Welcome to the Cyber Risk Management course
Table of Contents
- Introduction
- What is a Cyber Security Risk?
- Why We Need Cyber Protection
- Putting Together a Cyber Security Program
- Resources
- Cyber Security Quiz
Introduction
Cyber Risk Management
Cyber Risk Management is the process of identifying, analyzing, evaluating, and addressing cyber threats to an organization's information assets. Globally, cybercrime costs are projected to grow to $10.5 trillion annually by 2025. Canadian companies face substantial costs from cyber incidents each year, with an average cost of a data breach reaching CAD $6.32 million in 2023.
The goal is to minimize risks to acceptable levels and ensure business continuity, data integrity, and security.
What is a Cyber Security Threat?
A cybersecurity threat is a malicious and deliberate attack by an individual or organization to gain unauthorized access to another individual’s or organization’s network to damage, disrupt, or steal IT assets, computer networks, intellectual property, or any other form of sensitive data.
Cyber Threat Actors – Who Are They?
- Groups or individuals with malicious motivation.
- Want to exploit weaknesses in an information system.
- Goal is to gain unauthorized access to or affect victims' data, devices, systems or networks.
| Cyber Threat Actors | Motivation |
|---|---|
| Nation-states | Geopolitical |
| Cybercriminals | Profit |
| Hacktivists | Ideological |
| Terrorist groups | Ideological violence |
| Thrill-seekers | Satisfaction |
| Inside threats | Discontent |
Why Do We Need Cyber Protection
Enterprise access to the internet is fundamental to delivering value, and all those activities that rely on access to the internet are inherently unsafe.
Often failures of cyber defense are not necessarily a failure of operational rigor, but rather a failure of imagination.
A relatively simple attack can halt the operations of an entire company for extended periods and cause the loss of hundreds of millions of dollars.
Putting Together a Cyber Security Program
- Understand the current state
- Align to a framework - update standards & processes
- Align risks, establish investments & protections
- Increase awareness & training
- Identify the risk model & vectors of attack
- Monitor, assess, analyze, report & improve
Understand the Current State
Step 1
Inventory and Critical Asset Analysis:
Catalog all hardware and software, identify critical data, and understand key business processes.
Threat and Vulnerability Assessment:
Identify potential threats (e.g., malware, insider threats) and regularly scan for system vulnerabilities.
Security Measures and Compliance Check:
Review cybersecurity policies, physical and technical controls, and ensure compliance with applicable laws and standards.
Risk Assessment and Incident Response:
Analyze risk impact, prioritize based on severity, and evaluate the effectiveness of the incident response plan.
Employee Awareness and Third-Party Risk:
Assess cybersecurity training effectiveness and manage risks associated with vendors and partners.
Align to a Framework
Step 2
Cybersecurity governance determines how organizations prevent, detect, and respond to cyber threats and cyberattacks. An IT security framework is a collection of documents and procedures that a typical enterprise can use to implement an information security program; it puts a formal structure around the controls it outlines.
Common Cyber Security Frameworks
| Framework | Typical industries | Coverage | Issued by |
|---|---|---|---|
| NIST CSF | Critical infrastructure | Broad | US National Institute of Standards & Technology |
| ISO/IEC 27000 | General enterprise | Moderate | International Organization for Standardization & International Electrotechnical Commission |
| NIST SP 800-53 (USA) | Federal agencies and contractors | Moderate | US National Institute of Standards & Technology |
| ITSG-33 (Canada) | Federal agencies and contractors | High | Canadian Centre for Cyber Security |
| CSA CCM | Cloud service providers | Moderate | Cloud Security Alliance |
| PCI-DSS | Credit card processors | Moderate | Payment Card Industry |
| CIS CSC | Global enterprises | Moderate | Center for Internet Security |
| HITRUST CSF | Healthcare service providers | Moderate | HITRUST (HIPAA) |
| ANSI/ISA-62443 | Industrial automation & control manufacturers | Moderate | International Society of Automation & American National Standards Institute |
| COBIT | Private sector | Broad | Information Systems Audit and Control Association |
| SCF | Complex compliance organizations | High | Secure Controls Framework |
| SOC 1/2/3 | Service providers | Broad | American Institute of Certified Public Accountants |
Align risks, establish investments & protections
Step 3
Aligning Risks:
Identify and understand how cyber risks correlate with the organization's objectives, assets, and overall risk appetite. It's about ensuring that the cyber security strategy is directly linked to the organization's priorities and vulnerabilities, enabling a focused and efficient approach to managing risk.
