foreign [Music] Welcome to our exclusive Global leading voices webinar campaign we are delighted to have you join us here today please be informed that if you have any questions during the presentation you may type them into the question box in your control panel the presenter will answer your questions at the end of the presentation accordingly now without further Ado we will turn the time over to our presenter who will begin shortly hello everyone uh good morning good afternoon good evening wherever you may be welcome to the webinar where we'd be discussing cyber security Trends what to expect in 2023 so uh in terms of the agenda we'll briefly go over some introductions hit the main topic and then hit q a we'll leave about 10 minutes for Q a so please feel free to enter any questions you might have into the chat uh function and uh the organizers would relay that over to us all right so in terms of introductions I'm a partner at Baker Tilly we're an international CPA advisory firm uh I've spent over 20 years in cyber security risk and compliance started my career at Hewlett-Packard uh helped set up their I.T savings Oxley team worked on a lot of Regulatory Compliance needs out there uh worked in a lot of global management consulting firms as well and my goal is to help companies in terms of proactively approaching their cyber security risk and uh as you can imagine that's my dog Bruce over to you Colleen good morning good day everyone my name is Colleen Lennox I am the owner of cyber job Central which is a job board for cyber Security Professionals I've been a recruiter in the technology space for many many years and for the past six years have been only doing cyber security which is which has been great it's a great industry it's busy it's a great time to look for a job in this space or to enter into this space and hopefully we'll be able to provide you all with some good insight into what we see in 2023 and they're my cats scratching at the door [Laughter] so uh 
just as we move ahead uh you know a quick note in terms of how we're planning to approach this so uh the trends that we've identified we're gonna keep them at a high level understanding very well that the audience could be folks who are starting off in cyber security looking to get into cyber security and the seasoned professionals so if there are any questions uh you know that we need to take offline our contact details are available at the end of this slide and these slides will be shared with you so we'd love to hear back from you but just know that the general note of this uh webinar would be to keep it at a level where everybody could understand all right so uh starting off uh people continue to remain a risk so nothing has changed when we do risk assessments for our clients we typically look at the people process and Technology aspects of any organization with the risk being in that order so people continue to be the greatest risk uh you know with any organization phishing attacks again continue to be the main causes for data breaches so that's absolutely based out of uh you know employees clicking on malicious emails and allowing uh you know Bad actors to enter the network now access controls have been uh you know strengthened in most companies but the awareness piece needs to continue to be uh you know strengthened because as the threat landscape keeps seeing a change in how the Bad actors are able to get in so uh in terms of fortifying your Fortress which is your organization and all of the data what we typically recommend is to have your employees be the Guardians for your organization and how do you do that you do that by equipping them with all the right information all the right training that then they when they see something they say something and that is sometimes the best sense of uh support that you can get as an organization and as a information security Personnel because most times you know you cannot be the only ones who are looking at keeping 
uh your businesses uh with with the highest security protecting all of the data and so on so when you have your employees you know relay information over to you you've got that additional support that all of you within the cyber security business would understand that you know you really when you're trying to put in some cyber security program without the support of the employees without uh exact buy-in you're not able to make the right inroads and again there are lots of tools uh that are available for uh awareness training and there are a lot of security vendors that you can go to so feel free to choose something that makes uh you know that makes the best sense from a financial standpoint but also has the right coverage for your industry so your employees are given the best chance to learn something and to have their eyes up open for any security threats Colleen do you have anything to add well I think also you know obviously most attacks happen through email clicking links so just making people aware not to click click links or to double check the email address of emails coming in because these people are really good at faking you know being the bad guy so and also I think another thing in this is third party risk around being being uh being making sure you're aware of what the other vendors you have on your network the risk labor absolutely and and you brought up a good point there so uh one of the other items that uh you know just happened last night so uh We rescued two dogs last night put them on a app called Paul boost and my uh phone number went out there for uh you know anybody to contact me and what I noticed was immediately I got a text from somebody uh saying hey do you have uh the dogs and they asked me for a code which came from Google Voice and for the uninitiated they would probably just go ahead and provide that code but uh you know one Google search told me that this is basically a scam where they're trying to get into your Gmail uh and you know 
change your password and gain control over your Gmail so there are a lot of these different types of attacks and sometimes it's best to uh you know take some time not react immediately and try to you know fall low orders be it uh you know a BEC a business email compromise or text messages that uh purportedly comes from uh one of your execs so the awareness should be there to make sure that folks are taking their time figuring out whether they are at risk and then taking action accordingly or passing that information over to the information security team and then uh you know allowing for a more informed decision all right next one so increase compliance requirements so who doesn't love compliance right so at the end of the day with uh you know the US and I'm not only going to be talking about U.S Pacific given that we've got an audience that is across the world but just from a referral standpoint I mean the US has come up with a lot of different State uh privacy laws and what we're gonna see is there are going to be more laws that are going to be passed to ensure that not only privacy but security features are strengthened within organizations we've seen multiple countries come up with uh compliance requirements so we're only going to see more of these and what that means is that organizations either would need to hire uh dedicated GRC staff and uh you know ensure that they're meeting the compliance requirements and also with all these multiple uh privacy regulations you would want to get a matrix a control or compliance Matrix that ensures that you are hitting multiple uh you know privacy compliances through the different controls that you've got whereas most people tend to think of the compliances as uh you know uh independent what we traditionally do uh is to ensure that we've got a mapping of the different compliance needs and see that if one control can meet requirements across uh the different uh regulations that's probably the best way to go which means again 
