
BUSINESS AND CYBERSECURITY PART 2 Brian K. Payne, PhD Vice Provost Old Dominion University


Presentation Transcript


  1. BUSINESS AND CYBERSECURITY PART 2
     Brian K. Payne, PhD, Vice Provost, Old Dominion University

  2. Cybersecurity, Business, and Workplace Behaviors
     • Who is involved?
       • Customers
       • Workers
       • Leaders

  3. Cybersecurity and customers
     • Legal duty to protect customers
     • Ethical issues arise
       • Type of data collected from customers
       • Use of data
     • Legal duty to notify customers of breaches
     • Protecting data makes good business sense

  4. Cybersecurity and Customers
     • Things small businesses can do to serve customers (FCC):
       • Train employees about cybersecurity
       • Protect information, computers, and networks from attacks
       • Provide firewall security for your Internet connection
       • Create a mobile device action plan
       • Make back-up copies of important business data and information
       • Control physical access to your computers and create user accounts for each employee
       • Secure Wi-Fi networks
       • Employ best practices on payment cards
       • Limit employee access to data and information; limit authority to install software
       • Passwords and authentication

  5. Cybersecurity and Workers
     • Training
       • Insider error
       • “The problem is in the chair, not in the software”
       • Is training enough?
     • Inside offending
       • White-collar cybercrime

  6. Cybersecurity and Leaders
     • Ultimately, the security of an organization starts at the top of the organization.
     • Several cybersecurity leadership principles are relevant.

  7. Cybersecurity Leadership Principle #1: Communication is vital to effective cybersecurity.
     • Leaders must communicate:
       • Policies
       • Penalties
       • Enforcement
       • Connections between business and cybersecurity
       • The need for incident-based response planning

  8. Incident-based Response Planning
     • Stages:
       • Identify incident
       • Contain incident
       • Treat incident
       • Incident recovery
       • Post-incident review
       • Repeat as needed
       (Chris Moschovita, CYSE Program Development for Business, 2018)
     • Poor cybersecurity planning leads to:
       • Denial
       • Unstructured chain of command
       • Lack of foresight
     • Strengthening planning:
       • Secure participation from key stakeholders
       • Delineate roles
       • Table-top exercises
       • Communicate well
       (Wayne Lee and Keith Swait, 2018)

  9. Cybersecurity Leadership Principle #2: Opportunities for new businesses
     • List legal ways to make money in cybersecurity:
       • Create an app that rates software.
       • Yacht GPS software that is secure.
     • Video: https://www.youtube.com/watch?v=sgbRbYlojm8
     Photo: Austin Chan, Unsplash

  10. Cybersecurity Leadership Principle #3 – Law: If you fight the law, the law will win.
     • Depending on the business, authorities must be notified when a breach occurs
     • Failure to protect data may make companies liable to lawsuits
     • Failing to protect the civil liberties of consumers may place companies at risk
     • Types of laws:
       • Criminal
       • Civil
       • Regulatory
       • Administrative

  11. Cybersecurity Leadership Principle #2: Opportunities for new businesses

  12. Cybersecurity Leadership Principle #4: Lead by example.
     • Duo factor authentication
     • Participation in events
     • Walk the walk, talk the talk, and record the records safely
     • Clean desk policies start at the top
     Photo: Duane Storey, Unsplash

  13. Cybersecurity Leadership Principle #5: Awareness about risk matters.
     • Crime occurs in every setting, even in businesses.
     • The concept of white-collar crime is relevant.
     • Cybercrime occurs in all spaces, even in businesses.
     • “White-collar cybercrime” refers to cybercrimes occurring in a business.
     • To understand “white-collar cybercrime,” it may be best to consider the connections between white-collar crime and cybercrime.
     Photo: Lubo Minar, Unsplash

  14. Cybersecurity Leadership Principle #6: Balance security expenses with goals and profit
     • In 2020, it is estimated that companies will spend $101.6 billion on cybersecurity.
     • This is up from $73 billion in 2016.
     • Business lockdown is not good for business.
     • What risk are you willing to take?
     Photo: Rawpixel, Unsplash

  15. Cybersecurity Leadership Principle #7: Open door policies are bad…on the network.
     • Routine activities theory: crime is more likely when three things exist at the same time and in the same place:
       • Motivated offender
       • Vulnerable target
       • Absence of a capable guardian
     • Open doors might sound good some times, but they are rarely good in cyberspace.

  16. Cybersecurity Leadership Principle #8: Reward Cybersecurity Practices
     • Recognition
     • Monetary awards
     • Promotion
     • Job titles
     • Cabinet time

  17. Cybersecurity Leadership Principle #9: Ask your CISO these questions.
     • Are we in compliance?
     • Where are the biggest risks?
     • How effective are our training programs?
     • Are we spending enough on cybersecurity?
     • What hiring strategies do we need?
     • How will we respond during a breach?
     • What can the C-Suite do to enhance security?
     • What trends are we seeing?
     Photo: Kiana Bosman, Unsplash

  18. Kepto et al. Findings – Temporal and Geographic Trends
     • Hacks occur most between January and March
     • Top States: CA (242), NY (77), TX (76), FL (50)
     • Top Regions:

  19. Findings – Organizational Trends (continued)
     • Phishing most common in BSF, EDU, and GOV organizations
     • Malware most common in BSO and BSR organizations
     • Ransomware most common in MED organizations

