Presentation is loading. Please wait.

Presentation is loading. Please wait.

Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014.

Published byArron Martin Modified over 9 years ago

Similar presentations

Presentation on theme: "Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014."— Presentation transcript:

1 Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014

2 Overview of this presentation International & local public & private entities that have had incidents. Examples of cybersecurity breaches: Act now! A brief overview of legislation you should be familiar with. Legislation to consider: Consequences if you don’t! Preparing for a cybersecurity breach A breach has happened: first steps & considerations Sharing information in your industry: strength in numbers After the cybersecurity breach: fixing and fighting back A cybersecurity breach game-plan: Mitigating risk!

3 Breaches: It happened to them, it will happen to you! Estimated annual cost of cybercrime to global economy – US$400 million – McAfee, June 2014; Estimated value of cybercrime in SA – 0.14% of GDP, McAfee, June 2014 Sony Corporation PlayStation breach – US$171 million so far, 12% off share price – Booz & Co, 2014 Target breach – US$148 million in costs, CEO resignation – Forbes, September 2014 South African Police Service website – Cost unknown, major reputational damage Payment Association of South Africa, card hack – cost unknown, major reputational damage

4 Why bother with cybersecurity…surely it’s something for the geeky IT guys to deal with? MFM Act Companies Act POPI Act ECT Act RIC Act King III Report South Africa Connect: The National Broadband Policy The National Integrated ICT Policy Green Paper The White Papers on Transforming Public Service Delivery The Minimum Information Standards Policy The Minimum Interoperability Standards Policy Free and Open Source Software Policy Organisation leaders: it’s no longer just the IT guys’ problem, its your responsibility!

5 A basic guideline for cybersecurity: condition 7 of POPI A responsible party must secure the integrity of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information; and unlawful access to or processing of personal information Condition 7: Security safeguards – Part 1

6 Chapter 3: Conditions for lawful processing of personal information A responsible party must take reasonable measures to: identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control; establish and maintain appropriate safeguards against the risks identified; regularly verify that the safeguards are effectively implemented; and ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards. Condition 7: Security safeguards – Part 2

7 Chapter 3: Conditions for lawful processing of personal information Where the responsible party appoints an operator: This must be under proper authority and respect confidentiality; Must be governed by a contract which enforces confidentiality and security. Where security breaches occur, data subject and Regulator must be notified. Condition 7: Security safeguards – Part 3

8 Preparing for a cybersecurity breach Categorise data & define access Use smart network design Protect super-sensitive data Audit and test your network Be aware of: your network & data and implement protection procedures Cybersecurity breach management plans Get consents to use of your network Have best practice policies & procedures Supply chain matters Client and customer matters Be aware of and evaluate cyber threats Be aware of cybersecurity risks of business relations

9 A breach has happened! First steps and considerations Directors, lawyers, IT and PR Internal processes & governance after breach Considerations whilst conducting an investigation Conduct an extensive internal investigation Statutory reporting obligations Contractual reporting obligations Shareholder / stakeholder reporting obligations Should all breaches be investigated: investigation thresholds & reporting

10 Sharing information in your industry: strength in numbers Why sharing may be good Competition law considerations

11 After the cybersecurity breach: fixing and fighting back Effective breach response methods Exercising patience may help Don’t overreact or break the law – liability concerns

12 Practical tips & recommendations Read the legislation. Consider POPI’s Condition 7 as a minimum; Do your operations warrant information security awareness training for staff. Put procedures in place to limit who can access certain information on your organisation's computer system. Ensure that laptops and other mobile devices have passwords and similar security and are preferably encrypted. Physical security of the premises where you store sensitive information. Put proper contracts in place that compel your service providers to give you assurances that they will comply with some sort of cybersecurity standard. Consider whether securing cyber insurance is necessary. Your current "generic" insurance not likely to provide cover. Have a technical and legal information/cyber security gap analysis done…it will make shareholders or the Auditor-General happy! Develop a comprehensive strategy, but consider these now

13 Any questions? Follow us on:

Download ppt "Your cybersecurity breach will happen! Here’s what to do to mitigate your risk Thursday, 25 September 2014."

Similar presentations

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.
©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.

©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.

IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.
Identity Theft & Data Security Concerns Are You Meeting Your Obligations to Protect Customer Information? Finance & Administration Roundtable February.

Identity Theft & Data Security Concerns Are You Meeting Your Obligations to Protect Customer Information? Finance & Administration Roundtable February.
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
SA Constitution Sec 14 – Privacy – RICA – POPI Sec 32 – Access to Information – PAIA – POPI.

SA Constitution Sec 14 – Privacy – RICA – POPI Sec 32 – Access to Information – PAIA – POPI.
Auditor General’s Office One key audit focus area – Compliance with Laws and Regulations.

Auditor General’s Office One key audit focus area – Compliance with Laws and Regulations.
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
The role of the Office of the Privacy Commissioner in telecommunications Andrew Solomon Director, Policy.

The role of the Office of the Privacy Commissioner in telecommunications Andrew Solomon Director, Policy.
Information Systems Security Officer

Information Systems Security Officer
1 Risk management and Investigation Peter Roberts

1 Risk management and Investigation Peter Roberts
Draft of June 9, 2015 Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing.

Draft of June 9, 2015 Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.

Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.
Information Security Technological Security Implementation and Privacy Protection.

Information Security Technological Security Implementation and Privacy Protection.
Overview Of Information Security Management By BM RAO Senior Technical Director National Informatics Centre Ministry of Communications and Information.

Overview Of Information Security Management By BM RAO Senior Technical Director National Informatics Centre Ministry of Communications and Information.
HIPAA PRIVACY AND SECURITY AWARENESS.

HIPAA PRIVACY AND SECURITY AWARENESS.
Finance and Governance Workshop Data Protection and Information Management 10 June 2014.

Finance and Governance Workshop Data Protection and Information Management 10 June 2014.

Similar presentations

Ads by Google