Information Security Proposal: POP'S POP SPRITZERS, July 2016
Small Businesses at Risk
- Cyber attacks are a growing threat to small businesses.
- It was previously assumed that small businesses would not attract the attention of attackers.
- Large, blue-chip corporations have been ramping up their defense efforts.
- Attackers may now see small businesses as the new "soft" targets.
Top Risks to Small Businesses
Cyber Streetwise is a UK government initiative to raise awareness. According to its research, the top threats to small businesses include:
- Ransomware
  - Data is encrypted
  - Payment is demanded to unlock it
- Hacking
  - Unpatched vulnerabilities are exploited
  - Sensitive data is stolen
- Denial of Service / Distributed Denial of Service
  - Traffic overload
  - Loss of service
- Human Error
  - The weakest link
  - Mistakes / confusion
- CEO/Executive Fraud
  - Impersonations
  - Spoofing
Proposed Security Organization Structure
Risk Assessment & Control Design
Measurable Metrics
Metric ID: CYBS.001
Metric Title: Refresh of information assets
Description: Measures the % of information assets that have been inventoried, updated, and had their configuration checked
Metric Owner: CIO
Metric Contact: Information Security Manager
Control Type: Preventative
Format: Percent
Frequency: Annually
Calculation: # of assets that have been reviewed and refreshed within the past 6 months / total # of information assets
LSL: 0.95
USL: 1
Target: 1
Which Direction is Better: Higher is better
Red: < 0.95
Green: >= 0.95
Measurable Metrics (Continued)
Metric ID: CYBS.004
Metric Title: Monthly success rate of InfoSec controls
Description: Tracks the number of incidents that were presented during the month and how many of those incidents were mitigated by controls that were in place
Metric Owner: CSO/CISO
Metric Contact: Information Security Manager
Control Type: Detective
Format: Percent
Frequency: Monthly
Calculation: Total # of incidents blocked or prevented / total # of incident attempts detected
LSL: 0.9
USL: 1
Target: 1
Which Direction is Better: Higher is better
Red: < 0.9
Green: >= 0.9
Measurable Metrics (Continued)
Metric ID: CYBS.005
Metric Title: # of vulnerabilities found during penetration testing deemed high or medium risk
Description: Results of regularly scheduled penetration testing efforts to detect vulnerabilities and gaps
Metric Owner: Information Security Manager
Metric Contact: IT Technicians
Control Type: Detective
Format: Number
Frequency: Semi-annually
LSL: 0
USL: 10
Target: 0
Which Direction is Better: Lower is better
Red: > 10
Green: <= 10
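The three metric definitions above can be turned into a small scorecard script. The following is an added example written for this page, not code from the proposal, and it makes two assumptions the slides leave open: "within the past 6 months" is approximated as a 182-day window, and a month with zero detected incident attempts yields no ratio rather than a perfect score (dividing by zero would otherwise hide the fact that nothing was measured). The red/green boundaries follow the slides exactly: the boundary value itself is green. The asset inventory, incident list and pentest findings are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Direction(Enum):
    HIGHER_IS_BETTER = "higher"
    LOWER_IS_BETTER = "lower"


@dataclass(frozen=True)
class Metric:
    metric_id: str
    title: str
    direction: Direction
    boundary: float  # red/green boundary from the slides (LSL when higher is better, USL when lower is better)
    target: float


# The three metrics as the slides define them.
CYBS_001 = Metric("CYBS.001", "Refresh of information assets", Direction.HIGHER_IS_BETTER, 0.95, 1.0)
CYBS_004 = Metric("CYBS.004", "Monthly success rate of InfoSec controls", Direction.HIGHER_IS_BETTER, 0.9, 1.0)
CYBS_005 = Metric("CYBS.005", "High/medium findings from penetration testing", Direction.LOWER_IS_BETTER, 10, 0)


def status(metric: Metric, value: Optional[float]) -> str:
    """Apply the slides' rule: the boundary value itself is green, only beyond it is red."""
    if value is None:
        return "NO DATA"
    if metric.direction is Direction.HIGHER_IS_BETTER:
        return "GREEN" if value >= metric.boundary else "RED"
    return "GREEN" if value <= metric.boundary else "RED"


def asset_refresh_ratio(assets, as_of: date, window_days: int = 182) -> float:
    """CYBS.001: assets reviewed and refreshed within the past 6 months / total assets.

    Assumption: the 6-month window is approximated as 182 days (hypothetical choice,
    not from the slides). Assets that were never reviewed count against the ratio.
    """
    if not assets:
        raise ValueError("no assets inventoried: metric undefined")
    cutoff = as_of - timedelta(days=window_days)
    reviewed = sum(1 for a in assets if a["last_reviewed"] is not None and a["last_reviewed"] >= cutoff)
    return reviewed / len(assets)


def control_success_ratio(incidents) -> Optional[float]:
    """CYBS.004: incidents blocked or prevented / incident attempts detected.

    A month with no detected attempts has no ratio (None); it is not reported as 1.0.
    """
    if not incidents:
        return None
    return sum(1 for i in incidents if i["blocked"]) / len(incidents)


def significant_findings(findings) -> int:
    """CYBS.005: number of pentest findings rated high or medium."""
    return sum(1 for f in findings if f["severity"].lower() in ("high", "medium"))


def scorecard(assets, incidents, findings, as_of: date) -> dict:
    """Return {metric_id: (value, colour)} for one reporting period."""
    results = {}
    for metric, value in (
        (CYBS_001, asset_refresh_ratio(assets, as_of)),
        (CYBS_004, control_success_ratio(incidents)),
        (CYBS_005, significant_findings(findings)),
    ):
        results[metric.metric_id] = (value, status(metric, value))
    return results


# Constructed sample data: 20 assets of which one is stale, 10 incidents of which 2 got past
# the controls, and 5 pentest findings of which 3 are high or medium.
AS_OF = date(2016, 7, 1)
SAMPLE_ASSETS = [{"name": f"asset-{n:02d}", "last_reviewed": date(2016, 3, 15)} for n in range(19)]
SAMPLE_ASSETS.append({"name": "asset-19", "last_reviewed": date(2015, 11, 2)})
SAMPLE_INCIDENTS = [{"id": n, "blocked": n % 5 != 0} for n in range(10)]
SAMPLE_FINDINGS = [{"severity": s} for s in ("high", "medium", "low", "medium", "informational")]

if __name__ == "__main__":
    for metric_id, (value, colour) in scorecard(SAMPLE_ASSETS, SAMPLE_INCIDENTS, SAMPLE_FINDINGS, AS_OF).items():
        print(f"{metric_id}: {value} -> {colour}")
```

With the sample data CYBS.001 lands exactly on the 0.95 boundary and reports green, CYBS.004 reports red at 0.8, and CYBS.005 reports green with 3 findings; the boundary handling is worth checking whenever a metric's LSL or USL is changed, since "< red / <= green" and "> red / >= green" are easy to invert.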
Business Contingency
Security Training and Awareness
- Basic Security Awareness
  - All employees
  - At onboarding and annually
  - How security impacts you
  - How to strengthen the company
  - Assessment & attestation
- Advanced Security Training and Education
  - Employees with security-specific roles
  - Formal classes & certification
  - Partner with local colleges & universities
  - Highlight industry certification courses geared toward specific types of roles
  - Tuition reimbursement program (2-year commitment)
- Ongoing Awareness Campaigns
  - Newsletter
  - Banners & posters
Budget (Projected)
Line Item | Amount | Comments
People | | Salaries, training, recruiting. Includes % of shared resources
Hardware | | Dedicated security hardware: computers, networking, control devices, etc.
Software | 4900 | Purchases & licensing
Communications | 4100 | Including mobile
Vendor Services | 375 |
Disaster Recovery | 6375 | Planning, design, & readiness
Support Services | 3250 |
Total Security Budget | 326,000 |
Costs of a Breach
- A survey found that the average small-business breach cost the organization $38,000.
- Additional indirect costs:
  - Reputation
  - Lost business
  - Potential legal or regulatory consequences
"The cost of a security breach is always higher than the cost of protection." - Kaspersky Lab Survey Report
Additional Resources
Questions