  20. Cybersecurity Leadership Principle #10: Test your system to see if you can trust it.
     • Insiders are responsible for a large number of breaches.
       • Accidental
       • Intentional
     Photo: Bernard Hermant, Unsplash

  21. Temporal Key Findings
     • Insider breaches are reported most frequently in the month of January (Wiggins et al.).

  22. Cybersecurity Principle #11: Identify barriers to effective cybersecurity
     • Goal confusion
     • Norm confusion
     • Resources
     • Role confusion
     • Ignorance about dynamics
     • Lack of understanding about cyber technology
     • Legal constraints
     • Aggressive responses
     • Lack of training
     Photos: Tim Collins, Unsplash; Jad Limcaco, Unsplash

  23. Cybersecurity Leadership Principle #12: Overcome the barriers.
     • Knowledge
     • Attention to detail
     • Balancing risk and reward
     • Asking the right questions
     • Collaboration
     Photo: Marc Lopez, Unsplash

  24. Cybersecurity Leadership Principle #13: Need to make sure every employee is responsible for protecting computer systems and networks
     • Starts with hiring
     • Policies
     • Ongoing education/training
     • Rewards/sanctions
     • Culture
     • Adaptive policies
     Photo: John Calabrese, Unsplash

  25. Every employee is responsible -- Hiring
     • Screening questions
     • Checking applicants’ social media
       • 70% of employers check it
       • Can be an indication of whether individuals use safe computer practices
     • Reference checks
     • Initial training:
       • Password protection
       • Review company policy
       • Protect smartphones
     Photo: Rawpixel, Unsplash

  26. Every employee is responsible -- Policies
     • Policies don’t mean workers will follow them.
     • Help workers do what’s right.
     • Policies are the foundation of a company’s cybersecurity strategies.
     • Having cybersecurity policies is seen as a way for small businesses to recruit customers.
     • Policies should be:
       • Written
       • Clear
       • Communicated
       • Audited
       • Enforced
       (Cobb, no date)

  27. Every employee is responsible -- Ongoing education and training
     • Cybersecurity training tips:
       • Recognize that privacy begins with employees.
       • Stress the link between human error and cybersecurity.
       • Make the training relevant to the employee.
       • Make the training frequent.
       • Use active learning training strategies.
       • Re-evaluate training on an ongoing basis.
       • Mandate the training.
       (Penkala, 2017)
     Photo: Rawpixel, Unsplash

  28. Every employee is responsible -- Ongoing education and training
     • For some businesses, training is mandated.
     • Mandated does not equal good.
     • Quality of training will impact security.
     • One study found that nearly one-fifth of health care employees (n = 912) were willing to sell confidential information to unauthorized buyers (Schoew, 2018).
     • Training axiom – “If you hold a gun to a man's head, and he can do what you ask, then he doesn't need training.” -Gilbert
     • How does this quote relate to cybersecurity?

  29. Every employee is responsible -- Rewards/Sanctions
     • Stephen Cobb advises:
       1. Establish a policy, for example “You must use strong passwords”
       2. Tell all employees about the policy
       3. Reward those who follow the policy
       4. Punish those who don’t
     • Result = much better password protection than if you don’t do 1-4
     Photos: Ariel Besagar, Unsplash; Rawpixel, Unsplash

  30. Every employee is responsible -- Culture
     • Executives must create a culture that embraces cybersecurity.
     • Drucker – “culture eats strategy for breakfast.”
     • Culture refers to values and beliefs that are important to an organization.
     • Cybersecurity culture refers to values and beliefs that emphasize the importance of cybersecurity:
       • Executives talking about cybersecurity
       • Executives committing resources to cybersecurity
       • Ongoing public awareness campaigns about cybersecurity
     Photos: Tom Watkins, Unsplash; Lee Bernd, Unsplash; Ian Macharia, Unsplash; Andrew James, Unsplash; Mimi Thian, Unsplash

  31. Every employee is responsible -- Culture
     • Core Dimensions of Security Culture:
       • Behaviors: Actual or intended activities and risk-taking actions of employees that have direct or indirect impact on security culture
       • Attitudes: Employees’ feelings and emotions about the various activities that pertain to organizational security
       • Cognitions: Employees’ awareness, verifiable knowledge and beliefs regarding practices, activities and self-efficacy that are related to organizational security
       • Compliance: Adherence to organizational security policies, awareness of the existence of such policies and the ability to recall the substance of such policies
       • Communication: Ways employees communicate with each other, sense of belonging, support for security issues and incident reporting
       • Norms: Perceptions of what sort of security-related organizational conduct and practices are deemed normal by employees and their peers and what practices are informally perceived as deviant
       • Responsibilities: Awareness of the importance of every employee as a critical factor in sustaining or endangering the security of the organization
       (European Union Agency for Network and Information Security)

  32. Speaking of everyone being responsible:
     1. Communication
     2. Opportunities for new businesses
     3. Lead by example
     4. Law: if you fight it, you will lose
     5. Awareness about risk
     6. Balance safety and profit
     7. Open door policies on the network are bad
     8. Reward cybersecurity practices
     9. Ask your CISO questions
     10. Test your system to see if you can trust it
     11. Identify barriers to cybersecurity
     12. Overcome the barriers
     13. Need to make sure everyone is accountable
