SlideShare a Scribd company logo

Don't panic - cyber security for the faint hearted

IRIS, profile picture
IRIS

This document discusses security issues related to data protection and retention. It addresses three main topics: 1) Appropriate security measures should be proportionate to risk and include access controls, data protection, and a security policy. 2) Common security threats include network intrusions, malware, and ransomware attacks. Basic mitigation techniques include firewalls, antivirus software, training, and multifactor authentication. 3) When a security breach occurs, organizations should contain the issue, assess ongoing risks, notify relevant parties, and evaluate responses to prevent future incidents. Regular reviews of data retention and processing practices are also important to comply with privacy regulations.

Economy & Finance
1 of 24
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
David Watson Managing Director Hosted Accountants Ltd
Three Topics How secure is your system? What are you storing and for how long? What to do when things go wrong?
What is Appropriate Security? • An appropriate measure is one that is proportionate to the risks it safeguards against. You can take into account the state of technological development and the cost of implementing the measure. • Regulation 5(1A) says these measures must at least: • “(a) ensure that personal data can be accessed only by authorised personnel for legally authorised purposes; • (b) protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure; and • (c) ensure the implementation of a security policy with respect to the processing of personal data.”
Don't panic - cyber security for the faint hearted
What are the Threats? 545,000 Network Intrusion Attempts per minute 140,000 Malware Programs blocked per minute 170,000 Malicious website blocked per minute 310,000 Botnet attacks blocked 312 Zero Day exploits blocked
Don't panic - cyber security for the faint hearted
Don't panic - cyber security for the faint hearted
In Real Life Deloitte – Email Hack Sept 2017 ICAEW – Firms at High Risk FCA – 24 Attacks in 2015, 38 in 2016, 69 in 2017 National Cyber Security Centre 1100 Reported Attacks, 590 Significant, 30 Requiring Action from Government bodies, 10 Significant attacks each week. 4000 ransomware attacks a day 2016
Mitigation • Can’t stop it happening • Firewalls • Anti Virus • Training • Office 365 • Dual Factor
GDPR Retention and Processing • Give Data Proper Respect • What are you storing and what are you processing? • What best practice “Privacy Policy” looks like
How long should I keep data? • This is the fifth data protection principle. In practice, it means that you will need to: • review the length of time you keep personal data; • consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it; • securely delete information that is no longer needed for this purpose or these purposes; and • update, archive or securely delete information if it goes out of date.
What data do you actually have? Data Retention Period Legitimate Reason Physical Files 7 Years Business Reason Client Correspondence 7 Years Business Reasons Payroll Data 7 Years Business Reasons Permanent Files ? ? Email ? ? Backups ? ? Archive Storage ? ? ICloud ? ? Dropbox ? ?
What should you be collecting? • In practice, the second data protection principle means that you must: • Be clear from the outset about why you are collecting personal data and what you intend to do with it; • Comply with the Act’s fair processing requirements – including the duty to give privacy notices to individuals when collecting their personal data; • Ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.
Summary Retention and Processing • Collect the minimum you need to do your job • Don’t use data for other purposes • Tell clients as soon as you can what you are collecting and why • Deal with the legacy of data that you have physical and electronic • Only keep what you need and or have consent for
The Anatomy of a Hack On Average 99 Days before detected 3,301,824,415 Usernames and Passwords stolen in 2016 Costs of Data breaches is increasing up 29% from 2013 Short Term / Long Term Impacts
Phase 1. The break in • Phishing Emails • Password Laziness • Password spraying • Ignored software updates • Software Vulnerability • Theft • Merging Networks • Malware • Server Misconfigurations • Watering holes • Blagging
Phase 2. The inside man • Starts with a network scan • Then target • Employees with Higher Access than they need • Out of Date systems • Companies with no security procedures • 24 – 48 Hours to full control • User accounts with Admin • Software running under Admin Account • Same Account used across the firm • Local accounts setup to solve a problem then not removed
Phase 3. The Long Con • Assume Breach • Sudden Download of terabytes of Data • Large numbers of files being moved • Simultaneous logins from different IPs • Multiple Failed login attempts • Backdoor • Smash and Grab • Living off the land • Advanced Persistent Threat
It is going to happen, what are you going to do? • There are four important elements to any breach plan • Containment and Recovery • Assessment of ongoing risk • Notification of Breach • Evaluation and Response
Containment & Recovery Who is going to take the lead? Who needs to be made aware? What might need to be done? How do you recover? How do you limit the damage?
Assessment of ongoing Risk What Data is involved? Are their protections in place? What has happened to the data stolen / lost? Who are the individuals whose data has been breached?
Notification Notification should have a clear purpose Are their legal or contractual arrangements? Notification should be appropriate Consider the dangers of over notifying Notify the appropriate regulatory body
Evaluation and Response Build a team of technical and non technical peopleBuild Identify your weak pointsIdentify Discuss “What If “ scenariosDiscuss Develop a plan for dealing with Security IncidentsDevelop
Questions? David Watson Managing Director Hosted Accountants