you need to have those dedicated GRC staff that can help you with in this endeavor as opposed to doing it piecemeal across multiple regulatory requirements and everybody on this call is probably aware of gdpr that set everything in motion you've got the paper in um in Canada you've got multiple other laws in Mexico India Brazil China you name it all of these countries are coming up with that so be prepared for increased compliance requirements and in terms of uh the hiring uh piece I think this is a good segue for Colleen to kind of give you a lay of the land in terms of the critical shortage that we are finding within the cyber security uh uh you know industry so Colleen do you have some uh thoughts on that well I do know that the Privacy space is so understaffed there's just not enough people in the world to do what is needed to be done so it's a great space to enter into I a lot of people some have their law degree some do not so some people think they have to have their law degree to get into this space but truthfully it's it I don't think it matters as long as you have some experience around privacy and an interest in it thank you Colleen so one of the other things that we've noticed uh from a Consulting standpoint is that because of the shortage there are a lot more co-sourcing opportunities that have come about where uh as a company we are able to uh you know augment some of the staff into internal audit uh teams and some of the other teams just to help with some of these high burden uh issues and uh that's something for you all to consider in terms of working with some of the third parties if you're not able to hire dedicated staff within a timeline just given that most of these regulations have tight deadlines that you would have to meet in order to ensure you don't get hit by any regulatory fines all right uh next one is vendor consolidation so we're definitely seeing a lot of M A within the security space folks are basically relying on uh you know 
refining their current software not really focusing in on developing new things bringing everything uh you know into a Consolidated manner acquiring different companies uh so what we're seeing there is fewer security vendors and what that means is uh one good thing is you're basically going to be tasked with managing less security vendors but on the other end of the spectrum you're probably going to see that the budgetary standpoints the cost might increase because there could be some sort of a monopoly within uh within that area as you can already tell the cyber security Market space uh is a noisy one everybody's jostling for uh space out there everybody's trying to you know showcase why they're better than the others uh why their tool is the most necessary for uh organizations so one thing that we always tell folks is uh to ensure that they're looking at security vendors uh based on their third-party uh assessment so have a questionnaire as much as uh as a CSO as uh information security Personnel you are inundated with risk assessment questionnaires from your third parties make sure that you're returning the favor in some ways by ensuring that you're bringing on security vendors who take their security seriously and have the right certifications be it ISO 27001 or sock 2 reports that are common in the U.S uh region and and sure that they've got cyber security Insurance they've got all the relevant things that you think are necessary for you to do business with them make sure it's not just a checklist it is something that you're waiting and in some cases a lot of companies do put into their uh contracts they put a clause in terms of a right to audit so at any given point of time you're able to go in and audit these security vendors to ensure that your data is actually uh you know being taken care of and is not out there for anybody to see uh one of the things that in the last bullet so even when Outsourcing securely functions you want to make sure that you've got 
experienced folks in-house so uh no amount of external Consultants such as myself and the rest of the uh you know rest of the team can come in and showcase the risk as much as folks within the organization so when we typically do risk assessments we leverage the information we get from uh not only your experience cyber security staff but the experienced people within the organization so they are the ones who actually open their uh you know hearts out in some cases and give us the lay of the land tell us about the risk within the organization and so on so have some of these experienced folks in-house because that will enable you to not only manage your vendors appropriately but to manage your workflow in terms of all the different tasks that somebody within the organization needs to deal with uh Colleen do you have any inputs in terms of vendor consolidation are you seeing anything based on your interactions with uh you know either candidates or with the companies that you're recruiting for um I think it's still just such a candidate short Market there's just not enough people out there doing what needs to be done so I think that this will be a problem for years to come so um but I do think it's important also you mentioned like having an internal staff you have to make sure you take good care of your staff because they are constantly being hunted by someone so you have to make sure you treat your staff well and have good retention if not you're gonna have major turnover in your Security Department and hence the Pac-Man reference down there right everyone's it's a doggy dog world out there and everyone's trying to make sure that because of this shortage if they're not able to find somebody outside they're trying to poach from their competitors and so on so Colleen that's a great point all right moving on so again I mean uh with Through The Years uh you know we've noticed that uh the prioritization of cyber risk has you know worked its way up when uh you know a few 
years ago it wasn't even in the top 10 risk that uh uh the board really expected to uh discuss during a board meeting now it creeped its way up and uh it's probably in the top three in these days but you want to make sure you know in 2023 that this is a high priority I mean we've been uh earlier the cyber security Market was uh basically running on fear uncertainty and doubt but but uh you know talking about various uh you know uh let's say various breaches that came into play but then now when you open the newspaper if anyone's uh reading a physical newspaper or opening any websites one of the top things you always see are either uh consumer attacks or some sort of a data breach so this is only gonna get bigger uh in 2023 so with all of this economic uncertainty what we are also seeing is that spending on cyber security will increase but they will be diligent in terms of how they want to expend that money so we're seeing a lot more uh folks trying to ensure that from a spending standpoint they're only focusing in on those critical things that can absolutely reduce their security risk and the discretionary spend you know that typically was done for other areas that had an impact but not so much they're kind of working them into the entire security umbrella trying to ensure that they're focusing solely on prioritizing risk mitigation activities and nothing more so be it uh risk assessments be it pen testing be it all of those privacy and compliance issues that they need to get into play so all of those are things that everybody's prioritizing just to ensure that they have a good grasp over their security posture and they're able to relay that information to their leaders as well and what uh I mean with with there could be some contradictions in terms of you know with the security uh vendors having their M A activities in play and there could be that Monopoly that you could see and that might be a little long drawn but what you do see is most leaders are seeking 
budget-friendly security Investments so there could be a case where there would be uh you know a back and forth uh between the vendors and uh the companies in terms of getting the most bang for the buck in terms of ensuring that uh not only are the priorities of the company being taken care of but it's being done on a budget-friendly uh on budget friendly terms as well and uh you know again uh 2023 is no different from 2022 no different from 2021 the threat landscape is changing significantly what that means is that uh you know the Cyber criminals are trying to do everything in there might to penetrate uh uh through the networks gather as much information as they can hold people uh Ransom so that is only gonna increase as we move forward so one of the things that um uh you know one of the things that from a from a cyber uh crime standpoint it isn't uh really industry specific though some Industries are uh being targeted a lot more than others which we will hit later on in this uh webinar but one of the things to note is that they don't rest so you need to constantly be prepared in terms of uh you know ensuring that if you're doing certain tasks uh you want to ensure that those tasks are being done timely for example one of the companies that I've been helping out from a strategic standpoint as a healthcare company where they were doing a monthly vulnerability scans and we had to change that to weekly just to ensure that we've got a better understanding as to our vulnerabilities and because the healthcare uh sector is being targeted a whole lot you need to make certain adjustments within the uh within the security uh plan to ensure that you're meeting uh or trying to stay ahead of the threat landscape because it's changing very frequently Colleen I had a question for you out here so do you have any interactions with board members and have you heard anything from them about the Cyber risk uh standpoint and where they see uh cyber risk as uh uh you know one of their 