Aligning Risks
Step 3
Phishing
Fraudulent emails, text messages, phone calls or web sites designed to trick users into downloading malware or sharing sensitive information, passwords or personal data. It is one of the biggest cyber security threats that organizations face, because everyone has email access.
| Physical Threat | Protection |
|---|---|
| Customer PII | Email filtering |
| Sensitive business info | Run phishing simulations |
| System access | Deploy defense in depth |
Aligning Risks
Step 3
Ransomware
A type of malware that uses encryption and threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid.
How Ransomware Works
1. Bad guys create ransomware themselves or buy/lease it from other cybercriminals.
2. Cybercriminals use social engineering to gain access to your network or systems. In some cases, attackers will exfiltrate your data prior to encrypting your systems.
3. They use the malware to digitally encrypt as many of your IT systems and as much of your data as possible.
4. Attackers use your encrypted sensitive data as leverage to force you to pay a ransom.
| Physical Threat | Protection |
|---|---|
| Business info | Monitoring |
| Customer/Donor info | Anti-malware |
| Sensitive documents | Backups |
Aligning Risks
Step 3
Denial of Service
The attacker seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to a network.
[Diagram: the attacker floods the web server with HTTP requests, so that legitimate HTTP requests from users cannot get through.]
| Physical Threat | Protection |
|---|---|
| Block website access | Network line scrubbing |
| Stop business processes | Firewalls |
| | Network diversity |
Aligning Risks
Step 3
Vulnerability Exploits & Zero-Day
The vulnerability is an opening (in a system, network, software or code) and the exploit is something that uses that opening to execute an attack. A zero-day vulnerability is a software vulnerability discovered by attackers before the vendor has become aware of it.
| Physical Threat | Protection |
|---|---|
| Access systems & networks | Patching |
| Obtain sensitive data | Access controls/firewalls |
| Cause business interruption | Defense in depth |
VULNERABILITY
A vulnerability in a system, software or service is found by an individual who decides to keep it a secret from the vendor.
EXPLOIT
Knowledge of the vulnerability is then used by either the person discovering it or a partner or contact to develop "exploit code" that is able to leverage the vulnerability.
ATTACK
The exploit is then used to perform one or more attacks on vulnerable systems.
DAY ZERO
"Day Zero" is the day the vendor learns of the vulnerability and begins working on a fix.
Aligning Risks
Step 3
Password Attacks
The goal is to compromise user account authentication. Compromised credentials are the most common cause of breaches.
| Physical Threat | Protection |
|---|---|
| Gain "legitimate looking" access to systems | Complex passwords; no reuse of passwords |
| Obtain or remove sensitive data | 2FA/MFA |
Types of Password Attacks
- Brute force attacks
- Dictionary attacks
- Keylogger attacks
Align risks, establish investments & protections
Step 3
Establishing Investments:
Once risks are aligned and priorities are set, organizations need to determine what investments are needed to mitigate these risks effectively. This involves allocating budget and resources towards cyber security measures that could include technology solutions (firewalls, antivirus software, encryption), hiring or training staff, implementing robust policies and procedures, and other preventive measures.
Implementing Protections:
Installing and configuring security software, conducting training sessions for employees on security best practices, regularly updating and patching systems, and continuously monitoring the organization's networks and systems for signs of suspicious activity.
