A PM’s Guide to Surviving A Data Breach
• Compliance:
  • PCI QSA and PCI Gap Analysis
  • FISMA
  • HIPAA
  • SSAE 16
  • GLBA, Red Flags
• Response:
  • Incident Response and Disaster Recovery
  • Electronic Litigation Support and Forensic Recovery
  • Penetration Testing
  • Business Continuity Planning
  • Network Architecture Design
  • Crisis Communications
• Insurance and Liability Planning
We Are Cyber Risk Managers
The first rule of survival:
Don’t Cross the Street Blindfolded
In cyberspace, you have to be right 100% of the time. A hacker only has to be right ONCE.
How does it happen?
• User Credentials
• Phishing
• User Errors
• Malware
• Misuse
• Unpatched Systems
• Web App Attacks
Companies spend money on the wrong things.
• How much businesses* spend on physical security: 2% of Revenue
• Global losses to physical theft**: $112 Billion
• How much businesses spend on cybersecurity: 0.4% of Revenue
• Global losses to cyber attacks**: $300 Billion
* Businesses with $10M - $100M in revenue (Bloomberg)
** 2013 (Ponemon Institute)
Consider…
• US credit card fraud in 2013 equaled $7.1B
• The entire rest of the world totaled $6.8B
• 71% of cyber attacks happen to businesses with less than 100 employees
• The forecasted average loss for a breach of 1,000 records is between $52,000 and $87,000
• 60% of SMB that experience a data breach are out of business within 6 months
• Extremely effective hacking tools are cheap or free and are easy to obtain and use
• Social engineering and employee error are common causes of a breach, followed by application vulnerability
Technology does not equal security...
Defense-In-Depth: Technology
• 99% of exploited vulnerabilities had an available patch
• More than half of vulnerabilities have an exploit available within 30 days
• 70-90% of malware is unique to an organization
…neither does compliance.
We trade convenience for security every day.
Commonly Stolen:
• Personal Information
• Credit Information
• Medical Records
• Intellectual Property
• Customer/Partner Data
• Network Credentials
• Email Addresses/Passwords
Convenient:
• Online Banking
• E-Commerce
• Medical Portals
• Cloud Storage/Access Anywhere
• Vendor Access
• Remote Management
• Single Sign-On Across Platforms
The second rule of survival:
Diamonds vs. Toothbrush
Risk Mitigation: Pre-Planning
• Identify critical information and map it
• Determine data retention requirements
• Know compliance and legal requirements
• Identify vendors
• Conduct a risk analysis
• Determine your threshold
• Identify gaps
What’s Most Important?
• Banking Credentials
• Cloud Storage
• Vendor Access
• Remote Management
• Employee PII
• Credit Information
• Medical Records
• Social Media Presence
• Intellectual Property
• Customer Data
• Supply Chain Data
• Network Credentials
• Email Addresses
• Legal Data
• Financial Records
• Payroll and Accounting Data
The third rule of survival:
Don’t Go to Costco the Day of the Storm
Risk Mitigation: Response
• Breach response begins before a breach
• IR planning is critical
• Know your networks and devices
• Train employees to recognize and respond
• Success is measured in hours
Risk Mitigation: Response
• Your team:
  • Legal Counsel
  • Network and Security Administrators
  • Insurance Agents
  • PR/Crisis Communications
  • Forensics and Recovery
  • Decision Makers (CIO, COO, CEO)
  • HR
  • Breach Resolution Service
Risk Mitigation: Compliance
• Guidelines and standards for protecting critical information
• Most standards allow flexibility based on risk
• Prioritizes spending and drives response criteria
• May require technology solutions
• Best defense against fines, fees, litigation
• Compliance does NOT make a company bulletproof
Risk Mitigation: Insurance
• The policy must meet the needs of the business
• Forensics, legal, PR, notification and lost revenue are all insurable events with the right policy
• More information is better when calculating need
• Watch for exclusions
• Catastrophic protection vs. Cyber HMO
The fourth rule of survival: Exercise is good for you.
Risk Mitigation: Exercise
• Training, training, training
• Tabletop or Simulation
• Walk-through responsibility
• Evaluate for currency
• Allow enough time
• Debrief
• Repeat at least annually
The fifth rule of survival:
It’s best to solve the problem with the simplest method.
Data Breach: When it’s not a drill
• Remove affected devices from the network; don’t turn them off!
• Call your lawyer
• Activate the IRP
• Interview and document
• Determine the extent of the breach
• Engage your forensic team
• Identify legal obligations
• Manage communications
• Remediate and recover
Final Thoughts:
• By 2020, the global Cyber Security market is expected to skyrocket to more than $140 billion
• It isn’t possible to manage risk through technology and hardware alone
• Cyber is a component of risk management
• Vendors are an important part of cyber risk
• People make mistakes
• Companies must re-think insurance, compliance, liability, and training to include cyber
www.sera-brynn.com | [email protected] | 757-243-1257
“There are two kinds of companies in America: those who’ve been breached and those who don’t know they’ve been breached.”
FBI Director James Comey
Helping Your Company or Client:
Ask them simple questions about compliance and risk management…
• Have you thought about what you would do in a data breach situation?
• What critical information do you have?
• Is your legal team ready to handle your data breach?
• Do you know if you are compliant?
• Does your cyber insurance product meet your needs?
Protect Yourself:
• Take Personal Responsibility
• Consider a credit freeze if you’ve been breached
• Secure your home network; use separate networks for sensitive information
• Backup your data
• Avoid coffee shop Wi-Fi
• Evaluate the convenience vs. privacy tradeoff
• Vary your passwords