priorities I mean I think everyone you know talks a good game that they want to increase their cyber awareness and cyber risk programs um I think until there's a penalty put against it like privacy laws I think some people will still be lackadaisical because it does cost money and you don't see a return on investment but you do it could put you out of business if you don't absolutely and and uh we are seeing you know from uh a board perspective there is a lot more Nuance conversations uh you know in in the board meetings that I've been in the past few years what typically happened was it was coming from uh the bottom to the top right so it was coming from the management to the board and uh they weren't necessarily any metrics or any other things that were uh finalized or developed for the board to see but in the last few years what I'm seeing is there has been some sort of a role reversal not uh so much that the management is not paying attention to cyber but uh in terms of the board proactively asking uh for updates on Cyber and wanting to look at some of the metrics so they can support uh Management in terms of making certain decisions uh in addressing cyber risk so that's a welcome change and I think uh one of the things that I always tell my clients is to have that approach where you're proactive and working with the board uh develop metrics that ensures that not only uh you've got the support as an organization but it also uh from a CSO standpoint you're showcasing all the different things that you're running up against so you get adequate support be it increase in the cyber security budget or Staffing all of that plays a important role in keeping the security of a company together so some of the things that you would want to pay attention to in 2023 and continuing into the future as well all right we've touched upon this uh significantly already and you'll see it's a Common Thread right uh csos on the call will tell you that you know with the economic 
uncertainty excuse me there's definitely budget cuts but uh like I said the Cyber criminals are not uh you know taking a break either so the risks continue to increase so uh one of the things that uh you know we need to take into consideration is though uh the cyber security spending is projected to increase the uh like I said earlier leaders may not be comfortable spending all that uh amount required they would need to keep a rainy day fund to handle uh multiple other things but you want to make sure that uh from a staffing perspective which Colleen can definitely talk about you uh you've got your employee training you've got Advanced security tools process improvements these are multiple things that you need to do to ensure that you mitigate the risk but it needs to be done within a budget-friendly uh environment so work with those vendors that you're comfortable working with there could be chances where you can uh you know have a payment plan with them to ensure that you're still uh you know hitting your budgetary goals but then you're also taking the lead in terms of ensuring the organization is uh you know looking at their security posture in the right sense uh what I I think uh Colleen one of the uh uh you know thoughts that I just had right now was you know given that uh folks don't necessarily want to spend a whole lot but there is a shortage you know which is a conundrum in itself how would you uh address this situation and also maybe share some words of uh advice to those folks within the call who are probably looking for a new move well I think that it's um I because you know people don't know people believe it's like first Last Stand first out which I don't necessarily believe to be true I think you know hard workers will always stand out and maintain their job but also I do think that you know you know we hear about no one's hiring no one's hiring I just I don't see it yet on the Cyber side and because I do think a lot of these you know positions are 
just have been vacant for so long but let me ask you this video if you were working with a smaller company that really doesn't have a huge budget to spend on anything extra is there like three things you would say to spend your money on as opposed to others is now is obviously not the best time to implement a new tool but what would you suggest they spend their money on so uh typically what I try to do is uh you know like I stated earlier with uh the market being so noisy the cyber security Market you've got a lot of tools that are out there that can do a lot of work but uh essentially I'll answer this but not uh stick to your uh three uh you know topics that you wanted me to touch upon I'll just touch upon a few and might hit those three we'll see uh but I typically start off with a cyber security risk assessment so one of the things that a lot of organizations do is not necessarily know uh where their risk lies uh you know uh especially with the smaller companies and I'll touch upon the larger ones as well uh not not wanting to generalize because uh the larger ones typically uh you know the csos they've got a independent information security function where the csos and the staff do conduct uh uh you know risk assess assessment but essentially starting with a risk assessment where either as the third party we come in with a fresh set of eyes which is always a good thing uh just given the different Industries and different companies that we meet on a regular basis and do these similar activities it is good to start off with a risk assessment because you're not just thinking about it from a technology perspective one thing that I've seen with the smaller companies is they are so focused on technology they forget the people and process aspect so from a risk perspective we either use the nist uh uh you know standards National Institute of Standards and Technologies cyber security framework as a guideline it's got 108 subcategories uh five large categories so we hit 
all of those different aspects and what that does is to give a good understanding of the organization from end to end where cover bring not only the people aspect of things given that it's the highest risk get getting down into the process piece as well so we are not just talking to it or security and Leadership we're talking to finance we're talking to sales HR tax you name it we're trying to ensure that we get a good understanding of where the organization stands what the different uh risk uh uh is within the processes and then once we get all of that combined we also do a vulnerability scanning penetration testing to then combine it with uh what we've learned to get a good understanding as to where things lie for that organization then do uh uh you know we do a roadmap in terms of what are the biggest uh uh you know risk factors that can be mitigated quickly so typic typical things 20 percent of our recommendations were the top 20 rather would hit pretty much 80 percent of the risk so we road map uh things and I think doing it in that fashion would allow you to take more uh of an informed decision as opposed to just finding one area that you think is a risk but not understanding what are the different factors that cause that risk to come into play it could be the people it could be just a broken process so having a good understanding and then for those who do not typically employ third party Consultants uh be it due to spending reasons or otherwise have self-assessments on a periodic basis do certain things that would allow you to gain a better understanding of things uh and uh from an incident response planning standpoint disaster recovery and business continuity standpoint make sure you've got these policies you've got these plans and you're testing them periodically that that is something that I'm seeing a lot of companies still fail to do it's a quick win it allows leadership it loves the rest of the folks who are within the incident response team or in the 
