Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014
Overview of this presentation
- International & local public & private entities that have had incidents. Examples of cybersecurity breaches: Act now!
- A brief overview of legislation you should be familiar with. Legislation to consider: Consequences if you don’t!
- Preparing for a cybersecurity breach
- A breach has happened: first steps & considerations
- Sharing information in your industry: strength in numbers
- After the cybersecurity breach: fixing and fighting back
- A cybersecurity breach game-plan: Mitigating risk!
Breaches: It happened to them, it will happen to you!
- Estimated annual cost of cybercrime to the global economy – US$400 million – McAfee, June 2014
- Estimated value of cybercrime in SA – 0.14% of GDP – McAfee, June 2014
- Sony Corporation PlayStation breach – US$171 million so far, 12% off share price – Booz & Co, 2014
- Target breach – US$148 million in costs, CEO resignation – Forbes, September 2014
- South African Police Service website – cost unknown, major reputational damage
- Payment Association of South Africa, card hack – cost unknown, major reputational damage
Why bother with cybersecurity… surely it’s something for the geeky IT guys to deal with?
- MFM Act
- Companies Act
- POPI Act
- ECT Act
- RIC Act
- King III Report
- South Africa Connect: The National Broadband Policy
- The National Integrated ICT Policy Green Paper
- The White Papers on Transforming Public Service Delivery
- The Minimum Information Standards Policy
- The Minimum Interoperability Standards Policy
- Free and Open Source Software Policy
Organisation leaders: it’s no longer just the IT guys’ problem, it’s your responsibility!
Condition 7: Security safeguards – Part 1
A basic guideline for cybersecurity: condition 7 of POPI
A responsible party must secure the integrity of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent:
- loss of, damage to or unauthorised destruction of personal information; and
- unlawful access to or processing of personal information.
Condition 7: Security safeguards – Part 2
Chapter 3: Conditions for lawful processing of personal information
A responsible party must take reasonable measures to:
- identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
- establish and maintain appropriate safeguards against the risks identified;
- regularly verify that the safeguards are effectively implemented; and
- ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
Condition 7: Security safeguards – Part 3
Chapter 3: Conditions for lawful processing of personal information
Where the responsible party appoints an operator:
- This must be under proper authority and respect confidentiality;
- It must be governed by a contract which enforces confidentiality and security.
Where security breaches occur, the data subject and the Regulator must be notified.
Preparing for a cybersecurity breach
- Categorise data & define access
- Use smart network design
- Protect super-sensitive data
- Audit and test your network
- Be aware of your network & data and implement protection procedures
- Cybersecurity breach management plans
- Get consents to use of your network
- Have best practice policies & procedures
- Supply chain matters
- Client and customer matters
- Be aware of and evaluate cyber threats
- Be aware of cybersecurity risks of business relations
A breach has happened! First steps and considerations
- Directors, lawyers, IT and PR
- Internal processes & governance after the breach
- Considerations whilst conducting an investigation
- Conduct an extensive internal investigation
- Statutory reporting obligations
- Contractual reporting obligations
- Shareholder / stakeholder reporting obligations
- Should all breaches be investigated? Investigation thresholds & reporting
Sharing information in your industry: strength in numbers
- Why sharing may be good
- Competition law considerations
After the cybersecurity breach: fixing and fighting back
- Effective breach response methods
- Exercising patience may help
- Don’t overreact or break the law – liability concerns
Practical tips & recommendations
- Read the legislation. Consider POPI’s Condition 7 as a minimum.
- Do your operations warrant information security awareness training for staff?
- Put procedures in place to limit who can access certain information on your organisation's computer system.
- Ensure that laptops and other mobile devices have passwords and similar security and are preferably encrypted.
- Attend to the physical security of the premises where you store sensitive information.
- Put proper contracts in place that compel your service providers to give you assurances that they will comply with some sort of cybersecurity standard.
- Consider whether securing cyber insurance is necessary. Your current "generic" insurance is not likely to provide cover.
- Have a technical and legal information/cyber security gap analysis done… it will make shareholders or the Auditor-General happy!
- Develop a comprehensive strategy, but consider these now.