Board Review: MUSA Cyber Security Awareness Program
November 6, 2017
Thank stakeholders and MUSA Board members for attending the meeting.
Agenda
• Need for Cyber Security
• Current Risks
• Cyber Security Program Overview
• Program Budget, Timeline, and Benefits
• Program Approval Requested
Quickly state that during today’s meeting we’ll look at the general need for a cyber security awareness program and then look at specifics for MUSA’s program, including budget, timeline, and expected benefits.
*** State that the stakeholders will be asked to approve the program at the end of the meeting. ***
Need for Cyber Security
130: average number of security breaches per US company per year
27.4%: increase in the annual number of security breaches
50: number of days to resolve a malicious insider attack
Source: Ponemon Institute. (2017, June). 2017 cost of data breach study – United States. Available from https://www.ibm.com/security/data-breach/index.html#reports
• Cyber crime is a trillion dollar business that affects companies of every size and industry (Eubanks, 2017)
• Each data breach costs a company an average of $7.35MM
• This does not include the loss of reputation, market share, and future business (Ponemon Institute, 2017)
• US companies spend, on average, $11.7MM each year on protecting their systems from attack
• MUSA has not had a serious breach yet, but these numbers indicate that it is only a matter of time
References
Eubanks, N. (2017, July 13). The true cost of cybercrime for business. Retrieved from https://www.forbes.com/sites/theyec/2017/07/13/the-true-cost-of-cybercrime-for-businesses/#559acf249476
Ponemon Institute. (2017, June). 2017 cost of data breach study – United States. Available from https://www.ibm.com/security/data-breach/index.html#reports
Current MUSA Security Risks
Assessment Finding (areas affected: Security Awareness, Systems, Policies and Processes; one X per affected area)
No security awareness program: X
No configuration change management policy: X X
No intrusion detection and prevention system (IDPS): X X
No log collection or evaluation: X X X
No media access control policy: X X X
No encryption or hashing: X X X
Infrequent vulnerability assessments: X X
High attrition rates and unhappy employees: X
Security Incidents: X X X
No segregation of duties: X X X
• Results of a recent internal cyber security review revealed multiple risks to MUSA’s business
• Findings show:
  • A lack of security awareness at all levels of the company
  • Deficient security systems
  • Weak or non-existent security policies and procedures
• Each of these items leaves MUSA open to attack from both malicious outsiders and disgruntled employees
• Since security assurance is our core business, MUSA should invest in improving its security posture
Cyber Security Program Overview
• A Cyber Security Program can significantly reduce MUSA’s risk of a data breach by introducing improvements in multiple areas
Systems:
• Firewalls
• IDPS
• VPN
• Monitoring and Logging
• Encryption
• LMS
People:
• Segregation of Duties
• Skills training
• Security Awareness
• EAP and Wellness
Policies:
• Corporate policy review
• Auditing
• Incident Response
• Change Management
• Continuous Improvement
• Implementing a cyber security program is not a trivial exercise
• Successful programs require participation and support from all levels (Welshhons, 2016)
• The most successful programs combine investment in systems and policies with investment in people (Acohido, 2013)
References
Acohido, B. (2013, March 15). Disgruntled employees, insiders pose big hacking risk. Retrieved from https://www.usatoday.com/story/tech/2013/03/15/insider-threat-matthew-keys-anonymous/1991265/
Welshhons, L. (2016, April 3). How employee wellness programs can generate savings for your company. Retrieved from http://web.archive.org/web/20160403011918/http:/meritresources.com/userdocs/materials/Employee_Wellness_Initiatives_Merit.pdf
Program Budget
Item | Implementation Cost (Year One) | Ongoing Cost (Year Two +)
Program Communications | $150,000 | $100,000
Audits and Risk Assessments | $250,000 | $200,000
Policy Reviews and Updates | $225,000 | $125,000
Configuration Change Management Program | $325,000 | $225,000
Security System Upgrades | $1,025,000 | $350,000
Data Encryption | $600,000 | $300,000
Security Monitoring and Logging | $2,900,000 | $900,000
Security Incident Response Program | $225,000 | $175,000
Learning Management System | $1,825,000 | $225,000
Employee Assistance Program (EAP) | $225,000 | $200,000
Employee Wellness Study | $100,000 | $0
TOTALS | $7,850,000 | $2,800,000
• Initial investment is significant but consider it as a preventative measure. Ironically, the cost is approximately the same as a single security breach (Ponemon Institute, 2017)
• Implementation costs include the cost of systems, software, setup and installation.