business continuity Disaster Recovery teams to know how to uh perform their activities when a real life exercise comes into play uh till you're doing tabletop exercises uh you know there is less stress but in a real life uh you know incident everybody's head is on fire everyone's trying to get into other people's Lanes so practice practice so when you're hit with something you're actually going to benefit out of uh ensuring that uh you know you're ahead of the curve and everybody's in their Lane you're able to get back to your feet sooner with minimal spend and lastly from a technology perspective a lot of companies buy a lot of Technology but they are not utilizing it to the fullest so so make sure that you're looking at your technology seeing what the different features are within that tools kit ensure that you're able to leverage that because we see a lot of overlap between technology tools and a lot of companies tend to have a small piece with one of the items a smaller piece with another uh vendor and the spend becomes significant but one vendor could potentially take care of all of these different uh activities so make sure you're reviewing your technology vendors and ensuring even from repository standpoint that you're able to leverage some of your conversations with them into negotiating and getting a better rate things Colleen did that kind of answer your question anything that you think I should have brought up no perfect okay thank you all right so cyber Insurance a fun topic uh you know we've seen things change so much from a cyber Insurance standpoint we've had uh you know I I recall in the uh about 10 close to 10 years ago uh I've done a study and we noticed that everybody was jumping into the Cyber Insurance business but they didn't have any Trends analysis history none of that but they were charging these low premiums giving big coverages till a lot of the underwriters went broke so uh what what happened then was that they started doing a lot more 
Trend analysis they were asking for more detailed questionnaires uh for those who've been in the business for a while you would have noticed you know earlier on the questionnaires for cyber Insurance were very limited they were just an add-on to your existing policies and uh you know most times it was answered by folks who probably didn't even know anything about the Cyber landscape within the organization and they still got insurance coverage and now uh with everything that's going on insurance uh carriers are uh you know facing record uh uh losses so what that that means is they're charging a premium but then they're paying so much that they're not making any money and what that means is you would have noticed for anybody who went through a renewal your cyber security insurance has probably gone through the roof for all the coverage that you need to be having and we're seeing that uh you know with uh with all of these risks that uh they're trying to take on because insurance is nothing but transferring of the risk where you know you're hoping for the best but preparing for the worst so that's typically the tagline of the insurance companies as well as cyber security Personnel so you know in that way it's relatable but know that they would want to see more uh of your risk assessments uh to then provide you what is a good driver discount so work with your insurance providers to see what you can do to provide them such that you can negotiate your rates more favorably we're seeing a lot of cases where uh insurance providers are reaching out to uh you know uh partnering with third-party Consultants uh to get a better understanding of the risk posture of a particular company and then in some cases not even uh you know going forward with issuing any insurance because they feel like it could be a loss maker so work through uh your security uh uh cyber security Insurance Brokers or carriers ensure that uh you know if you've got certain certifications from an ISO 
standpoint or if you've got your soft 2 reports sock one reports make sure that you're leveraging that to get uh more bang for your buck again uh from a insurance standpoint and know that uh you know at the end of the day insurance is not going to cover everything that uh uh you know you've got within your umbrella there could be a limit out there after which you would have to self-insure and in most cases uh folks are looking at self-insurance in that regard as well so be prepared have somebody know knowledgeable read through your cyber insurance policies to look for those clauses I always joke with some of my clients saying that look there are days when if somebody's hit by a breach the insurance folks could say well you got up from the wrong side of the bed so today you're not going to get covered you want to make sure that you're covered no matter what and you know exactly to what limit you're covered when you need to pull in Insurance make sure that from a cyber Insurance standpoint if they've got certain forensics vendors that they've tied up with you've got all the capabilities uh there to kind of lean upon should you have a breach so make sure from an overarching perspective you're dealing with uh the right coverage getting it at the right price and utilizing any uh opportunities to use their uh you know approved vendors from a foreign forensic standpoint and otherwise and obviously you know given the area that we're working in there would be involvement with law enforcement so one of the things that I always tell my clients is make sure you have a good relationship with your law enforcement folks just in case something does go sideways you are able to reach out to them and you're not initiating a relationship then you've already had one so you can reach out to them and start moving the process much sooner Colleen any any thoughts on the Cyber Insurance space are you seeing uh you know any uh hiring needs from cyber insurance carriers where they're trying 
to get people who've already worked in the cyber security business just to spruce up and ensure that from a risk perspective they're covering things just curious oh I do actually I just went to a webinar on Cyber insurance and um the one thing that I think a lot of companies for many years use cyber insurance as their safety net where they we're aware of certain vulnerabilities that they left you know they put a blind eye to because they if anything did happen cyber would cover insurance would cover it but I don't think that's the case anymore but something interesting that they said in this webinar was the three types of Industries which are almost uninsurable in some cases um you would think would be to me I thought it'd be Financial Services because they seem to be the ones that are most at risk but it's really manufacturing health care and education which I thought that that that I mean if I think my slide was correct there you go wow look at that I didn't even know and this wasn't planned uh but uh from from an industry specific attacks I mean no industry is safe I mean we're not saying that if you're outside of uh the healthcare industry or manufacturing or financial uh or educational you're safe no everyone's going after everybody it's one of those things you have to keep your eyes and ears open for your uh you know for the threat landscape that seeps into each one of these areas uh Healthcare Providers again I mean we've seen that in the dark web that the record each record from a healthcare uh perspective uh you know you get the most money on the dark web so obviously the criminals would go after that uh from emerging I mean you've got so many emerging Technologies uh from a medical field standpoint and so you've got medical devices that come into play they need to be tested on a frequent basis there are vulnerabilities out there that need to be uh you know patched so the healthcare providers again they are working to take care of the health of everybody 
within the country, within our planet, and people go after them. What we've seen from a healthcare perspective is ransomware shutting down scheduling tools; it has ensured that folks are not able to register patients who are coming in for treatment, so that creates a lot of issues. They're changing up numbers within the test results, things that morally kind of baffle me and would baffle most of you; they're doing certain things that don't even make sense. So we need to make sure that from a healthcare standpoint we are protecting the interest, taking all the help that we can use. There is the HIPAA HITECH law within the US that covers the healthcare industry, be it the covered entities or the business associates; there are a lot of requirements there that people need to fulfill, but there are still opportunities to just walk in and gain access to health care records. So from a healthcare perspective, be on the vigil.

