Cyber Security for the Small Business Experience ETHAN STEIGER, VP, Information Security, Domino's

Page 1: Cyber Security for the Small Business Experience

Cyber Security for the Small Business Experience

ETHAN STEIGER, VP, Information Security, Domino's

Page 2: Cyber Security for the Small Business Experience

Ethan Steiger, VP of Information Security

Page 3: Cyber Security for the Small Business Experience

In this session you will learn:

• Risk-based approach.
• Why it is important to invest in proactive protection against cyber attack.
• Key actionable steps required to build a security program.
• How to prepare your company to respond to a potential breach.

Page 4: Cyber Security for the Small Business Experience

Are you prepared?

Your local business is part of the fabric of your community. People feel secure there. But even there, there is also a dark side.

SMBs typically spend less time and money on network security than larger firms. That means they’re easy targets for cyber criminals.

Page 5: Cyber Security for the Small Business Experience

Are you prepared?

Break the Kill Chain

Step 1: Upgrade your protection

Step 2: See the threat to defend against it

Step 3: Train your staff (and yourself) to practice good digital hygiene

Step 4: Get a security audit, prioritize the risks and heed its findings

Step 5

Page 6: Cyber Security for the Small Business Experience

Why Cybersecurity matters?

Investigations, Fines and Remediation

45+ different state breach-notification laws

Inevitable Class-Action lawsuits

Inescapable Brand Damage

Page 7: Cyber Security for the Small Business Experience

Why Cybersecurity matters?

The average small business pays $36,000 to $50,000 for a data breach.

SMBs are often the weakest link in a chain-of-trust attack.

Cyber criminals can target vertical market segments that let them take advantage of common vulnerabilities.

Page 8: Cyber Security for the Small Business Experience

Why Risk is important?

SMB IT directors commonly take a “security technology du jour” approach. Their information security decisions are based on a very limited and unscrutinized subset of information sources, which feeds an ad hoc information security approach.

Page 9: Cyber Security for the Small Business Experience

Why Risk is important?

Risk-based information security approach

• Determine your targeted security posture (i.e. what is and what is not acceptable risk to your company)
• Explore your information systems and technology (i.e. find the gaps that expose your business to risk)
• Leverage industry frameworks (used as a compass, they let you transform risk information into information security decisions. Example: NISTIR 7621 Revision 1 – Small Business Information Security)

Page 10: Cyber Security for the Small Business Experience

Building a Security Program

1. Understand all of your Risk perfectly:
• Environmental (e.g. fire, water, tornado, earthquake);
• Business Resources (e.g. equipment failure, employees); and
• Hostile Actors (e.g. hackers, hacktivists, criminals, nation-state actors).

2. Identify what information your business stores and uses:
• Determine the value of your information
• Develop an inventory
• Understand your threats and vulnerabilities
• Prioritize resolution action

3. Leverage industry frameworks:
• To provide a common language to address cybersecurity risk
• To improve communications both within and outside your business

Page 11: Cyber Security for the Small Business Experience

Building a Security Program

Identify: The activities in the Identify Function help increase an organization’s understanding of their resources and risks.

Protect: The Protect Function supports the ability to limit or contain the impact of a potential information or cybersecurity event.

Detect: The activities under the Detect Function enable timely discovery of information security or cybersecurity events.

Respond: The Respond Function supports the ability to contain or reduce the impact of an event.

Recover: The Recover Function helps an organization resume normal operations after an event.

Page 12: Cyber Security for the Small Business Experience

How to be Prepared

Develop a plan for what immediate actions you will take in case of a fire, medical emergency, burglary, or natural disaster. The plan should include the following:

• Roles and Responsibilities
• What to do with your information and systems
• Who to call in case of an incident
• Make sure you know the laws for your area and include relevant information in your plans
• Define types of activities that constitute an information security incident

Page 13: Cyber Security for the Small Business Experience

Cyber Insurance

Sometimes SMB owners feel invisible compared to large businesses. But your business is just as visible, and vulnerable, as any other company. Additionally, your business needs to be able to absorb the financial impact of such crimes. That’s where cyber insurance may come in handy.

Why:

• Mitigating risk
• Reimbursing costs associated with an attack
• Providing business interruption protection
• Covering legal fees in the event of litigation or paying judgments

Page 14: Cyber Security for the Small Business Experience

Is your business ready?

Who has access to your business information?

Are you conducting background checks?

Do you require individual user accounts for each employee?

Are you training your employees?

Do you limit your employees’ access to data and information?

Do you patch your operating systems and applications?

Do you dispose of your old computers and media safely?

Page 15: Cyber Security for the Small Business Experience

Is your business ready?

Do you:

• use encryption for sensitive business information?
• maintain and monitor logs?
• develop a plan for disasters and information security incidents?
• consider cyber insurance?
• make improvements to processes / procedures / technologies?
• install and activate software and hardware firewalls?

Page 16: Cyber Security for the Small Business Experience

Q&A