More Related Content

PPTX
Implementing A User Activity & Behavior Monitoring Program
Veriato
 
PPTX
GDPR Part 2: Quest Relevance
Adrian Dumitrescu
 
PPTX
Insider Threat Final Powerpoint Prezi
Kashif Semple
 
PDF
Cybersecurity Update
Shawn Tuma
 
PPTX
Edgescan 2021 Vulnerability Stats Report
Eoin Keary
 
PPTX
GDPR | Cyber security process resilience
Rishi Kant
 
PPTX
Data protection within development
owaspsuffolk
 
PPTX
Introduction to Cyber Forensics Module 1
Anpumathews
 
Implementing A User Activity & Behavior Monitoring Program
Veriato
 
GDPR Part 2: Quest Relevance
Adrian Dumitrescu
 
Insider Threat Final Powerpoint Prezi
Kashif Semple
 
Cybersecurity Update
Shawn Tuma
 
Edgescan 2021 Vulnerability Stats Report
Eoin Keary
 
GDPR | Cyber security process resilience
Rishi Kant
 
Data protection within development
owaspsuffolk
 
Introduction to Cyber Forensics Module 1
Anpumathews
 

What's hot (20)

PDF
The Hacking Team Hack: Lessons Learned for Enterprise Security
Stephen Cobb
 
PDF
Webinar - Cyber Hygiene: Stay Clean at Work and at Home
WPICPE
 
PDF
CISSP-WEB
MEHMET FATIH YALDIZ
 
PPTX
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
centralohioissa
 
PPTX
Data security
AbdulBasit938
 
PDF
Slide Deck CISSP Class Session 2
FRSecure
 
PPTX
Cybercrime and the Hidden Perils of Patient Data
Stephen Cobb
 
PDF
lexmark-secure-content-monitor_fed-gov_solution-sheet_final-1-
Amy Bussema
 
PPT
Security is a Culture GB v 9
Garry Bolland
 
PDF
Internal Threats: The New Sources of Attack
Mekhi Da ‘Quay Daniels
 
PPT
Data Classification And Loss Prevention
Nicholas Davis
 
PPT
Lecture Data Classification And Data Loss Prevention
Nicholas Davis
 
PDF
Cybersecurity
nado-web
 
PDF
IANS Forum Charlotte: Operationalizing Big Data Security [Tech Spotlight]
Interset
 
PPSX
The myth of secure computing; management information system; MIS
Saazan Shrestha
 
PDF
E Fraud And Predictive Forensic Profiling Reducing Losses By Combining Sci...
Stefano Maria De' Rossi
 
PPTX
Network Security of Data Protection
UthsoNandy
 
PPTX
Data security
Tapan Khilar
 
PDF
How to keep printing processes GDPR compliant
Xenith Document Systems Ltd
 
PPTX
Cybersecurity Training for Nonprofits
Community IT Innovators
 
The Hacking Team Hack: Lessons Learned for Enterprise Security
Stephen Cobb
 
Webinar - Cyber Hygiene: Stay Clean at Work and at Home
WPICPE
 
CISSP-WEB
MEHMET FATIH YALDIZ
 
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
centralohioissa
 
Data security
AbdulBasit938
 
Slide Deck CISSP Class Session 2
FRSecure
 
Cybercrime and the Hidden Perils of Patient Data
Stephen Cobb
 
lexmark-secure-content-monitor_fed-gov_solution-sheet_final-1-
Amy Bussema
 
Security is a Culture GB v 9
Garry Bolland
 
Internal Threats: The New Sources of Attack
Mekhi Da ‘Quay Daniels
 
Data Classification And Loss Prevention
Nicholas Davis
 
Lecture Data Classification And Data Loss Prevention
Nicholas Davis
 
Cybersecurity
nado-web
 
IANS Forum Charlotte: Operationalizing Big Data Security [Tech Spotlight]
Interset
 