You've got other areas, like Colleen said, manufacturing, where we've seen cases where there was a Coca-Cola plant where they would constantly keep ferrying multiple trucks filled with Coca-Cola products, but ransomware took that entire thing down, and the owners were tasked with continuing to pay for the trucks, continuing to pay the employees till the systems came back up. It's easy for somebody to get in and cause that nuisance value, but what this nuisance does is to shut shop for a lot of companies. So you need to be very aware of where somebody could come in and interject things. And again, all of you are familiar, I mean, the mode of attack could be external, it could also be internal, so make sure that from an information security standpoint you're focusing in on all of your different threads and taking action accordingly with good access controls and so on. Financial
information, again, obvious areas where people want to go; anything where they can create identity theft issues, everybody is going for it, so definitely something to be aware of. Use regulation to your advantage. So what I tell a lot of my clients who are maybe reeling under a lot of risk but not getting the support of their management is to use regulation to their advantage, because there are cases where regulation requirements would allow you to meet certain security requirements that you had in mind, and I think that's a good way to tackle that and get the buy-in. But from all of these industries, be it the highest priority target to the lowest one, make sure you're constantly in touch with your management and alerting them to the risk, so you're getting the support that you need. Colleen, anything else you want to add on this particular topic?

Well, I just think, just in healthcare in general, I think if you even just read about what can happen if there is a breach in a hospital or healthcare organization, it's very, very scary. But also just on the job field, I wanted to say about manufacturing that IoT in the past year, like jobs in that space are crazy, so it's a good area to look into if you're interested.

