A PM’s Guide to Surviving A Data Breach

We Are Cyber Risk Managers
• Compliance:
  • PCI QSA and PCI Gap Analysis
  • FISMA
  • HIPAA
  • SSAE 16
  • GLBA, Red Flags
• Response:
  • Incident Response and Disaster Recovery
  • Electronic Litigation Support and Forensic Recovery
• Penetration Testing
• Business Continuity Planning
• Network Architecture Design
• Crisis Communications
• Insurance and Liability Planning

The first rule of survival: Don’t Cross the Street Blindfolded
In cyberspace, you have to be right 100% of the time. A hacker only has to be right ONCE.

How does it happen?
• User Credentials
• Phishing
• User Errors
• Malware
• Misuse
• Unpatched Systems
• Web App Attacks

Companies spend money on the wrong things.
• How much businesses* spend on physical security: 2% of Revenue
• Global losses to physical theft**: $112 Billion
• How much businesses spend on cybersecurity: 0.4% of Revenue
• Global losses to cyber attacks**: $300 Billion
* $10M - $100M in revenue (Bloomberg)
** 2013 (Ponemon Institute)

Consider…
• US credit card fraud in 2013 equaled $7.1B
  • The entire rest of the world totaled $6.8B
• 71% of cyber attacks happen to businesses with less than 100 employees
• The forecasted average loss for a breach of 1,000 records is between $52,000 and $87,000
• 60% of SMBs that experience a data breach are out of business within 6 months
• Extremely effective hacking tools are cheap or free and are easy to obtain and use
• Social engineering and employee error are common causes of a breach, followed by application vulnerability

Technology does not equal security...
Defense-In-Depth: Technology
• 99% of exploited vulnerabilities had an available patch
• More than half of vulnerabilities have an exploit available within 30 days
• 70-90% of malware is unique to an organization

…neither does compliance.
SSAE 16 • SOC • Red Flags • PCI • GLBA • ISO 27000 • SOX • HIPAA • NIST

We trade convenience for security every day.
Convenient:
• Online Banking
• E-Commerce
• Medical Portals
• Cloud Storage/Access Anywhere
• Vendor Access
• Remote Management
• Single Sign-On Across Platforms
Commonly Stolen:
• Personal Information
• Credit Information
• Medical Records
• Intellectual Property
• Customer/Partner Data
• Network Credentials
• Email Addresses/Passwords

The second rule of survival: Diamonds vs. Toothbrush

Risk Mitigation: Pre-Planning
• Identify critical information and map it
• Determine data retention requirements
• Know compliance and legal requirements
• Identify vendors
• Conduct a risk analysis
• Determine your threshold
• Identify gaps

What’s Most Important?
• Banking Credentials
• Intellectual Property
• Cloud Storage
• Customer Data
• Vendor Access
• Supply Chain Data
• Remote Management
• Network Credentials
• Employee PII
• Email Addresses
• Credit Information
• Legal Data
• Medical Records
• Financial Records
• Social Media Presence
• Payroll and Accounting Data

The third rule of survival: Don’t Go to Costco the Day of the Storm

Risk Mitigation: Response
• Breach response begins before a breach
• IR planning is critical
• Know your networks and devices
• Train employees to recognize and respond
• Success is measured in hours

Risk Mitigation: Response
• Your team:
  • Legal Counsel
  • Network and Security Administrators
  • Insurance Agents
  • PR/Crisis Communications
  • Forensics and Recovery
  • Decision Makers (CIO, COO, CEO)
  • HR
  • Breach Resolution Service

Risk Mitigation: Compliance
• Guidelines and standards for protecting critical information
• Most standards allow flexibility based on risk
• Prioritizes spending and drives response criteria
• May require technology solutions
• Best defense against fines, fees, litigation
• Compliance does NOT make a company

Risk Mitigation: Insurance
• The policy must meet the needs of the business
• Forensics, legal, PR, notification and lost revenue are all insurable events with the right policy
• More information is better when calculating need
• Watch for exclusions
• Catastrophic protection vs. Cyber HMO

The fourth rule of survival: Exercise is good for you.

Risk Mitigation: Exercise
• Training, training, training
• Tabletop or Simulation
• Walk-through responsibility
• Evaluate for currency
• Allow enough time
• Debrief
• Repeat at least annually

The fifth rule of survival: It’s best to solve the problem with the simplest method.

Data Breach: When it’s not a drill
• Remove affected devices from the network, don’t turn them off!
• Call your lawyer
• Activate the IRP
• Interview and document
• Determine the extent of the breach
• Engage your forensic team
• Identify legal obligations
• Manage communications
• Remediate and recover

Final Thoughts:
• By 2020, the global Cyber Security market is expected to skyrocket to more than $140 billion
• It isn’t possible to manage risk through technology and hardware alone
• Cyber is a component of risk management
• Vendors are an important part of cyber risk
• People make mistakes
• Companies must re-think insurance, compliance, liability, and training to include cyber

www.sera-brynn.com | info@sera-brynn.com | 757-243-1257

“There are two kinds of companies in America: those who’ve been breached and those who don’t know they’ve been breached.”
FBI Director James Comey

Helping Your Company or Client:
Ask them simple questions about compliance and risk management…
• Have you thought about what you would do in a data breach situation?
• What critical information do you have?
• Is your legal team ready to handle your data breach?
• Do you know if you are compliant?
• Does your cyber insurance product meet your needs?

Protect Yourself:
• Take Personal Responsibility
• Consider a credit freeze if you’ve been breached
• Secure your home network, use separate networks for sensitive information
• Backup your data
• Avoid coffee shop Wi-Fi
• Evaluate the convenience vs. privacy tradeoff
• Vary your passwords

Questions?
Heather Engel
heather.engel@sera-brynn.com