A PM’s Guide to Surviving A Data Breach


Presentation Transcript


  1. A PM’s Guide to Surviving A Data Breach

  2. We Are Cyber Risk Managers
     • Compliance:
       • PCI QSA and PCI Gap Analysis
       • FISMA
       • HIPAA
       • SSAE 16
       • GLBA, Red Flags
     • Response:
       • Incident Response and Disaster Recovery
       • Electronic Litigation Support and Forensic Recovery
       • Penetration Testing
     • Business Continuity Planning
     • Network Architecture Design
     • Crisis Communications
     • Insurance and Liability Planning

  3. The first rule of survival: Don’t Cross the Street Blindfolded

  4. In cyberspace, you have to be right 100% of the time. A hacker only has to be right ONCE.

  5. How does it happen?
     • User Credentials
     • Phishing
     • User Errors
     • Malware
     • Misuse
     • Unpatched Systems
     • Web App Attacks

  6. Companies spend money on the wrong things.

  7. How much businesses* spend on physical security: 2% of revenue
     Global losses to physical theft**: $112 billion
     How much businesses spend on cybersecurity: 0.4% of revenue
     Global losses to cyber attacks**: $300 billion
     * Businesses with $10M - $100M in revenue (Bloomberg)
     ** 2013 figures (Ponemon Institute)

  8. Consider…
     • US credit card fraud in 2013 equaled $7.1B
     • The entire rest of the world totaled $6.8B
     • 71% of cyber attacks happen to businesses with fewer than 100 employees
     • The forecasted average loss for a breach of 1,000 records is between $52,000 and $87,000
     • 60% of SMBs that experience a data breach are out of business within 6 months
     • Extremely effective hacking tools are cheap or free and are easy to obtain and use
     • Social engineering and employee error are common causes of a breach, followed by application vulnerability

  9. Technology does not equal security...

  10. Defense-In-Depth: Technology
     • 99% of exploited vulnerabilities had an available patch
     • More than half of vulnerabilities have an exploit available within 30 days
     • 70-90% of malware is unique to an organization

  11. …neither does compliance.

  12. We trade convenience for security every day.

  13. Convenient:
     • Online Banking
     • E-Commerce
     • Medical Portals
     • Cloud Storage/Access Anywhere
     • Vendor Access
     • Remote Management
     • Single Sign-On Across Platforms
     Commonly Stolen:
     • Personal Information
     • Credit Information
     • Medical Records
     • Intellectual Property
     • Customer/Partner Data
     • Network Credentials
     • Email Addresses/Passwords

  14. The second rule of survival: Diamonds vs. Toothbrush

  15. Risk Mitigation: Pre-Planning
     • Identify critical information and map it
     • Determine data retention requirements
     • Know compliance and legal requirements
     • Identify vendors
     • Conduct a risk analysis
     • Determine your threshold
     • Identify gaps

  16. What’s Most Important?
     • Banking Credentials
     • Cloud Storage
     • Vendor Access
     • Remote Management
     • Employee PII
     • Credit Information
     • Medical Records
     • Social Media Presence
     • Intellectual Property
     • Customer Data
     • Supply Chain Data
     • Network Credentials
     • Email Addresses
     • Legal Data
     • Financial Records
     • Payroll and Accounting Data

  17. The third rule of survival: Don’t Go to Costco the Day of the Storm

  18. Risk Mitigation: Response
     • Breach response begins before a breach
     • IR planning is critical
     • Know your networks and devices
     • Train employees to recognize and respond
     • Success is measured in hours

  19. Risk Mitigation: Response
     • Your team:
       • Legal Counsel
       • Network and Security Administrators
       • Insurance Agents
       • PR/Crisis Communications
       • Forensics and Recovery
       • Decision Makers (CIO, COO, CEO)
       • HR
       • Breach Resolution Service

  20. Risk Mitigation: Compliance
     • Guidelines and standards for protecting critical information
     • Most standards allow flexibility based on risk
     • Prioritizes spending and drives response criteria
     • May require technology solutions
     • Best defense against fines, fees, litigation
     • Compliance does NOT make a company bulletproof

  21. Risk Mitigation: Insurance
     • The policy must meet the needs of the business
     • Forensics, legal, PR, notification and lost revenue are all insurable events with the right policy
     • More information is better when calculating need
     • Watch for exclusions
     • Catastrophic protection vs. Cyber HMO

  22. The fourth rule of survival: Exercise is good for you.

  23. Risk Mitigation: Exercise
     • Training, training, training
     • Tabletop or Simulation
     • Walk-through responsibility
     • Evaluate for currency
     • Allow enough time
     • Debrief
     • Repeat at least annually

  24. The fifth rule of survival: It’s best to solve the problem with the simplest method.

  25. Data Breach: When it’s not a drill
     • Remove affected devices from the network, but don’t turn them off!
     • Call your lawyer
     • Activate the IRP
     • Interview and document
     • Determine the extent of the breach
     • Engage your forensic team
     • Identify legal obligations
     • Manage communications
     • Remediate and recover

  26. Final Thoughts:
     • By 2020, the global Cyber Security market is expected to skyrocket to more than $140 billion
     • It isn’t possible to manage risk through technology and hardware alone
     • Cyber is a component of risk management
     • Vendors are an important part of cyber risk
     • People make mistakes
     • Companies must re-think insurance, compliance, liability, and training to include cyber
     www.sera-brynn.com | info@sera-brynn.com | 757-243-1257

  27. “There are two kinds of companies in America: those who’ve been breached and those who don’t know they’ve been breached.” FBI Director James Comey

  28. Helping Your Company or Client:
     • Ask them simple questions about compliance and risk management…
       • Have you thought about what you would do in a data breach situation?
       • What critical information do you have?
       • Is your legal team ready to handle your data breach?
       • Do you know if you are compliant?
       • Does your cyber insurance product meet your needs?

  29. Protect Yourself:
     • Take Personal Responsibility
     • Consider a credit freeze if you’ve been breached
     • Secure your home network; use separate networks for sensitive information
     • Back up your data
     • Avoid coffee shop Wi-Fi
     • Evaluate the convenience vs. privacy tradeoff
     • Vary your passwords

  30. Questions?
     Heather Engel, heather.engel@sera-brynn.com
     www.sera-brynn.com | info@sera-brynn.com | 757-243-1257