Absolutely, yeah. I mean, there's a need across the board, and the opportunity to get into cyber security and having the job security is something else, because this is something that we are not seeing going away anytime soon. And on that point, I mean, there are so many different modes where we've seen a lot of people pivot in their career towards cyber security. They could have some relevant experience in the past, but I'm seeing a lot of people who have actually changed their career path to get into security, and those are conversations that I have with a lot of mentees, those that want to get in because they're excited with this field. And I think as
cyber security professionals we need to welcome them with open arms, because we could use all the help we could get, and especially those who are enthused and who are excited about serving the community. That's something that I'm passionate about, and obviously I can talk about it for several hours if I chose to, but if anybody needs help, I mean, Colleen and I are available on that topic specifically, to chat and help make introductions within the cyber security community itself.

Absolutely. And I think it's obviously very important when you're breaking into cyber; it's just a very hard area to break into because you just don't necessarily have hands-on experience, so you just want to make sure you know what you're doing, so that you can have a conversation with people when you do get an opportunity to be in front of someone. And having a mentor is key.

Absolutely. All right, did it say... are you able to see my screen? I see it. Okay, it says "please move to resume sharing." All right, so more software patches. So I mean, this is something that's, again, we're seeing patches come out on an incredible level, something that we haven't seen in the past, because of all of these different zero-day vulnerabilities that folks are coming up against. So IT teams are struggling to keep everything up to date. So make sure that either your teams are current in terms of the patches, they're up to date in terms of their learning and education in terms of how to apply them, create a plan that makes it important for them to address this issue in good stead, because if you're not patching things it's the easiest way for these vulnerabilities to be exploited and for bad actors to come in. A topic we've already touched upon from a hiring standpoint, right, so the Ponemon Institute found that 64 percent of the organizations are looking to hire more IT staff for patch management, which tells you how
much this has changed in the last few years, because they need to stay current with their patches, and I can tell you a lot of organizations are struggling to do that. So make sure that you're hiring the right people from an IT perspective, but also retaining experienced IT staff. Like Colleen said, incentivize them; make sure that you're doing the right things to keep them on board, because losing a staff member who's got institutional knowledge and then bringing somebody on board to train them up to speed and getting the best out of them, there's a vast difference there. So make sure that you're working towards that. Easier said than done, but reach out to your resources, reach out to your community, find out who can introduce you to whom to kind of address some of these IT-related gaps. And then, like I said, outdated software because you're not patched could lead to vulnerabilities, could then automatically lead to a data breach, because people are basically getting out there and looking for vulnerabilities as we speak. So make sure you're taking care of those things on a timely basis.