The myth of secure computing; management information system; MIS
Saazan Shrestha
 
E Fraud And Predictive Forensic Profiling Reducing Losses By Combining Sci...
Stefano Maria De' Rossi
 
Network Security of Data Protection
UthsoNandy
 
Data security
Tapan Khilar
 
How to keep printing processes GDPR compliant
Xenith Document Systems Ltd
 
Cybersecurity Training for Nonprofits
Community IT Innovators
 
Ad

Similar to Don't panic - cyber security for the faint hearted (20)

PPTX
Are You Prepared For a Data Breach
Brian Heidelberger
 
PPTX
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
TechSoup Canada
 
PPTX
A breach demands immediate, calculated response
Home
 
PDF
2014 ota databreach3
Meg Weber
 
PPTX
Top Cybersecurity Challenges Facing Your Business
Nicholas Davis
 
PPTX
Webinar - Compliance with the Microsoft Cloud- 2017-04-19
TechSoup
 
PPTX
Chapter_5_Security_CC.pptx
LokNathRegmi1
 
PPTX
Security Management in Cloud Computing by Shivani Gogia - Aravali College of ...
acemindia
 
PPTX
Tsc2021 cyber-issues
Ernest Staats
 
PPTX
Multi-faceted Cyber Security v1
Asad Zaman
 
PPTX
nerfslides.pptx
ssusera5ade5
 
PDF
Flash Friday: Data Quality & GDPR
Precisely
 
PDF
Anatomy Of A Breach: The Good, The Bad & The Ugly
Resilient Systems
 
PPTX
Introduction to Information security ppt
krishkiran2408
 
PPTX
Introduction to Information security ppt
krishkiran2408
 
PPT
Lecture data classification_and_data_loss_prevention
Nicholas Davis
 
PPTX
Ease out the GDPR adoption with ManageEngine
ManageEngine
 
PDF
1. Security and Risk Management
Sam Bowne
 
PPTX
Security Architecture
Priyank Hada
 
PPTX
SECURITY AND CONTROL
shinydey
 
Are You Prepared For a Data Breach
Brian Heidelberger
 
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
TechSoup Canada
 
A breach demands immediate, calculated response
Home
 
2014 ota databreach3
Meg Weber
 
Top Cybersecurity Challenges Facing Your Business
Nicholas Davis
 
Webinar - Compliance with the Microsoft Cloud- 2017-04-19
TechSoup
 
Chapter_5_Security_CC.pptx
LokNathRegmi1
 
Security Management in Cloud Computing by Shivani Gogia - Aravali College of ...
acemindia
 
Tsc2021 cyber-issues
Ernest Staats
 
Multi-faceted Cyber Security v1
Asad Zaman
 
nerfslides.pptx
ssusera5ade5
 
Flash Friday: Data Quality & GDPR
Precisely
 
Anatomy Of A Breach: The Good, The Bad & The Ugly
Resilient Systems
 
Introduction to Information security ppt
krishkiran2408
 
Introduction to Information security ppt
krishkiran2408
 
Lecture data classification_and_data_loss_prevention
Nicholas Davis
 
Ease out the GDPR adoption with ManageEngine
ManageEngine
 
1. Security and Risk Management
Sam Bowne
 
Security Architecture
Priyank Hada
 
SECURITY AND CONTROL
shinydey
 
Ad

More from IRIS (10)

PPTX
IRIS World 2018 - Keynote 3 - Thrive in the Digital Economy
IRIS
 
PPTX
IRIS World 2018 - Keynote 4 - Thrive in the Digital Economy
IRIS
 
PPTX
IRIS World 2018 - Keynote 2 - Thrive in the Digital Economy
IRIS
 
PPTX
IRIS World 2018 - Keynote - Thrive in the Digital Economy
IRIS
 
PPTX
HMRC
IRIS
 
PDF
Software impact of gdpr
IRIS
 
PDF
Opportunity or burden
IRIS
 
PDF
Happy clients happy compliance
IRIS
 
PDF
Game changing legislation
IRIS
 
PDF
Whos role is it anyway
IRIS
 
IRIS World 2018 - Keynote 3 - Thrive in the Digital Economy
IRIS
 
IRIS World 2018 - Keynote 4 - Thrive in the Digital Economy
IRIS
 
IRIS World 2018 - Keynote 2 - Thrive in the Digital Economy
IRIS
 
IRIS World 2018 - Keynote - Thrive in the Digital Economy
IRIS
 
HMRC
IRIS
 
Software impact of gdpr
IRIS
 
Opportunity or burden
IRIS
 
Happy clients happy compliance
IRIS
 
Game changing legislation
IRIS
 
Whos role is it anyway
IRIS
 

Recently uploaded (20)

