Published by Cristóbal Navarro Maestre. Modified over 6 years ago.
Rogers Enterprise Security Solutions
Bracing for a Breach: Prepare for Cybersecurity Threats with Proper Planning
Stewart Cawthray, CISSP, CISM, CRISC, CEH, General Manager, Enterprise Security, Rogers Communications
May 2, 2017
The Breach… Are you prepared?
It's 3:00pm: do you know where your data is? Cyber breaches happen to companies of all sizes and in every industry; no one is immune. How you handle a breach is what determines whether you survive it. Are you prepared?
Rogers Enterprise Security | Communicating the Breach
Agenda
1. What constitutes a breach?
2. The Law & Breach Notification
3. Cybersecurity Playbook & Incident Response
4. Internal & External Communications
5. Summary & Recommendations
World's Biggest Data Breaches
[Data visualization: selected losses greater than 30,000 records]
What Constitutes a Breach
Is every security incident a breach? Does a breach only involve data loss? Does it matter what type of data was involved, or how much?
• A textbook definition: "Any unauthorised disclosure or loss of sensitive information due to an intentional, accidental or malicious act."
• In general, most people consider a breach to involve PII (personally identifiable information) or health data.
• But loss of corporate data can also be a breach: future plans, M&A information, intellectual property (the "secret sauce"), and anything else that could be materially damaging to your business.
Breach Notification Laws
Different laws exist across Canada and globally.
Canada
• No national breach-disclosure law is in force currently. Health-sector privacy statutes such as Ontario's PHIPA do require disclosure to affected individuals when health information is lost.
• Digital Privacy Act 2015: amended PIPEDA to introduce new provisions relating to breaches of security safeguards, including mandatory breach reporting to the Office of the Privacy Commissioner of Canada (OPC), to affected individuals and, in some cases, to third parties. Not yet in effect; the regulatory consultation closed May 31, 2016.
• Alberta is the only province with a provincial breach-disclosure law in effect.
USA
• All but a few states have mandatory breach notification laws in effect. CSOonline.com has an interactive map showing which states and linking to the actual laws.
• California was first, in 2003.
International
• The EU General Data Protection Regulation (GDPR), applying from May 2018, requires notification of a "personal data breach" to the supervisory authority without undue delay (where feasible, within 72 hours) and to affected individuals where the breach is likely to result in a high risk to them.
When do we need to disclose a breach?
To tell or not to tell… Whether you need to disclose that you were breached depends on several factors:
Jurisdiction
• Is there a law in the jurisdiction in which you operate that requires disclosure? Remember that this often means where the affected parties reside, not where your business resides.
Type/Classification of Data
• What kind of data was lost: PII, health records, sensitive corporate data? Most disclosure laws apply to PII and health records only.
Brand Reputation
• If the breach were to be discovered, how would the corporate brand be affected? Getting in front of a bad situation can often cool fires before too much damage is done.
Cyber Insurance Policy
• Many cyber insurance policies require disclosure to at least the affected parties before a payout will be approved.
Corporate Citizenship
• In a highly connected business ecosystem, disclosing a breach that may affect peers, partners, suppliers or customers helps those organizations protect themselves or detect their own breaches.
Are you prepared?
A playbook for cybersecurity incident response is essential for handling a breach. Do you have a playbook? Is it written down? Is it tested?
The National Association of Corporate Directors (NACD) recommends five guiding principles:
1. Understand and approach cyber security as an enterprise-wide risk management issue, not just an IT issue.
2. Understand the legal implications of cyber risks as they relate to the company's specific circumstances.
3. Boards should have adequate access to cyber security expertise, and discussions about cyber risk management should be given regular time on the board meeting agenda.
4. Make sure that management establishes an enterprise-wide risk management framework with adequate staffing and budget.
5. The board and management should identify which risks to avoid, accept, mitigate, or transfer through insurance, along with the specific plans associated with each approach.
Test your plan regularly and often: weekly within Security and quarterly with the broader company. The actions you take before an incident are far more impactful than the actions you take during or after one.
Cybersecurity Playbook: before-incident checklist
• Stay current on cybersecurity threats and best practices.
• Prepare the board and executives by establishing a committee and links between the board and C-level executives such as the CIO and CISO.
• Identify and know the firm's security posture and risks. Assess systems, assets, data and capabilities.
• Research, design and deploy security technologies appropriate to the assessed risks.
• Develop and deploy detection systems to identify security events as soon as possible.
• Create an incident response plan, including whom to contact and when. Build in contingencies.
• Ensure the response plan covers communications, analysis, mitigation and other critical tasks such as legal or customer support.
• Link the incident response plan to recovery and business continuity plans.
• Discuss with counsel whether security events should be disclosed, and what should be disclosed.
• Obtain liability insurance for directors and officers as well as for the corporation.
Cybersecurity Playbook: during-incident checklist
• Oversee the incident response. Act as a conduit between incident responders, the company and external stakeholders.
• Understand that news of the incident usually comes to the company from outsiders, such as law enforcement or partner companies. Keeping the event under wraps is likely not possible.
• Work closely with legal counsel and public relations to advise the C-level on how to disclose incident details.
• Don't disclose details until they are verified.
• Stay in touch with your response team right through remediation.
Cybersecurity Playbook: after-incident checklist
• After the breach has been repaired, assist in damage control to restore the company's infrastructure and reputation.
• Review the incident response and assess how it performed. Determine where to make improvements, and recognise the elements that went well.
• With guidance from legal counsel, determine how to make customers whole if they were affected by the incident.
• Monitor churn rate and offer remedies to minimise churn. Legal counsel will advise whether any remedies are required by law.
Internal & External Communication of a Breach
What and who do you tell about a breach? Who you tell depends on your playbook: different levels of incident have different disclosure requirements.
• Internal stakeholders: IT, operations, executives, department heads and/or employees.
• External stakeholders: government, shareholders, industry regulators, employees, and/or media.
Have a plan prepared
• Who is on point to speak about the incident? Who will prepare the talking points and brief spokespeople?
• At what cadence will information be released? Who approves each release? Will legal review it prior to release?
• What are your contingencies?
Manage the message
• Focus your initial messages on the steps being taken to investigate the issue.
• Communicate in a clear and direct way; companies shouldn't get overly technical. Provide people with the information they need and what they can do to protect themselves.
• Releasing unverified details can cause problems or contradictions down the road if the details change.
• The sense of urgency to get information out to customers needs to be overridden by the pragmatic approach of releasing only verified information.
After the breach
• Create a hub where people can get updates.
• Monitor social media (in addition to traditional media) to understand the tone and volume of what company stakeholders and influencers are saying.
• Once the worst of the breach is behind you, it's time to start repairing your company's reputation. This starts with clear, direct communication around the steps your company is taking to ensure a breach doesn't happen again.
Always be mindful that a breach will garner media attention.
Summary & Recommendations
If you remember nothing else from this session, remember this…
• Cyber security incidents will happen to you.
• How prepared you are will determine their impact on your organization.
• Know your legal and risk landscape. It is highly likely that more than one jurisdiction applies.
• Establish a plan with clear communication guidelines and procedures, verified by legal, PR and company leadership.
• Test your response plan regularly and often: weekly within the security organization, quarterly with the broader company.
• Seek help to prepare before an incident if needed.
Thank You.
Your success is our business.