Tech Lock Introduces: Data Breach Root Causes
Michael Wright • Chief Security Officer • Tech Lock
Cyber Security Risks
While this data management method wasn't as efficient, it might have been more secure.
Cyber Security Risks
• 30% of users open phishing emails*
• 12% click on the links contained in the email*
• 56% of breaches occurred due to phishing attacks*
• 99% of computers use software that is vulnerable to attack if not updated*
• $73.7 billion: worldwide spending on cybersecurity in 2016, a 12% increase**
*Heimdal Security **IDC
Cost of a Breach
• Average consolidated cost of a data breach rose to $4 million in 2016*
• Average cost for each stolen record is $158*
• Additional cost is reputational harm: how will your customers react to a breach?
*Ponemon Institute, 2016 Cost of a Data Breach Study: Global Analysis
Making Compliance a Competitive Advantage
The following slides serve a dual role:
1. What you can do to set yourself above the rest from a compliance perspective.
2. How those same practices protect you from a breach. They are a distillation of the vast majority of our pen test and audit findings.
Making Compliance a Competitive Advantage
Regulations dictate that companies must validate all of their vendors' data security and compliance. What sets you apart from everyone else?
• Reputation… is not enough
• No security breaches (yet)… is not enough
• Operational excellence… is not enough
Data Breach Root Causes: Overview
While you can't guarantee a breach will never occur, there are best practices you can implement to better secure your data and lower your risks. The root causes we see most often:
• Lax or Ineffective Access Control
• Non-authoritative Policies
• No Third-Party Data Security Audits
• Data Security Not Part of Daily Processes
• Insufficient Vendor Oversight
• Business Leaders Not Involved
Lax or Ineffective Access Control
• Provide only the level of access required to perform job duties
• Providing higher than necessary access often exacerbates ransomware attacks: ransomware runs with the privileges of the account it lands on, so every share that account can write to is a share it can encrypt
• Train your team, including C-level executives, on why having only the required access helps protect your company
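To make the ransomware point concrete, here is an added example (not from the original deck or from Tech Lock) that computes the "blast radius" of a phished account over a set of constructed share ACLs. The share names, group names and the user "alice" are all assumptions made up for the illustration; the script compares an over-provisioned layout, where "Domain Users" can write everywhere, with a least-privilege layout, and also flags any write grant to a broad built-in group.

```python
"""Blast-radius check for over-broad write access (illustrative example).

Ransomware encrypts whatever the compromised account can write, so the set
of writable paths for one phished user is the damage it can do. The ACL
entries below are constructed sample data, not real shares.
"""
from dataclasses import dataclass

# Groups that effectively mean "every account in the domain"; a write grant
# to any of these is a finding in a least-privilege review.
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}


@dataclass(frozen=True)
class AclEntry:
    path: str          # share or folder the entry protects
    principal: str     # user or group the entry grants rights to
    rights: frozenset  # subset of {"read", "write"}


def rw(path, principal):
    """Read/write entry."""
    return AclEntry(path, principal, frozenset({"read", "write"}))


def ro(path, principal):
    """Read-only entry."""
    return AclEntry(path, principal, frozenset({"read"}))


# Constructed sample: everyone can write to every departmental share.
OVER_PROVISIONED = [
    rw(r"\\fs01\Finance", "Domain Users"),
    rw(r"\\fs01\HR", "Domain Users"),
    rw(r"\\fs01\Engineering", "Domain Users"),
    rw(r"\\fs01\Backups", "Backup Operators"),
]

# Constructed sample: write access limited to the owning department's group.
LEAST_PRIVILEGE = [
    rw(r"\\fs01\Finance", "Finance-RW"),
    ro(r"\\fs01\Finance", "Domain Users"),
    rw(r"\\fs01\HR", "HR-RW"),
    rw(r"\\fs01\Engineering", "Eng-RW"),
    rw(r"\\fs01\Backups", "Backup Operators"),
]


def writable_paths(acls, user, groups):
    """Paths the user (directly or via group membership) can write to."""
    principals = {user, *groups}
    return sorted({e.path for e in acls
                   if e.principal in principals and "write" in e.rights})


def broad_write_grants(acls):
    """(path, group) pairs where a broad group has write access."""
    return sorted((e.path, e.principal) for e in acls
                  if e.principal in BROAD_GROUPS and "write" in e.rights)


def compare(user, groups):
    """Blast radius of one compromised account under both ACL layouts."""
    before = writable_paths(OVER_PROVISIONED, user, groups)
    after = writable_paths(LEAST_PRIVILEGE, user, groups)
    return {"before": before, "after": after,
            "reduction": len(before) - len(after)}


if __name__ == "__main__":
    # Assumed scenario: alice works in Finance and opens a phishing email.
    result = compare("alice", {"Domain Users", "Finance-RW"})
    print("Encryptable with broad grants :", result["before"])
    print("Encryptable with least privilege:", result["after"])
    print("Broad write grants to fix:", broad_write_grants(OVER_PROVISIONED))
```

With the over-provisioned ACLs, one phished Finance user can encrypt Finance, HR and Engineering; with least privilege the same user reaches only Finance, and the Backups share is out of reach in both cases because it is granted to a separate operator group.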
Data Security Not Part of Daily Processes
• Many organizations focus on data security only during their annual audits
• "Bake" it into your daily routines and business processes
Data Security Not Part of Daily Processes
Assess the impact to data security and compliance when making technology or business process changes. Examples include:
• Moving software systems or data "to the cloud"
• Switching from traditional telephony to Voice over IP
Build data security requirements into the planning and the transition.
Insufficient Vendor Oversight
1. Identify Data Flows
2. Determine Risk Level
3. Execute Due Diligence
4. Document Vendor Oversight Program
Non-Authoritative Policies
Documents created by IT to satisfy audit requirements and sitting neglected on a server are not effective.
1. Create Security Policies: create appropriate IT security policies. Say what you do, and do what you say.
2. Disseminate Policies
3. Enforce Policies: IT policies can protect your organization only when enforced.
No Third-Party Data Security Audits
• Independent audits and penetration tests are effective ways to validate your data security measures
• You don't know if you are secure if you don't test the system
Business Leaders Not Involved
As a business leader within your organization, what are YOU doing to ensure your company stays out of the news? BE INVOLVED!
Compliance and Security Best Practices
You probably have a formal compliance program for CFPB, FDCPA, etc. Do you include data security requirements like PCI, HIPAA, the GLBA Safeguards Rule, etc.? Or do you just trust that your technical and operations staff are staying compliant with standards they may know little to nothing about?
Questions?
• Ensure Appropriate Access Control
• Create Authoritative IT Policies
• Make Data Security Part of Daily Processes
• Validate Your Data Security
• Oversee Your Vendors
• BE INVOLVED!
Thank you
www.techlockinc.com
info@techlockinc.com