• Ongoing costs include system and software maintenance as well as any additional staff needed to support the systems
• Adds 16 permanent staff to MUSA’s information security team, including the creation of a 24x7 Security Operations Center (SOC) for monitoring and early incident response
References
Ponemon Institute. (2017, June). 2017 cost of data breach study – United States. Available from https://www.ibm.com/security/data-breach/index.html#reports
Program Timeline (Q4 2017 through Q1 2019)
Milestones:
• Nov 6: Program Approval
• Feb 25: EAP Launch
• Apr 2: Audit Findings Published
• May 25: Risk Assessment/Security Incident Launch
• Jul 15: LMS Launch
• Aug 24: Encryption Complete
• Dec 3: System/Policy Upgrades Complete
• Dec 14: Monitoring/Logging Complete
• Feb 15: Program Complete
Activities (start to end):
• Nov 6 to Dec 15: Program Kick-off and Planning
• Jan 2 to Mar 5: Employee Assistance Program
• Jan 2 to Jul 30: Learning Management System
• Jan 8 to Mar 2: Initial External Audit and Findings Review
• Feb 1 to Jun 6: Employee Wellness Study
• Mar 5 to May 25: Internal Risk Assessment Program Creation
• Mar 5 to May 25: Security Incident Response Program
• Mar 5 to Dec 14: Internal Policy Reviews/Updates
• Mar 5 to Dec 14: Security System Upgrades
• Apr 2 to Dec 14: Security Monitoring and Logging Setup
• May 1 to Sep 3: Data Encryption Initiative
• May 1 to Sep 3: Configuration Change Management Program Creation
• Jul 9 to Nov 9: Initial Cyber Security Awareness Training
• Jan 2 to Feb 12: Program Review and Lessons Learned
• Mar 1 to Mar 28: Continuous Monitoring and Improvement
• MUSA will go from having no program to a robust program with continuous monitoring and program improvement in 18 months.
• Program implementation requires significant planning
• Some early, easy wins are:
  • Third-party Employee Assistance Program
  • External audit
• Long lead time items include:
  • Policy reviews and revisions
  • Security system upgrades, such as new firewalls and an IDPS
  • Creating a robust security logging environment with a Security Operations Center (SOC)
• Cyber security awareness training for all employees happens in the second half of the year so the new systems can be introduced to MUSA staff
Program Benefits
• Cyber Security program:
  • Reduce MUSA’s exposure to risk through robust systems
  • Improve MUSA’s reputation and market share by publishing white papers about our experiences
  • Improve employee morale through training and employee investment
  • Reduce employee attrition and the risk of insider threats
• Formal program approval requested today
• Multiple benefits to implementing this program. Some of the most immediate are:
  • Reducing risk
  • Improving morale and thus reducing employee attrition and the likelihood of insider threats
  • A robust program is a strong selling point for MUSA’s security assurance clients
• Your support for this important initiative is crucial. Your involvement will be viewed by MUSA staff as support of them and support of the company’s future (Welshhons, 2016)
• Please approve the cyber security awareness program today
• Any questions?
References
Welshhons, L. (2016, April 3). How employee wellness programs can generate savings for your company. Retrieved from http://web.archive.org/web/20160403011918/http:/meritresources.com/userdocs/materials/Employee_Wellness_Initiatives_Merit.pdf