Zero trust adoption: we've seen that buzzword, zero trust is something everyone's talking about, but make sure that you are utilizing authentication and identity as part of everything that you do. From a zero trust standpoint, being risk aware, ensuring that there is continuous identity authorization, and then you're practicing least privilege access controls as well. Ensure that you're monitoring these things on a regular basis. Again, not everybody has gone in to adopt zero trust; it is something that is a work in progress in most organizations, but what we're going to see is a lot more people are going to go that route, just given the nature of everything within the industry from a threat landscape standpoint.

Government intervention: we're seeing the US has come up with a lot of rules, be it from an SEC standpoint for
public organizations; there are multiple other countries, I know India came up with one, Canada and so on. Different countries are trying, the governments are talking about cyber security being a big risk and that they need to protect their interests, because all of these businesses are what is shoring up the economy of that particular country, and they want to make sure that these businesses survive and are taking the right steps to ensure that they're preventing these cyber security attacks. Now, you cannot always prevent, but be proactive in your approach so that when you're hit by an attack you're able to get back on your feet sooner. So things like an incident response plan, business continuity plan, all of those things are what the government has come up with. They do come up with certain lists that you would want to look at and see if you're meeting those requirements; if not, work towards them, because these are very simple standard things that all organizations need to deal with. But there are industry-specific items that you would still need to consider outside of what the government notices put out. From a US standpoint they've absolutely spoken about ransomware, because it's hitting educational institutions, it's hitting hospitals, cities even, so there is a big requirement for everybody to kind of fall in line in terms of ensuring they're taking care of their cyber security posture, having a good program in place. And, I mean, like I said, I don't want to make this more US-centric, but please look at your government's notifications on cyber security. I would love to hear from some of you in terms of what you have gathered there, because it only increases my knowledge as well, but I'd love to hear from you after this presentation to see what the governments are talking about and how you've addressed those particular
risks. Lastly, from an MFA standpoint, MFA is out there, cyber insurers need it, everybody needs it, but there are phishing techniques now that are MFA-aware, so they are designed with MFA in mind, which allows folks to still get through to that point. I spoke about the earlier incident where, with Paul boost, somebody reached out to me and asked for that token that Google had sent up. So these are ways that they'll try to socially engineer and get through things, but you want to make sure that MFA is not the be-all and end-all. So you want to make sure that employees are aware, and you want to ensure that you're training each of your employees to understand that the threat landscape is changing, and make sure that you're not doing the same awareness training year after year. Have a provider or a vendor who is giving you new videos or new training so you can do them more on a quarterly basis, because at best doing it quarterly is how it stays in your employees' minds, and they can act as a guardian, as I spoke about earlier, to help you in successfully mitigating cyber security risks. Colleen, any thoughts on this particular topic at all?

Well, obviously there's a lot to do, so there's a lot of jobs, thank you. No, it's, I mean, it's crazy, and I think everyone in the audience gets texts all the time for two-factor.

Absolutely. All right, with that, thank you so much for your time. I had to leave some time for questions; I know we ran a couple minutes over our 15 minute time slot, but open for any questions.

Okay, thank you Maddie and Colleen for delivering this very informative webinar. Just to remind you that PCB offers training and certification courses which will show your dedication in managing cyber security, and most importantly you will get recognized worldwide. Now without further ado I'll go ahead and answer some of the questions from the attendees.
The first question is: how will AI technologies like GPT influence the cyber security risk landscape?