Increase awareness & training
Step 4
Promoting a Culture of Security:
Fostering a culture within organizations where cybersecurity is a shared responsibility. Employees should be encouraged to report suspicious activities and understand their role in protecting the organization's digital assets.
Regular Training and Education:
Offering regular, up-to-date training sessions to keep employees informed about the latest cybersecurity trends, threats, and protection techniques. This can include simulated phishing exercises, security workshops, and online training modules.
Technical Skills Development:
For IT and cybersecurity professionals, providing specialized training to develop technical skills in areas such as network security, threat analysis, forensic investigation, and security architecture design.
Compliance and Regulatory Understanding:
Educating teams about compliance with legal and regulatory requirements related to cybersecurity in various industries, such as the Personal Information Protection and Electronic Documents Act (PIPEDA) or the Digital Privacy Act (DPA).
Identify a Risk Model & Vectors of Attack
Step 5
Identify entry points:
Identify all possible entry points for cyber threats, including email, network, endpoints, and physical access.
Comprehensive Asset Inventory:
Catalogue all assets, software, and data, with a focus on those critical to business operations.
Threat Intelligence:
Gather and analyze information about emerging threats and attack methods.
Vulnerability Assessment:
Regularly scan for and assess weaknesses in your cybersecurity defenses.
Security Posture Analysis:
Evaluate the effectiveness of current security measures against identified risk vectors.
Monitor, Assess, Analyze, Report & Improve
Step 6
Monitor
- Continuously track network and system activity
- Use real-time security solutions to detect anomalies
- Ensure all monitoring tools are calibrated to the latest threat intelligence
Assess
- Evaluate the potential impact and likelihood of identified threats
- Conduct regular vulnerability assessments and penetration tests
- Prioritize risks based on their severity and business impact
Analyze
- Investigate incidents to understand attack vectors and tactics
- Use data analytics to discern patterns and predict future threats
- Leverage threat intelligence to contextualize the risk environment
Report
- Document findings, incidents, and breaches comprehensively
- Communicate risk posture and incidents clearly to stakeholders
- Ensure compliance with reporting obligations for regulatory bodies
Improve
- Use lessons learned to strengthen security posture
- Update policies, procedures, and controls as necessary
- Foster a culture of continuous cybersecurity improvement
RECAP
Putting Together a Cyber Security Program
1. Understand the current state
2. Align to a framework - update standards & processes
3. Align risks, establish investments & protections
4. Increase awareness & training
5. Identify the risk model & vectors of attack
6. Monitor, assess, analyze, report & improve
Real Life Cyber Incidents
Cyber Threats are often linked to people threats. Social Engineering is still the path of least resistance.
In 2023, hackers initiated a cyber-attack on MGM Casino in Las Vegas by identifying an employee through LinkedIn. They impersonated the employee, called the company's Help Desk, and successfully breached the system in just a 10-minute conversation. In 2019, hackers posing as the construction firm for St. Ambrose Catholic Parish in Ohio convinced the parish to wire $1.75 million to a fraudulent account by claiming overdue payments. The hackers withdrew all the funds before being detected.
Basic Protections
For most organizations and individuals, cyber protection doesn’t necessarily need to be costly or complicated. By managing risks, being aware and using common technology tools and measures, we can reduce our likelihood of a cyber incident. Larger organizations and those with sensitive data need to deploy more costly and complex protections, strategies and tools.
Reporting Cyber Crimes
It is strongly encouraged for businesses and individuals to report cybercrimes. You could have invaluable information that could make a difference to more than one investigation.
Depending on the circumstances, report cyber crimes to:
- the Cyber Centre's online portal, to get support and advice
- the Canadian Anti-Fraud Centre, who use reports to maintain a repository of information to assist law enforcement
File a police report and keep note of the report number for your reference.
