different audit you can do and you will provide some guidance around what your network looks like and so these assessments are quite valuable especially most have some level of an assessment of security assessment assessment where you got people scanning your system or if you got just a document that you're walking through there is possible regulatory requirements of cheetah considered rars does the FDIC require something is there Insurance requirement again those are where is it you need to understand penetration test a penetration test is a very narrow Target approach and it means if you're just looking specifically I'd like a web server which is basically your page of the internet penetration test me Focus specifically on that web server or if there's a firewall that is access to the internet which allows your people that are within your network access to the internet penetration test me Focus specifically on that firewall to see if they can break through it the goal is that they come in and hit a system and a pivot they try to roll back into it impossible regulatory requirements fall in this line as well you may be required to do a penetration test based on your business and your business model there's a pink or red team activities that's what I used to do in a different life and the red team at teams are really really cool it's awesome we got to do what we got to basically emulate the adversary first movie with hack into a system steel mini credentials we could but in today's world everything is digitized on the network you can get almost 95% or more of that information that you really want through the network extended directions are we would go for weeks and months at a time as we're trying to get into a system I'm also a firm believer in the fact that you tell me I can't break in a hacker will find a way it's just a matter of time now I'm a take them months to get in but play get in can you find them we got to decide are you willing to accept the risks to so when you're dealing with mitigation pieces of this I'm just so you know what I'm willing to accept that risk I know how to I know the risks to my company but bottom line is I don't want to spend the money or I don't have the people train so I'm not going to worry about it I'm just going to accept that for my company be careful what you do that makes you have all the information at your fingertips and you Norwell so often they a leader within an organization will come in and say yeah I'm accepting that wrist that risk is I figured it out but then they don't totally understand the overall picture and they're accepting risk when in reality they probably shouldn't be accepting that risk or they should at least put other mechanisms in place to transfer that risk I insurance policies and so forth so this lesson we kind of talked about this episode how to manage and mitigate your cyber risk we talked about cyber insurance will be more to come around that again focusing specifically on exemptions and will how much Insurance do you really want to buy testing options your vulnerability testing red team testing and then determining how much of the wrist do you really want to accept you want to basically go I'm good I'm a put my head in the sand I don't care or you may decide to go you know what I'm going to mitigate some of that with insurance I'm also going to put some of security practices in place but there's also a piece right here I'm just going to go ahead and accept that risk you like what you heard check us out of can get us at debordieu cyber-risk or you can check me out at Sean Gerber at YouTube we would get stuff out there or reduce cyber risk.com you check me out on that as well alright thanks