PPTX
Session 14-16. Capital Structure Theories.pptx
2023mb21003
 
PPTX
Session 11-13. Working Capital Management and Cash Budget.pptx
2023mb21003
 
PPTX
EABDM Slides for Indifference curve.pptx
deeksha8770
 
PDF
Mathematical Economics 23lec03slides.pdf
drmabdelnaby2060
 
PDF
Why Ignoring Passive Income for Retirees Could Cost You Big.pdf
Enterprise world
 
PPTX
Who’s winning the race to be the world’s first trillionaire.pptx
ManiRamesh15
 
PDF
discourse-2025-02-building-a-trillion-dollar-dream.pdf
Shujjat Ahmed
 
PDF
Predicting Customer Bankruptcy Using Machine Learning Algorithm research pape...
Razan Shahwan
 
PPTX
social-studies-subject-for-high-school-globalization.pptx
villanuevajoealfred
 
PDF
Understanding University Research Expenditures (1)_compressed.pdf
Innovosource
 
PPTX
Basic Concepts of Economics.pvhjkl;vbjkl;ptx
rboivakhriya
 
PPTX
Introduction to Essence of Indian traditional knowledge.pptx
souravpoddarhith
 
PDF
ECONOMICS AND ENTREPRENEURS LESSONSS AND
ClarenceKennethCasta2
 
DOCX
marketing plan Elkhabiry............docx
ramadanantar44
 
PDF
final_dropping_the_baton_-_how_america_is_failing_to_use_russia_sanctions_and...
AnastosiyaGurin1
 
PDF
Bitcoin Layer August 2025: Power Laws of Bitcoin: The Core and Bubbles
Stephen Perrenod
 
PDF
Spending, Allocation Choices, and Aging THROUGH Retirement. Are all of these ...
Better Financial Education
 
PPTX
fastest_growing_sectors_in_india_2025.pptx
Grip Invest
 
PPTX
Session 3. Time Value of Money.pptx_finance
2023mb21003
 
PDF
financing insitute rbi nabard adb imf world bank insurance and credit gurantee
robertclive1690
 
Session 14-16. Capital Structure Theories.pptx
2023mb21003
 
Session 11-13. Working Capital Management and Cash Budget.pptx
2023mb21003
 
EABDM Slides for Indifference curve.pptx
deeksha8770
 
Mathematical Economics 23lec03slides.pdf
drmabdelnaby2060
 
Why Ignoring Passive Income for Retirees Could Cost You Big.pdf
Enterprise world
 
Who’s winning the race to be the world’s first trillionaire.pptx
ManiRamesh15
 
discourse-2025-02-building-a-trillion-dollar-dream.pdf
Shujjat Ahmed
 
Predicting Customer Bankruptcy Using Machine Learning Algorithm research pape...
Razan Shahwan
 
social-studies-subject-for-high-school-globalization.pptx
villanuevajoealfred
 
Understanding University Research Expenditures (1)_compressed.pdf
Innovosource
 
Basic Concepts of Economics.pvhjkl;vbjkl;ptx
rboivakhriya
 
Introduction to Essence of Indian traditional knowledge.pptx
souravpoddarhith
 
ECONOMICS AND ENTREPRENEURS LESSONSS AND
ClarenceKennethCasta2
 
marketing plan Elkhabiry............docx
ramadanantar44
 
final_dropping_the_baton_-_how_america_is_failing_to_use_russia_sanctions_and...
AnastosiyaGurin1
 
Bitcoin Layer August 2025: Power Laws of Bitcoin: The Core and Bubbles
Stephen Perrenod
 
Spending, Allocation Choices, and Aging THROUGH Retirement. Are all of these ...
Better Financial Education
 
fastest_growing_sectors_in_india_2025.pptx
Grip Invest
 
Session 3. Time Value of Money.pptx_finance
2023mb21003
 
financing insitute rbi nabard adb imf world bank insurance and credit gurantee
robertclive1690
 