Additional Resources
Whitepaper: Cyber Risk Management: Security & Protection in an Online World
Risk Bulletin: Safe Use of Social Media
Cyber Risk Management Quiz
- Question 1 -
What is a cyber threat actor?
An invisible IT support agent
Groups or individuals with malicious motivation
A tech-savvy individual
- Question 2 -
True or False:
Failures of cyber defence are not necessarily always a failure of operational rigor, but rather a failure of imagination.
False
True
- Question 3 -
What is not a protection to implement against phishing attacks?
Running phishing simulations
Email filtering
Deploying defence in depth
Keeping encrypted emails
- Question 4 -
Where does ransomware fall in a Cyber Security Program?
Align risks, establish investments & protections
Align to a framework – update standards & processes
Identify risk model & vectors of attack
- Question 5 -
True or False:
Compromised credentials are the least common cause of breaches.
False
True
- Question 6 -
What is the final step of putting together a Cyber Security Program?
Align risks, establish investments & protections
Increase awareness & training
Monitor, assess, analyze, report & improve
- Question 7 -
What is considered to be the path of least resistance for cyber threats?
Social engineering
Insider threats
Phishing
- Question 8 -
What is a Vulnerability Assessment?
Evaluating the effectiveness of current security measures against identified risk vectors
Regularly scanning for and assessing weaknesses in your cybersecurity defenses
Gathering and analyzing information about emerging threats and attack methods
- Question 9 -
What are some types of entry points or vectors of attack?
Physical Access
Network
Email
All of the above
- Question 10 -
Why is it important to simulate phishing exercises and offer regular training sessions on cyber security?
To validate the investment in cybersecurity software
To keep the IT department in check
To keep employees informed about the latest cybersecurity trends, threats, and protection techniques.
Congratulations on completing our quiz!
Have Questions?
Contact training@ecclesiastical.ca for more information.
Ecclesiastical Insurance is a specialist provider of unique insurance solutions and services dedicated to the protection and preservation of Canada's distinct communities, cultures, and heritage. We are proud to be part of the Benefact Group - a charity owned, international family of financial services companies that gives all available profits to charity and good causes. We are rated "A" (Excellent) by A.M. Best and "A-" by Standard and Poor's. For more information on our products and unique Risk Management services, please visit www.ecclesiastical.ca.
Cyber Risk Management
Ecclesiastical Insurance
Created on August 19, 2024
Transcript
Welcome to the Cyber Risk Management course
This training course contains audio which will begin on the next slide.
let's Begin
You may mute the audio at any time using the Sound Icon in the bottom right corner of this presentation. (Not recommended)
Cyber Risk Management
Start
Getting Started
Click the home button top right to return to the Table of Contents
You can hover over select images to learn more
Use the left or right arrows to move between slides
Putting Together a Cyber Security Program
Introduction
What is a Cyber Security Risk?
Table of Contents
Resources
Why We Need Cyber Protection
Cyber Security Quiz
Introduction
Cyber Risk Management
Cyber Risk Management is the process of identifying, analyzing, evaluating, and addressing cyber threats to an organization's information assets. Globally, cybercrime costs are projected to grow to $10.5 trillion annually by 2025. Canadian companies face substantial costs from cyber incidents each year, with an average cost of a data breach reaching CAD $6.32 million in 2023.
The goal is to minimize risks to acceptable levels and ensure business continuity, data integrity, and security.
What is a Cyber Security Threat?
A cybersecurity threat is a malicious and deliberate attack by an individual or organization to gain unauthorized access to another individual’s or organization’s network to damage, disrupt, or steal IT assets, computer networks, intellectual property, or any other form of sensitive data.
Cyber Threat Actors –
Who Are They?
Cyber Threat Actors
Motivation
Nation-states Cybercriminals Hacktivists Terrorist groups Thrill-seekers Inside threats
Geopolitical Profit Ideological Ideological violence Satisfaction Discontent
Why Do We Need Cyber Protection
Enterprise access to the internet is fundamental to delivering value, and all those activities that rely on access to the internet are inherently unsafe.