Okay, so that's an interesting one, because we're seeing ChatGPT and other AIs now. ChatGPT obviously came into more prominence with the Microsoft purchase and just with all the stories that are out there, right. So I think what we are going to be seeing is leveraging artificial intelligence to the fullest extent, but we still need to make informed decisions from a human standpoint to ensure complete coverage. So ensuring that you're able to gather all the information that you need, which earlier we'd have to go in and crawl the internet or crawl your network, you could utilize AI to gain that information, but I always feel like having that human intervention and taking that human decision is important in ensuring that you're able to protect your interest. Now it will be interesting to see how things change or evolve from the bad actors trying to take advantage of AI, and that's something I've got my eyes and ears open for as well. But I think there will be some sort of an impact, surely in the short term, and pretty significant in the long term, because it's not that the AI is available just for the good guys versus the bad guys, right, it's available to both. So we need to kind of see how we can keep up with it, but know that human intervention is still required to keep your systems and your organization secure.

Okay, thank you Matthew. One of the attendees wants to know, in your own opinion, what is more important: the compliance or the knowledge of the end user about cyber security?

So those I think are two different topics per se. So knowledge of cyber security from the end users is good to protect the entire interest of the firm, because then they know what not to do. From a compliance standpoint, it is having certain guidelines that you need to attain compliance, which still would need the
requirements of the different employees within the organization; it could be limited to a few or it could be everybody. For example, if you're protecting healthcare information, because that is a topic we spoke about significantly in the last few slides, all the employees would be required to protect that, whereas with certain other compliance areas that could be limited to just the compliance team that is helping collate data and put things into play. So I think they're independent in some ways but could come together in some ways, but are of equal importance, because at the end of the day my goal is to protect the company overall from a security risk perspective but also meet compliance and ensure that employees are aware and are trained significantly to protect their interests as well.

Thank you Matthew. Okay, another question: cyber crime is on the increase despite the continuous cyber security awareness.

So from a cyber criminal standpoint, they're looking for new ways to get in. So not only are they, as cyber criminals, aware of the trainings, all the modes of protection that we put into place, they are trying to go one up. So as much information as we have access to, they have access to that and more. So we want to make sure that from a cyber criminal standpoint we are staying ahead of the curve in terms of educating our employees and ourselves as we move forward, but know that the cyber criminals are constantly testing new tools, new techniques in terms of how they can enter an organization. So, I mean, given this environment, a lot of people have been remote; we've seen COVID be an enhancer of cyber criminal activity, just because people are sitting at home, and there are some people who are getting enrolled into criminal groups and all they're doing is trying to find vulnerabilities within organizations, having the same knowledge that the organization has. So you need to
constantly stay on top of things there.

Thank you. Okay, and the question is: what do you think of penalizing staff for negligence on infosec risk actions?

I'm sorry, can you repeat the question again?

What do you think of penalizing staff for negligence on infosec risk actions?

Okay, so I have an interesting take on it. So I've seen companies where the first time around, if there are some risky actions being taken that could put the company in jeopardy, it calls for training and coaching, but the second time around they're let go. So it's a two strikes and you're out policy, and I think a lot of them are looking at that only because they do not want somebody who has such a high risk to the organization that they keep clicking on every email that comes through or provide information to outsiders without clearly getting any approvals. They want to make sure that their environment is secure. So in some ways I'm all for it, but you also need to understand where the gap is that prompted said individual to do what they did, and try to address those gaps as well. So I've seen both ends of the spectrum, but I think, given this day and age, I can see why two strikes and you're out makes sense.

Thank you. Okay, and the last question is: what items do we need to have when we speak about good cyber security governance?

So from a cyber security governance standpoint, I mean, you obviously have your CISO, you've got all of your different folks that either report into that particular system and obviously address security risk appropriately. So you want to make sure that you've got adequate policies, you've got your incident response plan, business continuity, disaster recovery; ensure that you've got the right people under each one of these as responsible, accountable and so on; ensure that you're leveraging your organization such that you're talking to your CISO whenever required, or management, and
allow for that constant interaction to address security risks. And that's a "see something, say something" sort of mentality; if it is addressed, and the tone at the top, if that is significant, I think the governance model becomes that much simpler for people to openly share information within the organization. And one thing that I also would recommend is, if you have industry-specific groups that you can be a part of, there's a lot of information sharing that happens in these industry-specific groups, and it would be good for you to understand what the risks are that other companies within the industry saw, so that you can then look to see how you are addressing it and spruce up your efforts there as well.

Thanks a lot. Okay, thank you one more time Matthew and Colleen for presenting today. The audience, please just be informed that this session is recorded and it will be posted on our website and YouTube channel along with the slides of the presentation. Thanks to you all for joining us today.

Thank you so much. Thank you.