Don't panic - cyber security for the faint hearted

  • 2. Three Topics How secure is your system? What are you storing and for how long? What to do when things go wrong?
  • 3. What is Appropriate Security? • An appropriate measure is one that is proportionate to the risks it safeguards against. You can take into account the state of technological development and the cost of implementing the measure. • Regulation 5(1A) says these measures must at least: • “(a) ensure that personal data can be accessed only by authorised personnel for legally authorised purposes; • (b) protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure; and • (c) ensure the implementation of a security policy with respect to the processing of personal data.”
  • 5. What are the Threats? 545,000 Network Intrusion Attempts per minute 140,000 Malware Programs blocked per minute 170,000 Malicious website blocked per minute 310,000 Botnet attacks blocked 312 Zero Day exploits blocked
  • 8. In Real Life Deloitte – Email Hack Sept 2017 ICAEW – Firms at High Risk FCA – 24 Attacks in 2015, 38 in 2016, 69 in 2017 National Cyber Security Centre 1100 Reported Attacks, 590 Significant, 30 Requiring Action from Government bodies, 10 Significant attacks each week. 4000 ransomware attacks a day 2016
  • 9. Mitigation • Can’t stop it happening • Firewalls • Anti Virus • Training • Office 365 • Dual Factor
  • 10. GDPR Retention and Processing • Give Data Proper Respect • What are you storing and what are you processing? • What best practice “Privacy Policy” looks like
  • 11. How long should I keep data? • This is the fifth data protection principle. In practice, it means that you will need to: • review the length of time you keep personal data; • consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it; • securely delete information that is no longer needed for this purpose or these purposes; and • update, archive or securely delete information if it goes out of date.
  • 12. What data do you actually have? Data Retention Period Legitimate Reason Physical Files 7 Years Business Reason Client Correspondence 7 Years Business Reasons Payroll Data 7 Years Business Reasons Permanent Files ? ? Email ? ? Backups ? ? Archive Storage ? ? ICloud ? ? Dropbox ? ?
  • 13. What should you be collecting? • In practice, the second data protection principle means that you must: • Be clear from the outset about why you are collecting personal data and what you intend to do with it; • Comply with the Act’s fair processing requirements – including the duty to give privacy notices to individuals when collecting their personal data; • Ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.
  • 14. Summary Retention and Processing • Collect the minimum you need to do your job • Don’t use data for other purposes • Tell clients as soon as you can what you are collecting and why • Deal with the legacy of data that you have physical and electronic • Only keep what you need and or have consent for
  • 15. The Anatomy of a Hack On Average 99 Days before detected 3,301,824,415 Usernames and Passwords stolen in 2016 Costs of Data breaches is increasing up 29% from 2013 Short Term / Long Term Impacts
  • 16. Phase 1. The break in • Phishing Emails • Password Laziness • Password spraying • Ignored software updates • Software Vulnerability • Theft • Merging Networks • Malware • Server Misconfigurations • Watering holes • Blagging
  • 17. Phase 2. The inside man • Starts with a network scan • Then target • Employees with Higher Access than they need • Out of Date systems • Companies with no security procedures • 24 – 48 Hours to full control • User accounts with Admin • Software running under Admin Account • Same Account used across the firm • Local accounts setup to solve a problem then not removed
  • 18. Phase 3. The Long Con • Assume Breach • Sudden Download of terabytes of Data • Large numbers of files being moved • Simultaneous logins from different IPs • Multiple Failed login attempts • Backdoor • Smash and Grab • Living off the land • Advanced Persistent Threat
  • 19. It is going to happen, what are you going to do? • There are four important elements to any breach plan • Containment and Recovery • Assessment of ongoing risk • Notification of Breach • Evaluation and Response
  • 20. Containment & Recovery Who is going to take the lead? Who needs to be made aware? What might need to be done? How do you recover? How do you limit the damage?
  • 21. Assessment of ongoing Risk What Data is involved? Are their protections in place? What has happened to the data stolen / lost? Who are the individuals whose data has been breached?
  • 22. Notification Notification should have a clear purpose Are their legal or contractual arrangements? Notification should be appropriate Consider the dangers of over notifying Notify the appropriate regulatory body
  • 23. Evaluation and Response Build a team of technical and non technical peopleBuild Identify your weak pointsIdentify Discuss “What If “ scenariosDiscuss Develop a plan for dealing with Security IncidentsDevelop