A PM’s Guide to Surviving A Data Breach
We Are Cyber Risk Managers
Compliance:
- PCI QSA and PCI Gap Analysis
- FISMA
- HIPAA
- SSAE 16
- GLBA, Red Flags
Response:
- Incident Response and Disaster Recovery
- Electronic Litigation Support and Forensic Recovery
- Penetration Testing
- Business Continuity Planning
- Network Architecture Design
- Crisis Communications
- Insurance and Liability Planning
The first rule of survival: Don’t Cross the Street Blindfolded
In cyberspace, you have to be right 100% of the time. A hacker only has to be right ONCE.
How does it happen?
- User credentials
- Phishing
- User errors
- Malware
- Misuse
- Unpatched systems
- Web app attacks
Companies spend money on the wrong things.
                     Spend (% of revenue*)   Global losses (2013**)
Physical security    2%                      $112 billion (physical theft)
Cybersecurity        0.4%                    $300 billion (cyber attacks)
* businesses with $10M - $100M in revenue (Bloomberg)
** 2013 (Ponemon Institute)
Consider…
- US credit card fraud in 2013 totaled $7.1B; the entire rest of the world totaled $6.8B
- 71% of cyber attacks hit businesses with fewer than 100 employees
- The forecasted average loss for a breach of 1,000 records is between $52,000 and $87,000
- 60% of SMBs that experience a data breach are out of business within 6 months
- Extremely effective hacking tools are cheap or free, easy to obtain, and easy to use
- Social engineering and employee error are the most common causes of a breach, followed by application vulnerabilities
Technology does not equal security...
Defense-In-Depth: Technology
- 99% of exploited vulnerabilities had a patch available
- More than half of vulnerabilities have an exploit available within 30 days
- 70-90% of malware is unique to the organization it hits
…neither does compliance.
We trade convenience for security every day.
Commonly stolen:
- Personal information
- Credit information
- Medical records
- Intellectual property
- Customer/partner data
- Network credentials
- Addresses/passwords
Convenient:
- Online banking
- E-commerce
- Medical portals
- Cloud storage / access anywhere
- Vendor access
- Remote management
- Single sign-on across platforms
The second rule of survival: Diamonds vs. Toothbrush
Risk Mitigation: Pre-Planning
- Identify critical information and map it
- Determine data retention requirements
- Know compliance and legal requirements
- Identify vendors
- Conduct a risk analysis
- Determine your threshold
- Identify gaps
What’s Most Important?
- Banking credentials
- Cloud storage
- Vendor access
- Remote management
- Employee PII
- Credit information
- Medical records
- Social media presence
- Intellectual property
- Customer data
- Supply chain data
- Network credentials
- Addresses
- Legal data
- Financial records
- Payroll and accounting data
The third rule of survival: Don’t Go to Costco the Day of the Storm
Risk Mitigation: Response
- Breach response begins before a breach
- IR planning is critical
- Know your networks and devices
- Train employees to recognize and respond
- Success is measured in hours
Risk Mitigation: Response
Your team:
- Legal counsel
- Network and security administrators
- Insurance agents
- PR / crisis communications
- Forensics and recovery
- Decision makers (CIO, COO, CEO)
- HR
- Breach resolution service
Risk Mitigation: Compliance
- Guidelines and standards for protecting critical information
- Most standards allow flexibility based on risk
- Prioritizes spending and drives response criteria
- May require technology solutions
- Best defense against fines, fees, and litigation
- Compliance does NOT make a company bulletproof
Risk Mitigation: Insurance
- The policy must meet the needs of the business
- Forensics, legal, PR, notification, and lost revenue are all insurable with the right policy
- More information is better when calculating need
- Watch for exclusions
- Catastrophic protection vs. "cyber HMO"
The fourth rule of survival: Exercise is good for you.
Risk Mitigation: Exercise
- Training, training, training
- Tabletop or simulation
- Walk through each responsibility
- Evaluate the plan for currency
- Allow enough time
- Debrief
- Repeat at least annually
The fifth rule of survival: It’s best to solve the problem with the simplest method.
Data Breach: When it’s not a drill
1. Remove affected devices from the network; do NOT power them off!
2. Call your lawyer
3. Activate the IRP
4. Interview and document
5. Determine the extent of the breach
6. Engage your forensic team
7. Identify legal obligations
8. Manage communications
9. Remediate and recover
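The first step on this slide, isolate the device but keep it powered, is there because the evidence a forensic team needs most (running processes, live network connections, cached addresses, whatever is in memory) exists only while the machine is up. The script below is an added example, not material from the original deck or its author: it snapshots that volatile state from a Linux host's /proc, hashes each artifact into a manifest so the forensic team has a chain of custody, and only then prints the commands that drop the network links. The Linux /proc layout and the `ip` tool are assumptions, the evidence directory name is arbitrary, and the isolation commands are printed rather than run so a first responder can review them before acting as root.

```python
"""Volatile-state triage for the "isolate, don't power off" step.

Added example, not from the original deck. Assumes a Linux host (/proc layout)
and the `ip` tool for the final isolation commands. Everything a power-off would
destroy (process list, live TCP connections, ARP cache) is written to an evidence
directory and hashed into a manifest BEFORE the network link is dropped.
"""
import hashlib
import json
import os
import socket
import time
from pathlib import Path

# /proc/net/tcp state codes that matter most in a breach triage
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}


def _hex_addr(field: str) -> str:
    """Decode an 'ADDR:PORT' field from /proc/net/tcp{,6}.

    The kernel prints each 32-bit word of the address in host (little-endian)
    byte order, so every 8-hex-digit chunk must be byte-reversed.
    """
    addr, port = field.split(":")
    raw = b"".join(bytes.fromhex(addr[i:i + 8])[::-1] for i in range(0, len(addr), 8))
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return f"{socket.inet_ntop(family, raw)}:{int(port, 16)}"


def parse_proc_net_tcp(text: str) -> list:
    """Turn the text of /proc/net/tcp or /proc/net/tcp6 into connection records."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0].endswith(":"):   # header or malformed line
            continue
        conns.append({"local": _hex_addr(f[1]), "remote": _hex_addr(f[2]),
                      "state": TCP_STATES.get(f[3], f[3]), "uid": int(f[7])})
    return conns


def list_processes() -> str:
    """pid, uid and command line for every live process, read straight from /proc."""
    rows = []
    for pid in sorted((p for p in os.listdir("/proc") if p.isdigit()), key=int):
        try:
            cmd = Path(f"/proc/{pid}/cmdline").read_bytes().replace(b"\0", b" ").decode(errors="replace").strip()
            uid = Path(f"/proc/{pid}/status").read_text().split("Uid:")[1].split()[0]
        except OSError:
            continue        # the process exited between listing and read
        rows.append(f"{pid}\t{uid}\t{cmd or '[kernel thread]'}")
    return "\n".join(rows)


def default_readers() -> dict:
    """Artifact name -> callable returning its content; each is lost on power-off."""
    return {
        "host.txt": lambda: f"{socket.gethostname()} uptime_s={Path('/proc/uptime').read_text().split()[0]}",
        "processes.tsv": list_processes,
        "tcp_connections.json": lambda: json.dumps(
            parse_proc_net_tcp(Path("/proc/net/tcp").read_text())
            + parse_proc_net_tcp(Path("/proc/net/tcp6").read_text()), indent=1),
        "arp.txt": lambda: Path("/proc/net/arp").read_text(),
    }


def collect_volatile(outdir, readers=None) -> dict:
    """Write every artifact, hash it, and return the chain-of-custody manifest.

    A reader that fails is recorded as a failure rather than aborting the triage:
    a partial snapshot with an honest manifest beats no snapshot.
    """
    readers = readers if readers is not None else default_readers()
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    manifest = {"collected_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                "artifacts": {}}
    for name, read in readers.items():
        try:
            data = read().encode()
        except Exception as exc:   # deliberately broad: keep collecting during triage
            data = f"COLLECTION FAILED: {exc!r}".encode()
        (out / name).write_bytes(data)
        manifest["artifacts"][name] = {"sha256": hashlib.sha256(data).hexdigest(),
                                       "bytes": len(data)}
    (out / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def isolation_commands(interfaces) -> list:
    """Commands to run as root ONLY after collection: cut the link, keep the power on."""
    return [f"ip link set {iface} down" for iface in interfaces]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else f"./evidence-{int(time.time())}"
    print(json.dumps(collect_volatile(target), indent=1))
    print("Next, as root, once the forensic team has what it needs:")
    for cmd in isolation_commands(sys.argv[2:] or ["eth0"]):
        print("  ", cmd)
```

Run it as `python3 triage.py ./evidence eth0` on the affected host before anyone touches the power button; the manifest's hashes are what lets the forensic team (slide above, step 6) later show that the snapshot was not altered between collection and analysis.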
Final Thoughts:
- By 2020, the global cyber security market is expected to skyrocket to more than $140 billion
- It isn’t possible to manage risk through technology and hardware alone
- Cyber is a component of risk management
- Vendors are an important part of cyber risk
- People make mistakes
- Companies must re-think insurance, compliance, liability, and training to include cyber
“There are two kinds of companies in America: those who’ve been breached and those who don’t know they’ve been breached.” FBI Director James Comey
Helping Your Company or Client: Ask them simple questions about compliance and risk management…
- Have you thought about what you would do in a data breach situation?
- What critical information do you have?
- Is your legal team ready to handle your data breach?
- Do you know if you are compliant?
- Does your cyber insurance product meet your needs?
Protect Yourself: Take Personal Responsibility
- Consider a credit freeze if you’ve been breached
- Secure your home network; use separate networks for sensitive information
- Back up your data
- Avoid coffee shop Wi-Fi
- Evaluate the convenience vs. privacy tradeoff
- Use a different password for every account
Questions?
Heather Engel