Often failures of cyber defense are not necessarily a failure of operational rigor, but rather a failure of imagination.
A relatively simple attack can halt the operations of an entire company for extended periods and cause the loss of hundreds of millions of dollars.
Putting Together a Cyber Security Program
Understand the Current State
Step 1
Threat and Vulnerability Assessment
Inventory and Critical Asset Analysis
Security Measures and Compliance Check
Risk Assessment and Incident Response
Employee Awareness and Third-Party Risk
Understand the Current State
Step 1
Inventory and Critical Asset Analysis:
Catalog all hardware and software, identify critical data, and understand key business processes.
Threat and Vulnerability Assessment:
Identify potential threats (e.g., malware, insider threats) and regularly scan for system vulnerabilities.
Security Measures and Compliance Check:
Review cybersecurity policies, physical and technical controls, and ensure compliance with applicable laws and standards.
Risk Assessment and Incident Response:
Analyze risk impact, prioritize based on severity, and evaluate the effectiveness of the incident response plan.
Employee Awareness and Third-Party Risk:
Assess cybersecurity training effectiveness and manage risks associated with vendors and partners.
Align to a Framework
Step 2
Cybersecurity governance determines how organizations prevent, detect, and respond to cyber threats and cyberattacks. An IT security framework is a collection of documents and procedures that a typical enterprise can use to implement an information security program and puts a formal structure around the varying controls outlined.
Align to a Framework
Step 2
Common Cyber Security Frameworks
TYPICAL INDUSTRIES
ISSUED BY
COVERAGE
FRAMEWORK
NIST CSF
Critical infrastructure
Broad
US National Institute of Standards & Technology
The International Organization of Standardization & The International Electrotechnical Commission
ISO/IEC 27000
General Enterprise
Moderate
NIST SP 800-53 (USA)
Federal Agencies and Contractors
Moderate
US National Institute of Standards & Technology
ITSG-33 (CANADA)
Federal Agencies and Contractors
Canadian Centre for Cybersecurity
High
CSA CCM
Cloud Service Providers
Moderate
Cloud Security Alliance
PCI-DSS
Credit Card Processors
Moderate
Payment Card Industry
CIS CSC
Global enterprises
Moderate
Centre for Internet Security
HITRUST CSF
Healthcare Service Providers
Moderate
Hi Trust (HIPPA)
International Society for Automation & American Standards Institute
ANSI/ISA-62443
Industrial Automation & Control Manufacturers
Moderate
COBIT
Private sector
Broad
Information Systems Audit and Control Association
SCF
Secure Controls Framework
Complex compliance orgs
High
SOC 1/2/3
Service Providers
Broad
American Institute of Certified Public Accountants
Align risks, establish investments & protections
Step 3
Aligning Risks:
Identify and understand how cyber risks correlate with the organization's objectives, assets, and overall risk appetite. It's about ensuring that the cyber security strategy is directly linked to the organization's priorities and vulnerabilities, enabling a focused and efficient approach to managing risk.
Aligning Risks
Step 3
Phishing
Fraudulent emails, text messages, phone calls or web sites designed to trick users into downloading malware, sharing sensitive information, password or personal data. One of the biggest cyber security threats that organizations face as everyone has email access.
Physical Threat
Protection
Customer PII
Email Filtering
Sensitive Business Info
Run phishing simulations
System Access
Deploy in-depth defenses
Aligning Risks
Step 3
How Ransomware Works
Ransomware
1.
2.
A type of malware that uses encryption that threatens to publish the victim's personal data or permanently block access to it unless a ransom is given.
Bad guys create ransomware themselves or buy/lease it from other cybercriminals.
Cybercriminals use social engineering to gain access to your network or systems.
In some cases, attackers will exfiltrate your data prior to encrypting your systems.
