Cyber Risk & Mitigation Strategies for the Real World

Transcription

1 Cyber Risk & Mitigation Strategies for the Real World Inga Goddijn EVP, Managing Director Risk Based Security 2014 FALL CONFERENCE & TRAINING SEMINAR 1

2 2

3 A motivated hacker is difficult to stop. Trust me? But it s not just about I.T. Phishing 3

4 Phishing (ˈfɪʃɪŋ) n An e mail fraud method in which the perpetrator sends out legitimate looking in an attempt to gather personal or financial information from recipients. SearchSecurity.TechTarget.com 4

5 Why? Curiosity as to contents leads to high rates of plugging it in, just to see what s there. Ease of use and high mobility means data can walk out the door. 5

6 = Worst data theft ever?? Ever Leave A Laptop Back In The Room? 6

7 Did I Really Just Hit Send On That? Causes of Data Loss at Governmental Entities Distribution of Incidents by Type at Governmental Entities Risk Based Security Cyber Risk Analytics US Entities 1/05-1/14 7

8 Privacy or Security? A Few Statistics In 2012, RBS captured data on 3,140 data breach events. For the same year, Verizon s DBIR looked at 47,000 security events, of which 621 resulted in data loss. What Does This Tell Us? Security events are happening at an alarming rate. Data loss events get a lot of attention but are less frequent than security events.* 8

9 Personally Identifiable Information Generally a person s first name (or first initial) and last name, in combination with: Social Security Number Drivers License Number Financial account number, including a credit or debit card account number, or any security code, access code, or password that would permit access to the individual's financial account Medical Information Biometric Information (like fingerprints) User Names & Passwords Financial Implications Likely Costs Notification Legal fees Identity protection Forensics Possible Costs Defense costs Settlements Responding to regulatory investigations 9

10 Response Costs Alone Can Add Up Fast Forensics$250+ an hour Lawyers$350+ an hour Mailing$2 $3 per letter Identity Protection $25+ per person So how do we control for the exposure? 10

11 With Standards, Of Course! The Beauty of Standards is That There Are So Many to Choose From Existing Security Standards NIST Cyber Security Framework Dutch A&K Analysis EBIOS, ETSI, FAIR, FIRM, FMEA, FRAP, ISAMM ISO Series (ISO 27001:2013) ISO Methodology Open Source Approaches PCI/DSS State Standards such as MA 201 CMR 17 Other methodologies such as COBIT and OCTAVE And many more! 11

12 Will implementation reduced risk? Security is rarely one size fits all 12

13 There is a solution to every road block Start with the human element 13

14 Awareness & Training This Can Be FUN!. Identify and track information assets 14

15 Continuous assessment of security posture Act Plan Check Do Ask a lot of questions of your vendors! 15

16 Have a plan And put it to the test! Unfortunately, even the best plan can go wrong 16

17 A data breach is an extraordinary situation and lack of experience responding coupled with the desire to make things right can lead to some curious outcomes. South Carolina Department of Revenue Hackers gain access to electronic tax returns, compromising 4.4M 6.4M records Costs estimated at more than $20M $1.2M notification $12M Experian credit monitoring + latest offering from CSID Additional monitoring services by Dun & Bradstreet for companies caught in the breach $750,000 to Mandiant alone for forensic breach analysis Additional consultants, up grades including encryption, legal fees from class action suit According to Governor Nikki Haley s office spokesman, Doug Mayer, there have been no confirmed cases of identity or credit theft directly related to the Department of Revenue hacking. CarolinaLive.com October 22,

18 Lessons Learned Establish relationships with resources before the event, not after. Controlling expenses is important but putting off system upgrades can be more costly in the long run. Credit monitoring is one way to ease concerns, but not the only way. Ultimately, security is about people not technology. Foundations of Information Privacy and Data Protection P. Swire & K. Ahmed,

19 QUESTIONS? COMMENTS? CONCERNS? 19