Physical Threat
Protection
3.
4.
Business Info
Monitoring
Customer/Donor Info
Anti-Malware
They use the malware to digitally encrypt all your IT systems and data possible.
Attackers use your encryted sensitive data as leverage to force you to pay a ransom.
Sensitive Documents
Backups
Aligning Risks
Step 3
Denial of Service
The Attacker seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network.
Flooded HTTP Requests
Attacker
Physical Threat
Protection
Webserver
Block website access
Network line scrubbing
Legitimate HTTP Requests
Stop business processes
Firewalls
Network Diversity
User
Aligning Risks
Step 3
Vulnerability Exploits & Zero-Day
The vulnerability is an opening (in a system, network, software or code) and the exploit is something that uses that opening to execute an attack. A zero-day vulnerability is a software vulnerability discovered by attackers before the vendor has become aware of it.
Physical Threat
Protection
Access systems & networks
Patching
Obtain sensitive data
Access controls/firewalls
Cause business interruption
Defense in depth
ATTACK
VULNERABILITY
EXPLOIT
DAY ZERO
A vulnerability in a system, software or service is found by an individual who decides to keep it a secret from the vendor.
Knowledge of the vulnerability is then used by either the person discovering it or a partner or contact to develop "exploit code" that is able to leverage the vulnerability.
The explout is the used to perform one or more attacks on vulnerable systems.
"Day Zero" is the day the vendor learns of the vulnerability and begins working on a fix.
Aligning Risks
Step 3
Password Attacks
The goal is to compromise user account authentication. Compromised credentials are the most common cause of breaches.
Physical Threat
Protection
Gain "legitimate looking" access to systems
Complex passwords
No reuse of passwords
Obtain or remove sensitive data
2FA/MFA
Types of Password Attacks
Brute Force Attacks
Dictionary Attacks
Keylogger Attacks
Align risks, establish investments & protections
Step 3
Establishing Investments:
Once risks are aligned and priorities are set, organizations need to determine what investments are needed to mitigate these risks effectively. This involves allocating budget and resources towards cyber security measures that could include technology solutions (firewalls, antivirus software, encryption), hiring or training staff, implementing robust policies and procedures, and other preventive measures.
Align risks, establish investments & protections
Step 3
Implementing Protections:
Installing and configuring security software, conducting training sessions for employees on security best practices, regularly updating and patching systems, and continuously monitoring the organization's networks and systems for signs of suspicious activity.
Increase awareness & training
Step 4
Fostering a culture within organizations where cybersecurity is a shared responsibility. Employees should be encouraged to report suspicious activities and understand their role in protecting the organization's digital assets.
Promoting a Culture of Security:
Offering regular, up-to-date training sessions to keep employees informed about the latest cybersecurity trends, threats, and protection techniques. This can include simulated phishing exercises, security workshops, and online training modules.
Regular Training and Education:
For IT and cybersecurity professionals, providing specialized training to develop technical skills in areas such as network security, threat analysis, forensic investigation, and security architecture design.
Technical Skills Development:
Compliance and Regulatory Understanding:
It is important to educate teams about the importance of compliance with legal and regulatory requirements related to cybersecurity in various industries, such as the Personal Information Protection and Electronic Documents Act (PIPEDA) or the Digital Privacy Act (DPA).
Identify a Risk Model & Vectors of Attack
Step 5
Identify entry points:
Identify all possible entry points for cyber threats, including email, network, endpoints, and physical access.
Comprehensive Asset Inventory:
Catalogue all assets, software, and data, with a focus on those critical to business operations.
Threat Intelligence:
Gather and analyze information about emerging threats and attack methods.
Vulnerability Assessment:
Regularly scan for and assess weaknesses in your cybersecurity defenses.
Security Posture Analysis:
Evaluate the effectiveness of current security measures against identified risk vectors.
Monitor, Assess, Analyze, Report & Improve
Step 6
Monitor
Assess
Analyze
Report
Improve
RECAP
Putting Together a Cyber Security Program
1. Understand the current state
2. Align to a framework - update standards & processes
3. Align risks, establish investments & protections
4. Increase awareness & training
5. Identify the risk model & vectors of attack
6. Monitor, assess, analyze, report & improve
Real Life Cyber Incidents
Cyber Threats are often linked to people threats. Social Engineering is still the path of least resistance.
In 2023, hackers initiated a cyber-attack on MGM Casino in Las Vegas by identifying an employee through LinkedIn. They impersonated the employee, called the company's Help Desk, and successfully breached the system in just a 10-minute conversation. In 2019, hackers posing as the construction firm for St. Ambrose Catholic Parish in Ohio convinced the parish into wiring $1.75 million to a fraudulent account by claiming overdue payments. The hackers withdrew all the funds before being detected.
Basic Protections
For most organizations and individuals, cyber protection doesn’t necessarily need to be costly or complicated. By managing risks, being aware and using common technology tools and measures, we can reduce our likelihood of a cyber incident. Larger organizations and those with sensitive data need to deploy more costly and complex protections, strategies and tools.
Reporting Cyber Crimes
Businesses and individuals are strongly encouraged to report cybercrimes. You could have invaluable information that could make a difference to more than one investigation.
Depending on the circumstances, report cyber crimes to:
Cyber Centre’s online portal, to get support and advice
Canadian Anti-Fraud Centre, who use reports to maintain a repository of information to assist law enforcement
File a police report and keep note of the report number for your reference.
Additional Resources
Whitepaper: Cyber Risk Management: Security & Protection in an Online World
Risk Bulletin: Safe Use of Social Media
Cyber Risk Management
Quiz
- Question 1 -
What is a cyber threat actor?
An invisible IT support agent
Groups or individuals with malicious motivation
A tech-savvy individual
- Question 2 -
True or False:
Failures of cyber defence are not necessarily always a failure of operational rigor, but rather a failure of imagination.
False
True
- Question 3 -
What is not a protection to implement against phishing attacks?
Running phishing simulations
Email filtering
Deploying defence in depth
Keeping encrypted emails
- Question 4 -
Where does ransomware fall in a Cyber Security Program?
Align risks, establish investments & protections
Align to a framework – update standards & processes
Identify risk model & vectors of attack
- Question 5 -
True or False:
Compromised credentials are the least common cause of breaches.
False
True
- Question 6 -
What is the final step of putting together a Cyber Security Program?
Align risks, establish investments & protections
Increase awareness & training
Monitor, assess, analyze, report & improve
- Question 7 -
What is considered to be the path of least resistance for cyber threats?
Social engineering
Insider threats
Phishing
- Question 8 -
What is a Vulnerability Assessment?
Evaluating the effectiveness of current security measures against identified risk vectors
Regularly scanning for and assessing weaknesses in your cybersecurity defenses
Gathering and analyzing information about emerging threats and attack methods
- Question 9 -
What are some types of entry points or vectors of attack?
Physical Access
Network
Email
All of the above
- Question 10 -
Why is it important to simulate phishing exercises and offer regular training sessions on cyber security?
To validate the investment in cybersecurity software
To keep the IT department in check
To keep employees informed about the latest cybersecurity trends, threats, and protection techniques.
Congratulations on completing our quiz!
Have Questions?
Contact training@ecclesiastical.ca for more information.
Ecclesiastical Insurance is a specialist provider of unique insurance solutions and services dedicated to the protection and preservation of Canada's distinct communities, cultures, and heritage. We are proud to be part of the Benefact Group - a charity owned, international family of financial services companies that gives all available profits to charity and good causes. We are rated "A" (Excellent) by A.M. Best and "A-" by Standard and Poor's. For more information on our products and unique Risk Management services, please visit www.ecclesiastical.ca.